Arrogance of Trust

The news that Edward Snowden had somehow managed to persuade 20 to 25 of his fellow colleagues at the NSA to give up their passwords and login information has probably shocked IT professionals and corporate security types.  “What kind of slipshod IT security is the NSA running?”  Could the smartest guys in the room really be so dumb and trusting?  As Reuters reports:

Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator, a second source said.

This may seem incredible to those involved in information assurance that a system administrator, who had only been at the job a few months, could talk that many people out of their passwords.  Don’t these people have any information security training?  Every company IT department  teaches its employees to never share their password information.  Didn’t these guys have any training?

Headquarters of the NSA at Fort Meade, Marylan...

Headquarters of the NSA at Fort Meade, Maryland. Español: Instalaciones generales de la NSA en Fort Meade, Maryland. Русский: Штаб-квартира АНБ, Форт-Мид, Мэриленд, США (Photo credit: Wikipedia)

It turns out they do.  The Department of Defense, which the National Security Agency falls under, has extensive computer security training.  But that only begs the question further.  Snowden was so new at his base in Hawaii that he probably didn’t have any long term personal relationships to play on in order to trick people out of their passwords.  But I don’t think he needed to trick anyone.  And I think I know why.

I should preface this by saying this is just my personal opinion, but I think the popular idea of intelligence agencies and organizations, at least American ones, as a font of constant paranoia, looking over your shoulder at all times, and a lack of trust between co-workers, as depicted in movies and popular culture (think the Bourne movies) is totally opposite of the real situation.  I think the security problem in US intelligence organizations, which Snowden exploited, is that everyone trusts each other too much.

Security Clearances for Top Secret and above levels cost thousands of dollars and can take months to complete.  Once you have a security clearance, it’s not only a marketable item, but it’s sort of a short hand as to what kind of character you have.  Although it actually means you’ve mostly stayed out of trouble and have not screwed up too much, it’s taken as a certificate of approval that this person is trustworthy and of good character.  So if you work in a classified facility, surrounded by cleared people, some of them may strike you as crazy, or unpleasant, but not thieves, not crooks, and not traitors.  Why?  It’s nothing they did, it’s simply from the fact that they are working there; they’ve been vetted.

Once you are on the inside, you are part of special limited clique, in which everyone on the inside of the vault door holds secret knowledge that those on the other side of the vault door don’t know, and can’t know.  It’s like being part of Skull and Bones, only instead of knowing secret arcane nonsense; you know real things about the world that matter.  That dividing line between those on the inside of the door and those on the outside is huge.

One of the first things they teach you in Basic Training and Boot Camp is to keep you locker and money locked up and secure at all times. Even the camaraderie of military service isn’t enough to be sure your buddy won’t grab your wallet in an act of desperation. But like Singapore, if you decide to leave your wallet on your desk at work in your secured facility, you can mostly be assured that it will still be there, undisturbed, when you come back from break.  Having many roommates in the past with security clearances, I never worried for a second about leaving money or valuables around out in the open. I may have worried if they would clean up the kitchen after fixing dinner, or vanishing for days on end, but I never worried that they would steal from me.  I granted them an automatic level of trust that most keep within close family members.

And maybe that’s the problem.  In spite of all the security, and in spite of all the rules and security procedures, it doesn’t mean a thing unless people can operate with even a normal level of caution.  In my corporate environment I would never turn over my password to anyone, system administrator or otherwise.  But if I was back in the classified world, inside that insular level of trust, I can’t be sure how I would react.  And the fact that I would even question that is the problem.

Enhanced by Zemanta
Advertisements

4 thoughts on “Arrogance of Trust

  1. This is fascinating. Some of the earlier hackers have explained that simple charm can go as far as technological savvy. Kevin Mitnick talked about this and it was one of his fortes. So while I’m sure the atmosphere of “he’s one of us” made people bend the rules, Snowden probably had a knack for putting people at ease. Frank Abagnale also comes to mind. Now I know nothing about Snowden’s personality or whether he really is charming, but he did have a hot (if ditzy) girlfriend and has managed to weasel out of a whole lot of trouble. So I’d guess he’s pretty slick.

    • I had never thought there was any reason to think Snowden was particularly charming; I just assumed he got that crazy level of cooperation because he was inside the door. But I had forgotten he had a hot girlfriend. So maybe he can poor on the charm.

  2. Hackers refer to that technique as “human engineering.” It’s really just a good, old-fashioned confidence game. My guess is that Snowden chose his targets carefully. Even today, you have some folks who are less than computer savvy walking around with access to restricted networks. If someone in a position of “authority” (like a system administrator) asked for their password, people without a lot of tech smarts might be inclined to hand it over. I’ve worked with a number of folks who were recycled into intel from other career fields. Some of those people were old timers (like us, Mike) who hadn’t really adapted well to the boom in information technology (unlike like us, of course). Someone like Snowden would seem like a lifeguard to a drowning swimmer. If you want to get out of the water alive, you’ll do as he says. I wouldn’t be surprised to learn that he got many of these passwords while helping people with computer problems.

    Of course, even some people who are fairly comfortable with computers don’t have a real grasp of cyber security. Passwords actually serve two functions. The obvious one is that they keep out unauthorized users. The second, and less obvious function, is that they allow usage to be tracked. If a problem occurs, it makes it easier to find out who is involved. To maintain the integrity of this function, no one, including system administrators, is allowed access to your password. If you forget your password, they can’t look it up for you. They have to reset it instead. Then they instruct you to log on and change it immediately. The bottom line is that if a system admin was authorized to know your password, they wouldn’t have to ask you for it, they could look it up themselves. But they can’t, and the system is designed that way on purpose.

    • I think I have adapted rather well to the information technology era, although I didn’t grow up with it. Pong doesn’t count. But I imagine the use of those multiple passwords and login accounts was the reason the NSA had such a hard time determining what information was stolen. When I first heard that, I was thinking to myself, “are you kidding me? When every move on the computers is tracked?” But accessing the information under many different accounts does throw a monkey wrench into the usual cyber forensics.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s