Doug Petersen Writer, Technologist, and Uneasy Citizen of Oceania

4Jul/131

“People May Die”

Secretary of State John Kerry insists that "people may die" as a result of Edward Snowden releasing classified information about NSA surveillance. On the other hand, people may not die. We don’t know. What we do know, however, is that others have fallen woefully short of their responsibility to secure our most sensitive data. If people die, Edward Snowden does not bear that responsibility alone.

State secrets weren’t stolen by Jesse James, Oceans 11, Darth Vader, Michael Corleone or The Joker. Nope. Edward Snowden. One would have expected the National Security Agency (NSA) to have assembled the best technology, practices and team to secure state secrets. Nope. Edward Snowden. High school drop-out. Junior college drop out. Low-level consultant with little tenure working for a private contractor recently reprimanded by the U.S. Air Force for "Systemic Ethical Deficiencies." And who was it again that spirited away top secret information? Edward Snowden.

The government has a need and a responsibility to protect classified information. And the technologies, expertise, standards and policies necessary to protect that information do exist within the U.S. government. It is, therefore, reasonable to conclude that it must have been a lack of leadership and management that made the Snowden leaks possible.

The Snowdens of the world have no business deciding whether or not classified information is released to the public. But Snowden isn’t the first leaker. And the frequency of leaks seems to be increasing. Perhaps leaks are a result of conscientious people growing uneasy with the types of activities in which the government is engaged. Or the growing opacity with which government operates. Or a reaction to the use of machinery put in place to spy on foreigners now being used to spy on citizens. Or political enemies of the administration being targeted by government agencies. Or the FBI using drones to spy on citizens. It may be none of those things or the cumulative weight of all of them. There is a reason. And these leaks are occurring despite an administration that zealously prosecutes leakers. So leakers, at great personal risk, are breaking the law, misguided or not, to make information available to the public.

Edward Snowden, however, should never have been in a position to leak anything. And someone other than Snowden owns the responsibility for that. So others have also failed to meet their obligations to employer and country. Perhaps not consciously. Perhaps not maliciously. But they have clearly failed. Snowden purportedly acted for altruistic reasons. But why did government officials and private contractors fail to meet their obligations? We can’t know what excuses they might yet offer but a great many security breaches are the result of complacency, apathy or ignorance. The public spin, however, often cites budget constraints. Expect to hear it again. But don’t buy it. None of those excuses are palatable. Not complacency, apathy, ignorance or budget. If you can’t afford to properly protect it, you have no business managing it! Collecting and storing data under such circumstances is little more than doing the legwork for foreign enemies and criminal enterprises.

The government doesn’t want to admit their incompetence or complicity. That’s why the public will be encouraged to focus on Snowden. But focusing on Snowden will be done at the expense of the bigger problem. The bigger problem is how incompetently our state secrets are being secured.

In considering to whom one might also assign blame, any number of basic security questions could be asked, including: Who was responsible for authorizing and granting such privileged access rights to a low-level consultant? Who was responsible for managing keys used to access classified systems and data? And, most importantly, who was ultimately responsible for ensuring that state secrets were properly secured? Someone was.

Readers with little appetite for technical detail only need to understand that generally accepted best practices do exist and are routinely used to avoid Snowden-like security breaches. Many of those practices have been authored by government agencies such as the National Institute of Standards and Technology (NIST). And both government and business regularly employ these practices for reasons far less important than national security.

Virtually all professionals charged with the responsibility of securing data understand the security controls described below and that those controls likely would have stopped Snowden. Snowden’s employer, Booz Allen Hamilton (BAH), is no doubt familiar with these controls. And we’re not talking about spy-novel sophistication here. We’re talking about fundamental security controls such as Dual Control and Data Leak Prevention.

Dual Control is a process of utilizing two or more persons, operating in concert, to protect sensitive functions or information whereby no single entity is able to access or utilize the materials being controlled (think “missile launch scene” in a movie where two officers must collaborate to complete the job).

