Thursday, July 18, 2013

Missing the lessons

Listen up people, I enjoy a pointless socio-political sequential rant on Twitter as much as most folks (I say sequential rant instead of debate, because real debate rarely happens on Twitter)- but seriously, almost the entire InfoSec world is missing the lessons of Manning, Snowden, et al. which are relevant to our goals of securing info.  Also, I see way too many people who should know better falling into the media, troll, and pundit (hard to tell the difference sometimes, probably because there isn’t always a difference) trap of narrowing choices.

Let’s start with the choice flaw: if you are given an “either/or” choice and fall for it, you’ve let the punditroll define the terms of the conversation, and you’ve lost (or at least truth has lost, but what the hell, The Truth is sadly accustomed to losing).  Is [Snowden/Manning/U.S. Grant/George Washington] a hero, traitor, or demon? Yes and no to all of the above- it depends on your position and too many other factors.  Reject the either/or fallacy, and don’t participate in it.

Now, about the lessons- politics, justice, and all that stuff best decided on Twitter or Reddit (or 4Chan) needs to be set aside for a minute so we can look at the security challenge.  My first InfoSec reaction to both the Manning and Snowden breaches was WHY THE HELL DID HE HAVE ACCESS TO ALL OF THAT?!?!?  A few hundred thousand diplomatic cables and other sensitive info freely available at a forward military base- all of which could be accessed and copied by enlisted personnel without supervision- and without setting off any detections?  Treasure troves of Top Secret documents available to a junior contract employee of an intelligence contractor?   Epic failures of fundamental information protection.

The US Department of Defense knows better, but they failed miserably.  To their credit, they’re trying to fix those access problems, but that is not an easy task, and I fear that those beating the Drums of Cyberwar will distract the DoD from getting the basics under control.  And what about Boozed-Allen-give-us-the-Hamiltons?  We (literally we, US taxpayers) pay them a lot of money to screw up.  As I have said many times before, never outsource your core competencies, especially failure.

I understand that this is not a simple challenge, but if you can’t answer

“Who has access to what, under what conditions, and with what monitoring and safeguards?”

you have a problem.  Probably more than one.  And no, I do not expect you to be able to answer that about everything you need to protect.  But maybe, just maybe, the stuff that can embroil multiple nations in political and diplomatic turmoil if leaked- that stuff, you should put a little thought into protecting it.  Maybe you don’t protect (or fail to protect) anything that sensitive, but you probably help protect things which if lost would cause people (including you) to have A Really Bad Day.  Skip the next round of pundit listening or troll feeding and think about that.
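As an added illustration of that question (example code, not from this post), the Python below walks a constructed set of grants and an access log: it flags sensitive assets reachable by broad groups with no access condition or monitoring, and it surfaces bulk reads of the kind that went unnoticed in the breaches described above. All asset names, principals, and the threshold are made up.

```python
from collections import Counter

# Constructed sample data (not from the post): assets with a sensitivity label and
# whether reads are monitored, and grants of principal -> asset under a condition.
ASSETS = {
    "cables-archive": {"sensitivity": "secret", "monitored": False},
    "hr-handbook": {"sensitivity": "internal", "monitored": False},
    "sigint-reports": {"sensitivity": "top-secret", "monitored": True},
}
GRANTS = [  # (principal, asset, condition)
    ("all-enlisted", "cables-archive", "any"),
    ("all-staff", "hr-handbook", "any"),
    ("contractor-sysadmin", "sigint-reports", "any"),
    ("analyst-team", "sigint-reports", "need-to-know"),
]
BROAD_GROUPS = {"all-enlisted", "all-staff", "everyone"}
SENSITIVE = {"secret", "top-secret"}

def audit_grants(assets, grants, broad_groups=BROAD_GROUPS):
    """Return (asset, principal, issue) for each way a grant on a sensitive asset
    fails the who / what / conditions / monitoring question."""
    findings = []
    for principal, asset, condition in grants:
        meta = assets[asset]
        if meta["sensitivity"] not in SENSITIVE:
            continue  # internal-only data is out of scope for this audit
        if principal in broad_groups:
            findings.append((asset, principal, "broad group granted sensitive asset"))
        if condition == "any":
            findings.append((asset, principal, "no access condition"))
        if not meta["monitored"]:
            findings.append((asset, principal, "no access monitoring"))
    return findings

# Constructed access log: (user, asset, documents read) per session.
ACCESS_LOG = [
    ("pfc-a", "cables-archive", 120),
    ("analyst-b", "sigint-reports", 12),
    ("pfc-a", "cables-archive", 5000),
    ("pfc-c", "cables-archive", 40),
]

def bulk_readers(log, threshold):
    """Sum documents read per (user, asset); totals at or above the threshold are
    the bulk-copy pattern that went undetected in the breaches the post describes."""
    totals = Counter()
    for user, asset, docs in log:
        totals[(user, asset)] += docs
    return {key: n for key, n in totals.items() if n >= threshold}
```

Run `audit_grants(ASSETS, GRANTS)` and `bulk_readers(ACCESS_LOG, 1000)` against your own inventory and logs; the first answers the question in the post, the second is the detection that should fire long before a few hundred thousand records leave the building.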