Analysing the NSA/BAH case

In months and years to come, Security sales team will bring up in conversation the name of Mr Edward Snowden as an example of “insider attack,” perhaps to highlight security risks or recommend “new” technologies to protect organisational assets. Snowden´s actions will be compared with the paradigmatic Société Générale case, where lack of controls allowed fraudulent financial operations, but a deeper analysis of what has happened will be more useful for the Security disciplines than just the usual fear-inducing tactics.

As Security professionals, we have an obligation to analyse the recent revelations regarding mass surveillance, so to be able to better advise our public and private clients.

The primary distinction between the SocGen security failure and the NSA/Booz Allen Hamilton scandal is that in the first case you have common criminal activity, while in the second case you have a political action. To those who would say that this is not relevant, because both actions become in the end “security breaches,” I would recommend a mode detailed consideration of these cases, for while employees (as Snowden and Kerviel) are under obligations to their employers to help defend their interests, and operate under corporate codes which prohibit certain types of access and use of data, a scientific security model must be based on the whole interaction of the individual as a Person and an Employee and the organisation, and should not be limited to the position of the Employee only.

This is because a focus on the individual as Employee only yields a defensive Security position, while a focus on the complex interaction of the Person and the organisation are the basis for advanced organisational strategy.

In the context of modern public and private organisations, contradictions arise between the Person and the Citizen/Individual. For example, in the political sphere, governments or parliaments may issue regulations that negate the fundamental rights of the individual as a Person. Famously the US Constitution First Amendment states: “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances”, but this does not preclude the writing of regulations that precisely to do so. What it means is that there are deeper, more fundamental rights associated with the Person which automatically enter into conflict with public or corporate sphere norms which go against those rights independently of any given rationale.

There is a complex correlation and contraposition between the individual as Person and the individual as Citizen (as member of a State) or as Employee (as member of a Corporation), because while Natural Rights can be associated only to the Person, they have to be recognised and protected in the political and contractual spheres, i.e. in the space of the Citizen and the Employee. Many people are confused by these correlations, and assume that because the rights of the Person exist in the political or contractual (business) sphere these rights can be “changed” or even “relinquished” by means of laws or regulations. This is not the case and most legal and political traditions assign ultimate value to the human individual as Persons, while upholding that these rights are not only inviolable bur also may not be waived.

I have to leave to Legal Experts and Political Scientists the full and proper explanation of these matters but wanted to mention this here as the wider context in which Security Professionals must act and advise our clients.

Returning to the probable comparison between the SocGen and the NSA/BAH case, let´s not ignore the fact that in both cases we must speak of a Security breach, as definitely these cases reveal failures in the Security controls of the organisations in question. There were also violations of the norms or obligations of the individuals as employees involved. On the other hand, it is essential to avoid both the conflation of political and criminal actions, as well as ignoring the underlying security failures that these cases reveal. Otherwise it will be impossible to draw correct conclusions.

In terms of the failure of Security controls, we know that excessive access rights, misallocation of authorisations, lack of segregation of duties, and other access control problems are present in all types of organisations. Not a single organisation of any type, in any sector is free from access and security problems associated with the use of computer technology.

In reality, it is difficult, complex and costly to maintain control of local and remote access to computers, databases and related systems. In my experience, these are tasks that cannot be solved or even addressed only with technologies and require extensive and purposeful processes to be effective.

How do organisations defend themselves against internal and external attack? Here is where the previous distinction between the Person and the Citizen (or the Person and the Employee) is useful to understand what the sources of danger for organisations are when handling critical or sensitive information.

The starting point is the nature of the information that should be defended. A security system cannot be defined if there is not clarity about the “assets” or “systems” that need access and protection. Organisations differ in their levels of maturity regarding this, and many do not have a good understanding of their information processes. Sadly a large number of organisations do not work on the basis of governing transaction and identity data as business assets.

Under these conditions, the IT Departments struggle in an unwinnable “war,” patching away software, closing gaps, only to survive until the next attack or data loss. If we look at the root of the problem, we can see that Security is a business and leadership issue, and not a technical one.

