Every teensy thing about nearly every federal official has been shared with at least one somebody.
As an engineer of computer systems and programmer, that tells me that our government is no longer secure*, meaning it may not function as expected by cause of conflicting interests in employees, or passwords guessed because of family names and dates, … In general, nothing our government does henceforth can be depended upon to work even as well as usual.
An insecure system cannot be trusted to do the wishes of the owners and operators. If someone can write into my program space, my program will stop doing as I specified, and its failure may cause loss. If my program’s code is known by that attacker, my program very likely can be made to do their wishes. If either condition is true, I should stop using that program immediately.
Soon we will hear the inevitable statement, just as we did about the worlds’ standard Operating System, “No problems we haven’t seen before, more intensive checking will handle them”. No, no, no. Dealing with security where OMB has done a careful job in security vetting is equivalent to dealing with systems of very good software. That forces any opposition to dig, the game is logistics, the rate they find bugs they can exploit defines the defenders work load and rate of emergencies.
But security where the OMB database has been shared is equivalent to a buggy OS with the software available for inspection.** The forces in opposition have a walk in the park, just like they do with the world’s most popular and buggy OS. A hacker’s dream, a spy’s dream. So many leads to follow, the defense will now be overwhelmed with attacks. In security, attack will always ultimately prevail over defense. It only takes one chink in the armor one time, and your system is compromised.
If my car can be controlled against my wishes by outside agencies from anywhere in the world, my car is not secure and may be used as a weapon against me or others. If I have competent enemies, I certainly should not be driving that car.
Our government has competent adversaries in controlling its cash flows, at least. Some might want a foreign policy adjustment or two, and even welcome some kind of distraction in our interests to aid that.
A government compromised is a government far too dangerous to its citizens and allies to be allowed to function.
We have a compromised government. We can’t be sure who is controlling the accelerator, brake, steering.
Shut it down quick. It was time to replace it anyway, the parasitic kleptocracy had become old and overgrown. Ugly, too.
Security of other entities now and future must avoid the contamination of employees with interests aligned with adversaries. At a minimum, no Federal Employee whose name is in that database (how many resigned, retired, separated people were in the database?) may join any current or future government, nor their relatives through first-cousin level of genetic or family relationships.
*Secrecy is an interesting concept in an age in which every less-than-public bit of information is hidden by layers of buggy logic. In a world of buggy software, fallible sysadmins and imperfect ability to read people’s motives, all secrets will ultimately become known. Security can only hope that is far enough in the future that it has no negative political effect. Snowdens are hated because they make noise, the rest of it is normal spy game.
**There is no equivalent that I know of. All of the open-source OSs have quality software as measured by tools such as static analysis checkers. For example, the Coverity tool finds a bug rate of .68 / 1000 lines of code in the Linux kernel. Admittedly, the tool and the code co-evolved so the rate would be difficult to achieve in other code, but the last company whose code I checked with that tool had a rate of 25 bugs per 1000 lines. Their engineer’s lives were dominated by bugs, was a hard place to accomplish anything, had a high turnover in engineers and VPs.
Window’s code is not known to attackers. Every major exploit turns out to have one or more ‘zero-day’ bugs at its heart, the rate of finding new access mechanisms does not appear to have diminished. That is buggy.
Finally, this is a strong indication that our government’s standards for security aren’t very good to begin with.
Added later : This is the House Oversight Committee’s view of the problem.