(re: what a “senior-level defense official” said about Mr. Snowden)
Those who speak for large entities, governments, corporations, etc., even when they speak anonymously, tend to make some assumptions that most of us cannot make. The first is that they can state the obvious as if it is a tremendous revelation because denying the obvious looks dumb. Since the opposite of dumb is smart, stating the obvious would, they seem to conclude, be saying something smart.
The second is that statements are not debatable unless the forum is a debate. Most of us try to make statements in our professional lives that we expect to be able to defend and hence take care to make the statements defensible. Spokespeople stay “on message” and do not usually debate.
So, in an earlier post, I quoted a NASA spokesperson discussing a stolen laptop that had been removed from one of their facilities with personnel records on it. The spokesperson pointed out that their controls were “adequate.” They had a policy and the guy didn’t follow the policy. To the points above: number one, describe the obvious: this would not have happened if the policy had been followed (“well, duh”). Number two, no debate: how exactly do we accept that the controls are adequate when the incident being described is one in which they failed? The statement is the statement. Take it or leave it.
Which brings us to a curious post on the CNN cybersecurity blog: http://security.blogs.cnn.com/2013/07/18/deputy-secretary-of-defense-2-mistakes-led-to-snowden-leaks/
In discussing the leak of information carried out by Edward Snowden, Deputy Secretary of Defense Ashton Carter is quoted in the post as saying:
“This is a failure to defend our own network,” Carter said. “That failure originated from two practices that we need to reverse.”
The first mistake: “In an effort for those in the intelligence community to be able to share information with one another, there was an enormous amount of information concentrated in one place. … It creates too much information in one place.”
The second: “You had an individual who was given very substantial authority to access that information and move that information. That ought not to be the case, either.”
So, let’s be clear: the reason Edward Snowden could access information is because he was authorized to. The reason he could find the information is that it was where it was put. And the reason he could remove the information from where it was put is because he was authorized to move the information.
In other words, Edward Snowden was a privileged user who decided to use those privileges in ways that were not in alignment with his employer’s interests. Stating the obvious? Yes. Bottom line: there will always be privileged users. The question is how you control for that. The debate that is invited by the Deputy Secretary’s remarks is not the one you’d expect.
Given the media coverage of the NSA/Snowden leak, there are two necessary public debates in the Edward Snowden case that are already occurring: one is whether or not the NSA should have been collecting the information that Snowden revealed they were collecting; the other is whether or not Snowden should have leaked the information. But neither debate is invited by the quotation above.
The debatable point here is the statement: “In an effort for those in the intelligence community to be able to share information with one another, there was an enormous amount of information concentrated in one place.” Are we sure, as Deputy Secretary Carter suggests, we want to “reverse” that? Isn’t analysts sharing legitimately collected data a good thing (and whatever you think about the NSA data collecting activity, you have to believe the majority of those engaged in it believed it was legitimate)? Weren’t we told that the 9/11 tragedies might have been prevented if various intelligence agencies had shared information with one another? Wouldn’t it be a step backwards if legitimately collected intelligence information was so siloed off that our analysts couldn’t “connect the dots”?
Access should be controlled to “least privilege.” And back-end administrative users should be subject to scrutiny by virtue of their having the “keys to the castle.” But in cases where there is a legitimate reason to have “big data”, fear of leaks should not destroy usability. We might lose the usefulness of the information if we are too aggressive in making big data small.
I can only imagine that Snowden’s role as a back-end sys admin at NSA didn’t require him to have knowledge related to the topics contained within the leaked documents. Reverse the practice of incorrectly implementing RBAC and properly institute detection capabilities for your critical assets.
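As an added example (my own code, not from the post or from any government system), here is a minimal role model that keeps back-end administrative rights separate from content access, alongside a detection pass over a constructed audit log that flags both out-of-role attempts and bulk document reads by a user who is fully authorized; the role names, actions, user names and log entries are all assumptions.

```python
from collections import defaultdict

# Constructed role model (assumption): administrators hold operational rights
# on the store, analysts hold content rights, and no single role holds both.
ROLE_PERMISSIONS = {
    "sysadmin": {"server:restart", "storage:backup", "account:reset"},
    "analyst": {"document:read", "document:search"},
}


def is_permitted(role: str, action: str) -> bool:
    """RBAC check: an action is allowed only if the role explicitly holds it."""
    return action in ROLE_PERMISSIONS.get(role, set())


# Constructed audit log: (user, role, action, document_id). "-" means the
# action touched no document. Alice is an analyst pulling many documents;
# Bob is an administrator who tries to read content his role does not cover.
AUDIT_LOG = [
    ("alice", "analyst", "document:read", "doc-17"),
    ("alice", "analyst", "document:read", "doc-18"),
    ("bob", "sysadmin", "storage:backup", "-"),
    ("bob", "sysadmin", "document:read", "doc-01"),
    ("alice", "analyst", "document:read", "doc-19"),
    ("carol", "analyst", "document:read", "doc-02"),
    ("bob", "sysadmin", "document:read", "doc-03"),
    ("alice", "analyst", "document:read", "doc-20"),
]


def flag_bulk_reads(log, threshold: int):
    """Return (bulk, denied): users who read more than `threshold` distinct
    documents while authorized, and every access the role model rejects.
    Denied attempts are reported separately rather than counted as reads."""
    docs_per_user = defaultdict(set)
    denied = []
    for user, role, action, doc in log:
        if not is_permitted(role, action):
            denied.append((user, role, action, doc))
            continue
        if action == "document:read":
            docs_per_user[user].add(doc)
    bulk = {u: len(d) for u, d in docs_per_user.items() if len(d) > threshold}
    return bulk, denied


if __name__ == "__main__":
    bulk, denied = flag_bulk_reads(AUDIT_LOG, threshold=3)
    print("bulk readers:", bulk)        # authorized, but worth a second look
    print("denied attempts:", denied)   # role model stopped these outright
```

The threshold is deliberately small for the constructed log; in practice it would be tuned per role and data store, and the bulk-reader list is a review queue, not proof of wrongdoing.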