Report: Too Much Cyber Security at CIA
Kevin Poulsen, SecurityFocus 2003-05-28

While other government agencies struggle with their cyber security practices, the Central Intelligence Agency apparently suffers from the opposite problem: too much security -- according to a recent study of the agency's use of information technology.

Report: Too Much Cyber Security at CIA 2003-05-29
Anonymous (1 replies)
Report: Too Much Cyber Security at CIA 2003-05-29
fruid (1 replies)
Report: Too Much Cyber Security at CIA 2003-05-30
LumpyGames (at) hotmail (dot) com [email concealed]
Report: Too Much Cyber Security at CIA 2003-06-02
Anonymous
This is of course talking about an agency that does things like spend tens of millions every year designing applications with embedded client-server encryption, multiple hardware-encrypted diverse network paths, two factor authentication at every border (network, host & application), etc., then uses contracting firms with programmers on foreign work visas from places like Pakistan and China, and transmits the project source code over the internet with anonymous ftp.

This is an agency whose S&T group pays contracting companies millions of dollars to "re-invent" buffer overflow exploits and common scanning tools because the argument is that "they must be from a known and trusted source." Despite the fact that they have the original source code to begin with to review, and those same contracting firms have horrible operational security themselves (go check any news archive for multiple problems.)

This is an agency who has people flying around the country with tempest-certified classified laptops handcuffed to their wrists in locked briefcases, yet may never have any mechanism to block 128MB USB keyfobs coming in and out of their various buildings.

The threats to the US intelligence community are myriad, and the recent amount of espionage (and terrorism) has done even more to stir up the internal paranoia. Unfortunately, like many government agencies, the bureaucratic mentality is to over-engineer things to the point of absurdity, overlooking silly things like common sense and usability.

As long as there is fear, some beltway contracting firm will be slouching towards Langley with a high-dollar solution that "sounds" like it might actually work and includes a lot of heavy-duty security buzzwords.

IMHO things will only continue to get worse unless people within the intel community actually do start to use some common sense, and shift some focus back to traditional OPSEC and HUMINT.

Link to this comment: http://www.securityfocus.com/comments/articles/5201/20271#20271
Copyright 2009, SecurityFocus