I'm sure there was a USB backdoor open somewhere. So whose fault is it if the US can't protect its own data? Blame others! That seems to be the way they operate!
There is no single party responsible. There are many. The entire government is to blame. We are talking about people, bureaucrats, who haven't the slightest idea of how a hard disk works or how their computer connects to the internet, and they think that they know everything about computers and can single-handedly swipe technological rights out of the American people. See Carmen Ortiz above.
It's the entire government. The sooner people understand this, things like these won't happen.
The US government has some of the best CNA/E defense anywhere in the world - certainly better than almost all of industry - even departments that you would otherwise think are puny.
The backdooring and lack of encryption in software is because the US is still a primary exporter of technology and we want to be able to continue to hack, surveil, message and control those who get US technology. US FedRAMP and other compliance minimums insist on the use of properly configured encryption in private industry to protect government information and cyber sharing programs enable both the sharing of data between private and public sectors for surveillance and for the detection and analysis of foreign cyber attacks. The US government has state of the art encryption (for the most part) and some of the most heavily monitored perimeters.
None of this is enough to stop cyberattacks, which have all of the advantages in their favor.
So while I'm inclined to agree with you that the US should stop mandating backdoors and weak encryption, I don't think it's a fair characterization to suggest this has anything to do with why the US was breached.
China and the US are battling each other in several arenas of influence, as are Russia and the US. In this case the US is trying to stop Russia and China's global and regional power projection and these countries do not accept the US world order and their current place in it.
Conflict is inevitable. It will be interesting to read the history books to see what gets written about the role of the information warfare space and what role it plays in whatever outcome we get.
Of course it is the Vendor's responsibility. But if the NSA, CIA, FBI, Homeland Security, Secret Service or any other government group gets in the way how much of the blame goes where when the shit hits the fan?
Most vendors will patch if they know about issues. Who is at fault when a hack happens and the US government could have prevented it by divulging?
Interesting but seems kind of late, no? Even the US State Department has banned USB drives since at least 2008. I don't think US government is particularly well known for being good at security.
Whoever is behind it, I find it hard to blame them. As they write on their blog:
>> Governments have an obligation to protect the private data of its employees and citizens. In addition, the exposure of proprietary government data can be used for great means of manipulation and for other destructive purposes. While the NCIIPC operates a Responsible Vulnerability Disclosure Program, the recklessness and avoidance of communication represents the complete opposite of a responsible program. <== from https://johnjhacking.com/blog/indian-government-breached-mas...
Enough has been said by people inside and outside of India about UIDAI / Aadhaar[0][1] and its many horrible side-effects and the risks it creates. This situation was created years ago after loud warnings of researchers and citizens who have meanwhile been silenced by the Modi government (who are the real culprits here).
India has done this to its people already years ago, therefore breaches here today are mere symptoms of incompetence (not the cause).
The resources of a nation state were not required to hack Equifax... a kid with a laptop could have done it.
This is a consumer trust and safety issue because basic care was not taken to protect the data that Equifax was trusted with guarding.
If it turns out that a nation state is the one that carried out the hack... then that's a national security issue AND a consumer trust and safety issue. But that doesn't excuse gross incompetence.
Different branches of the same government means there’s only a single entity with all the keys. Pretending otherwise is maliciously naive.
Every entity or group of entities I can think of you suggesting has a pretty well documented history of undermining the legal rights their countries ostensibly provide.
Before you of course get to the elephant in the room: governments are notoriously bad at keeping super critical shit like this under wraps, and once it inevitably leaks literally everyone is fucked.
My suggestion for any nonsense laws like this would be: if the keys are ever leaked, misused, shared with any other entity, the country shall be required to pay full cost of replacement of every impacted device. They shall be liable for all downstream costs. The management and directors of every agency that had access to the material are personally liable for costs as well, as is every elected official that supported or approved the legislation. Claiming that they can’t be responsible for the mistakes of others is not permitted as a defense: there is already a defense against mass invasion of privacy and these incompetent fuck ups are constantly trying to pass legislation like this that removes that defense.
