Red Tape and Bureaucracy - That's What's Wrong With Us
by Bluefossil
In the Autumn 2024 issue, lg0p89 asks us what's wrong. Why are people leaving cybersecurity? Why is the supply of qualified and skilled cybersecurity professionals dwindling? Is it a lack of passion, desire, interest? Absolutely not. AI and automation? Maybe just a little, but no, that's not the main issue either. The author goes on to suggest that political forces likely play a large part in this challenge. I am here to both confirm and expand on this theory.
lg0p89's experience with a county municipality closely mirrors my experience working in a very similar capacity with a city municipality. If people had any clue what goes on in their local governments... anyway, I digress. Let's stay on topic. Being responsible for the network security infrastructure of a city with a population of over 250,000 people was quite interesting at times. Not only was I responsible for securing public library kiosks against malware, city attorney PCs, and city judge and courtroom PCs, but also a full 911 call center and all public safety departments, including police and fire, just to name a few. When I first took on this responsibility, I was amazed to find that those public library kiosk PCs had direct SMB access to improperly configured file shares that the courtrooms across town had set up to share docket information between attorneys and judges. So much for privacy. (I wish I was making this stuff up.)
Children would often find creative ways to bypass group policy and change desktop wallpapers or do any number of other stupid things to the public kiosks. When we headed down a path to properly secure those systems, you would not believe the amount of pushback received from library staff. Something as simple as URL filtering to prevent accessing pornography was met with objection. After all, adults must be able to use public resources to access any Internet resources they desire. We literally had to set up "adult access" kiosk stations in a separate section of the libraries where adults could request unfiltered Internet access to get their pornography fix while at the public library. After all, what else is the Internet for if not porn and cats? (I wish I was making this stuff up.)
The police stations and officers were some of the worst when it came to bureaucracy. Side note - ironically, laptops, desktops, and other IT equipment were over three times more likely to get "lost" if assigned to the police department than to any other department throughout the entire city. Briefing room PCs had to have access to Candy Crush (I guess to provide officers with a way to de-stress while on break?), and God forbid you block a patrol officer's access to any website. Yes, we had divisions that worked on sex trafficking, child pornography, and other horrendous crimes, and yes, they needed access to Tor, deep web sites, Craigslist, and wherever else, but I never understood why the motorcycle patrol needed to be able to access Netflix. (I wish I was making this stuff up.)
For every attempt to secure the network and minimize risk, there was always an equal and greater rebuttal to leave everything alone. Whether it was department heads, the city manager, or even the city council, I could never enact even the most basic security best practices without a fight. I thought it was just this dysfunctional city. Then I moved into the security vendor space working for a global organization supporting State, Local, and EDucation (SLED) customers, and boy did I quickly find out that it wasn't just my city that was dysfunctional - it was every city, county, and state municipality, and don't even get me started on the education space.
The good cybersecurity professionals know what needs to be done - and know how to make it happen, and in many cases do make it happen, only to be hit with red tape and bureaucracy and directed to undo it all. Then, when the malware infects, the files get encrypted, or the library patrons start printing out confidential court documents, who do you think gets blamed?
It's no wonder we get burned out. Many of us are super passionate about the industry. I don't know about you, but I still get extra excited at every opportunity to perform a red team engagement. But red tape and politics will only let you get so far before you get burned one too many times and start considering a new role in auto mechanics, welding, or plumbing (all trades where we can still use our logical minds and troubleshooting skills).
Oh, and by the way, PIN-to-PIN messaging is not an effective way to avoid open records requests!