The national security state has, to put it mildly, “flipped its shit” over Edward Snowden. And in information security, where I work, it’s become de rigeur to call Snowden’s actions a wake-up call. But, really? It’s more like a snooze alarm.
I still encounter people who think that the government must have great security. After all, the NSA blah blah blah – and you saw that data center Tom Cruise broke into in Mission Impossible, blah blah. The reality is a lot more prosaic. It’s just data centers managed by people, storing data created and used by people, accessing it from systems managed and used by people. The weakest link remains: people. The second weakest links is: people (specifically in the form of executive management’s lack of vision)
The CIA is understandably mum about what happened with Aldrich Ames, though it sounds like he obtained necessary clearances then copied some really sensitive top secret files to his computer, made a floppy disk of them, and walked out of the building with it. Then he contacted the Societ embassy through channels he had learned about during his CIA work, and started selling them the data. It was a simple “need money, get money” operation and it continued for about 8 years. One thing that’s interesting is that the CIA ignored the changes to Ames’ lifestyle that came from all the money (he said he’d married into an inheritance) and fell for a straightforward head-fake from the KGB where some information was leaked that indicated the mole was elsewhere in the organization. When Ames was finally arrested, there was a great question around what, exactly, he had sold the KGB. Apparently the CIA’s internal audit capability was not very good and they didn’t have any way of going back and seeing who accessed what file, and when.
Many of the companies I’ve worked with in the last 20 years could go back into their archived system logs, pull out the file server logs, and – given the date – tell you which files Ames took. That’s basic IT competency: an organization with valuable intellectual property usually understands that. Managing that sort of thing is the Chief Security Officer (CSO)’s job. It’s IT competence. Take, for example, one highly competent IT organization: google. They still have transaction logs for every message gmail has ever sent or dropped into a user’s inbox. They do that because a) they can b) it’s IT competence and c) the FBI insists on being able to get that sort of information from organizations like google. Is this a case of “those who can’t do: regulate those who can”? I’m not going to talk about FBI mole Robert Hanssen here, because the FBI managed to do a pretty good job of keeping details about Hanssen’s actions out of public knowledge. What we don’t know about Hanssen is how much he stole and sold, and whether the FBI was able to figure it out.*
Computer security in government agencies looks more like a scene from Brazil than Mission Impossible.
Earlier I mentioned that “management vision” is a critical piece of this problem. Executive vision in the intelligence community is largely irrelevant. Back in the oughties I served on a panel of experts** regarding intelligence community data sharing and my recommendation was: “don’t.” However, one of the dangers of “don’t” is that compartmentalization of data breeds a requirement for cross-compartment data movement, e.g.: USB sticks full of classified data. Or worse. The problem with data on a USB stick is that it’s no longer trackable and logged, it goes dark. Sharing might have improved some parts of the system, while damaging others; it’s hard to know. In either case, because secrecy is hard to manage, it appears that insufficient audit was in place. Meanwhile, there were directives from the Bush administration to “maximize information sharing” which appeared to translate, to some organizations, to: “dump everything you’ve got onto SIPRNET”
The US State Department certainly did dump everything onto SIPRNET. Enter Chelsea Manning, who copied out large amounts of evidence of US war crimes, by the simple expedient of burning data disks, labelling them “Lady Gaga” and carrying them out of the secure area mounted in a laptop’s drive. I’m not going to second-guess Manning’s tradecraft but let’s just say was not very sophisticated and didn’t involve hanging from ceilings Mission Impossible-style.
Now, stop me if this is starting to sound repetitive: the US State Department does not appear to know what Manning took. Or, didn’t, until they learned through Wikileaks. In terms of IT competence that makes me assume the expensive lesson of Aldrich Ames was not learned (probably because Ames was a CIA problem, and nobody at the management layer of US Government IT exists to connect the dots)*** If it had been data at most competently managed corporate shops, some system administrator would have spent a tough week pulling backup tapes and unarchiving system logs, then shovelling them into a log management engine and searching and sorting through to figure out what Manning took. But what do you want for your taxpayer’s dollar? Best practices aren’t on the menu.
Next up, Edward Snowden!
There are many many things that are interesting about the Snowden incident but let’s just look at two: 1) he was an authorized administrator working for a contractor 2) the NSA doesn’t appear to know what files he took.
The second point, first. Stop me if you’ve heard the punchline already: apparently the NSA hadn’t learned to turn on file server logging. After Ames, Hanssen, and Manning, why would they? Some accounts I’ve read of Snowden’s activities prior to his leak-a-thon indicate that one of his assignments was to be setting up a system log server/logging capability. Oh, the irony.****
Another account of Snowden’s actions was that Snowden apparently was queried by a co-worker, as to why he was accessing so much data. If that’s true, that’s better organizational response than to Ames, Hanssen, or Manning. But allegedly Snowden said he was testing a new backup system, and the co-worker shrugged and went back to doing whatever they were doing.
