It is also not because of the likelihood that a similarly opportunistic and amoral corporate culture is endemic to the entire sector - a suspicion made more credible after noticing that the leaked proposal uses the letterhead of another government-friendly company, Palantir, and generously credits a third one: Berico.
No, that's not it. The reason why I am frightened is the emergence of a new class of government contractors - a class that depends on the perpetration of an alluring, yet completely irrelevant belief: that an incredibly sophisticated and determined adversary is constantly scheming to wage a devastating cyber-war against everything we hold dear.
It is an ugly truth: for the past 10 or 15 years, the security industry has made virtually no progress in helping large organizations deal not with Bond-esque villains, but with the simple threat of bored kids and geeks with an agenda - their most significant, and most unpredictable foe. It is tempting to frame the constant stream of high-profile failures as proof of the evolution of your adversary. But when you realize that almost every single large institution can probably be compromised by a moderately skilled attacker, this explanation just does not ring true.
The inability to solve this increasingly pressing problem is no reason to celebrate - and even less of a reason to push for preposterous, unnecessary spending on silly intelligence services, or to promote overreaching and ill-defined regulation. If anything, it is a reason to reflect on our mistakes and perhaps go back to the drawing board. But between all the talk of cyber-jihad and APT, this unpleasant message is easy to overlook.
On the flip side, the difficulty of securing a complex enterprise hardly applies to specialized, well-funded security outlets: that one problem is easy to fix. These companies should have an abundance of expertise and resources to tightly manage and monitor their relatively small and self-contained networks. Similarly, their employees can be reasonably expected to exercise above-average restraint and a good dose of common sense. It is an uncomplicated matter of living up to your own bold claims.
From this perspective, the purported details of the attack on HBGary - a horribly vulnerable, obscure CMS; unpatched internal systems; careless password reuse across corporate systems and Twitter or LinkedIn; and trivial susceptibility to e-mail phishing - are truly fascinating details. These tidbits seem to imply either extreme cynicism on the part of their staff... or an unbelievable level of cluelessness. And from a broader perspective, both of these options are pretty scary.
Oh, the ironic part? Despite all the lofty rhetoric, it looks like, in the end, they have been undone by just a bunch of bored kids.