The national security state has, to put it mildly, “flipped its shit” over Edward Snowden. And in information security, where I work, it’s become de rigeur to call Snowden’s actions a wake-up call. But, really? It’s more like a snooze alarm.
I still encounter people who think that the government must have great security. After all, the NSA blah blah blah – and you saw that data center Tom Cruise broke into in Mission Impossible, blah blah. The reality is a lot more prosaic. It’s just data centers managed by people, storing data created and used by people, accessing it from systems managed and used by people. The weakest link remains: people. The second weakest links is: people (specifically in the form of executive management’s lack of vision)
The CIA is understandably mum about what happened with Aldrich Ames, though it sounds like he obtained necessary clearances then copied some really sensitive top secret files to his computer, made a floppy disk of them, and walked out of the building with it. Then he contacted the Societ embassy through channels he had learned about during his CIA work, and started selling them the data. It was a simple “need money, get money” operation and it continued for about 8 years. One thing that’s interesting is that the CIA ignored the changes to Ames’ lifestyle that came from all the money (he said he’d married into an inheritance) and fell for a straightforward head-fake from the KGB where some information was leaked that indicated the mole was elsewhere in the organization. When Ames was finally arrested, there was a great question around what, exactly, he had sold the KGB. Apparently the CIA’s internal audit capability was not very good and they didn’t have any way of going back and seeing who accessed what file, and when.
Many of the companies I’ve worked with in the last 20 years could go back into their archived system logs, pull out the file server logs, and – given the date – tell you which files Ames took. That’s basic IT competency: an organization with valuable intellectual property usually understands that. Managing that sort of thing is the Chief Security Officer (CSO)’s job. It’s IT competence. Take, for example, one highly competent IT organization: google. They still have transaction logs for every message gmail has ever sent or dropped into a user’s inbox. They do that because a) they can b) it’s IT competence and c) the FBI insists on being able to get that sort of information from organizations like google. Is this a case of “those who can’t do: regulate those who can”? I’m not going to talk about FBI mole Robert Hanssen here, because the FBI managed to do a pretty good job of keeping details about Hanssen’s actions out of public knowledge. What we don’t know about Hanssen is how much he stole and sold, and whether the FBI was able to figure it out.*
Computer security in government agencies looks more like a scene from Brazil than Mission Impossible.
Earlier I mentioned that “management vision” is a critical piece of this problem. Executive vision in the intelligence community is largely irrelevant. Back in the oughties I served on a panel of experts** regarding intelligence community data sharing and my recommendation was: “don’t.” However, one of the dangers of “don’t” is that compartmentalization of data breeds a requirement for cross-compartment data movement, e.g.: USB sticks full of classified data. Or worse. The problem with data on a USB stick is that it’s no longer trackable and logged, it goes dark. Sharing might have improved some parts of the system, while damaging others; it’s hard to know. In either case, because secrecy is hard to manage, it appears that insufficient audit was in place. Meanwhile, there were directives from the Bush administration to “maximize information sharing” which appeared to translate, to some organizations, to: “dump everything you’ve got onto SIPRNET”
The US State Department certainly did dump everything onto SIPRNET. Enter Chelsea Manning, who copied out large amounts of evidence of US war crimes, by the simple expedient of burning data disks, labelling them “Lady Gaga” and carrying them out of the secure area mounted in a laptop’s drive. I’m not going to second-guess Manning’s tradecraft but let’s just say was not very sophisticated and didn’t involve hanging from ceilings Mission Impossible-style.
Now, stop me if this is starting to sound repetitive: the US State Department does not appear to know what Manning took. Or, didn’t, until they learned through Wikileaks. In terms of IT competence that makes me assume the expensive lesson of Aldrich Ames was not learned (probably because Ames was a CIA problem, and nobody at the management layer of US Government IT exists to connect the dots)*** If it had been data at most competently managed corporate shops, some system administrator would have spent a tough week pulling backup tapes and unarchiving system logs, then shovelling them into a log management engine and searching and sorting through to figure out what Manning took. But what do you want for your taxpayer’s dollar? Best practices aren’t on the menu.
Next up, Edward Snowden!
There are many many things that are interesting about the Snowden incident but let’s just look at two: 1) he was an authorized administrator working for a contractor 2) the NSA doesn’t appear to know what files he took.
The second point, first. Stop me if you’ve heard the punchline already: apparently the NSA hadn’t learned to turn on file server logging. After Ames, Hanssen, and Manning, why would they? Some accounts I’ve read of Snowden’s activities prior to his leak-a-thon indicate that one of his assignments was to be setting up a system log server/logging capability. Oh, the irony.****
Another account of Snowden’s actions was that Snowden apparently was queried by a co-worker, as to why he was accessing so much data. If that’s true, that’s better organizational response than to Ames, Hanssen, or Manning. But allegedly Snowden said he was testing a new backup system, and the co-worker shrugged and went back to doing whatever they were doing.
The US intelligence community has had its IT organizations gutted because of privatization. Why work for the government if you can quit your job, then turn around and get a better-paying job, with more mobility, working for a beltway bandit? The funny part is that the beltway bandit will turn around and rent you back to your parent agency to do your original job, anyway. This is a matter of some importance because of “wall jobs” – a “wall job” is where your mechanic parks your car over there, against the wall, and when you come get it they tell you they did something and charge you something and they never even looked at it. If you’ve got a car and you don’t understand how it works, you’re vulnerable to wall jobs. You’re vulnerable to your mechanic telling you “the haydiddlediddle has disconnected from the muhlefratzer, it’s gonna be a couple days and cost $750.” If you’re a government agency and you have allowed your IT expertise to be completely drained out, you’ve got a false front that only knows how to read powerpoint and write checks. You’ve become a cloud computing organization and you didn’t even realize it. What’s crazy is that the US Government is dropping audit requirements on the cloud providers (because they want to see what you’re doing) but they’re too silly to look at what they’re doing, themselves.
How’s that working for ya, Uncle Sam?
(* If I were a betting man, I’d bet a lot that Hanssen negotiated a more gentle treatment in return for telling the FBI what he knew about what he sold. The FBI’s IT incompetence is legendary and the idea that the FBI would be able to back-audit file accesses to 1985 is extremely improbable.)
(** Global Infrastructure Grid – GiG Senior Industry Review Group, SIRG. There were a lot of smart people on that panel, and me. The post 9/11 view of GiG was to break down ‘stovepipes’ and open information sharing across all agencies. It was clear from the beginning that that was not going to happen. NSA said they would be happy if CIA shared with them but no way were they going to share with CIA. Etc.)
(*** Part of the problem is: there is no management layer for US Government IT. I mean, there is, but it’s largely a ceremonial position utterly mooted by inter-agency wall-building. You call it a “stovepipe” they call it “security” I call it “a wall”)
(**** Who watches the watchers? In a competently run IT organization, management assesses the risks and may determine whether a two person rule is necessary and where. For damn sure, in organizations where money is being moved electronically, the checks are cross-checked and there are cross-cross-checks that ring alarms if the cross-checks are turned off.)
As a non-fan of government secrecy, I think a great deal of this problem would go away if the US Government stopped lying to its people so much, stopped engaging in secret diplomacy, etc. I’m not unhappy to see the embarrassing laundry come to light – it always does – but I’m unhappy that the organizations that are trying to bury that laundry are both expensive and incompetent. Give me expensive and competent and that’s OK, or give me free and incompetent and that’s OK, but expensive and incompetent is a non-starter.)