The US intelligence community has had its IT organizations gutted because of privatization. Why work for the government if you can quit your job, then turn around and get a better-paying job, with more mobility, working for a beltway bandit? The funny part is that the beltway bandit will turn around and rent you back to your parent agency to do your original job, anyway. This is a matter of some importance because of “wall jobs” – a “wall job” is where your mechanic parks your car over there, against the wall, and when you come get it they tell you they did something and charge you something and they never even looked at it. If you’ve got a car and you don’t understand how it works, you’re vulnerable to wall jobs. You’re vulnerable to your mechanic telling you “the haydiddlediddle has disconnected from the muhlefratzer, it’s gonna be a couple days and cost $750.” If you’re a government agency and you have allowed your IT expertise to be completely drained out, you’ve got a false front that only knows how to read powerpoint and write checks. You’ve become a cloud computing organization and you didn’t even realize it. What’s crazy is that the US Government is dropping audit requirements on the cloud providers (because they want to see what you’re doing) but they’re too silly to look at what they’re doing, themselves.
How’s that working for ya, Uncle Sam?
(* If I were a betting man, I’d bet a lot that Hanssen negotiated a more gentle treatment in return for telling the FBI what he knew about what he sold. The FBI’s IT incompetence is legendary and the idea that the FBI would be able to back-audit file accesses to 1985 is extremely improbable.)
(** Global Infrastructure Grid – GiG Senior Industry Review Group, SIRG. There were a lot of smart people on that panel, and me. The post 9/11 view of GiG was to break down ‘stovepipes’ and open information sharing across all agencies. It was clear from the beginning that that was not going to happen. NSA said they would be happy if CIA shared with them but no way were they going to share with CIA. Etc.)
(*** Part of the problem is: there is no management layer for US Government IT. I mean, there is, but it’s largely a ceremonial position utterly mooted by inter-agency wall-building. You call it a “stovepipe” they call it “security” I call it “a wall”)
(**** Who watches the watchers? In a competently run IT organization, management assesses the risks and may determine whether a two person rule is necessary and where. For damn sure, in organizations where money is being moved electronically, the checks are cross-checked and there are cross-cross-checks that ring alarms if the cross-checks are turned off.)
As a non-fan of government secrecy, I think a great deal of this problem would go away if the US Government stopped lying to its people so much, stopped engaging in secret diplomacy, etc. I’m not unhappy to see the embarrassing laundry come to light – it always does – but I’m unhappy that the organizations that are trying to bury that laundry are both expensive and incompetent. Give me expensive and competent and that’s OK, or give me free and incompetent and that’s OK, but expensive and incompetent is a non-starter.)
Pierce R. Butler says
… expensive and incompetent is a non-starter.
Which is why Marcus J. Ranum ended up on the nerd panel, not in purchasing and acquisitions.
Marcus Ranum says
Pierce R. Butler@#1:
The folks in purchasing and acquisitions aren’t always bad. The problem is that they’re mostly managing the money movement from point A to point B, it’s the corrupt program officers above them that tell them “go get us this very specific widget that can only be sole-sourced from my friend’s company, that has offered me a consulting position when I leave here.”
I more or less swore not to do any more work for the government after the 90s; I got on the GiG SIRG as a favor to an old friend, and immediately regretted it. I’m sure they regretted it, too. It took me until I was halfway through to realize that the whole thing was theater: the powers that were (Bush Administration) had said “break down the walls” and the agencies had decided to use the mandate to get Lots More Money. Money which was used to build bigger (but not better) walls.
Pierce R. Butler says
Marcus Ranum @ # 2: The folks in purchasing and acquisitions aren’t always bad. … it’s the corrupt program officers above them that tell them “go get us this …”
Well, the grunts doing the actual work are mostly just that – but some harbor fond ambitions of reaching the corrupt-program-officer-above level (and perhaps some actually do).
… the powers that were (Bush Administration) had said “break down the walls” …
I sometimes fantasize of producing a video showing Republicans doing things advocated in rebellious ’60s rock: combining Shrub visuals and Jefferson Airplane audio should really give film editing equipment (and the space-time continuum) a good durability test.
Owlmirror says
Technically, he actually was! [*snrk*]
Marcus Ranum says
Owlmirror@#4:
Technically, he actually was! [*snrk*]
Just like the NSA has built a gigantic SMS and snapchat backup and storage system out in Utah…
Unfortunately, you can’t get at your own backups because they’re in there with everyone else’s and national security!
John Morales says
[meta]
I really wish some commenter would attempt to dispute (or at least critique) some of your fact claims, Marcus.
Marcus Ranum says
John Morales@#6:
I really wish some commenter would attempt to dispute (or at least critique) some of your fact claims, Marcus.
No fact claims can withstand a skeptical challenge, if that’s what you’re referring to.
I do wonder about that, sometimes. I don’t want to have to turn my writing into a great big mass of waffle, “it appears to me now that…” etc. Maybe I should just say that all my postings are paranormal or performance art and nothing should be expected to be factual.
Joking aside, I think I’m supposed to be writing editorial, occasionally, which appears to me to be the art of writing one’s opinions as if they are fact, and combining them with facts, experience, and analysis. If someone wants to ask me where I get a particular fact, I’ll do my best to substantiate it, but I won’t play a game of “infinite regress” just to amuse someone else.
Or were you referring to a specific fact? If there’s something you want me to clarify, such as my comment #5, I can.
John Morales says
Marcus,
Not at all; I was being literal. I rather enjoy seeing you respond to quibbles within your field of expertise.
As I see it, this series of yours (whether or not you call it such) amounts to editorials based on expert opinion, and I guess I’m intimating that I can’t really challenge any of it without trolling, since I’m both sympathetic to your message and find nothing to sustainably dispute therein.