Whether you view Edward Snowden, the former CIA employee who blew the doors open at the ultra-secret NSA, as a patriot or as a spy, you can be assured that the CIA and NSA will take strong measures to put the lid back on how they do business.
The director of the NSA, Gen. Keith B. Alexander, says that his agency will institute a two-man rule, similar to what is used on submarines, where both the commanding officer and executive officer must agree that the order to launch is valid. The idea is that it will take two people to gain access to server rooms and that System Administrators (SysAdmins) will be paired together when accessing sensitive intelligence. Also, access to data will be limited by not storing as much on a single server.
However, given the nature of a SysAdmin's job, how will the two-man rule be implemented, and will it truly be effective? Many organizations protect their secrets by using ‘security by design’, where the software or systems have been designed from the ground up to be secure, or by ‘security through obscurity’, where secrecy of design or implementation provides the security.
Effective security is not just about the technology managing the secrets, but more importantly about the management of the people who hold those secrets. The problem is that the SysAdmin role is one of access to the systems, and SysAdmins are usually the ones who hold the keys to the kingdom. With a two-man authentication system, the NSA will certainly undergo a slowdown in the amount of data it will be able to review, since approvals for both the ingress and egress of that data and its systems must be done in tandem. Also, with the advent of even bigger Big Data and Cloud-based data solutions, the problem becomes exponentially more difficult to manage.
How can a SysAdmin, who by the nature of the job has access to enormous amounts of sensitive information, be regulated and controlled? To start, the NSA has said it will cut SysAdmins by 90% to limit data access. Gen. Alexander has said that “what we’ve done is we’ve put people in the loop of transferring data, securing networks and doing things that machines are probably better at doing.” Using technology to automate the work done by employees and contractors would make the NSA’s networks “more defensible and more secure,” Gen. Alexander said at a cybersecurity conference in New York City.
Regardless of the security technologies implemented, the security processes in place, and the systems that protect against the release of those secrets, security will still boil down to trust in the people who control those systems. What’s to stop a person who manages the NSA’s new control systems from releasing those secrets? Will the next Snowden be the person who manages those control systems or the person who wrote the software that manages those controls? Implementing the two-man rule, reducing the number of people with access, and bringing in new control systems will help the NSA, but it will come at a high cost in efficiency. The solution to not having another Snowden lies not only in the security processes put in place to protect the secrets, but also in the simplest part of the equation: ensuring that each prospective analyst undergoes more stringent interviews and background checks, and ongoing recertification once hired. It turns out that Booz Allen Hamilton, the firm that hired Snowden as a subcontractor, had concerns after finding discrepancies in his résumé, though it still hired him.
It used to be that when someone joined the military and applied for a secret or top secret clearance, not only would they be interviewed by the FBI and the hiring branch of service, but so would their friends, and their friends’ friends. That hiring and approval process was very exhaustive. A good start to avoiding another Snowden would be to tighten up the interview and background checking process. Having subcontracted firms be responsible for the approval process of hiring prospective NSA personnel is not the most effective method for weeding out poor candidates. All potential NSA personnel should go through extensive checks beyond what a subcontracted company can provide, and that responsibility should be given back exclusively to the government. Strength in security must start with the individual who is hired, and not rely only on the systems in place.