Two strikes against BAH (Booz Allen Hamilton)! First, Edward Joseph Snowden. Second, Harold Thomas Martin III. Both BAH contractors working for the NSA (National Security Agency). Will another strike against BAH mean that they are out … out of the cybersecurity contracting business, that is? No, I don’t think so. BAH employs some of the most accomplished infosec experts that I have had the opportunity to meet. But clearly there is something wrong which must be fixed. Seemingly BAH employees are screened as carefully as NSA employees. But it is likely that BAH can attract more highly qualified candidates than the U.S. Government with the promise of higher pay, and more and better career opportunities. As I describe in my 2004 book “Outsourcing Information Security,” having third parties, who are better qualified than your own employees and who have control over your systems and data, is a very risky proposition. You must maintain the knowledge internally and install strong oversight capabilities. You emphatically should not allow the fox into the proverbial henhouse.
What do these two recent thefts of highly classified documents, perpetrated by employees of BAH working as contractors to the NSA, say about the NSA and its contractors?
While nefarious insider activities are among the most difficult to detect, one would have hoped that the NSA, as the premier cybersecurity agency in the world, would have not only been able to detect the data leakage but also have plugged the leak at the outset. It is indeed disappointing that these two individuals (and likely others) could get away with as much as they did. While these persons were not NSA employees, they were granted as much, if not more, access to secrets than true insiders.
In my view, given the clear inadequacy of incumbent detection and prevention methods, and the general ineffectiveness of deterrence, the only remaining approaches are avoidance and obfuscation. I frankly don’t accept the convenience argument, and support a need-to-know approach where needs are highly restricted and continuously monitored, and where the handling of data and documents is watched in real time and questioned at every point. I have heard the arguments about needing to take or send materials home so that they can be worked on to the benefit of the organization. I have had to deal with workers claiming they need to bring along huge customer files when on the road. So what! Does the trade-off between convenience and security always have to favor the user? CISOs need to have some backbone and be willing to challenge such demands. I know that it is hard to do, especially when it is your boss or a senior executive making the demands. But that is a strong argument for InfoSec to report to the Board, as Internal Audit typically does, and not to the CIO or CRO. It comes down to a governance issue.
An additional approach is to form a committee that reviews all requests for access. We had such an arrangement for a time at one place where I worked. It was effective mostly because a senior committee member was the head of Internal Audit. He was more than willing to say “No” when any questionable requests were presented to the committee. After this person retired, the committee became weaker and eventually disappeared, much to the detriment of the security of the organization.
What is needed is an authoritative and powerful person or group, knowledgeable in computer technology and cybersecurity, willing to take on senior management when there is a question as to the risk that access will raise and who can just say “No.” And this applies not only to businesses but also to the NSA and other government agencies handling highly confidential information, such as the Office of Personnel Management (OPM).