Comment Some of the list (Score 1) 65

1. "Add public keys to major services"
The security services just use their own or find others or find the users.
2. Build better random number generators
Yet strange limits seem to be added to many public and private crypto-like product efforts every decade. From banking to what shipped with personal computers.
3. Expand trusted hardware
That gets found and upgraded while in the safe hands of the trusted global postage or delivery services. (supply-chain interdiction/Tailored Access Operations).
4. Add Merkle trees to the file system
More logging, tracking and understanding of any network or site helps. The main issue is who gets to see the files after an event? Domestic or federal investigators just take it all away to cover parallel construction or another gov/mil access?
Many of the more skilled nations are opting for their own code, designing their own CPU and networking hardware to escape most of the more direct ways into their own existing networks.

Comment Re:Perspective helps when talking about large numb (Score 1) 154

Re "Why is this news? I'm all for efficiency, but savings that small are not worth it in a budget that freaking large"
Go back over the years of getting:
"That year, about $280 million worth of satellite capability was bought outside the DISA process. If the GAO is correct, then the military could have gotten that same service for about $45 million less."
Back to 1990? 2000? 2010? The decades add up. The billions of $ needed just to buy into the private sector can be very expensive.
The linked "DOD Needs Additional Information to Improve Procurements" at http://www.gao.gov/products/GA... had a "Full Report" pdf
http://www.gao.gov/assets/680/... has:
"DISA also estimated that if DOD used a capital lease or purchase of a single band satellite based on commercially available technology, the department could avoid
costs of about $4.5 billion over 15 years compared to the current baseline.
This was the lowest cost alternative identified by the analysis."

Comment Re:Waste of Time vs Waste of Money (Score 1) 154

The numbers have been around for years in public. The US gov/mil is fixated on buying from the private sector every decade.
"The High Frontier" (Broadcast: 02/05/2005)
"Outer space is open for business. It’s a booming $50 billion a year industry"
http://www.abc.net.au/4corners...
from the transcript at http://www.abc.net.au/4corners...
".. makes $100,000,000 a year, buying and selling airtime on communication satellites. ...."

Submission + - Ashley Madison Hackers Threaten Release Of All Data Unless Site Closes (krebsonsecurity.com)

heretic108 writes: According to KrebsOnSecurity, the infamous Ashley Madison affairs hookup website has been hacked by a group calling itself The Impact Team. This group is demanding the immediate and permanent shutdown of Ashley Madison, as well as a related site Established Man, or else they will publicly release all customer personal data.

Comment Re:The problem is systemic (Score 1) 36

Re "So what is necessary to address the problem?"
A strong compartmentalized, air gapped database that has real human oversight? The US can make and run that for every agency, department and project it needs to over decades.
They don't leak by design. Nobody networks out with plain text anything. Every access internally is logged. There is no external access.
It seems the US wanted a database, networked and usable. Who would want such a networked database?
If you need a contractor with skills and it's not logged, that's a positive for projects that needed a lot of staff in different parts of the world at some time in the past.
Internally staff feel they can look up anything. A great way to see is looking up what and why while they feel like it's an open network at their desk.
Great for testing and seeing who is looking for what when alone. Hard to do if they have a person next to them and an encrypted time limited window that's logged by default.
Re What will actually happen?
A wait to see who goes looking over huge lists of interesting sounding fictional projects.
For an Operation Bodyguard https://en.wikipedia.org/wiki/... to work the mix has to be interesting.

Comment Re:You know what would set them straight? (Score 1) 36

The US and UK have had great wins with other nations skilled staff.
Some insights can be seen with the 1945-early 1950's use of German, Italian and other staff to help with cryptography.
Induced, motivated and rewarded, they saved the US and UK years of work with ready, working solutions to French, Soviet and other nations' post-WW2 crypto.
TICOM (Target Intelligence Committee) https://en.wikipedia.org/wiki/...
Operation Stella Polaris https://en.wikipedia.org/wiki/...
The US and UK then advanced this idea of trusting other nations staff to Australia, New Zealand, Canada. Their top crypto experts got to share with the USA and UK and their work was rewarded over decades.
Staff in France and West Germany soon got the same offers and the results can now be more understood. The US and UK got total look down in plain text over allied nations thanks to trusted work with trusted foreigners.
Decades later French and German political leaders finally understand the reality of their own secure crypto and communications networks.
The US and UK don't allow databases to walk, they create easy to read information to test their own and other nations' "trusted" staff.
Anything found, searched, used is bait. But the bait has to be believable and irresistible at low clearance level. Just not useful at any real clearance level.
Everyone involved has to believe it is a real leak of some real value. Political leaders and contractors have to be public in their real reactions. Sock puppets on social media have to offer their "it was real but fixable" spin. Just find the correct contractors, add more funding, over time.. and the boss's new security product.
How hard would it be to load up a massive database of past projects linked to past operations in parts of the world of no future concern?
Add in a lot of fakes and trackable data in an outward facing network and see how everyone interesting reacts.
Other nations, internal staff, social media. Keep pushing the message that the data is really real.

