Wednesday, February 12, 2014

Snowden's Legacy: Failed Policies

Yesterday, James Clapper, the Director of National Intelligence, publicly said he still didn't have the necessary technology to stop the kind of incident Snowden represents.  It was an interesting statement to make.

We forget that Snowden is not the first spy to steal classified information from our government.  It is most commonly a person with access, a security clearance, and not enough security to stop him (it is almost always a man, ladies).  Security of computer systems went up and down for years while we had a long list of these folks stealing from the most secure locations the government had.  All of them had clearances and all had access to computer systems, getting things they were allowed to have.  That is not the same thing as "authorized to have."  The computer systems they were on didn't stop them from having access, and didn't find out what they were doing while they were doing it.

Our government has had a resurgence of "auditing" interest, with the mistaken belief that more auditing produces better chances of catching some of these fellows who are stealing from us.  There is no evidence to suggest any such logic applies in these cases.  We have been auditing since the early '60s, when someone figured out that computers were not places everyone should be allowed to go.  Hackers used to be able to roam around in a system and nobody really cared.  They weren't hurting anything and didn't take things.  That started changing in the '70s.  In the '80s there were some pretty good security changes that allowed monitoring of multiple systems from the same automated systems.  A business could baseline its "normal" operations and detect deviations from that norm.  It took work to baseline, and it took more work to sort through the false positives that the systems generated.  We can do it better now, but the real question has not changed very much: are we monitoring the right things when we do look at what people are doing?
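To make the baseline-and-deviation idea above concrete, here is an added example (not from the original post) that baselines each user's daily document retrievals from a constructed audit log and flags days that fall well outside that norm; the user names, counts and the three-sigma threshold are assumptions, and the output deliberately includes a legitimate surge that an analyst would have to triage as a false positive.

```python
# Added example: baseline "normal" per-user activity, then flag deviations.
# The audit log below is constructed for illustration; no real data.
import statistics
from collections import defaultdict

# Constructed one-week baseline: (day, user, documents retrieved that day).
BASELINE_LOG = [
    (d, "analyst_a", n) for d, n in enumerate([40, 45, 38, 50, 42, 47, 44], 1)
] + [
    (d, "analyst_b", n) for d, n in enumerate([12, 15, 11, 14, 13, 16, 12], 1)
]

def build_baseline(log):
    """Per-user (mean, population stdev) of daily retrieval counts."""
    per_user = defaultdict(list)
    for _day, user, count in log:
        per_user[user].append(count)
    return {u: (statistics.mean(c), statistics.pstdev(c))
            for u, c in per_user.items()}

def deviations(baseline, observations, k=3.0):
    """Return (user, count, ratio_to_mean) for observations above mean + k*stdev.

    Users with no baseline at all get ratio None: there is nothing to compare
    against, so they always go to a human for review.  The ratio is carried so
    an analyst can separate a 1.4x busy day from a 60x bulk pull."""
    alerts = []
    for user, count in observations:
        if user not in baseline:
            alerts.append((user, count, None))
            continue
        mean, sd = baseline[user]
        if count > mean + k * sd:
            alerts.append((user, count, round(count / mean, 1)))
    return alerts

if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    # Constructed day-8 observations: one normal day, one bulk pull,
    # one legitimate surge (false positive), one unknown account.
    today = [("analyst_a", 52), ("analyst_b", 900),
             ("analyst_a", 60), ("contractor_x", 5)]
    for user, count, ratio in deviations(base, today):
        print(f"REVIEW {user}: {count} docs, {ratio}x baseline")
```

Counting retrievals catches the bulk pull only because retrievals are what is being measured; a system that audits logins alone would show nothing unusual for any of these users.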

Snowden, Ames, Hanssen and a few others that never made the public eye are all cases of the same type.  After each one, we said we had to do better.  One of the biggest obstacles is the willingness of the Feds to spend the money that it takes to do the job.  They have to study it; they have to refine it; they have to implement unpopular policies and clamp down on the networks.  Until they demonstrate that they can catch a thief, there will continue to be more.

It speaks to the credibility of the computer security policies of the people involved.  We used to have good policy, adequately enforced, monitored, and controlled.  Now we have laundry-list policies fostered and disseminated by NIST, which has never, ever known how to secure systems like the ones that have been exploited.  These kinds of controls are the absence of policy, and amount to saying, "do what you can."  A staffer I worked with for a number of years said NIST was given the policy responsibility because "they knew NIST wouldn't do anything" and the Agencies could do what they wanted.  Be careful what you wish for.  The damage of having no policies far outweighs the benefits.
