That's the primary thing a contractor does: get breached. They also cost the same as an employee, but are usually less talented or at least less integrated within the organization. Somehow, the moment you become an executive, contractors become an appealing option due to some unknowable black magic.
That "black magic" is just different budget pools.
Taxpayers and shareholders hate seeing lots of highly paid people on the payroll, so instead you have very few full-time employees (usually managers) who fit within your limited hiring budget dictated from the top, to show you're a lean and responsible organization that doesn't waste money, and then you have a lot of even more expensive external contractors to balance your needs that are part of a different budget that's less scrutinized because those are not YOUR employees; they're just soulless bills in an Excel sheet, like the ones for catering, cleaning, maintenance, etc., which are rubber-stamped and nobody looks at.
Blame our capitalist society for hating to see people on the payroll, assuming it automatically means inefficiency.
And even better, contractors often cost VASTLY MORE than an employee because you've got a shit ton of middle man overhead to cover (their HR, their benefits, their managers, etc).
It's darkly funny how much of modern business management is really just knowing how to get the right numbers in front of the right people. I've worked at far too many places that have someone who ONLY looks at payroll and wants to make sure it doesn't go up too much. "Everything else" isn't their concern, so all those projects get bloated with consultants that just fall under project budgets.
Contractors are appealing because they don't have the same legal liabilities or expectations as an employee. You don't have to worry about PTO, 401k, healthcare, sick days, overworking, family leave, mandatory breaks, respecting any unionization attempts, etc. You don't have to worry about withholding their wages for things like taxes, social security, etc.
"That's the primary thing a contractor does: get breached. They also cost the same as an employee, but are usually less talented"
Is this exclusive to government work?
In my industry the employees are the people who are less talented and basically have to stick around at the same job until retirement. They "don't think they can learn a new job".
Despite being allies, a big reason why Americans do not trust or share sensitive information with South Korea is that whatever they share always ends up in North Korea and China.
But perhaps the biggest enablers of these security lapses aren't just the shoddy cybersecurity management but the political environment.
Any time you try to fix or address an issue, the opposition party will take a contrarian stance without merit.
No political party in America will disagree with the events of 9/11, yet in South Korea a disagreeing/contrarian stance is the default because they have a premature understanding of what democracy is (e.g. https://en.wikipedia.org/wiki/ROKS_Cheonan_sinking - imagine if a major American political party started refuting the events of 9/11 and defending Al Qaeda!).
So it's no wonder that stuff like this will result in no arrests and waste valuable tax dollars.
A lot of Korean govt tech is also just protected by defense in depth instead of strong principles. It's kinda sad that Japanese organizations, which by most standards are much further behind SK in digitization, tend to at least have half-decent security fundamentals. Hell, a misconfigured key exchange in their switch took down the entire government for 4 days because they couldn't even find it.
One jarring thing I heard from friends is the hacky MDM the ROKA would try to install on phones of conscripts who are serving. Instead of undermining the default security measures they should just ban all outside interconnected devices or buy a half decent MDM instead, but then again the contract wouldn't go to some politically connected dev consultancy.
ROKA (and a lot of Korean government institutions) are just plain incompetent at long term maintenance tbh (which makes sense as most infra in SK is newish - only 30-50 years old at most).
They should also just end KATUSA which is clearly being abused by the politically connected.
Also, given the poor quality of English education in SK, most KATUSA candidates will inevitably be from the well-educated and upper rungs of Korean society, as they have more of the resources needed to give that head start.
Don’t be too sure about your assessment of American politics. We have one major political party who is at least half in the bag for Russia during a war of aggression.
>they have premature understanding of what democracy is
SK's problem is that, unlike Japan with the zaibatsu, there was basically no movement/attempt to delimit the powers of the chaebols. Result: your "average" SK person is quite happy to launch into "deep state" related topics and has been ready to do so for the last (at least) 20 years. I've spent quite a bit of time there, and a lot of the people I met have "shady oligarchy nudges the country" as their default image of the political landscape.
I have no idea what to do about tech security. The holes will seemingly always exist unless we go back to safety critical code.
It's far easier to be a hacker than a programmer of the same economic/political influence. You can take the second or third tier of programmers and they will be able to get you into a system.
My only thought is to only prevent non-anonymous entry, require some real-world presence, and have captchas between commands... This doesn't scale.
The main problem is that most companies are still not spending anywhere near enough on cyber. Even the big boys (mostly because until they actually get hacked they have no idea how much value they have at risk, and IMO gov fines for this are nowhere near big enough), like systemic banks, are way behind where they really need to be.
The problem with cybersecurity is that if you have no breaches it's a "great" item for some striver manager to cut, and if you get breached the budget will go up, but the guy in the cybersecurity department will at a minimum get told off and held back, and likely fired.
One of my latest gigs was on Third-Party Security. For years and years companies (especially banks) were giving little to no attention to third-party security/privacy. I've happily seen that over the past 5 years most (mega-big) banks have taken it "all the way up to 11".
Hackers are smart people, why hack company X with 50 people on their SOC and not hack a vendor that is lazy and clumsy? (and in some cases it's 5 guys with laptops behind a cheap never-hardened router in some random country)
These aren't street cops, this is South Korea's national police agency, not unlike the FBI. They have the expertise and resources to investigate internet crimes, and an 8 billion dollar budget. And they also sometimes work with international partners.
Well, yes, but not really. Also, please elaborate... and assuming that the police of country X have evidence that the hackers are in country Y, it's not "that" easy to get them arrested, tried, and convicted. Is it?
I mean...it literally says in the title they're from N. Korea. So it's not like we don't know where they are, and we all know the US government can do mostly fuck all about that, so not sure what point OP was trying to make.