Comment Welcome to the big honeypot (Score 0) 36

If the U.S. government wants a server to be secured, it is, as designed, run, used.
The US lectured its more trusted allies in the 1950-2010's about keeping their own and all shared projects very secure.
The Soviet Union, Russia, China did not get far when trying to look into real US networks, systems without the direct help of local staff who had turned or were deep cover.
So the US could, can and in the future can design and run very secure networks of any size or standard when needed.

Why the sudden political and media interest in network security? US cleared staff have to understand that a 'list' trap is set, baited and will be tested.
Anyone on the vast low level 'digital' security list might get a chat down from two or more people who fit the caricature of foreigners with a story, files, backgrounds and an offer....
In changing economic times, with an understanding of security, staff might be tempted as the approach could be real and a great way to gain personal wealth.
US staff now know every low level security validation is going to be re-tested, reviewed, re-interviewed, approached, chatted down as a list by expert contractors and gov officials.
The only reaction now is to report any approach. The US has secured a generation against approaches by other nations.

All the data in the wild is bait. Projects, places, events, dates. Everything at that level is set up to be trackable internally and externally.
To work as bait it has to be readable in English, usable over time by staff on internal networks in English and usable over the US at job fairs, contractors, operations needing staff, staff being given clearances as they change from gov to mil to private sector and back.
The other reaction is to test internal US networks and all staff levels as they react to the very 'real' 'news' of reviews.
Is someone in middle or upper management getting fixated looking up their own past, names, other names? Why?
Another test is to see how social media tracking and planted cover stories over years can handle the interest.
Cleared staff are being tested. How do they react to the media attention? What are they searching for on work and public networks?
Or not looking for when all their colleagues are.

Comment Why the changes (Score 1) 165

The "managed very differently" aspect is just a new set of fancy expensive contractors with new security products to sell or rent.
Gov using contractors to watch over skilled contractors as they help gov upgrade to expensive new security.

The covert side of the gov and mil wanted the skills but no questions, no paper trail, no project names, multiple social security numbers, social media magic and an instant job interface between the public and private sector. That was harder to create but offers stories to different covert groups long term.

The private sector also needed ways to escape paying all the local wages. Why not just hire a local cleared front company and have a long tail of cheap supply globally while meeting all the paperwork. Disassembled and recreated with all the local paperwork. Multinationals could then front for mil/gov grade work using lower wages and have the same legal standing for any mil/gov contract without traditional domestic costs.

The result is a perfect method of hiding projects, hiding global support by contractors for different projects, keeping costs hidden, reducing local wage claims and making top staff feel they are not being tracked.
At their level as they have passed all the tests and are trusted alone, with vast plain text databases...
Cleared staff feel they have an open database to traverse looking up projects and names without being logged. How they use access has been watched for decades.
The freedom to look at open, plain text databases allows 'everyone' to look at fake names, fake projects, fake tasks, fake support requests that are all traps waiting for any sign of being searched for at any level on any network.
The national media attention about leaks might induce random cleared staff to look up a wide variety of projects and names... and that can be noted.
The new classifying system is not designed to be understood. It is designed to understand and test every cleared worker all the time while offering freedom to the private sector, hide covert needs from all and keep security contractors funded.

It's not a new idea. The UK tried it in the 1910-40's, rapid expansion, new technology, experts, rushed language support. The win was understanding most embassy work/codes in use in Europe as used. The downside is the loss of internal vetting control long term.

Comment managed very differently (Score 1) 2

The managed very differently is just a new set of contractors with new security products to sell or rent.
Gov using contractors to watch over skilled contractors as they help gov upgrade security.

