Is Secrecy Over?

Is this not an incredible question? We’ve been bombarded over the past couple of decades with numerous cases of privacy compromise. But secrecy! Is nothing sacred anymore? Not if you read the November 12, 2017 New York Times article “Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core” by Scott Shane, Nicole Perlroth and David E. Sanger. The question raised in the article, which describes a series of cyberattacks and insider leaks, is “Have hackers and leakers made secrecy obsolete?”

It is unconscionable that the National Security Agency (NSA) should have allowed such infiltrations and exfiltrations to have occurred. Yes, I know that no protection is 100 percent effective and that bad guys always have the advantage. But this is the NSA, supposedly the premier security agency in the world. I have expressed my disappointment with the defense capability of the NSA in prior columns and subsequent events appear to validate such concerns.

The NYT article provides interesting reasons for the breaches. One is that ECI (exceptionally controlled information) used to be stored in safes but, for reasons of building integrity, ECI is now stored in locked file cabinets … and, of course, in electronic databases that are accessible by “privileged” users. Locked safes and isolated computers and networks (i.e., not accessible from the Internet or other less secure networks) are still the best means of guarding extremely sensitive data. Identity and access management should be stringent enough to screen out inappropriate access and ensure that only thoroughly-vetted authorized individuals can get into secret information. And the activities of all users, including approved ones, should be monitored, saved in tamperproof databases, and reported to independent auditors. The military has world-class secrecy and access rules. You would think that these rules would especially apply in the case of NSA employees and contractors. Somehow, the NSA is falling short either with respect to policy and procedures or with their ability to monitor activities and enforce policy.

If we have no privacy and traditional secrecy no longer applies, what’s the point of spending all this money on information security? If we don’t do it right, why do it at all?

Well, I’m not in favor of giving up. But I do think that we have to rethink our security models as Amit Yoran asserted when he was CEO of RSA Security. I personally think that we expose too much information to the possibility of compromise, especially as many consider data breaches to be inevitable. It’s time to take a stand against thoughtless exposure of sensitive information, personal, corporate and national. And if we must expose such data, then policy and procedures to protect the data from unauthorized access and misuse have to be effective and stringently enforced.

Post a Comment

Your email is never published nor shared. Required fields are marked *