Data Leak Prevention systems are commonly deployed in both government and business. DLP systems detect data ex-filtration by monitoring, detecting and blocking the access of sensitive data in order to avoid disclosure to unauthorized personnel either by malicious intent or inadvertent mistake.

Once a security breach occurs, governments and businesses have incident handling procedures for controlling damage. Part of that includes public relations. But listening to government officials claiming they are going to implement policies designed to “make sure this never happens again” is nauseating. It’s also disingenuous. That tired old spin is, of course, designed to make the public believe they are working overtime to devise something new. The truth is that the controls and policies that are needed have existed for years. And virtually all security officers and system administrators in government or private industry already understand them. They only need to be properly implemented. One can only reasonably conclude that existing policies and best practices were willfully ignored.

Our government expects, and often demands through regulation, that industries such as financial services and healthcare adhere to security practices like those described above. Yet, apparently, they do not hold the NSA to similar standards. How can they not have implemented common security best practices? That notion elicits visions of aging spies twiddling Cap’n Crunch decoder rings. It’s sloppy. It’s unprofessional. It’s the equivalent of malpractice. It’s negligent.

As a society, we hold negligent drivers accountable for life and limb. Ship captains for the loss of precious cargo and environmental damage. And malpractice is a form of negligence for which physicians are commonly prosecuted. Where’s the accountability here?

In assigning blame, one could start by singling out NSA Director General Keith Alexander who just recently claimed he “didn’t know who Wikileaks are.” If that’s true, he has no business being the Director General and, if false, you have to question why government officials are motivated to mislead the public.

The next target for blame should probably be those government officials responsible for the oversight of Booz Allen Hamilton. Unfortunately, the practice of outsourcing work to private contractors seems to have been twisted into an outsourcing of responsibility. If responsibility has been outsourced, what value is being provided by government officials? When something goes wrong, those officials simply decry the failure, promise to get to the bottom of it, and to fix it so it never happens again. It must be nice to have a professional position with no responsibility. Convenient that failure has no consequence. Our government officials seem able to outsource accountability into thin air. When the music stops, no one is held accountable!

Next in line would be everyone at BAH who failed to observe common security practices. The granting of access rights was clearly inappropriate. DLP controls were clearly not implemented. The practice of Dual Control could not have been observed. BAH needs to fully explain what their role was in the Snowden leak. And sympathy for BAH is going to be tough to find since the Air Force only recently lifted their suspension for "Systemic Ethical Deficiencies."

Diversion may or may not be a centerpiece of NSA’s damage control efforts but as long as the light is shining on Edward Snowden, the NSA as well as its employees and agents will probably not be held accountable and the myths that deficiencies have been addressed and data secured will be propagated.

Edward Snowden doesn’t have the swagger of Oceans 11, Darth Vader, Michael Corleone, Jesse James or The Joker. But when it comes to procuring state secrets, there are others who do. China, Wikileaks, Anonymous and Russian hackers to name a few. Government officials, the NSA and private contractors such as Booz Allen Hamilton had better start meeting their responsibilities. If people die, Edward Snowden does not bear that responsibility alone.

Comments (1) Trackbacks (0)
  1. Very well written article. Too often we see outsourcing contributing to lesser qualified personnel who do not embrace the competence, pride and integrity to do the right thing. Outsourcing might seem to be cheaper but many times the money for cheaper help results in issues such as this…. and the extra money saved from outsourcing goes into the pockets of those making the decisions to outsource instead of into better ways of protecting the deficiencies or fixing issues/problems….as the old saying goes…you get what you pay for… Your statement, “If you can’t properly protect it, you have no business managing it” speaks volumes. We often see the shifting of blame as mentioned in your article…fingers pointing to fingers…pointing to fingers without getting to the bottom of facing responsibility.


Leave a comment


No trackbacks yet.

Follow me on Twitter

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Blogroll

Hangouts

Categories

Archives

Add Link to Facebook