
Why the way American Government Contracting works makes cybersecurity there not secure at all

NSA contractor Harold T. Martin III has been arrested for allegedly taking classified documents, files, and possibly devices from the NSA. While there has been speculation that he might have been the source of the recent leak of a large cache of NSA tools on the internet, including some of the agency's best hacking tools, current reports suggest he may simply have been hoarding the material with no particular intention of selling it. So he might have just been curious and a collector of such things.

That Mr Martin worked for Booz Allen Hamilton brings new scrutiny to that government contractor, because Edward Snowden worked there too.

So let’s take a look at Booz Allen Hamilton (BAH) and the government contracting business in Washington and you will get an understanding of why the NSA, FBI, and Pentagon probably do not operate as efficiently as shown in the movies.

Our Insider explains why Government Security Does not Work Well
The author of this article is in a position to know: he worked on several short-term government projects and held a very low-level security clearance. (The agency was the IRS, the tax agency. Some IRS employees got into trouble there for looking up celebrities' tax records. We never had access to tax data, and there was no network route to it. For us, the only things treated as secret were IP addresses and the locations of the IRS data centers.)

Several problems impede the efficiency of cybersecurity, or any kind of IT, in Washington. First, the people best qualified for the job do not seek employment there. Second, government internal IT procedures are so clumsy that it is difficult to get anything done. Third, the best IT businesses do not win, nor do they seek, IT contracts with the US government. Instead businesses like BAH, CSC, IBM (no longer a technology leader) and Lockheed Martin (whose IT division is not very good either) go after this kind of business. They spend much effort studying how to win government contracts and little looking to recruit the best people. As we will see, the best people probably could not get a security clearance anyway.

The Difficulty of Getting a Security Clearance
You might remember that hackers stole data from the American Office of Personnel Management in 2015. That has not been talked about much since, but it still has serious implications for security, because the stolen data covered everyone who had applied for a security clearance over many years. They may even have President Obama's file, and those of Edward Snowden and Harold T. Martin III. Whoever holds that data could blackmail these people, since the files contain their most private details.

On those forms applicants are supposed to list everywhere they have lived, all their foreign travel and foreign contacts, and all their relatives. They are asked very personal questions: whether they have seen a psychiatrist or received counseling, whether they have used illegal drugs, and how much alcohol they consume. Investigators are then supposed to go around and talk to their neighbors and former employers, although there is some question of how thorough the follow-up really is. They certainly do not follow up on references in India or elsewhere in Asia, as investigators do not travel there, and a large share of programmers in the USA, perhaps 30%, are Indian immigrants.


Needless to say, not many partying fraternity boys, who tend to become leaders in our culture, can pass this kind of scrutiny. So either people lie on the form or they apply and get rejected. Not many lie, as lying on it is a crime that can get you sent to jail. Steve Jobs, who took a lot of LSD, could not have gotten a job at the NSA or BAH. Neither could Sean Parker or Steve Case.

The Anti-Startup Environment at US Government Agencies
In the USA, the best qualified people generally do not work for government agencies, because the agencies are too bureaucratic. Someone used to, say, the Silicon Valley startup culture would go crazy there on finding that the internet tools and methods they rely on are prohibited on government projects.

To give an example, at most of these agencies there are two network cables connected to your workstation, each a different color. One gives fairly open internet access; the other is the classified or internal network. On that network you cannot use Twitter or StackOverflow, or copy code from pastebin.com.

Where I worked, we were not allowed to touch any of the production computers. Instead we built our programs in the development environment. Then we had to submit all of it as a packaged script, sometimes with written manual instructions, which was pushed to production by IBM's Tivoli software. Today the easy way to do this would be Docker containers with Ansible or Puppet. But those tools are normally fed from internet-hosted package repositories and image registries, which a disconnected network cannot reach unless they are mirrored inside it.

Working with IBM Tivoli was awkward. Much of the time you had to repeat the process several times until it worked, and you had to depend on someone else to run it. To make matters worse, it took weeks to fill out all the paperwork and get approval to push any change to production. We had meetings of 50 to 100 people each week to discuss changes. Very few of the attendees had anything to do with actual computers; they worked on the change management process and nothing else. The manager of the cybersecurity project I worked on would sometimes fall asleep in these meetings, and my team leader did literally nothing but plan where he would go to lunch each day.
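The hand-off described above, where developers package a change and someone else runs it in production, only works as a control if the operations side can confirm that the package it received is exactly the one that was submitted and approved. The following is an added example, not code from the original article or from IBM Tivoli: it builds a manifest of SHA-256 file hashes, seals the manifest with an HMAC under a key that (by assumption) both sides hold, and verifies the package before anything runs. The package contents are constructed in a temporary directory.

```python
"""
Added example (not code from the original article or from IBM Tivoli):
seal a change package with a hash manifest so the production side can
verify it before running anything. The package layout and the pre-shared
key are assumptions; the files are constructed in a temporary directory.
"""
from __future__ import annotations
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"

def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _listing(pkg_dir: Path) -> dict:
    """Relative path -> SHA-256 for every file in the package except the manifest."""
    return {p.relative_to(pkg_dir).as_posix(): _sha256(p)
            for p in sorted(pkg_dir.rglob("*")) if p.is_file() and p.name != MANIFEST}

def _tag(files: dict, key: bytes) -> str:
    # Canonical JSON so both sides MAC exactly the same bytes.
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(pkg_dir: Path, key: bytes) -> dict:
    """Development side: hash every file and seal the listing with an HMAC."""
    files = _listing(pkg_dir)
    manifest = {"files": files, "hmac": _tag(files, key)}
    (pkg_dir / MANIFEST).write_text(json.dumps(manifest, sort_keys=True))
    return manifest

def verify_package(pkg_dir: Path, key: bytes) -> list[str]:
    """Operations side: return a list of problems; an empty list means intact."""
    try:
        manifest = json.loads((pkg_dir / MANIFEST).read_text())
    except (OSError, ValueError) as e:
        return [f"manifest unreadable: {e}"]
    files = manifest.get("files", {})
    problems = []
    if not hmac.compare_digest(_tag(files, key), str(manifest.get("hmac", ""))):
        problems.append("manifest HMAC mismatch")
    for rel, digest in files.items():
        p = pkg_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif _sha256(p) != digest:
            problems.append(f"modified: {rel}")
    # Files on disk that the manifest never listed are just as suspicious.
    for extra in sorted(set(_listing(pkg_dir)) - set(files)):
        problems.append(f"unlisted: {extra}")
    return problems

def demo() -> dict:
    key = b"pre-shared-key-held-by-dev-and-ops"   # assumption for the demo
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp)
        (pkg / "deploy.sh").write_text("#!/bin/sh\necho deploying\n")
        (pkg / "README.txt").write_text("Step 1: run deploy.sh\n")
        build_manifest(pkg, key)
        clean = verify_package(pkg, key)
        # Tampering in transit: change the script, slip in an extra file.
        (pkg / "deploy.sh").write_text("#!/bin/sh\necho something else\n")
        (pkg / "extra.sh").write_text("echo unlisted\n")
        tampered = verify_package(pkg, key)
        # Cover-up attempt: rewrite the manifest with fresh hashes but no key.
        forged = {"files": _listing(pkg), "hmac": "0" * 64}
        (pkg / MANIFEST).write_text(json.dumps(forged))
        covered = verify_package(pkg, key)
    return {"clean": clean, "tampered": tampered, "forged_manifest": covered}

if __name__ == "__main__":
    for case, problems in demo().items():
        print(f"{case}: {problems or 'OK'}")
```

The untouched package verifies clean; the tampered one is flagged for the modified script and the unlisted file; rewriting the manifest to cover the changes fails on the HMAC because the key is missing. With an HMAC, whoever can verify can also forge, so on a real dev/prod boundary a signature with a key pair is the better choice: production holds only the public key.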

If anything did break in production, contractors were not allowed to fix it. Instead we had to get operations people on the phone and literally tell them what to type. (Where I worked they were government employees, though they could equally have been contractors.) You have to understand that in the USA the government is often called the "employer of last resort." Everyone needs a job, and I am happy the government will hire them. But the people the government hired to run operations were usually people who could not get a job anywhere else, and dictating commands to them one letter or word at a time over the phone was extremely difficult. They were that slow.

Beltway Contractors
The highway that circles Washington is called the Capital Beltway, and the many firms that feed off government contracts there are nicknamed "Beltway Bandits." Some of these contracts are awarded on a set-aside basis: firms owned by women and minorities are given preference for certain contracts, though not for all. Needless to say, that does not include Google or Yahoo.

I can illustrate this with an example. I was working with CSC to implement the HP ArcSight cybersecurity product at the IRS. CSC packed so many unqualified people onto the project that soon they were billing the IRS $100,000 per month.

I know this because one of the people processing the invoices told me. She is an American citizen who grew up in Romania. Interestingly, her previous job had been at the NSA during the wars in the former Yugoslavia, listening in as the Serbian and Croatian militaries talked on the radio, recording that, and transcribing it. She told me she often felt sick doing it, as she heard some horrible and very private things.

The IRS had already deployed ArcSight for its network devices. That part works well enough, because you can install the connector that corresponds to the device, such as an F5 load balancer, and be done with at least that part. Getting ArcSight to ingest logs from custom in-house applications is far more complicated and time-consuming: each application needs its own parser (an ArcSight FlexConnector) written and maintained. In my experience it does not work well at all, and it has since fallen out of fashion; ELK (Elasticsearch, Logstash, and Kibana) works better.
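The distinction drawn above, device logs that a ready-made connector understands versus application logs that need a hand-written parser, is what the following added example shows. It is not code from the original article or from HP/ArcSight: it parses two constructed log lines, one in the F5 BIG-IP syslog layout and one from a hypothetical in-house login service whose key=value format is an assumption, and emits each as an ArcSight Common Event Format (CEF) record. A line matching neither format is reported rather than silently dropped.

```python
"""
Added example (not code from the original article or from HP/ArcSight):
normalize raw log lines into ArcSight's Common Event Format (CEF).
The device line follows the F5 BIG-IP syslog layout; the application
line's layout and field names are an assumption for a hypothetical
in-house "login-svc" service. Both sample lines are constructed.
"""
import re

# CEF header: CEF:Version|Vendor|Product|Version|EventClassID|Name|Severity|ext
# A literal '|' or '\' inside a header field must be backslash-escaped.
def _esc_header(value) -> str:
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

# Extension values escape '=' and '\'; line breaks are written as \n.
def _esc_ext(value) -> str:
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))

def to_cef(vendor, product, version, event_id, name, severity, ext: dict) -> str:
    header = "|".join(_esc_header(x) for x in
                      ("CEF:0", vendor, product, version, event_id, name, severity))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"{header}|{extension}"

# F5 BIG-IP syslog line: "<ts> <host> <level> <proc>[pid]: <msgid>:<sev>: <text>"
F5_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msgid>[0-9a-f]{8}):(?P<sev>\d): (?P<msg>.*)$")
# The digit after the message id is a syslog-style level (0=emerg .. 7=debug);
# CEF severity runs 0..10, so map it roughly.
F5_SEV = {"0": 10, "1": 9, "2": 8, "3": 7, "4": 5, "5": 3, "6": 2, "7": 1}
IP_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")

def parse_f5(m) -> str:
    d = m.groupdict()
    ext = {"dvchost": d["host"]}
    ip = IP_RE.search(d["msg"])
    if ip:
        ext["src"] = ip.group(1)
    ext["msg"] = d["msg"]
    return to_cef("F5", "BIG-IP", "unknown", d["msgid"], d["msg"], F5_SEV[d["sev"]], ext)

# Hypothetical application line (assumed format): '<iso-ts> <service> k=v k="quoted v" ...'
APP_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<svc>[\w-]+) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
APP_SEV = {"DEBUG": 1, "INFO": 3, "WARN": 5, "ERROR": 8, "FATAL": 10}
# The application's own field names mapped onto CEF extension keys.
FIELD_MAP = {"user": "suser", "src": "src", "dst": "dst", "reason": "msg"}

def parse_kv(text: str) -> dict:
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(text)}

def parse_app(m) -> str:
    kv = parse_kv(m.group("kv"))
    if "event" not in kv:
        raise ValueError("application line has no event field")
    ext = {FIELD_MAP[k]: v for k, v in kv.items() if k in FIELD_MAP}
    return to_cef("Example", m.group("svc"), "unknown", kv["event"], kv["event"],
                  APP_SEV.get(kv.get("level", "INFO"), 3), ext)

def normalize(line: str) -> str:
    m = F5_RE.match(line)
    if m:
        return parse_f5(m)
    m = APP_RE.match(line)
    if m:
        return parse_app(m)
    raise ValueError(f"unrecognized log format: {line!r}")

def normalize_batch(lines) -> tuple:
    """Return (cef_records, rejected_lines); unparseable lines are kept, not dropped."""
    cef, rejected = [], []
    for line in lines:
        try:
            cef.append(normalize(line))
        except ValueError:
            rejected.append(line)
    return cef, rejected

# Constructed sample input.
SAMPLE_LINES = [
    "Oct  5 14:02:11 bigip01 warning tmm[1234]: 01260026:4: "
    "No SSL certificate available for TCP 10.0.0.5:443 from 10.1.1.7",
    '2016-10-05T14:02:12Z login-svc level=WARN event=auth_failure '
    'user=jsmith src=10.1.1.7 reason="bad password"',
    "random garbage the SIEM cannot parse",
]

if __name__ == "__main__":
    records, rejected = normalize_batch(SAMPLE_LINES)
    for r in records:
        print(r)
    print("rejected:", rejected)
```

The F5 line needs only a regular expression that mirrors a published format. The application line needs the service's own field names mapped onto CEF keys (suser, src, msg), and that mapping is the part that has to be written and maintained for every in-house application. The rejected list is the thing to watch in production: a line the SIEM cannot parse produces no event, and therefore no alert.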

So after spending millions of dollars the IRS dismissed CSC from the project long before we had anything working, and brought in a minority-owned firm to take it over. The problem is not that the new contractor was minority-owned. The problem is that many of these companies are simply too small to undertake something this large. They had perhaps 100 people; CSC has 56,000 employees. Nor would the firm have dedicated all of its resources to the ArcSight project. Of course, they would have hired contractors to do the work.

Another example is IBM. By 2010, when I stopped working at the IRS, IBM had been removed from the project to modernize the software that calculates people's taxes. The core of the American tax system, the Individual Master File, is one enormous flat file. That is right: it does not even use a database. Parts of the system have since been moved into a database, but when I left, IBM had not managed to migrate even one small piece of the code that actually calculates the taxes. That system is still written in decades-old assembly language and COBOL. IBM tried to rewrite it in C++, which in hindsight was a poor decision, as Java would have been much simpler.

One wonders, and even hopes, that the NSA, FBI, Secret Service, etc. bend the rules on occasion to get the people they need and give them access. To have the best cyber defense they need to hire creative and intelligent people, including some who have smoked marijuana and even some with a criminal record for actual hacking.

Edward Snowden had root (administrator) access to NSA computers. Since then the agency has made changes so that two people are required to log in for some operations. Many of those computers run SELinux. SELinux is not a separate version of Linux; it is a mandatory access control extension to the Linux kernel, originally developed by the NSA and released as open source, and a correctly written policy can confine even root, which is exactly why it matters in that setting. It has been part of the mainline kernel since version 2.6 (2003), so any current Linux distribution can run it for free. Linus Torvalds, the creator of Linux and the person who approves all kernel changes, declined to merge the NSA's original SELinux patches directly and asked instead for a generic hook framework; that became the Linux Security Modules (LSM) interface that SELinux now plugs into.

So you can see that the way the US government does IT is not as sophisticated as Tom Cruise and his gang breaking into the CIA or the Kremlin.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
