Who’s afraid of Edward Snowden and the NSA?

Edward Snowden fled from the USA to Russia just over a year ago.  His allegations about the scope and depth of the eavesdropping by the US National Security Agency (NSA) shook the organisation and have created concern around the world.  A year later, I think the dust has settled enough to start to think about a response to the revelations.  In this article I’m going to concentrate on the computer security aspects, rather than the politics, so I’m not going to ask whether NSA surveillance is a good thing or not.
 
Let’s look first from the NSA’s point of view.  As a sysadmin, Edward Snowden had unaudited access to enormous numbers of highly sensitive documents and was able to download them in bulk onto an external drive.  There’s still considerable uncertainty about exactly what, or even how much, was downloaded, and how it was done. 
 
In theory, it’s quite easy to stop this kind of thing: Privileged Identity Management (PIM) systems are designed to restrict and audit privileged users; Electronic Document and Records Management Systems (EDRMSs) are supposed to manage access to business documents; and Data Loss Prevention (DLP) systems can control what data passes out of your network’s boundaries.  All of these mechanisms have their uses, but they also have their weaknesses for an organisation like the NSA: the difficulty of distinguishing between permitted and forbidden behaviour; the cost of implementing at scale; the practicality of policing subcontractors and partners; and the impact on legitimate business processes (without which the NSA, or any other organisation, wouldn’t exist).
 
If I was examining a difficult problem like this, my focus would be not security, but rather legitimate behaviour.  We need to understand how documents are actually created, used and distributed (rather than how we think they are).  I am always surprised at how poorly most organisations understand their own internal workings.  Understanding legitimate behaviour will be an enormous task, of course, and it is unlikely that you will find a single usage pattern that is appropriate for all document types.  But this understanding is fundamental to enforcing security.
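As an added illustration of this point (not part of the original article), the Python sketch below derives a separate baseline of legitimate use for each combination of role and document type from audit records, then flags access that has no baseline or far exceeds it. The record layout, role names, sample data and the threshold factor `k` are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed audit records: (user, role, doc_type, day, documents_opened)
HISTORY = [
    ("alice", "analyst", "intel_report", "d1", 12),
    ("alice", "analyst", "intel_report", "d2", 9),
    ("bob", "analyst", "intel_report", "d1", 15),
    ("bob", "analyst", "intel_report", "d2", 11),
    ("carol", "sysadmin", "config", "d1", 40),
    ("carol", "sysadmin", "config", "d2", 55),
    ("dave", "sysadmin", "config", "d1", 35),
    ("dave", "sysadmin", "config", "d2", 48),
]
TODAY = [
    ("alice", "analyst", "intel_report", "d3", 14),
    ("carol", "sysadmin", "config", "d3", 52),
    ("dave", "sysadmin", "intel_report", "d3", 1800),
    ("bob", "analyst", "intel_report", "d3", 400),
]

def build_baselines(history):
    """One usage pattern per (role, doc_type), not a single global threshold."""
    samples = defaultdict(list)
    for _user, role, doc_type, _day, count in history:
        samples[(role, doc_type)].append(count)
    baselines = {}
    for key, counts in samples.items():
        med = median(counts)
        mad = median(abs(c - med) for c in counts)  # robust measure of spread
        baselines[key] = (med, mad)
    return baselines

def flag(events, baselines, k=5, min_spread=1):
    """Return (user, day, reason) for access outside observed legitimate use."""
    findings = []
    for user, role, doc_type, day, count in events:
        base = baselines.get((role, doc_type))
        if base is None:
            # This role has never legitimately touched this document type.
            findings.append((user, day, "no-baseline"))
        elif count > base[0] + k * max(base[1], min_spread):
            findings.append((user, day, "volume"))
    return findings

if __name__ == "__main__":
    for finding in flag(TODAY, build_baselines(HISTORY)):
        print(finding)
```
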
                     
Next, let’s look at things from the point of view of the people and organisations that are subject to NSA surveillance (i.e. everyone).  One criticism that many practical people make of security experts is that we spend too much time obsessing about obscure cryptographic vulnerabilities (because they’re interesting in a nerdy kind of way) and not enough thinking about basic issues like staff vetting and security awareness. 
 
At first glance, it seems the security paranoid have good reason to say ‘I told you so!’.  All the scenarios they have been warning about turn out to be completely true, or even an underestimate of the real situation.  But what can be done about it?
 
An organisation which needs to protect itself against broad-scope surveillance will have to implement a whole slew of security measures: encrypting inter-site communications, encrypting email and other messages, encrypting mobile devices and media, good end point security.  These will all make it much harder to surveil (is that a word?) the organisation. 
 
But they won’t make it impossible.  If you want to make surveillance impossible, you have to consider weaknesses like subverted software and encryption algorithms, staff blackmail, traffic analysis, and coercion of service providers.  It’s very difficult, and very expensive, to do this: you’ll have to use open source software, Tor routers, specialised encryption, and so on. 
 
There’s no way a real organisation could do all this for its entire operations.  But it can be done for small parts of it.  You may need to consider such options if you have secrets that you need to protect for long periods of time against determined state actors. 
 
This comes back to understanding how your business works.  Only from this understanding can you know what you really need to protect, and how long for.
