Interesting but seems kind of late, no? Even the US State Department has banned USB drives since at least 2008. I don't think the US government is particularly well known for being good at security.
Virtually every government office I have been in the past 5 years dealing with any classified information has disallowed the use of flash drives being connected to government machines, and it is pretty strictly enforced with reminder posters all over.
I'm sure there was a USB backdoor open somewhere. So whose fault is it if the US can't protect its own data? Blame others! That seems to be the way they operate!
I think this is not correct and perhaps a deliberate downplay. The US Govt theoretically and in many cases provably has backdoors in the very fabric of the internet itself, and has tendrils in products of many of the companies and entities responsible for everything from transistor to application.
It is, however, in the US govt's interest to not present this, so as not to encourage people away from US tech.
But they don't stop people coming into the country or seizing their property. They are temporarily withholding the devices and copying the data. That's why you use full disk encryption - if they want to copy and store pseudorandom data, let them.
The US government has some of the best CNA/E defense anywhere in the world - certainly better than almost all of industry - even departments that you would otherwise think are puny.
The backdooring and lack of encryption in software is because the US is still a primary exporter of technology and we want to be able to continue to hack, surveil, message and control those who get US technology. US FedRAMP and other compliance minimums insist on the use of properly configured encryption in private industry to protect government information and cyber sharing programs enable both the sharing of data between private and public sectors for surveillance and for the detection and analysis of foreign cyber attacks. The US government has state of the art encryption (for the most part) and some of the most heavily monitored perimeters.
None of this is enough to stop cyberattacks, which have all of the advantages in their favor.
So while I'm inclined to agree with you that the US should stop mandating backdoors and weak encryption, I don't think it's a fair characterization to suggest this has anything to do with why the US was breached.
China and the US are battling each other in several arenas of influence, as are Russia and the US. In this case the US is trying to stop Russia and China's global and regional power projection and these countries do not accept the US world order and their current place in it.
Conflict is inevitable. It will be interesting to read the history books to see what gets written about the role of the information warfare space and what role it plays in whatever outcome we get.
I have talked to government officials responsible for my country's digital security policy and they have explicitly told me that they want remote attestation to lock out devices not running big corporate systems and they do not care about freedom. The same ministry is responsible for police. If they could, they would forbid you doing anything that is not explicitly legal just to be safe.
E.g.: Microsoft being American (and them being part of PRISM), I just assume the OS has a backdoor for the US gov. Now with Windows 10's heavy telemetry, it's even easier.
I work for a client doing chips for credit cards. Did you know they are now full-blown computers that can run a light version of Java (Java Card)? The company is building their own hardware and software, and just to get to a conference room, you need biometric access + badge + pin code. Pretty sure they send data to my country's agencies in some way despite having to trick the banking system to do so for them.
Same from any software, server/cloud hosting or hardware. If it comes from a specific country, this country is most probably using it for intelligence. It doesn't even need to be on a network now, because there is so much interactivity with all devices. And eventually, one will be.
There are hundreds of thousands of machines and millions of removable drives. Tracking down every last instance of a piece of malware and then dealing with it is quite hard at that scale. Usually they fall back on policy ("no usb/removable drives").
They're handicapped by a need AND compulsion to use contractors for everything. Actual government employees didn't build drones; they were all developed and in many cases largely maintained and even operated by private contractors, working to government requirements (which themselves are structured to make the contractors inefficient, compared to normal commercial companies). Same thing with networks.
Remember that story a few months ago about how some government agency had replaced all its keyboards and mice in response to a malware infestation? A lot of folks (including some here) took this as Yet Another Show of Government Cluelessness. I found myself wondering instead if there was a world in which folks advised by government security experts (i.e., you-know-who) would have a good reason to do something like this and not say why.
There is. It's a world in which their opponents had a zero-day against the Windows USB driver, and a way into the government's supply chain. And in which you-know-who wants to play the same game themselves against opponents elsewhere.
Lol I thought as much. At this point I think most people assume that any major global government can access whatever device you own if they really want to.
Not even limited to 'the government'. Improperly sanitized network gear shows up in second-hand markets all around the world. Happened at a former employer of mine and a 'finder' attempted to extort us over it. VPN PSKs on the equipment were still in use in the field (no PFS either, so years of captured content could ostensibly have been decrypted).
Even equipment that appears to have been cleared out is probably hiding secrets in flash. The vendor of the equipment in this case had a separate command to wipe file contents. Deleting files just unlinked them in the flash fs.
In 2009, the government couldn't even provide the Secretary of State with a secure handheld. It would be great to hear some background on it from someone with actual direct knowledge of such things (i.e., not more speculation from the rest of us).