Edward Snowden, who has the distinction of having stolen data from the most secure database in the world, has written a book. Called “Permanent Record,” it describes his exploits while employed by the U.S. National Security Agency.
Snowden’s prodigious technical skills allowed him access to the NSA’s entire cache of data, which he memorably referred to as the “keys to the kingdom” in a 2013 interview with “60 Minutes.”
If the NSA data was vulnerable, every company’s data is vulnerable. Indeed, the unfettered access that IT people have to data can take a company down. Unfortunately, a company may not be able to tell which employees to be worried about.
Snowden underwent heavy background checks before obtaining the access — much heavier than the average company is able or willing to perform.
There were no signs of potential disloyalty at the beginning. In fact, Snowden admits that when he started in his intelligence community work he was a proud and dedicated member of his country’s defense forces. His attitude changed over time, though.
According to Snowden, his superiors’ lack of technical knowledge gave them no choice but to trust him.
In addition to his work with the NSA, he had interactions with the CIA. He writes of a cultural change, “when the old-school prepster clique that traditionally staffed the agencies, desperate to keep pace with technologies they could not be bothered to understand, welcomed a new wave of hackers into the institutional fold and let them develop, have complete access to, and wield complete power over … systems of state.”
The key terms there: complete access and complete power. Without fully knowing their technology, employers cannot control — or even know — what IT staff are doing.
Snowden further described the consequences of this:
“Here is one thing the disorganized CIA did not understand at the time, and that no major employer outside of Silicon Valley understood either: the computer guy knows everything, or rather can know everything. The higher up this employee is, and the more systems-level privileges he has, the more access he has to virtually every byte of his employer’s digital existence….
“And with the official title and privileges of a systems administrator, and technical prowess that enabled my clearance to be used to its maximum potential, I was able to satisfy my every informational deficiency.”
Such unfettered access is not unique to the intelligence community. It happens in virtually every company. Management generally knows this, at least vaguely, but also generally accepts it. But it clearly should be managed by access control, segregation of duties, and monitoring of the IT department.
Snowden passed the toughest security clearances. So what happened? He saw things, or felt things, that gradually made him change his attitude; one night, he says, “some dim suspicion stirred in my mind.” He was very young, only in his twenties.
He writes, “There’s always a danger in letting even the most qualified person rise too far too fast, before they’ve had time to get cynical and abandon their idealism. I occupied one of the most unexpectedly omniscient positions in the Intelligence Community — toward the bottom rung of the managerial ladder, but high atop heaven in terms of access.
“And while this gave me the phenomenal, and frankly undeserved, ability to observe the IC in its full grimness, it also left me more curious than ever about the one fact I was still finding elusive: the absolute limit of who the agency could turn its gaze against.”
Whatever we do in our companies, most of us think it’s noble. An energy company thinks it’s heating homes and keeping their lights on. But the not-yet-cynical young employee, still steeped in idealism, may regard the company as a corrupt polluter.
Snowden hadn’t yet had time to get cynical. In other words, he hadn’t come to accept that the world might harbor injustices or might not always operate the way he would like. Instead, he became cynical while on the job — the worst-case scenario for his employer.
Snowden wrote that he didn’t have any politics at age 22.
A few years later: “Contradictory thoughts rained down like Tetris blocks, and I struggled to sort them out — to make them disappear. I thought, pity these poor, sweet, innocent people — they’re victims, watched by the government, watched by the very screens they worship. Then I thought: shut up, stop being so dramatic — they’re happy, they don’t care, and you don’t have to either. Grow up, do your work, pay your bills. That’s life.”
By age 29, he came to view the NSA as an example of an organization “in which malfeasance has become so structural as to be a matter not of any particular initiative, but of an ideology.”
He wrote, “They’d hacked the Constitution.”
It’s hard to know for sure who might become that rogue employee, but management awareness can help. Snowden’s attitude evolution might have been spotted if anyone had been looking.
As discussed, the IT department is where access and control lie. So someone outside of IT has to be watching what IT is doing. Whether by a dedicated internal audit team or an independent contractor, oversight is necessary. Often these oversight units report to the CFO.
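One way to put the two points above into practice, segregation of duties and someone outside IT watching what IT does, as an added example (not code from the article or from any vendor): a small review script an audit team could run over privileged-access records. The account names, event fields, thresholds and ticket format are assumptions constructed for the example.

```python
"""Added example: oversight review of privileged (sysadmin) activity.

Assumptions (constructed for this example): audit events are dicts with
user, action, records (count) and ticket; IT_ADMINS holds accounts with
systems-level privileges; OVERSIGHT_REVIEWERS is the team that reviews them."""

IT_ADMINS = {"sysadmin01", "sysadmin02"}
# sysadmin02 also appears as a reviewer: a deliberate segregation-of-duties conflict
OVERSIGHT_REVIEWERS = {"audit.lee", "sysadmin02"}
BULK_THRESHOLD = 10_000  # records touched in one action before it is flagged

# Constructed audit events (not real data)
AUDIT_EVENTS = [
    {"user": "sysadmin01", "action": "read", "records": 120, "ticket": "CHG-1001"},
    {"user": "sysadmin01", "action": "read", "records": 250_000, "ticket": None},
    {"user": "sysadmin02", "action": "export", "records": 15_000, "ticket": "CHG-1002"},
    {"user": "analyst03", "action": "read", "records": 500_000, "ticket": None},
]


def sod_conflicts(admins, reviewers):
    """Segregation of duties: nobody may both hold admin privileges and review admin activity."""
    return sorted(admins & reviewers)


def flag_privileged_access(events, admins, threshold=BULK_THRESHOLD):
    """Return admin actions that are bulk reads/exports or lack an approved change ticket.

    Non-admin accounts are skipped here; they are governed by ordinary access control,
    while this review exists because admins can bypass it."""
    findings = []
    for e in events:
        if e["user"] not in admins:
            continue
        reasons = []
        if e["ticket"] is None:
            reasons.append("no change ticket")
        if e["records"] >= threshold:
            reasons.append(f"bulk {e['action']} of {e['records']} records")
        if reasons:
            findings.append((e["user"], "; ".join(reasons)))
    return findings


def oversight_report(events=AUDIT_EVENTS, admins=IT_ADMINS, reviewers=OVERSIGHT_REVIEWERS):
    """Combine both checks into one report for the (non-IT) oversight function."""
    return {"sod_conflicts": sod_conflicts(admins, reviewers),
            "flagged": flag_privileged_access(events, admins)}


if __name__ == "__main__":
    for key, value in oversight_report().items():
        print(key, value)
```

The report lists sysadmin02 as a reviewer who must be removed from the oversight team, and flags the unticketed bulk read and the large export; the analyst's large read is left to normal access controls.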
Regarding cyber insurance, it’s important to understand whether the policy covers loss caused by rogue employees. Insurers today like to take the position, in an increasingly forceful way, that the policy will not cover actions by members of a “control group.”
It might be acceptable if the definition of control group is limited — to, say, the CEO, CFO, and general counsel. But what about a control group that continually expands over time? We recently reviewed a cyber policy in which actions by all of the following were excluded:
“Any duly elected or appointed Chief Executive Officer, Chief Financial Officer, Chief Information Officer, Chief Privacy Officer, Chief Security Officer, Chief Information Security Officer, Chief Technology Officer, Risk Manager, General Counsel and in-house attorney designated to be in charge of litigation, or the functional equivalent of any of the foregoing.”
Simply put, there is no way for a company to control or know the intentions of that many people.
The rogue employee phenomenon is not common, which is both a blessing and a curse. Why it’s a blessing is obvious.
Why a curse? The problem with rare, potentially very severe events is that their remoteness can cause us to ignore them. We focus on frequent events because they are always in front of us. Unfortunately, the rare one we have ignored can be the one that takes the company down.
Frequent risk events automatically get all the attention they need. Risk managers should always force attention to the rare, severe ones. One suspects that Edward Snowden would say the same.
Frank Licata is president of Licata Risk Advisors, a Boston-area risk management consulting firm.
Featured photo: Edward Snowden speaking from Moscow during Web Summit 2019, held in Lisbon, Portugal, on November 4. Credit: Horacio Villalobos#Corbis/Corbis via Getty Images
Don’t want to have to deal with cybersecurity? Ship it off to the cloud!
Not so fast.
The cloud generally has the same issues regarding rogue employees: access to the cloud accounts is provided to, and can be controlled by, IT insiders.
But you also have to worry about the actions of the cloud provider, and their insiders. The contract with the cloud provider will not provide relief from that exposure.
Edward Snowden’s own take on the cloud is not that comforting. He wrote, “I don’t think I’d ever seen such a concept so uniformly bought into, on every side. ‘The cloud’ was as effective a sales term for Dell to sell to the CIA as it was for Amazon and Apple and Google to sell to their users.”
These companies “regarded the rise of the cloud as a new age of computing. But in concept at least it was something of a regression to the old mainframe architecture … where many users depended on a single powerful central core that could only be maintained by an elite cadre of professionals.”
And: “From the standpoint of a regular user, a cloud is just a storage mechanism that ensures that your data is being processed or stored not on your personal device, but on a range of different servers, which can ultimately be owned and operated by different companies. The result is your data is no longer truly yours.”