You choose, we deliver
If you are interested in this story, you might be interested in others from The Journal Gazette. Go to www.journalgazette.net/newsletter and pick the subjects you care most about. We'll deliver your customized daily news report at 3 a.m. Fort Wayne time, right to your email.

Editorial columns

  • Hoosier court reinforces lack of hope in justice system
    Recently, the Indiana Supreme Court added to its legacy of contempt for working-class Hoosiers by proclaiming that a deceptively named “right-to-work” law does not violate the Indiana Constitution.
  • Erin's House helps grieving kids cope
    We have all seen the headlines – car accident, one fatality, a male 35 years old – but we sometimes forget the likelihood that there is a child tied to this adult. Maybe he was a father, uncle, brother, cousin or dear friend.
  • Word to the wise: Build vocabulary early
    The PNC Financial Services Group recently hosted the Guinness Book of World Records attempt for largest vocabulary lesson as part of Grow Up Great, our early childhood education program.
Advertisement
Gary Varvel | Indianapolis Star

Lessening the damage by the next Snowden

Ever since Edward Snowden walked out of a National Security Agency facility in May with electronic copies of thousands of classified documents, the finger-pointing has concentrated on government’s security failures.

Yet the debacle illustrates the challenge with trusting people in any organization.

The problem is easy to describe. Organizations require trusted people, but they don’t necessarily know whether those people are trustworthy. These individuals are essential and can also betray organizations.

So how does an organization protect itself?

Securing trusted people requires three basic mechanisms (as I describe in my book “Beyond Fear”). The first is compartmentali-zation. Trust doesn’t have to be all or nothing; it makes sense to give relevant workers only the access, capabilities and information they need to accomplish their assigned tasks. In the military, even if they have the requisite clearance, people are only told what they “need to know.” The same policy occurs naturally in companies.

This isn’t simply a matter of always granting more senior employees a higher degree of trust. For example, only authorized armored-car delivery people can unlock automated teller machines and put money inside; even the bank president can’t do so. Think of an employee as operating within a sphere of trust – a set of assets and functions he or she has access to. Organizations act in their best interest by making that sphere as small as possible.

The idea is that if someone turns out to be untrustworthy, he or she can only do so much damage. This is where the NSA failed with Snowden. As a system administrator, he needed access to many of the agency’s computer systems – and he needed access to everything on those machines. This allowed him to make copies of documents he didn’t need to see.

The second mechanism for securing trust is defense in depth: Make sure a single person can’t compromise an entire system. NSA Director Gen. Keith Alexander has said he is doing this inside the agency by instituting what is called two-person control: There will always be two people performing system-administration tasks on highly classified computers.

Defense in depth reduces the ability of a single person to betray the organization. If this system had been in place and Snowden’s superior had been notified every time he downloaded a file, Snowden would have been caught well before his flight to Hong Kong.

The final mechanism is to try to ensure that trusted people are, in fact, trustworthy. The NSA does this through its clearance process, which at high levels includes lie-detector tests (even though they don’t work) and background investigations. Many organizations perform reference and credit checks and drug tests when they hire new employees. Companies may refuse to hire people with criminal records or non-citizens; they might hire only those with a particular certification or membership in certain professional organizations. Some of these aren’t very effective – it’s pretty clear that personality profiling doesn’t tell you anything useful, for example – but the general idea is to verify, certify and test individuals to increase the chance they can be trusted.

These measures are expensive. It costs the U.S. government about $4,000 to qualify someone for top-secret clearance. Even in a corporation, background checks and screenings are expensive and add considerable time to the hiring process. Giving employees access to only the information they need can hamper them in an agile organization in which needs constantly change. Security audits are expensive, and two-person control is even more expensive: it can double personnel costs. We’re always making trade-offs between security and efficiency.

The best defense is to limit the number of trusted people needed within an organization. Alexander is doing this at the NSA – albeit too late – by trying to reduce the number of system administrators by 90 percent. This is just a tiny part of the problem; in the U.S. government, as many as 4 million people, including contractors, hold top-secret or higher security clearances. That’s far too many.

More surprising than Snowden’s ability to get away with taking the information he downloaded is that there haven’t been dozens more like him. His uniqueness – along with the few who have gone before him and how rare whistle-blowers are in general – is a testament to how well we normally do at building security around trusted people.

Here’s one last piece of advice, specifically about whistle-blowers. It’s much harder to keep secrets in a networked world, and whistle-blowing has become the civil disobedience of the information age. A public or private organization’s best defense against whistle-blowers is to refrain from doing things it doesn’t want to read about on the front page of the newspaper. This may come as a shock in a market-based system, in which morally dubious behavior is often rewarded as long as it’s legal and illegal activity is rewarded as long as you can get away with it.

No organization, whether it’s a bank entrusted with the privacy of its customer data, an organized-crime syndicate intent on ruling the world or a government agency spying on its citizens, wants to have its secrets disclosed. In the information age, though, it may be impossible to avoid.

Bruce Schneier is a computer security technologist. He is the author of several books, including his latest, “Liars and Outliers: Enabling the Trust Society Needs to Thrive.” He wrote this for Bloomberg News.

Advertisement