In my area of activity, each Security failure is a failure of leadership, direction and governance. Nothing more, nothing less, and I know that world class organisations do not need fancy machinery or trendy software but complete and consistent control processes, and –above all—tend to have very focused programmes dedicated to manage critical information primarily at the business level and not in the IT Department.

At the root of such position, an organisation-focused Security model takes into account the type of information stored or processed, as well as the structure of ownership and stewardship over that information. If this structure is not present or stewardship is weakened by delegation and lack of leadership, the organisation must make a clear and conscious decision about the hazards derived from such delegation of control.

If we start from first principles, we understand that there will be cases where the members of an organisation organisation may be under more or less equal contractual or regulatory obligations to defend and preserve the interests of the corporate body, but will have different sentiments and interests at a Personal level. Persons are not part of organisations but only its periphery. Organisations do not hire “persons” but “individuals”, in the sense that they hire the public, commercially driven persona but do not acquire control or ownership of the natural person (the “biological individual”).

Equally so, a State may have hegemony and subjection of an individual, but –at least in within modern democratic Western models—the State does not own or control the Person.

This separation is obviously normal and part of public and corporate operation, but at the same time it is the root of the contradictions that will arise depending on the role of the individual in the organisation, for while the public individual “persona” (Employee) is under complete “hegemony” of the corporation, the Person is not and cannot be.

A Security model must start then from a clear conception of this contradiction, understanding that Corporate structures, contracts, regulations, etc. are not enough to effectively secure the informational assets. Neither government organisations nor private corporations can operate as absolute democracies or as dictatorships –at least within the context of Western democratic traditions or similar systems. In that sense, a Security model needs to anticipate and cater for dissension, opposition and conflict within public and private organisations.

Corresponding to that, the wise organisational leader will judge the security model in relation to the “mission” the organisation is trying to accomplish. For example it is reasonable to expect that an organisation which delivers politically or morally contentions activities at least for a segment of the population, will be more difficult to protect against dissension, opposition and outright sabotage than one that does not have such types of activity. Consequently, the security model of the first “type” of organisation must be one where a decision must be made between the inevitable conflicts of interest between the individuals as Citizens, as Employees and as Persons, and the organisation, because that correlation will lie at the core of the overall Security position of the organisation in question. To reiterate: It is evident that opposition and conflict will be stronger if the activities of the organisation accelerate or somehow promote the contradictions arising between the spheres of the Person the Citizen and the Employee as we describe above.

In this analysis Framework, then, the distinction between basic criminal activity and politically motivated security breaches becomes clear, because the resulting security models will have different objectives.

Dedicated Security professionals will have to analyse the NSA/BAH security failure as a combination of political conflict and process failure to extract lessons from it independently of the opinions that may arise about the meaning or nature of the actors, including Mr Edward Snowden. Taking that perspective, I believe that this extraordinary event calls for security strategies that help public and private organisations re-assess and enhance their positions. More specifically, I believe that there will be two important consequences: a) increased relevance of business and operational models that do not rely on, do not require user data mining and do not enable mass surveillance, and b) increased need for security and IT strategies that favour a strict separation of concerns between the different layers of the ITC systems: infrastructure, platforms, applications, security, collaboration, etc. both at local and global level.

Regarding the first point it might be said that currently data mining models are dominant and that it is not “realistic” to speak about their demise. I am not predicting a date of such an event though, and I am only saying that business models that affect privacy or enable mass surveillance are not acceptable and will necessarily decline as they imply increasing failures and unacceptable security risks from a business point of view.

Regarding the second point people may remark that currently IT technologies do not permit such separation or make it very difficult and costly. Others may say that the benefits of concentration of IT resources in one or two suppliers are too great to ignore. To which I would respond that precisely devising how to obtain efficiency while delivering separation of concerns is a gigantic business opportunity for those organisations who understand the need to offer security and assurance to their partners and customers.