Edward Snowden — a failure of basic computer security

Big Red Car here.  The Boss had me out for coffee early this morning.  No meeting or anything, just me and The Boss drinking some nice hot caffeine.

So The Boss was reflecting on the Edward Snowden thang and had some harsh words for the NSA and its brethren.

Securing our Nation’s secrets

The United States has secrets and rightfully so.  Every nation does.  These secrets are only valuable and actionable if they are, well, SECRET.

The most basic responsibility as it relates to national security is to secure our secrets.

The Edward Snowden saga is all about inadequate security which allowed a low level dweeb — no, Old Sport, not an IRS low level dweeb from Cincinnati, haha — working for a contractor to the NSA to access and steal national secrets.

And, Old Sport, these national secrets were BIG ones.  Huge.  Powerful and systemic.  The guy was roaming around in a computer looking at and stealing the most holy of the holiest secrets.

This is a huge screw up.  How did such an unreliable and inexperienced rube get his hands on secrets of that magnitude?

Two words — inadequate security.

Need to know

One of the most basic concepts of securing secrets is the notion of “need to know” — secrets are not revealed to anyone unless they have a need to know them.

This means that an analyst is only exposed to secrets that are necessary for her to perform her analysis.  Field personnel are only exposed to secrets necessary for them to conduct their operations.

Edward Snowden did not have a legitimate need to know these secrets.  He was a computer operator, arguably a computer field operative, perhaps.  He had absolutely no requirement to know the kind of secrets he stole.

Huge failure of “need to know” supervision by the NSA and their contractor, Booz Allen Hamilton — BAH.

Compartmentalization

Another basic concept of securing secrets is to compartmentalize them.  That means to safeguard secrets by subdividing them into categories of secrets which are available to only select groups of folks working on those subjects who have an operational or analysis need to know.

Compartmentalization can be by geography or country — Russia v China, as an example.  Or by subject — military, economic, as an example.  Or by person — Chinese leadership or the European Union leaders, as an example.

Compartmentalization can be by classification level — SECRET v TOP SECRET v CODE WORD.  Some classifications are so high that the name of the classification itself is classified.  “Everybody not holding an Ochre 8 clearance, out of the room.  This is an Ochre 8 briefing.”

Huge failure of “compartmentalization” supervision by NSA and their contractor.

Operational security

Another basic concept of securing secrets has to do with the operational security of functions that routinely handle secrets.

This manifests itself more in its absence than in its presence in the case of Edward Snowden.

1.  How did someone of that ilk access secrets that he had no need to know and which should have been effectively compartmentalized against his intrusion?

The NSA and their contractor should have known immediately that a low level dweeb was accessing documents that were way above his responsibilities and pay grade.  This should have been written into the software that allowed access.  In a certain way, this is also compartmentalization that should have been imposed on the storage methodology.

2.  Why, oh why, were there live USB ports on any computer which was accessing such secret information?

The NSA and their contractor should have had a software regimen and a physical methodology of preventing USB ports from being operational.  Crazy Glue in the USB ports?  This thought process should have been applied to all storage and transmittal devices and software.  This is a fundamental concern as basic as having a lock on the door to the file room in which such secrets might have been stored.

3.  How was it possible to get a flash drive in and out of such a secure facility?

The NSA and their contractor should have had a discipline which prevented the intrusion of any storage device from entering or exiting that room.

Again, this is so basic and fundamental as to insult one’s intelligence.  Sorry.

4.  Why was there no physical oversight on the conduct of operations in that room?

By this is meant CAMERAS.  The presence of a journeyman-like camera setup would have alerted folks to a real problem — hey, there’s a guy in cubicle no. 7 who is operating a flash drive and making copies of documents.  Huh?

The NSA and their contractor should have had a monitored camera setup which would have detected that someone was using flash drives, as an example.  [Oh no, Big Red Car that is so damn fundamental as to be laughable.  Right?  Yes, Old Sport, that is right.]

5.  Why did nobody “walk the cat backwards” and see what this dweeb was routinely doing with his time?

One of the most basic operational security disciplines is to walk the cat backwards to see where an operative is spending his time.  In this manner, a supervisor would be able to see what the dweeb had been accessing on his computer.  This computer history is readily available.

Under the guise of walking the cat backwards, the camera tapes would have been reviewed at high speed and it would have become apparent that Snowden was making freakin’ copies of documents.  Simple discipline indeed.

If it became apparent that he was accessing and copying documents that were ultra-secret and not applicable to his work, then someone would have been alerted and the dweeb could have been shut down, his computer frozen and he could have been interrogated off premises.

The NSA and their contractor should have instituted a discipline that required every computer person to be out of the office one day per month to be able to monitor where they had been roaming on their computer.  This would have effectively surfaced this problem very early in the game.

This is exactly why banks have historically required tellers to take a 1-2 week vacation per year to rummage through their accounts and patterns of behavior to detect any irregularities.

This is a huge breakdown of basic security protocol.

With just the above smattering of operational security considerations, it is easy to see that the Edward Snowden saga is a colossal operational security failure.  On the other hand, had any of these basic disciplines been in place, Edward Snowden would have been caught.
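To make the “need to know” and “walk the cat backwards” points concrete, here is an added example (it is not from the post and not any NSA or BAH system): a toy need-to-know check that the access software could enforce up front, plus a retrospective review of a constructed access log that flags out-of-scope reads, removable-media writes and bulk copying.  The users, compartment names and log events are made up.

```python
from collections import Counter
from dataclasses import dataclass
# Ordering of levels; CODE WORD material is modelled as TOP SECRET plus a compartment.
LEVELS = {"SECRET": 1, "TOP SECRET": 2}

@dataclass(frozen=True)
class Label:
    """Level plus compartments: used both for a document's classification
    and for a person's clearance, which has the same shape."""
    level: str
    compartments: frozenset

def may_read(who: Label, doc: Label) -> bool:
    """Need-to-know check the access software should enforce before serving a
    document: reader's level dominates AND reader holds every compartment."""
    return LEVELS[who.level] >= LEVELS[doc.level] and doc.compartments <= who.compartments

def walk_the_cat_backwards(log, clearances, copy_threshold=3):
    """Retrospective review of an access history: flag reads outside need-to-know,
    every write to removable media, and users whose copy count reaches the
    threshold. Returns (user, finding, detail) tuples."""
    findings, copies = [], Counter()
    for user, action, doc in log:
        if not may_read(clearances[user], doc):
            findings.append((user, "OUTSIDE_NEED_TO_KNOW", doc.level))
        if action == "copy_to_removable":
            findings.append((user, "REMOVABLE_MEDIA_WRITE", doc.level))
            copies[user] += 1
    for user, n in copies.items():
        if n >= copy_threshold:
            findings.append((user, "BULK_COPY", str(n)))
    return findings

# Constructed sample data: hypothetical users, compartment names and events.
CLEARANCES = {
    "analyst": Label("TOP SECRET", frozenset({"CHINA"})),
    "operator": Label("SECRET", frozenset()),  # computer operator, no compartments
}
LOG = [
    ("analyst", "read", Label("TOP SECRET", frozenset({"CHINA"}))),
    ("operator", "read", Label("SECRET", frozenset())),
    ("operator", "read", Label("TOP SECRET", frozenset({"CHINA"}))),
    ("operator", "copy_to_removable", Label("TOP SECRET", frozenset({"CHINA"}))),
    ("operator", "copy_to_removable", Label("TOP SECRET", frozenset({"RUSSIA"}))),
    ("operator", "copy_to_removable", Label("SECRET", frozenset())),
]

if __name__ == "__main__":
    for finding in walk_the_cat_backwards(LOG, CLEARANCES):
        print(*finding)
```

Every finding in the sample lands on the operator: the up-front check alone would have refused three of the reads, and the review over the log surfaces the copying even for the one document he was cleared to read.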

Accountability

Who is going to be held accountable for this problem?

Edward Snowden is clearly a criminal, having revealed national secrets.  The Big Red Car will spare you the whistleblower and patriot angles as Snowden failed to follow the appropriate procedures.

Edward Snowden will ultimately be punished.  The secrets are of such a magnitude that a bit of life insurance on old Edward may not be a bad investment.  [Really, Big Red Car, really?  Yes, Old Sport, really.  The guy has done the kind of damage that wins the “bullet behind the left ear” lottery.  The President of the US would be doing the right thing to authorize his disappearance.]

The NSA has shat upon itself in its total lack of operational security and the failure to enforce even the most basic of secret keeping disciplines.  Someone over there needs to get fired.  It is clear that the guard rails have not kept pace with the furious pace of technological development at the NSA.

The NSA problem is all the more serious given that Snowden stole final, finished documents — not widely circulated drafts — which should have been exquisitely safeguarded.  Some of these documents were “eyes only” at the Cabinet level.  It was not uncataloged raw data.  It was the most sensitive information used at the highest levels and of the highest possible classification.  This was the Crown Freakin’ Jewels.

The contractor, Booz Allen Hamilton, gets in the tub with the NSA and should be eliminated as a vendor to the US government.  They have failed — big time.  We are paying for this colossal failure.  We should, at least, get our money back, no?

What this also demonstrates is the difference between legacy physical systems — hard copies — and the digital environment which currently is the core methodology of document administration and storage.  This is a computer problem.

How much damage, really?

The magnitude of the damage done by Snowden is already easily the worst in the history of American intelligence breaches.  Not even close because these are original documents which reveal not just results, objectives and targets but also methodology, sources, analysis and give a keen insight into the thinking of our intelligence community.

The Chinese have all of this information.  The Chinese did not allow a 20-something kid to hang around Hong Kong for a month and not get the contents of those four laptops.  They have every file that Snowden stole.

Ditto, the Russians.

This is information that today, the Chinese and the Russians would kill to obtain.  The simple fact that Snowden continues to breathe is all the proof one needs to know that the information on those four laptops has been completely compromised.

This is huge, America, and we need to pay attention.

The other thing that is important is the clear and obvious revelation that the NSA and, perhaps, the entire tech community is coloring way outside the lines as it relates to privacy concerns.  Microsoft has apparently been helping the intelligence community to decrypt the very email encryption it is selling to its customers.  [WTF, Big Red Car?  That is a subject for another time, y’all.]

But, hey, what the Hell do I really know anyway?  I’m just a Big Red Car.