Securing govt systems means knowing when to defend against nation states vs lower-risk actors. DOGE may have seen hosting Numident on a private server as easier for collaboration, but it gutted defenses against threat actors. In govt tech, national security concerns aren't optional.

Typically the most well funded threat actors are foreign nation state based attackers. These threat actors have the resources to break into even major tech platform infrastructure, despite significant investments in cyber security practices, infrastructure, and testing.

Cybersecurity is about increasing the cost of attack based on threat models and threat actors. Breaking into a flashlight app is cheap; breaching a bank system is expensive. A lone hacker might crack an unsecured site, but it would take a well-resourced team to steal protected personal data.

To be fair, major breaches happen all the time in the private sector, and when they happen, companies quietly clean up after breaches. In general, you can’t perfectly secure any system because humans are involved and humans are usually the weakest link from a security perspective.

But you don’t know who’s around or who may have followed you to the park bench. The big risk isn’t just that someone follows you and takes all the passports, it's also that someone hides in the bushes near the bench to carefully watch what you and your friends do with the passports.

It’s like taking all the passports of all Americans and leaving them out on a public park bench somewhere so that it’s easier for your friends to look at all the passports. You convince yourself this is fine because you haven’t told anyone other than your friends where the park bench is.

New report, with case studies, from @ann-lewis.bsky.social: www.niskanencenter.org/how-to-save-...

And apologies to all the senior government officials who then had to sit through me earnestly explaining what cache invalidation is so they could understand the reference.