Many of you will know of my interest in IT security issues and technological risk – I wouldn't dream of posting anything technical on the Blog, but just occasionally, I come across an article that deserves wider circulation, and I thought that some of you might like to read this one. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books, as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Security Futurologist for BT — formerly British Telecom.
This is an article extracted from Crypto-Gram dated 15 September 2013.
Ever since Edward Snowden walked out of a National Security Agency facility in May with electronic copies of thousands of classified documents, the finger-pointing has concentrated on government's security failures. Yet the debacle illustrates the challenge with trusting people in any organization.
The problem is easy to describe. Organizations require trusted people, but they don't necessarily know whether those people are trustworthy. These individuals are essential, and can also betray organizations.
So how does an organization protect itself?
Securing trusted people requires three basic mechanisms (as I describe in my book "Beyond Fear"). The first is compartmentalization. Trust doesn't have to be all or nothing; it makes sense to give relevant workers only the access, capabilities and information they need to accomplish their assigned tasks. In the military, even if they have the requisite clearance, people are only told what they "need to know." The same policy occurs naturally in companies.
This isn't simply a matter of always granting more senior employees a higher degree of trust. For example, only authorized armored-car delivery people can unlock automated teller machines and put money inside; even the bank president can't do so. Think of an employee as operating within a sphere of trust — a set of assets and functions he or she has access to. Organizations act in their best interest by making that sphere as small as possible.
The idea is that if someone turns out to be untrustworthy, he or she can only do so much damage. This is where the NSA failed with Snowden. As a system administrator, he needed access to many of the agency's computer systems — and he needed access to everything on those machines. This allowed him to make copies of documents he didn't need to see.
The second mechanism for securing trust is defense in depth: Make sure a single person can't compromise an entire system. NSA Director General Keith Alexander has said he is doing this inside the agency by instituting what is called two-person control: There will always be two people performing system-administration tasks on highly classified computers.
Defense in depth reduces the ability of a single person to betray the organization. If this system had been in place and Snowden's superior had been notified every time he downloaded a file, Snowden would have been caught well before his flight to Hong Kong.
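To make the first two mechanisms concrete, here is a small access-policy check I have added (it is not from Schneier's essay and is not any agency's real configuration). Each administrator has a "sphere of trust" (the systems and document categories they need), every privileged access needs a distinct, in-scope second person to co-sign, and the audit pass flags anything that breaks either rule so a superior is notified rather than finding out later; the usernames, systems and events are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Sphere of trust per administrator: the systems and document tags they need.
# Constructed sample policy for illustration only.
SCOPES: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"systems": {"mail-01"}, "tags": {"ops"}},
    "bob":   {"systems": {"mail-01", "db-02"}, "tags": {"ops"}},
}

@dataclass
class AccessEvent:
    user: str                      # administrator performing the action
    system: str                    # machine the document was pulled from
    doc_tag: str                   # classification / need-to-know category
    approver: Optional[str] = None # second person co-signing, if any

def check_event(ev: AccessEvent) -> List[str]:
    """Return the reasons this access breaks policy; an empty list means allowed."""
    scope = SCOPES.get(ev.user)
    if scope is None:
        return ["unknown user"]
    problems: List[str] = []
    # Compartmentalization: the system and the document must both be in scope.
    if ev.system not in scope["systems"]:
        problems.append("system outside sphere of trust")
    if ev.doc_tag not in scope["tags"]:
        problems.append("document outside need-to-know")
    # Two-person control: a different, in-scope administrator must co-sign.
    if ev.approver is None:
        problems.append("no second-person approval")
    elif ev.approver == ev.user:
        problems.append("self-approval")
    elif ev.system not in SCOPES.get(ev.approver, {}).get("systems", set()):
        problems.append("approver outside scope")
    return problems

def audit(events: List[AccessEvent]) -> List[Tuple[str, str, List[str]]]:
    """Run every event through the policy; each violation becomes an alert."""
    return [(ev.user, ev.system, r) for ev in events if (r := check_event(ev))]

# Constructed audit trail: one legitimate co-signed access, then a lone
# administrator reaching outside both the system and need-to-know scope.
EVENTS = [
    AccessEvent("alice", "mail-01", "ops", approver="bob"),
    AccessEvent("alice", "db-02", "classified"),
]

if __name__ == "__main__":
    for user, system, reasons in audit(EVENTS):
        print(f"ALERT {user}@{system}: {', '.join(reasons)}")
```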
The final mechanism is to try to ensure that trusted people are, in fact, trustworthy. The NSA does this through its clearance process, which at high levels includes lie-detector tests (even though they don't work) and background investigations. Many organizations perform reference and credit checks and drug tests when they hire new employees. Companies may refuse to hire people with criminal records or noncitizens; they might hire only those with a particular certification or membership in certain professional organizations. Some of these measures aren't very effective — it's pretty clear that personality profiling doesn't tell you anything useful, for example — but the general idea is to verify, certify and test individuals to increase the chance they can be trusted.
These measures are expensive. It costs the US government about $4,000 to qualify someone for top-secret clearance. Even in a corporation, background checks and screenings are expensive and add considerable time to the hiring process. Giving employees access to only the information they need can hamper them in an agile organization in which needs constantly change. Security audits are expensive, and two-person control is even more expensive: it can double personnel costs. We're always making trade-offs between security and efficiency.
The best defense is to limit the number of trusted people needed within an organization. Alexander is doing this at the NSA — albeit too late — by trying to reduce the number of system administrators by 90 percent. This is just a tiny part of the problem; in the US government, as many as 4 million people, including contractors, hold top-secret or higher security clearances. That's far too many.
More surprising than Snowden's ability to get away with taking the information he downloaded is that there haven't been dozens more like him. His uniqueness — along with the few who have gone before him and how rare whistle-blowers are in general — is a testament to how well we normally do at building security around trusted people.
Here's one last piece of advice, specifically about whistle-blowers. It's much harder to keep secrets in a networked world, and whistle-blowing has become the civil disobedience of the information age. A public or private organization's best defense against whistle-blowers is to refrain from doing things it doesn't want to read about on the front page of the newspaper. This may come as a shock in a market-based system, in which morally dubious behavior is often rewarded as long as it's legal and illegal activity is rewarded as long as you can get away with it.
No organization, whether it's a bank entrusted with the privacy of its customer data, an organized-crime syndicate intent on ruling the world, or a government agency spying on its citizens, wants to have its secrets disclosed. In the information age, though, it may be impossible to avoid.
If you are interested in using cryptography to protect your communications, you have a number of options… whilst Bruce advises that public key cryptography isn't as good at protecting your messages as symmetric-key cryptography, it's easier to use if you want a wide range of correspondents to protect their messages to you. My own public keys can be found by searching for "crorie" on any PGP key server.