Thursday, June 27, 2013

Snowden Classified Data Theft Incident was Avoidable


The Snowden incident, in which a government intelligence worker was able to easily copy and disseminate large amounts of highly classified data, highlights one of the fundamental problems of legacy cyber security and the thinking behind it. As with many complex technology problems, people who lack the domain knowledge needed to identify solutions tend to focus on the symptom, at least in part to cover up the fact that the knowledge is lacking. Unfortunately, next-generation cyber security technology, which the government is trying to adopt and implement, is a solution that few people in government understand. The Federal Government is not alone in its slowness to implement next-generation cyber security, however. Banks, oil, gas, water and power utilities are similarly vulnerable when it comes to protecting digital assets and critical infrastructure.
The Snowden incident could easily have been avoided with some next-generation digital asset protection. Snowden's ability to simply copy terabytes of classified data was possible, at least in part, because of a reliance on obsolete technologies, security strategies and processes. The government (NSA) has for some time focused on high-grade cryptography to protect data, and in this area commercial firms have tended to follow the government's lead. However, the advent of the Internet and global networks changed the game significantly with respect to protecting data.
 
The government tends to treat encryption as an all-or-nothing proposition, encrypting whole hard drives or encrypting databases at the file level. The problem with this approach is that once a user has entered the access credentials, the entire file or drive is completely exposed. Using triplex authentication in conjunction with folder- and record-level encryption solves the problem. In that environment Snowden would still have been able to do his job, and even to bring large amounts of data and data files together, but all of the data would have remained encrypted except when viewing query results or a limited number of individual records. He would never have been able to copy entire files, at least not without triplex authentication notifying a higher-up and obtaining that person's approval, and not without the copied files remaining encrypted at the record level. This means that even if he had obtained approval to copy the data to an external storage medium or to the cloud, the file would not have been divorced from the triplex authentication access required to view or query the data. Additional protections are available that would have destroyed the encryption lock the moment authentication failed even once, because the files would have been tagged as a copy outside their home domain.
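As an added illustration (not part of the original post, and not any vendor's product), here is a small Python sketch of the record-level model described above: every record is sealed under its own derived key, a bulk copy of the store yields nothing but ciphertext, and a session may decrypt only a limited number of records before a higher-up's approval is required. It uses an HMAC-based keystream purely so it runs on the standard library; a real deployment would use an authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, secrets

# Toy stream cipher: HMAC-SHA256 used as a PRF in counter mode, plus an HMAC tag
# for integrity. Standard-library only so the sketch runs anywhere; not production crypto.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def record_key(master_key: bytes, record_id: str) -> bytes:
    # Each record gets its own derived key, so opening one record never opens another.
    return hmac.new(master_key, b"record:" + record_id.encode(), hashlib.sha256).digest()

def seal_record(master_key: bytes, record_id: str, plaintext: bytes) -> bytes:
    key, nonce = record_key(master_key, record_id), secrets.token_bytes(12)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag   # what sits on disk, and all that a bulk copy would carry

def open_record(master_key: bytes, record_id: str, blob: bytes) -> bytes:
    key = record_key(master_key, record_id)
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("record tampered with, or wrong key")
    return _keystream_xor(key, nonce, ct)

class RecordStore:
    """Records stay sealed at rest; a query decrypts one record at a time, and a
    session that has already decrypted `limit` records needs approval for more."""
    def __init__(self, master_key: bytes, limit: int = 3):
        self.master_key, self.limit = master_key, limit
        self.rows = {}        # record_id -> sealed blob
        self.decrypted = 0    # per-session count: the hook for notification and approval

    def insert(self, record_id: str, plaintext: bytes) -> None:
        self.rows[record_id] = seal_record(self.master_key, record_id, plaintext)

    def bulk_copy(self) -> dict:
        # Copying the whole store is possible, but the copy is still ciphertext.
        return dict(self.rows)

    def query(self, record_id: str, approved: bool = False) -> bytes:
        if self.decrypted >= self.limit and not approved:
            raise PermissionError("decrypt quota reached; higher-up approval required")
        self.decrypted += 1
        return open_record(self.master_key, record_id, self.rows[record_id])
```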
There are other considerations and failures that the government says may have occurred in this incident, but most of them revolve around manual processes, policies and procedures that are reliable only when they are part of closed-loop processes, and even then depend on timely communication. Finally, the Federal Government continues to operate with legacy cyber security that provides little or no security once access has been achieved. The President recently issued an executive order to address the issue, and I recommend that firms consider doing the same.