It’s hard to access any news source these days without reading about Edward Snowden, the former CIA employee and more recently National Security Agency (NSA) contractor who disclosed details of classified spying programs. The debates raging around him primarily have to do with individual and political judgments, but there’s another side to it that deserves attention.
In fact, this story should be required reading for every IT security executive—applied to a corporate context, such actions can devastate a brand, even take out entire companies. That’s because Snowden makes for a fascinating, even troubling, case study in information access, and the fallout that can emanate when such access is in the wrong hands.
While there has been considerable speculation about Snowden’s seniority and salary, the reality is that he was a relatively low-level functionary who was not even employed by the NSA at the time of his disclosure. He had previously been a systems engineer and a systems administrator. At the time of the breach, he was officially a technical assistant (there continues to be some debate over his actual title) with consulting firm Booz Allen Hamilton, which does business extensively with government agencies, and was assigned to the NSA account as an infrastructure analyst. In fact, he had been with Booz for only three months when he made the disclosures (and was promptly terminated).
So what kind of access did this new employee and low-level contractor have to highly classified information and resources? By his own account, it was just about unlimited.
“When you’re in positions of privileged access, like a systems administrator, you’re exposed to a lot more information on a broader scale than the average employee,” he said in an interview. “Anybody in positions of access with the technical capabilities that I had could suck out secrets and pass them on the open market… I had access to the full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world.” In a final bit of braggadocio, he claims that he could have “shut down the surveillance system in an afternoon.”
It all has to do with what he calls his “authorities,” or the levels of access granted to specific individuals. This is where it becomes mandatory awareness for the business world.
The heavy migration to virtualized infrastructures and a cloud computing model has brought about a sea change in access policies and practices. To be sure, the benefits of this change are both quantifiable and undeniable: they help streamline the entire IT infrastructure, make optimal use of existing resources, cut overall hardware and operating costs and offer high levels of flexibility. However, they also require a completely different approach to security.
Every corporation now has tremendous amounts of data and resources in virtualized infrastructures and the cloud, and this model requires some level of general access. On the flip side, there’s now a huge number of systems engineers and administrators, along with other mostly anonymous employees, with unprecedented levels of access. Like the NSA’s whistleblower, they have the keys to the kingdom.
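The practical question the previous two paragraphs raise is whether an organisation even knows which administrators hold “keys to the kingdom” and how long they have held them. The following is an added example, not code from the original article or from any organisation it mentions: a small privileged-access audit that scans a constructed entitlement snapshot and flags three risk patterns the article describes, namely admin rights across many systems, standing (rather than time-bound) admin rights, and high privilege held by a contractor or by someone who joined recently. The account data, the role names, the employer labels and the thresholds (`max_admin_systems`, `probation_days`) are all assumptions made for the example.

```python
"""Least-privilege audit over a constructed entitlement snapshot (example data, not real accounts)."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Account:
    user: str
    employer: str            # "internal" or the name of a contracting firm (constructed label)
    start: date              # first day of access
    grants: dict             # system name -> role, e.g. {"hr-db": "admin"}
    jit: set = field(default_factory=set)  # systems where admin is granted just-in-time, not standing


# Role names treated as privileged; assumed for the example.
PRIVILEGED_ROLES = {"admin", "root", "domain-admin"}


def audit(accounts, today, max_admin_systems=2, probation_days=90):
    """Return (user, finding, systems) tuples for accounts that breach the policy assumptions."""
    findings = []
    for acct in accounts:
        privileged = {sys for sys, role in acct.grants.items() if role in PRIVILEGED_ROLES}
        standing = privileged - acct.jit          # admin rights that never expire
        tenure_days = (today - acct.start).days

        if len(privileged) > max_admin_systems:
            findings.append((acct.user, "broad-admin", sorted(privileged)))
        if standing:
            findings.append((acct.user, "standing-admin", sorted(standing)))
        if privileged and (acct.employer != "internal" or tenure_days < probation_days):
            # New joiners and third-party staff with admin rights get a closer look,
            # mirroring the article's point about a three-month-old contractor.
            findings.append((acct.user, "new-or-contractor-admin", sorted(privileged)))
    return findings


# Constructed sample snapshot: three accounts, none of them real.
SAMPLE_ACCOUNTS = [
    Account("alice", "internal", date(2010, 1, 1),
            {"build-farm": "admin"}, jit={"build-farm"}),
    Account("bob", "Acme Consulting", date(2013, 3, 1),
            {"hr-db": "admin", "vpn": "domain-admin", "fileshare": "admin", "wiki": "editor"}),
    Account("carol", "internal", date(2013, 5, 15),
            {"prod-k8s": "root"}, jit={"prod-k8s"}),
]
AS_OF = date(2013, 6, 10)  # constructed audit date


def run_audit():
    """Run the audit over the constructed snapshot."""
    return audit(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, finding, systems in run_audit():
        print(f"{user:8} {finding:24} {', '.join(systems)}")
```

Running it flags `bob` three times (broad, standing, contractor) and `carol` once (internal but inside her first 90 days), while `alice`, whose only admin right is just-in-time, produces nothing. In a real deployment the snapshot would come from the identity provider or cloud IAM export, and the thresholds would be set by policy rather than hard-coded.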
Motive is essentially beside the point—some see the man in the news as a hero for what he did, others as a villain deserving of the harshest punishment. But whether he’s Robin Hood or Benedict Arnold, the truth is that, by his own admission, his technical ‘authorities’ gave him enormous power.
He surely has counterparts in the corporate world. What trouble will they cause?
Booz Allen Hamilton stock took a tumble in the immediate aftermath of the exposure, but the real damage may be in the long term. As mentioned earlier, Booz does most of its business with the government, likely through long-term contracts. How much work and effort will it take to renew those deals and win new ones?
In a competitive business environment, reputation is a critical differentiator. Any company that suffers from a major data breach, instigated by an employee with a small grudge and big access, could face devastating consequences to the corporate brand, and to the bottom line.