Re: Commission on Cybersecurity for the 44th Presidency and your right to cyber (security)

[travis+ml-dailydave () subspacefield org]

On Tue, Aug 31, 2010 at 07:18:54PM -0700, Michal Zalewski wrote:
> It's not as much that I suspect the government has questionable
> motives, of course; this is best left to the Slashdot crowd :P Rather,
> I feel that particularly when it comes to IT, it's plagued by problems
> far more profound that these plaguing the private sector. There are
> reasons why they have so much difficulty hiring security talent, and
> it has very little to do with any sort of a stigma associated with
> govt jobs.

Summary:

Government: We need cyber-security, put out a contract for bids.
CompanyA: We can do it for $120k/seat.
CompanyB: We can do it for $100k/seat.
CompanyC: We can do it for $140k/seat.
Government: SELECT * FROM CONTRACTOR ORDER BY COST_PER_SEAT;
CompanyB: Find us the people who are arguably qualified, and
          will work for a maximum of $50k, fill out an EPSQ,
          submit to a SSBI, and whose poo doesn't stink.
          Nobody who who has used the word "hacker" need apply.
          Nobody who has used bittorrent need apply.
          Nobody who looks odd need apply.
          No foreign nationals need apply.
          Nobody with ties of obligation to foreign nat'ls need apply.
          You need to know shell scripting and vi.
          And you'll relo to DC, MD, Northern VA, or some red state
          where land is really cheap, senators really influential, and
          sheep really scared.
          Leave your ipods, cell phones, thumb drives and laptops at home.
          You'll be working 12-hour shifts, and have to arrange vacation
          by trading days with co-workers.
          And don't think of using printer, FAX or email for personal
          use; we take FW&A very seriously.

Three years later:
Government: OMG, CompanyB is charging $120k/seat, put it up for bids.
CompanyA: We can do it for $100k/seat.
CompanyB: We can do it for $110k/seat.
CompanyC: We can do it for $120k/seat.
Government: SELECT * FROM CONTRACTOR ORDER BY COST_PER_SEAT;
CompanyB: You're all fired.
CompanyA: Hire half the employees of CompanyB, but decrease their
          salary by 20%.  Make sure they're glad to have jobs.

Employee perspective:
No incentive to do better, because government won't ever pay
contracting company more for above-average performance.  But
heaven forbid you mess up.

Result:
Massive CYA and buck-passing.
Marginally-qualified employees (with some exceptions, of course)
Exact minimum work required by contract.
Highly qualified employees leave for greener pastures.
-- 
It asked me for my race, so I wrote in "human". -- The Beastie Boys
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john () subspacefield org to get blacklisted.

Attachment: _bin
Description:

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave