
Here’s how that sounds to anyone with security experience: “Before the bank president gave his nephew the vault keys, somebody must have had access as well.”

Federal IT has tons of policies designed to prevent unauthorized access and mistakes. People go through background checks, they only work on secured networks using official devices, everything is logged and audited, and circumventing it is a crime with penalties potentially leading to jail time. Some of those policies have strong legal requirements for oversight: even if you’re not doing anything other than your job, the agency needs to be able to show how work is done to auditors, Congress, FOIA requests, etc. Anything with national security implications should be designed to prevent a single compromised person from being able to avoid detection, too, especially for people trusted with administrative access to IT systems.

These guys are widely reported to be using personal emails and devices (violating the record and transparency laws) and even if they’re acting entirely in good faith they are bypassing policies designed to contain the damage due to mistakes. For example, what happens if one of them gets an email with an attachment claiming to have evidence of politically incorrect activities and runs the payload on a device/network which has had safeguards removed by executive fiat?





