
Tech Firms Seek Washington’s Prized Asset: Top-Secret Clearances - SREinSF
https://www.bloomberg.com/news/articles/2017-10-23/tech-firms-seek-washington-s-prized-asset-top-secret-clearances
======
jlgaddis
The article uses the Russia election situation as an example, but one doesn't
need a clearance -- or any classified information, for that matter -- in order
to prevent a large number of these recent "hacks" or, at the least, make the
attackers work much harder to be successful.

When companies can't even be bothered to install security updates on
public-facing applications or web sites (cf. Equifax), is anyone really surprised
that they're being broken into and having all their private data stolen?

In my experience, these public/private information sharing "partnerships" are
heavily weighted in the government's favor. That is, the private companies
share their detailed, specific data with the government but the information
that the government shares with the private companies is laughable. When I was
on the "receiving end", it was typically bulletins and notifications that were
vague and lacked enough detail to actually be useful or actionable (and even
those were limited with regard to distribution).

It's been a few years since I was involved with that stuff so perhaps things
have changed. I would be really surprised if they have, though.

In addition, it seems to me that this is a good way for the government to get
these tech companies to "go along with" some of their "requests". Oh, you have
some private data that the government would like to have access to but you
don't want to turn it over? Or, the government has a "black box" they want you
to install in your network but you don't want to? Boy, it sure would be a
shame if your employees' security clearances got denied, wouldn't it?

~~~
nataz
In order to conduct an appropriate vulnerability assessment, you need to be
able to classify your adversaries' capabilities and motivations. That's hard to
do without some kind of privileged information. Only then can you get down to
the stuff that most people think of when they talk about "security" - e.g.
the risk mitigation and countermeasures.

Edit - added text

To continue the point, the Russia example is important. Individual commercial
ventures are not set up to handle state level attacks. Any company that thinks
they are is going to be in for a rude awakening.

Worse, companies like Google and Facebook are going to be vulnerable by their
very design and function.

Sure, the credit bureau hacks are bad, but truthfully that's only the tip of
the iceberg as far as consequences.

I'm not discounting your point that you may have found government cooperation
unhelpful, but I will say if you are one of these large companies that could
be the target of a state level actor, you are going to want a state level
actor on your side. And in the US that means you are going to have to have
employees with access, which means you are going to need to have a government
sponsor for clearances.

------
throwaway225
For those in this thread that are confused about what the tech companies could be
looking for with these cleared people, let me give you an example. I used to
work for a company that ran DNS services for public utilities, i.e. "critical
infrastructure". Every week we would get a classified list of "bad" domains
(usually domains that malware would phone home to) from a 3 letter agency and
we would notify the utilities if we saw any DNS requests for those domains
from any of their computers. Only cleared personnel were allowed to see the
list or touch any of the computers that saw the list in any way.

A tech company that wanted to work with a 3 letter agency to see such a list
in order to protect their own infrastructure would need cleared personnel and
a SCIF (the windowless air-gapped rooms that cleared people work from) to even
talk to the agency about a list.

~~~
docandrew
I think the article created a lot of the confusion. Having access to cleared
people is important to companies primarily for winning lucrative government
contracts. For example, if a 3 letter agency wants to implement a cloud
service on an air-gapped intranet, or award a contract to implement
social-media algorithms to suss out terrorist networks, they'll look to companies
with that sort of expertise. But if those companies don't have a corps of
cleared employees, they're out of the running. Having said that, having
trustworthy employees (which a clearance implies, but does not guarantee)
might be valuable to companies not dealing with classified information, but
the article left out the real reason that companies are heavily invested in
recruiting people with clearances.

------
nimbius
This article makes the asinine inference that hiring a TS worker somehow
magically grants you access to TS data. SF-86 makes it perfectly clear: you can
be tried for treason up to and including capital punishment for leaking state
secrets at the TS level. The information is on a need-to-know basis and
requires the company be certified by DISA, NSA, and cleared to have a
compartmentalized government facility that includes an FSO and yearly DoD
inspections. The government also chooses you for classified work and sensitive
data. Not the other way around.

------
metaphor
> The average annual salary for a systems engineer working for the U.S.
> government with a security clearance is about $119,000...

In other words, the _average_ USG systems engineer is roughly a GS-14 Step 6
based on 2017 Rest-of-US locality...GTFO with this garbage.

~~~
trdtaylor1
Most with that high of clearance are working in the DC area, one of the
highest locality pay areas in the country.

~~~
metaphor
For USG systems engineers, clearance level has zero impact on compensation;
you either have it or you don't.

> Most with that high of clearance are working in the DC area...

For a systems engineer based on 2017 DC locality, that's
lead-/supervisory-level GS-14 Step 3, or working-level GS-13 at the tail end of
a _long_ career in government...hardly an _average_.

------
walshemj
Article is wrong: if you had clearance, you don't get to transfer it if you move
to a civilian job, is my understanding.

So is there an equivalent to List X companies in the USA who are allowed to put
staff through clearance?

And for TS clearance, I doubt that any dual national other than those because
of birth circumstances will be getting clearance any time soon, which sucks for
SV company employees who are immigrants.

~~~
CalChris
You are mistaken. Security clearances go with the person and not the job.
Indeed, there’s an entire industry available to people with the correct
clearance. Yeah, there's paperwork to do when you move to a new job.

[https://www.state.gov/m/ds/clearances/c10977.htm#9](https://www.state.gov/m/ds/clearances/c10977.htm#9)

[https://www.clearancejobs.com/](https://www.clearancejobs.com/)

For example, Edward Snowden had a clearance and worked for a private company,
Booz Allen, after first working for the NSA as a security guard, then the CIA.

~~~
eradicatethots
The first link you have makes it sound like clearance does not transfer,
unless I’m reading it wrong.

~~~
CalChris
_Security clearances only apply to positions that fall under the purview of
the federal government._

_Under the purview_ doesn't mean that you are employed directly by the US
Government. Again, from the example, Snowden had a clearance from his previous
employment. Yeah, it had to get transferred but he didn't have to get
re-cleared all over again.

~~~
eradicatethots
Ah ok. Thanks for explaining that to me.

