While the world watches Edward Snowden and his serendipitous travels and possible end game as he faces charges of US espionage at home, the security world has been asking the same question since the Guardian made its bombshell disclosures: How did this happen?
Indeed, regardless of one's personal views on whether Snowden is a whistle-blower, a spy, or a confused young man, one thing is certain. In a relatively low-level analyst role inside the National Security Agency (NSA), Snowden had access to large piles of sensitive data – both metadata and content data – on the US surveillance programs. While the deep content data was collected under the auspices of US government efforts to thwart terrorist attacks and cyber espionage by commercial and political entities, the episode illustrates what can happen when large organizations do not pay attention to who is able to come and go from their systems and what information those people can see.
Commercial organizations have been dealing with this problem for the past two decades. In the outsourcing shift of the late 1990s and early 2000s, American and other Western-based companies offshored security, network administration, and call center services to countries with lower-wage knowledge workers. Countries like Brazil, India and China began to sprout data centers and call centers, creating huge demand for trained and skilled tech workers. While many of these workers used their positions to eventually emigrate to developed nations, many remained close to their families and took good-wage local jobs with large multinational corporations.
And that’s when the fun stopped. Once inside, and absent multi-tiered governance and access models covering all system users, some of these third-party offshore providers found ways to increase their value by siphoning off intellectual property (IP) for use by related home-country industries. Granted, the vast majority of offshore information technology providers were of good repute and legitimate in their contracts and task execution. However, while working for a government contractor – a large multinational subject to ITAR and other commercial export and technology-transfer laws – the candy store was discovered not only open but unlocked.
It seems that, in their haste to spin off a large offshore company that had been created in a joint venture to take care of their systems, headquarters personnel of this multinational corporation became aware of unusual log entries showing the use and viewing of certain key data files. These files related to the design and manufacture of products governed by commercial and government controls, and had nothing to do with the core systems management processes the offshore company was now contracted to provide and maintain. In short, network administrators had such broad access, based on the definition of their user profile, that they could essentially view, edit, delete and copy any product-related file. This led to a long discussion and a renegotiation of the service level agreement between the multinational and the offshore provider. Eventually a domestic systems management services provider was contracted to take over the network care of product and manufacturing data.
There will always be Edward Snowdens in the world, people who feel they must act on what they see or re-purpose the information available to them. However, with greater governance and control of information policy we can limit the ability of future Snowdens to gain full visibility into information they have no need to know. We have the tools and methods available to put these governance policies in place. In both the government and commercial sectors, responsible management is needed to do so.