The laxness of infosec in government continues to astonish me. It's not like these types of attacks are new either. I can only assume that the people in charge of infosec in such situations are bureaucrats without much technical knowledge.
It's a failing of the American condition. The country was founded by radical conspiracy theorist farmers that didn't want to pay taxes. Distrusting government is in our national ethos. It pervades to this day in the form of governments generally being staffed with people too incompetent for private sectors. The pay sucks. It's hard to get raises. It's hard to do anything because Americans hate taxes; they'll help their neighbors, but they won't help those they can't see beyond their porch. There's little personal incentive to work in local/state governments. And that's partly how we end up with events like this.
> It's a failing of the American condition. The country was founded by radical conspiracy theorist farmers that didn't want to pay taxes. Distrusting government is in our national ethos.
Not true at all. Distrust of government is a relatively new phenomenon in American politics. It can be traced back to Reagan's infamous "The most terrifying words in the English language are: I'm from the government and I'm here to help" quote. This is because Reagan strictly believed in small government, and wanted to limit government interference in most things.
Before Reagan, Americans had no issues trusting government to solve big problems or accomplish major goals. See the Space Race, and Roosevelt's New Deal policies two decades before that. American people were largely optimistic about those endeavors because they trusted their government.
One time I accidentally left in an HTML tag when adding a note on the Social Security website. That page got messed up and would no longer load properly. I just stopped using it since I didn't want to report it and get in trouble. It was shocking that they fail to do even the most basic input sanitization.
The decision makers are the city council and the mayor.
If none of these people have the knowledge to make an informed decision, they will defer to either internal IT staff (if that even exists), or their contracted MSP.
I seriously doubt there is much, if any, proactive coordination between the council and IT.
I think it’s basically the same problem as small businesses: people have this psychological expectation that “I’m too small to target.” They don’t realize that they are just another IP address or email address in a sea of IP/email addresses that is being automatically targeted every hour of every day.