Finally, Security is a Priority for Agencies, Companies, Individuals
“You are being watched. The government has a secret system, a machine that spies on you every hour of every day. I know because I built it.” Harold Finch, “Person of Interest,” CBS
I’m not much of a TV fan but I do like good documentaries so I got hooked on Person of Interest at the very beginning. Of course, I’ve always felt most people are inherently good and governments are inherently evil. I’ve also understood that those service agreements for all the “free” services I get online and in the cloud meant they were getting something in return, something that they could … monetize. Fair enough!
I still haven’t figured out:
– Why government agencies are up in arms because someone told you what they are doing.
– Why other governments are disturbed that U.S. snoops are listening in on their snoops who are listening in on the U.S. snoops.
– How the NSA could have such a sucky internal security program.
You would think if government agencies were really interested in keeping stuff from us they would have watched several of the films about WW II and the Navajo Code Talkers. You know, really scramble the stuff up so only a few folks could understand but also had a guy standing behind them with a gun just in case they got close to being captured by the other side. Jeezz, not a job I would take!
Wiki leaks Assange is probably a little jealous of Snowden because not many of us think much about him sitting in the Ecuadorian Embassy in London and even his movie bombed. Snowden’s little disclosure had an effect he probably didn’t realize (or probably care about) he would muck up business for companies; and, more importantly, for you and me on the open Internet.
Business Impact
It has already had an adverse effect on businesses like Google, Microsoft, Facebook, Twitter, Cisco, Apple, Akamai and every cloud service company. Governments around the globe are pushing for ways to eliminate the free flow of information by imposing their own national control over the Internet and more than 40 percent of the world’s population that is online. China, Russia, India, Mexico, Germany, oh heck every country is pushing for ways they can govern the Internet. That tears at the very foundation of the Internet to break down borders to work, live in a single community. The network of networks (originally ARPANET – which ironically was government funded) was created to enable scientists, educators, theorists, engineers to work with and share their information and ideas to produce insanely great stuff that would help all of us.
Good, Free
When TCP/IP (the Internet protocol) was settled on back in 1982, the thing really took off; and in the past 20 years, it changed everything:
– eMail
– IMing
– VoIP
– Video calls
– The Web, which gave us forums, blogs, social nets, eCommerce , cloud computing/storage, cat videos
Countries setting up rules/guidelines for Internet traffic inside their borders could limit, strangle all of that freedom. Of course, on the upside it might help the world’s postal service. Now I’m not an IT expert and certainly not a cryptographer, but every CIO/CTO knows that the biggest threat to a company’s data is internal, not from hackers/whackers/cyberbadfolks.
Enemy Within – While IT people spend a whole lot of time and money protecting their organization’s network and data from outside snooping, the biggest threat to the safety/security of private and sensitive data is from within. If it’s a well-known fact among security pros, you’d think the NSA might have taken a few more precautions with the data they’re scraping from just about everyone. Data security has been a big business since the first mainframe was delivered and with the proliferation of BYOD (bring your own device); it has become even more “challenging” for IT pros. Security folks spend a lot time and effort to keep company private stuff private, but it almost seems like it’s a losing battle.
They face:
– Employees falling for phishing expeditions and downloading malware that gives folks access to everything
– Laptops, tablets, smartphones being lost, misplaced, left unattended
– Dumb, dumber personal passwords (hint – 123456 and the word “password” aren’t really good 1st choices)
– Usurping corporate security measures because they just “get in the way of doing stuff”
– Unintentional access to certain stuff
– Disgruntled ex-employees who still have access to the company network
– Using computers, tablets, smartphones that don’t have all the current patches installed
– Unintentional data leaks in the course of “communicating” with someone about your personal/work life
Some of the security breaches are deliberate, others are unintentional. It doesn’t really matter because it puts the company’s network and data at risk and that can mean lost productivity and/or monetary loss.
Security Policies
That’s why IT departments have those policies that target internal breaches like:
– Policies that address the use of external removable media such as flash drives, USB/Firewire hard drives, CD/DVD burners, etc.
– Email attachment policies that keep you from opening infected attachments or sending confidential documents outside the network
– Printing policies that limit folks from making hard copies of electronic documents
– Download policies that keep you from downloading stuff from the Web that has malicious code along for a free ride
Obviously, the NSA didn’t have many of these policies in effect or figured they were meant for the guy/gal at the other desk.
Haulin’ Secrets – Not only did Snowden pack out a ton of really neat stuff from NSA, he had copies that he spread around to places just to protect himself from some unforeseen “accident.” You might think someone would get suspicious of the truck at the loading dock and all that late night work. Still, you’d think someone might have wondered why Snowden was stashing/hauling all of the really good stuff for “later.” I’m not really sure; but if I joined a spy organization, then I might think I would be doin’ spy stuff.
Spy’s Eye – There’s nothing wrong with being a government snoop and looking out for people who might do evil. But HR could do a little better job of screening folks who send in their resumes to make certain who’s side they are really on. And like a good spy, you have a backup plan … you know, copies of copies of copies stashed around … just in case.
Positive Effect
Nevertheless, all of his outing activity has had a positive effect because companies and governments have started encrypting their communications. Google, Microsoft, Yahoo have begun encrypting the traffic between their worldwide data centers, making it tougher for government agencies to tap into customer data (and theirs). Now these folks spend a ton of money leasing private fiber optic cable to keep most of their activity off the public Internet; but still just like your stuff, it periodically (if only for a nanosecond) has to spend time at the public Internet hubs.
Weak Link – Organizations spend billions of dollars leasing private cable to send information, materials to and from their data centers but there is always that one little link where content goes from the public to private network that can be tapped. To prevent theft (snooping), firms like Google, Yahoo, Microsoft and others have decided to simply encrypt all the data and avoid probable loss. So they just decided to add another layer of security to keep their information out of their hands. You can’t really fault the NSA (or most government spy stuff) because it was designed to protect you and me from terrorists or bad folks. But along the way, it seems these folks get “overzealous” in their work; and before you know it, they start doubting/checking friends and significant others. That’s probably true of any person who works in data security very long.
Daily Ripoff
Cripes, Adobe, DropBox, Evernote, Twitter and others who don’t admit it, have had password breaches and losses and folks just shrugged their shoulders and said “****”. But the Snowden/NSA outing has made companies and the rest of us think a little harder about the stuff we have on our devices and how we protect it. Organizations are starting to encrypt sensitive data and IT experts are looking a lot more closely at their systems to make sure there aren’t backdoors folks can tap into. So it probably makes it more challenging for the 12-year-old hacker, whacker and cybercrook. It sure made business tougher for cloud companies – Amazon, IBM, Google, MS and the thousands of other firms (large and small) around the globe. Now they have to spend more time talking about their bulletproof security rather than all of the intangibles like flexibility, responsiveness, uptime, reliability, economy.
Companies and regular folks now understand what Finch meant when he said, “We work in secret. You’ll never find us but victim or perpetrator, if your number’s up … we’ll find *you*” The only thing I can’t figure out is since the government has this system, why can’t they find Finch & Reese? So much for security!