from Pro@programming.dev to cybersecurity@sh.itjust.works on 30 Aug 12:34
https://programming.dev/post/36577117
cross-posted from: programming.dev/post/36577114
FEMA Chief Information Officer (CIO) Charles Armstrong, Chief Information Security Officer (CISO) Gregory Edwards, and 22 other FEMA IT employees directly responsible were immediately terminated.
While conducting a routine cybersecurity review, the DHS Office of the Chief Information Officer (OCIO) discovered significant security vulnerabilities that gave a threat actor access to FEMA’s network. The investigation uncovered several severe lapses in security that allowed the threat actor to breach FEMA’s network and threaten the entire Department and the nation as a whole.
The entrenched bureaucrats who led FEMA’s IT team for decades resisted any efforts to fix the problem. Instead, they avoided scheduled inspections and lied to officials about the scope and scale of the cyber vulnerabilities.
Failures included: an agency-wide lack of multi-factor authentication, use of prohibited legacy protocols, failing to fix known and critical vulnerabilities, and inadequate operational visibility.
FEMA spent nearly half a billion dollars on IT and cybersecurity measures in Fiscal Year 2025 alone and delivered virtually nothing for the American people. Despite burning hundreds of millions of taxpayer dollars, FEMA’s IT leadership still neglected its basic duties and exposed the entire Department to cyberattacks.
While I have little sympathy for them if the accusations are true, cutting all those people at the same time is just stupid and dangerous. Hopefully there’s still people around who know how the systems work…
It’s Nazi sidekick Kristi Noem. I have little doubt this is all part of the coup to purge antifascists from the ranks of every agency.
Or let some doors open so their Russian masters will be able to get in without triggering any alarm.
So these guys wouldn’t or couldn’t hand over some data or install some malware or something?
Who actually trusts this moron cunt to even understand what happened?
Coming from the woman who as the head of a government department was quoted as saying “You can’t trust the government”, and had to be reminded by Dana Bash that “you are the government”.
She forgot her new talking points after being appointed. She reel smrt.
The lady who killed a puppy for a performance issue has butchered an entire IT department for performance issues. Who could have guessed such a reaction? They’re lucky she didn’t take them to a quarry.
I work daily with federal agencies, and state and local governments specifically in cyber security. There is absolutely no way that an agency such as FEMA would be able to both spend what is claimed and also not deliver any results for “decades”.
Additionally, firing dozens of IT staff does not begin to address their issues and likely just caused a mass exodus of integral knowledge of their environment.
So DOGE goes in and messes everything up, allowing Russia to easily get in, and then they blame it on FEMA employees as a good excuse to remove actual professionals that weren't hired by the regime, aka non-sycophants?
And we’re just supposed to trust the word of a partisan hack. Ya, no.
I do get that there is a lot of intransigence in Federal IT. I was an IT and IS contractor for a couple sites within the US FedGov and there were places where “that’s the way we’ve always done it” was the trump card for any proposed change. And this led to some abysmal security practices which should have resulted in a lot of management getting shown the door (and mostly not just IT/IS management, culture gets set from the top). And I’ve worked at others where we had a large staff of folks whose entire job was ensuring compliance with all required cybersecurity controls and documentation. While I’ll be one of the first to state that compliance is not security, I also have yet to see a site which got security mostly right which didn’t also have compliance on lock. If you are doing things the right way, compliance is actually pretty easy to achieve, since good documentation is the foundation of security. If you go into a site and they can’t even spell CMDB, expect a shitshow.
So ya, if the DHS team went to FEMA’s IT team and started asking for network diagrams, data flow diagrams, system and network baseline checklists and system documentation, and the FEMA IT team’s response was, “sorry, we don’t have that”, then yes, I would get cleaning house. Though, I’d have started by figuring out if the problem is the IT team just not getting it done; or, if the IT team was prevented from getting it done. My experience has been that IT teams are willing to patch and correct configurations; but, this means downtime and risk to applications. So, upper management will side with the application owners who want five nines uptime on a “best effort” budget, which ends up blocking patching and configuration changes. Also, if the IT team is spending 40 hours a week putting out fires and dealing with the blow-back from accumulated technical debt, that’s an upper management problem.
The problem, of course, is that the DHS is led by a two-bit partisan hack. And this administration is known for straight up lying to clear the board for its own partisan interests. I have zero faith that they did any sort of good faith analysis of the FEMA IT department. Especially since this is the same administration which gave us Russian compromised DOGE servers.