Monday, 06 May 2013 11:27

Military Contractors Say The Risk is Worth Saving the Cost of Security


Over the last few years we have followed the sorry state of cyber security in both corporate and governmental systems and have always been surprised at the solutions that they have presented. For some reason these groups want to remove responsibility from themselves for making sure their data (which in some cases is your data) is secure. This lack of corporate responsibility has led to misguided bills, acts and other nonsense that will still not do anything to stem the tide of security breaches. One of the most famous examples of this is QinetiQ.

For those of you who have not heard about them, QinetiQ is a military contractor that has designed many combat systems and security systems for the US. This company was also hacked repeatedly over a span of about 3-4 years and had massive amounts of secret data stolen. The fact that QinetiQ was unable to do anything about the hacks is an embarrassment, considering that they have had several contracts to provide cyber security systems!

The details of the hack have spread around the internet thanks to the length of the attack and also due to a hack by Anonymous on HBGary. HBGary was one of the security groups brought in by QinetiQ to help stop the breaches. Anonymous managed to grab and publish a large number of emails from HBGary some of which covered the happenings at QinetiQ. In the wake of this many of the security companies that worked to help QinetiQ have come forward to tell parts of the story almost as if they are seeking to protect their own reputations.

In short, the attacks happened because of a certain type of mindset which plagues many organizations once they reach a certain size. This is the one that allows them to overlook security in favor of maximizing profits. Now I am all for a business making money, but not at the expense of their clients. That is simply unprofessional and unethical. In the case of QinetiQ, they had unpatched systems which allowed hackers to gain entry into their systems. Once the hackers got in, QinetiQ waited too long to try to shut them down and ignored many signs of continued access.

It seems that correcting these issues and working to mitigate future attacks was just not worth the cost. We are not talking about a mom and pop store here; we are talking about a company that is often awarded multi-million dollar contracts to build highly sensitive equipment and also to put cyber security systems in place. You would think that their systems would be very secure (no system is completely secure). You would also think that critical information would be stored in a network that was not accessible to the public internet (and has limited access from the internal LAN). This is security 101 and not a complicated leap of logic.

QinetiQ was not the only contractor (or security consultant) to fall victim to the risk vs. cost way of thinking. It seems that during the time frame that these hackers were making QinetiQ their bitch they were also hitting up many others that also should know better, including (as we mentioned) HBGary. It is a mystery to us that they (QinetiQ) are still being allowed to provide consulting and contract services considering that they could not stop a 4-year hack. Reports say that almost all of the systems they created have been compromised. This means that someone could replicate them or, worse, find ways to disable them with the data they have.

Strangely enough the group that is responsible for seeing if they should be banned does not have the technical staff or knowledge to investigate this. Yup you read right, the US State Department does not have the ability to determine if QinetiQ should be banned from bidding on future contracts due to negligence. These are also some of the same people that are pushing for more control over the internet instead of making it the responsibility of the companies who have been hired to develop these secret technologies. I guess that they have not figured out that any “internet wide” system would end up being as vulnerable as these incompetent companies when it comes to security.

What makes all of this even worse is the sad fact that these are only the breaches we have heard about. Most breaches of government or military contractors are classified, so the details are never made public. However, if some of the estimates are right, then almost every military contractor has been hacked and US secrets have been compromised. Why this is not the focus of Congress is a mystery; instead they appear to be working on ways to protect movie and recording studios from the dangers of piracy. In the meantime, requiring contractors to ensure higher levels of security is not even talked about.


Last modified on Monday, 06 May 2013 12:16
