This is one of my favorite USDS stories: Very quickly in my career at USDS I developed a reputation for being a person you could send out an SOS distress call to, not so much inside USDS itself but externally with contractors and different government partners. There’s a fair amount of backstabbing in the government, even in the civil service. Whenever you chose to reach out to a 3rd party to ask for help you were taking a risk that the person you reached out to would screw you over. Just because DC doesn’t have a palace doesn’t mean we don’t have palace intrigues.
Anyway, one day this group of security researchers reached out to me and let me know that the agency they were working with was being actively targeted by domestic white supremacists. They had alerted the appropriate people and made recommendations but were getting the runaround. The website the white supremacists were interested in targeting had thousands of known security vulnerabilities, but it also had a very specific launch date, non-negotiable and written into law (this is a stupidly common thing in government). Leadership did not want to stop development work to fix security issues, but they also could not be seen to be ignoring security issues. Especially not thousands of them. So they would engage with the researchers, put on this big performance with meetings and field trips and PowerPoint decks, and then do nothing.
And they were doing this on multiple fronts, slow-walking both external consultants and government oversight authorities. It wasn’t a situation where we could report the problem up to one of the many organizations in charge of information security in the federal government. Everyone who could be called upon to apply pressure was already aware of the situation and applying maximum pressure.
I suggested we let the FBI know and see if they could block the potential attackers for us without worrying about the website. No crime had yet been committed, so the FBI couldn’t technically do anything about the threats. But they do track this kind of information and perhaps what the security researchers had could support other investigations. It took me a couple of weeks to find the right contact and reach out. After establishing that he was on the relevant…