Like Jon Taffer stress-testing a bar, the Trump administration is sending in a lot of orders, and the customers are getting concerned about the quality.
One of the more recent Trump administration executive orders, issued on Feb. 26, introduces a Department of Government Efficiency (DOGE) initiative that calls for each federal agency to create a unified platform to manage contract and grant payments.
For security pros and former government IT practitioners who spoke with IT Brew, having a single payment review technology leaves the concerning possibility of a single point of failure.
“Distributed systems are good in that they’re distributed. And if you compromise one, you don’t get the whole farm, right? Well, they’re creating the farm,” Mike Hamilton, field CISO at Lumifi Cyber and former CISO for the City of Seattle, told us.
Order up! The order calls for agencies to build their own centralized technological system “to seamlessly record every payment issued by the agency pursuant to each of the agency’s covered contracts and grants,” along with written justifications for each payment.
The mandate, the administration claims, is part of a larger effort to transform federal spending “on contracts, grants, and loans to ensure government spending is transparent and government employees are accountable to the American public.”
Fast times. DOGE efforts have arrived with swift deadlines. The statement called for each agency head to review contracts and grants within 30 days of the order. Another Feb. 26 memo regarding “reductions in force” said agency heads must develop “agency reorganization plans” by March 13.
To achieve agency mandates for a central platform, Hamilton predicts the use of a cloud-based repository for multiple distributed payment systems. Speedy development can lead to mistakes—access-control errors came to the CISO’s mind.
“There is a possibility that they will do this right, but the emphasis on speed here is not the friend of security,” Hamilton said.
Around 10% of incidents studied in Verizon’s most recent data breach investigations report featured “misconfiguration.”
CrowdStrike’s annual threat report, released a few weeks ago, found a 26% increase in “new and unattributed cloud intrusions,” when comparing 2024 to 2023 data.
Clear! Tony Monell, VP of public sector at cyber risk platform Black Kite, and previously a senior advisor of cyber policy in the Office of the Under Secretary of Defense, sees threat actors turning transparency efforts into opportunities for surveillance.
“Transparency is meant to do something good, to inform taxpayers…of what government’s supposed to do. But that’s how adversaries essentially go to work,” Monell told us.
“If this is acquired by another country all of a sudden, they have all this information on who is doing what for the federal government. And if they want to infiltrate a project and backdoor some product that’s being developed for the federal government, they know exactly what company to go to,” Hamilton said, considering the risks of a centralized payment-review system.
In early Dec. 2024, third-party identity management provider BeyondTrust notified the US Treasury of a compromised key and potential exposure of certain user workstations and documents.
Both the FBI and research firms have found the government sector to be a popular recent ransomware target.
Too loud. One problem related to an administration proud to announce its IT plans: Everyone, including threat actors, can hear it.
The more you advertise a centralized system containing sensitive data, the more people are going to be curious about that centralized system, according to Bryce Slaughter, GuidePoint Security’s team lead for automated security validation and former Navy senior cyber defense analyst.
“To me, that screams ‘I’ve now put a target on my own back.’”