Comment by xoa

2 days ago

This. In fact I thought the government had long since gotten pretty serious about using smartcards and HSMs for everything? Why let anyone take any sort of accessible credential at all vs handing out hardware they can use but that cannot have the credentials taken off? At some organizations the extra cost would be a concern of course but that wouldn't be the case here.

Or maybe that'd have been the sort of project and standard CISA would have formerly done before the Republicans gutted it last year I guess, and this is just another symptom of rot? But yeah to your point technology certainly can absolutely help with this sort of thing. It's not some inevitable act of nature.

I think you have to look at it against the backdrop of so many people being fired and new employees being tasked with “urgent” projects across the government. It’s very plausible that the people who used to enforce all of the policies which would’ve preceded or contained this were either fired for political reasons or didn’t think they could tell someone to follow policy if it slowed them down.

> In fact I thought the government had long since gotten pretty serious about using smartcards and HSMs for everything?

They do use it for a lot, but there are a lot of things that need to authenticate to each other in a modern ecosystem, especially if you're trying to replace security based on network boundaries as trust boundaries with zero trust (as the government is).

I worked with more than a few IL4 systems where the PKI/smartcard stuff was simply shoved into an F5 that did TLS termination and then everything on the internal VPC just used HTTP headers without even a crypto signature to convey which user had actually logged in.

As with anything else, the more you make it easy to do the right thing, the more often you tend to see the right thing being done. So agencies that make it easy to request server PKI certs see increased uptake; other agencies just have server-to-server auth done by PSKs / API keys instead.

So the concern isn't usually cost but compliance, if it's nearly impossible to get those little developer experience affordances ATO'd themselves, agencies will instead just focus on getting the mission system itself ATO'd come hell or high water and the devs just get told to piece it together however...
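The pattern described in the comment above (smart-card/PKI auth terminated at the gateway, then a bare HTTP header carrying the user identity across the internal network) shown beside a signed-header check, as an added example that is not from this thread; the header names, the shared gateway key and the HMAC design are assumptions for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed scenario: a gateway terminates TLS and forwards the authenticated
# identity to internal services in a request header.

def weak_handler(headers: dict) -> Optional[str]:
    """The pattern from the thread: trust the bare header. Any host that can
    reach the service on the VPC can set this header to whatever it likes."""
    return headers.get("X-Authenticated-User")

# Hardened variant (assumed design, not the thread's): the gateway signs
# "user|expiry" with a key shared only with the gateway, and the service
# verifies that signature before it believes the identity.
GATEWAY_KEY = b"constructed-demo-key"  # placeholder; never keep real keys in source
MAX_AGE_SECONDS = 300

def gateway_assert(user: str, key: bytes = GATEWAY_KEY, now: Optional[float] = None) -> dict:
    """What the gateway would attach after it has verified the smart card."""
    if "|" in user:
        raise ValueError("user must not contain the field separator")
    now = time.time() if now is None else now
    exp = str(int(now) + MAX_AGE_SECONDS)
    msg = f"{user}|{exp}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-Authenticated-User": user, "X-Auth-Expires": exp, "X-Auth-Sig": sig}

def hardened_handler(headers: dict, key: bytes = GATEWAY_KEY, now: Optional[float] = None) -> Optional[str]:
    """Accept the identity only if the gateway's signature is valid and fresh."""
    now = time.time() if now is None else now
    user = headers.get("X-Authenticated-User")
    exp = headers.get("X-Auth-Expires", "")
    sig = headers.get("X-Auth-Sig", "")
    if not user or "|" in user or not exp.isdigit():
        return None
    if int(exp) < now:          # expired assertion, reject
        return None
    expected = hmac.new(key, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time compare
        return None
    return user
```

Mutual TLS between services or a signed token (such as a JWT) minted by the gateway is the usual production answer; the HMAC here shows the minimum that stops a header from being forged inside the VPC.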

I worked for a bit in an org that was agglomerated into CISA. Let's just say PKI integration continues to be infeasibly difficult for most projects, especially small ones. (And cost is very, very much a concern. Be honest, do you want your taxes going into a project where it isn't?)

  • In the context of secrets getting lost with access to a number of sensitive systems, yes, I do think they could spend maybe a bit more money.

    • "A bit more" is not comparable to "money is no concern". Either way, no amount of money can replace good judgment, which is what was actually lacking: if nothing else, judgment in who to hire.

Not all "government" systems are the same. They're rated in terms of impact level and data classification. Classified systems can't be logged into outside of SCIFs anyway and have no outgoing connection to the Internet. Unclassified systems at IL5 require certificate auth with a government-issued smart card. IL4 requires endpoint attestation but can otherwise use normal username/password auth. Lower impact levels are not as heavily secured. I would have expected they at least require MFA to access the AWS API, but even that depends. A lot of times accounts will be split between production and non-production with MFA required on the production accounts, but work done purely for experimentation, platform development, or other non-user facing things that don't touch real data might not even be in GovCloud since the commercial accounts are cheaper.