The covert side of the gov and mil wanted the skills but no questions, no paper trail, no project names, multiple social security numbers, social media magic and an instant job interface between the public and private sector.

The private sector was sick of paying all the local wages. Why not just hire a local cleared front company and have a long tail of cheap supply globally while meeting all the paperwork. Disassembled and recreated with all the local paperwork. Multinationals could then front for mil/gov grade work using lower wages and have the same legal standing for any mil/gov contract without traditional domestic costs.
The result is a perfect storm of hiding projects, hiding global support by contractors for different projects, keeping costs hidden and making top staff feel they are not being tracked. At their level as they have passed all the tests and are trusted alone, with vast plain text databases...
The new classifying system is not designed to be understood. It is designed to understand and test every cleared worker all the time while offering freedom to the private sector, hide covert needs from all and keep security.

It's not a new idea. The UK tried it in the 1910-40's, rapid expansion, new technology, experts, rushed language support. The win was understanding most embassy work/codes in use in Europe as used. The downside is the loss of internal vetting control long term.

Comment Re:New tools needed (Score 1) 56

Re "just needed a new source"
How many nations are setting up front group "contractors" and "private sector" teams that are a direct link back to their own military counterintelligence units?
Watching diverse state and federal police forces offer complex tenders for and accept code that's then used live around the world.
Front door, back door, trap door, skylight.... just watching day to day network use would be useful to see what is being whitelisted, tracked or allowed to go under-patched for weeks, months, years...

Submission + - British data retention and surveillance act ruled illegal under European law (ibtimes.co.uk)

An anonymous reader writes: The UK's High Court has ruled the government's new data surveillance law is "inconsistent with EU law" following an appeal by politicians.

The Data Retention and Investigatory Powers Act (Dripa) gave the police and security services the right to access phone and internet records in the interest of public safety.

is not compatible with a section of the European Convention on Human Rights (ECHR) which gives the right to respect privacy as well as the protection of personal data.

The High Court has now ruled in favor of the politicians, who were also backed by human rights group Liberty, and declared that Dripa is inconsistent with EU law. The government now has until March 2016 to change the legislation.

Comment Re:So wait... (Score 1) 58

Re "have jurisdiction over citizens of ... "
Most of the gifts and joint efforts establish a long term foothold in other nations. A nation of interest gets upgrades to secure networks, fast new software that always needs "free" updates and upgrades.
Local staff are then invited on fact finding trips to learn more about 'very' advanced methods and return with new ideas and more news about emerging technology.
Over time the trips become routine to meet with their new colleagues.
Who uses the systems diligently or is much more cautious about sharing local methods and the best informant details long term. The question of local files or the vast shared network.
Some advice can be offered over who has a good working relationship with and might get promoted locally.
Hearts and minds over many decades. Free offers of further education, funding, trips go far. Military intelligence and all vital counter surveillance teams would be getting the same help.
Jurisdiction becomes a friendly request between "international" staff who have known each other for years as their bosses did.

Submission + - New RC4 Encryption Attacks Reduces Plaintext Recovery Time (threatpost.com)

msm1267 writes: Two Belgian security researchers from the University of Leuven have driven new nails into the coffin of the RC4 encryption algorithm. A published paper, expected to be delivered at the upcoming USENIX Security Symposium next month in Washington, D.C., describes new attacks against RC4 that allow an attacker to capture a victim’s cookie and decrypt it in a much shorter amount of time than was previously possible.

The paper “All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS,” written by Mathy Vanhoef and Frank Piessens, explains the discovery of new biases in the algorithm that led to attacks breaking encryption on websites running TLS with RC4, as well as the WPA-TKIP, the Wi-Fi Protected Access Temporal Key Integrity Protocol.

Comment Re:US govt considers chip tech vital to natl secur (Score 1) 35

AC, it depends on how much the US gov screams globally about dumping product, national security and keeping top quality local jobs in the USA again this decade.
It becomes very expensive just to keep the paperwork, legal teams, export controls around US R and D teams.
Sooner or later a generational hardware change will see other nations like Canada, Israel, Australia, South Korea, France, Taiwan just offer the same expert export focused campus deals. Top experts, a much more understanding local tax system and no questions about: national security, export production lines, where the final product is made.
Production can shift to any nation with low cost workers and design can spread to nations that are more understanding of a multinational's needs and trending global sales.
Most nations have fully understood how Japan was treated in the 1980's and 1990's over computer related design and exports.