The recent hacks used NSA tech, the FBI had nothing to do with it. The OP is generalizing that un-closed vulnerabilities in the hands of any government agency are an unacceptable risk, which I agree with, but let's put the blame for the current issue where it belongs.
You say it like you're blaming them. Do you realize the sheer number of assets they have to protect?
The government knows it will always have a soft exterior due to its size. This is why they have air-gaps and such strict policies.
A lot of people give the government a ton of flak for how poorly they work but for an entity of their size they do a pretty good job. I'm not saying there isn't obvious room for improvement but they do a fairly good job. Other countries of similar size have much larger infosec issues than the US... you just don't hear about them.
Why is everyone so shocked? Has anyone ever talked to a friend that works for the Federal govt.? They are well known to be completely incompetent when it comes to technology. Even the DoD, which gets billions of dollars for cyber defense, often doesn't do things right.
How can you expect the Fed. Govt. to handle things competently when some of the best paid private contractors F' things up too. Security is hard.
What IS a bit surprising is not the fact that they were hacked, but that they actually found out they were hacked. From what I understand, the Fed. Govt. has lost even more important data (like designs for weapon systems), and not even realized it till like years later when the technology shows up in foreign weapons.
We haven't built anything flawless so I'm not sure if it is fair to blame anyone for building something that might not be secure without any evidence.
No matter who is going to lead 5G technology, the service provider will have full control as they already have. They will still be able to do everything that they are doing already.
So we will have our domestic controls and it is secure in that sense.
Perhaps what we might not have is having our backdoors to have the same powers in all other countries around the world.
What doesn't make sense? They would rather have sole access to all the data even at the expense of having to build their own tools. It's not the first or the last attempt of government taking power through 'protection'.
Yes, it's totally the fault of tech companies that the US Federal government forces them to give up access to any information they want, and a non-profit email org would be immune to US intelligence agencies. /s
It's a technology problem too: the devices should have been encrypted such that it wouldn't matter if they fall into the wrong hands.
Of course, it all comes down to organizational issues in the end (they knew about the risk and ignored it), but this seems like exactly the kind of thing that politics want to prevent when they throw around money for "cybersecurity".
If FireEye, ostensibly full of competent people, can be hacked, what hope does the government have for protecting access to legally mandated backdoors in encryption? The silver lining of these events is it shows how ridiculous mandating backdoors would be. It’s begging other nations to attack us.
You're totally falling for the plausible deniability governments engage in when conducting surveillance and espionage on their own citizens.
"Oh it wasn't our fault the software was written poorly. Not like we wrote laws around it or paid companies to share data with us."
What else do you believe that comes from the govt's mouth? Would you simply never believe they'd take advantage of us unless caught in some precise way, in some precise situation?
Government can start showing us it's loyal to us, or face attack of its own networks.
American hackers are no less careful to avoid running services or communicating through American datacenters. Everyone knows that Google, Apple, Facebook, Amazon etc. are more than happy to turn over the IP address logs and any unencrypted data whenever law enforcement brings a valid search warrant, and sometimes they'll offer a dragnet of all their data when law enforcement just asks nicely.
The problem is that law enforcement is listening to local victims: Hack Colonial Pipeline and ask them to bring you a bag of cash in the parking lot, and you won't be meeting with their CFO - that guy in a suit is from the FBI. Hack Nord Stream, and you'll make some Russians angry, but they're going to have a hard time bringing that complaint to the FBI.
To make this more sensible, we need a paradigm shift. With a global Internet separating victims and hackers, while national governments only look for domestic victims of domestic perpetrators, you're going to end up with a lot of useless fist-shaking across the borders. I'm not suggesting that the answer is extradition of scapegoats at the whims of foreign powers, either, but our small, modern world has a lot of growing up to do before this makes sense.