Edward Snowden fled from the USA to Russia just over a year ago. His allegations about the scope and depth of the eavesdropping by the US National Security Agency (NSA) shook the organisation and have created concern around the world. A year later, I think the dust has settled enough to start to think about a response to the revelations. In this article I’m going to concentrate on the computer security aspects, rather than the politics, so I’m not going to ask whether NSA surveillance is a good thing or not.
Let’s look first from the NSA’s point of view. As a sysadmin, Edward Snowden had unaudited access to enormous numbers of highly sensitive documents and was able to download them in bulk onto an external drive. There’s still considerable uncertainty about exactly what, or even how much, was downloaded, and how it was done.
In theory, it’s quite easy to stop this kind of thing: Privileged Identity Management (PIM) systems are designed to restrict and audit privileged users; Electronic Document and Records Management Systems (EDRMSs) are supposed to manage access to business documents; and Data Loss Prevention (DLP) systems can control what data passes out of your network’s boundaries. All of these mechanisms have their uses, but they also have their weaknesses for an organisation like the NSA: the difficulty of distinguishing between permitted and forbidden behaviour; the cost of implementing at scale; the practicality of policing subcontractors and partners; and the impact on legitimate business processes (without which the NSA, or any other organisation, wouldn’t exist).
If I were examining a difficult problem like this, my focus would be not security, but rather legitimate behaviour. We need to understand how documents are actually created, used and distributed (rather than how we think they are). I am always surprised at how poorly most organisations understand their own internal workings. Understanding legitimate behaviour will be an enormous task, of course, and it is unlikely that you will find a single usage pattern that is appropriate for all document types. But this understanding is fundamental to enforcing security.
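To make the point about legitimate behaviour concrete, here is an added example (not from the original article) of the simplest useful check built on it: compare each user's daily document volume, per document class, against a baseline drawn from that user's own history, and flag bulk departures or access to classes the user has never touched. The user names, document ids and log lines are constructed placeholders.

```python
from collections import Counter
from statistics import mean

# Constructed baseline: documents opened per day by each user and document
# class over five ordinary days. In practice this comes from aggregating the
# document system's access log over a period you believe to be legitimate.
HISTORY = {
    ("alice", "report"): [3, 4, 2, 3, 3],
    ("alice", "memo"): [1, 0, 1, 2, 1],
    ("bob", "report"): [2, 2, 3, 1, 2],
}

# Constructed access-log lines for the day under review: user, doc id, class.
TODAY_LOG = """\
alice R-1041 report
alice R-1042 report
alice R-1043 report
alice R-1044 report
alice R-1045 report
alice R-1046 report
alice R-1047 report
alice M-0210 memo
bob R-1048 report
bob R-1049 report
bob M-0211 memo
"""

def aggregate(log_text):
    """Count documents per (user, class) in one day's log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        user, _doc_id, doc_class = line.split()
        counts[(user, doc_class)] += 1
    return counts

def find_anomalies(today, history, factor=2.0, floor=5):
    """Flag (user, class) pairs whose volume today exceeds `factor` times the
    historical daily mean (and at least `floor` documents, so a near-zero
    baseline is not tripped by two memos), or that have no baseline at all."""
    findings = {}
    for key, count in today.items():
        if key not in history:
            findings[key] = f"{count} document(s) of a class this user has never used"
            continue
        baseline = mean(history[key])
        if count >= floor and count > factor * baseline:
            findings[key] = f"{count} documents against a daily mean of {baseline:.1f}"
    return findings
```

The thresholds are deliberately crude; the value lies in the baseline being derived from observed usage rather than from what the policy says usage should be.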
Next, let’s look at things from the point of view of the people and organisations that are subject to NSA surveillance (i.e. everyone). One criticism that many practical people make of security experts is that we spend too much time obsessing about obscure cryptographic vulnerabilities (because they’re interesting in a nerdy kind of way) and not enough thinking about basic issues like staff vetting and security awareness.
At first glance, it seems the security paranoid have good reason to say ‘I told you so!’. All the scenarios they have been warning about turn out to be completely true, or even an underestimate of the real situation. But what can be done about it?
An organisation which needs to protect itself against broad-scope surveillance will have to implement a whole slew of security measures: encrypting inter-site communications, encrypting email and other messages, encrypting mobile devices and media, good endpoint security. These will all make it much harder to surveil (is that a word?) the organisation.
But they won’t make it impossible. If you want to make surveillance impossible, you have to consider weaknesses like subverted software and encryption algorithms, staff blackmail, traffic analysis, and coercion of service providers. It’s very difficult, and very expensive, to do this: you’ll have to use open source software, Tor routers, specialised encryption, and so on.
There’s no way a real organisation could do all this for its entire operations. But it can be done for small parts of it. You may need to consider such options if you have secrets that you need to protect for long periods of time against determined state actors.
This comes back to understanding how your business works. Only from this understanding can you know what you really need to protect, and how long for.