CISA broke into a US federal agency, and no one noticed for a full 5 months

CISA red-team breach and detection gaps

  • Commenters note the agency only knew of the breach because CISA told them, arguing the headline could drop the “for 5 months” qualifier: without the red team's report, the breach would never have been noticed.
  • The linked CISA advisory’s “lessons learned” are seen as generic: weak controls, poor logging/analysis, bureaucratic friction, over-reliance on “known bad” signatures.
  • Some argue those issues were almost certainly known internally beforehand; the problem is communication, prioritization, and lack of capacity to fix them.

Structural and organizational problems

  • Multiple posts stress that root causes are organizational and political, not just technical.
  • Bureaucratic processes, decentralized teams, and rigid budgets make it hard to implement and maintain better security controls.
  • There is skepticism that generic recommendations (“implement sufficient controls”) can drive lasting change without fixing incentives and structures.

Funding, spending, and scale

  • Disagreement over claims that US agencies are “underfunded”:
    • One side points to huge overall federal spending and high per-capita outlays.
    • Others reply that what matters is per-agency budgets, rigid earmarks, and purchasing power; big defense budgets don’t help civil agencies’ IT.
  • Some argue the US government does too much and should cut or consolidate agencies and functions; others counter that this would reduce already-limited capacity.

Talent, pay, and working conditions

  • Strong consensus that federal tech pay lags private sector significantly, especially for experienced engineers and security specialists.
  • Pay scales, locality adjustments, mandatory pension contributions, and hiring constraints make it hard to attract or retain senior technologists.
  • Benefits are viewed as solid by some but not enough to offset lower pay, drug testing / clearance burdens, and heavy bureaucracy.
  • Several note burnout, “failing upward,” and difficulty advancing as key reasons strong people leave.

Centralization, contractors, and waste

  • Some advocate centralizing IT (e.g., under a shared service) to reduce duplication and improve security; others warn this creates single points of failure and stifling standardization.
  • Many criticize reliance on large contractors: agencies can’t hire skilled staff at market rates, so they buy the same talent via integrators at large markups, feeding inefficiency.

Comparisons to private sector security

  • Commenters note that private companies are also breached frequently; government isn’t uniquely bad but operates under more constraints.
  • Broader critiques target current computing paradigms (insecure by design, legacy dependencies) and lack of strong incentives for industry-wide security improvements.