About a year after I started at the National Security Agency, I suffered the embarrassment of being caught violating NSA security procedures.
I was totally guilty and it was quite humiliating, as you can imagine.
It was made worse by how easily it could have been avoided.
Welcome to the National Security Agency
My first job out of college was in NSA’s quite small cryptographic design group. Our job was to design all of the cryptography for U.S. classified systems as well as help make sure the cryptography was implemented properly.
It was the late 1980s as the Cold War was coming to an end (though we didn’t know it yet) and I had a state-of-the-art 486 home computer with Compuserve and GEnie accounts and a 14.4k modem.
It was an awesome, fun job with great people. I wouldn’t trade the experience for anything.
My screw up
As you’ve probably learned from the movies, the news, and Edward Snowden, people at NSA handle lots and lots of classified material (SECRET, TOP SECRET, etc.). Some of that material is extra sensitive and is protected by compartments and other restrictions over and above the basic classifications (the codewords that you’ve seen – TOP SECRET – SLEEPY WEASEL).
So, at some point, I had to get “read into” a compartment.
As this was the Government, paperwork was involved. A 6-part form which a bunch of people had to sign in order for me to get access to the sensitive data.
Eventually, I was approved and received the 4th or 6th copy of the form to take with me to be “read in.”
There was no hurry. I wasn’t actively doing anything that required the clearance. So, it sat on my desk until I got around to making an appointment. Then, taking the form, I took the shuttle bus to the main building, went to my briefing, and left the building to return to my office…
Except, on my way out of headquarters, a security guard looked at the form I was carrying and noticed it was marked CLASSIFIED.
Clear security violation.
So, off to the security office I had just left to be read the Riot Act.
The crux of the problem, of course, was that my copy of the form had the classification typed in. On my copy, it was that easy to ignore bland blue color which you’ve seen on multi-part forms.
I never noticed it. Neither did anyone who looked at my desk (where the paper sat for weeks, a security violation). Neither did the guard when I left my building (another security violation). Neither did the guard when I went into headquarters (security violation). Neither did the security officer when I carried the loose classified document into the briefing (also a security violation, by the way).
No one noticed. Except the last security officer.
Even though all of us cared about security and took it seriously.
To secure is human
Security is not an IT discipline. It is not really about cryptography or biometrics or firewalls or trusted this-or-that. It is all about people.
No people, no security problem. (Actually, no people, and no need for security at all).
Or, more properly:
No people, no security solution.
It is amazing how hard we work in security to make the lives of people miserable and hard for them to be part of the security solution.
- Terrible password rules, the classic.
- Regular “security trainings” that are a nuisance and encourage “click & forget.”
- Internet filters that treat valuable employees like children or criminals.
- Procedures and processes that make life and work so difficult that the only rational answer if you need to get your work done is to circumvent them.
- Expensive, difficult to use technology that doesn’t actually fix security problems.
It’s completely backwards.
Our job in security should be:
To make it as easy as possible for people to do things right… and obvious (and maybe difficult) when they do something wrong.
When I look at “Security Awareness Programs” and the tools we are building and buying (and selling), I see organizations and toolmakers at war with their customers.
Of course, we do this by selling to IT departments who are sorely tempted by the petty power that our tools give them over the rest of the organization:
- We give junior system admins and techs the power to make the life of anyone at a company miserable.
- We give IT leaders the power to turn on and off security features and make “exceptions” on a case-by-case basis so that Business VPs and line managers must come begging to the security staff so that their employees can do their jobs.
It is irresistible.
It is widely accepted that the most serious security threats are from “insiders.” Trusted employees who abuse their legitimate capabilities either through sloppy inaction or through malice.
I’ve been asked what a company should do about its insider security threat.
- Hire superb, honest people.
- Treat them very well.
- Make it as easy as possible for them to do their job properly, ethically, and securely.
- Let them do “funky” things if necessary… but know that they did (and let them know that you know).
Build tools to support your business in this and you have your best chance to thrive.
People are not the security problem, they are the solution.
P.S. – In my years at NSA and afterwards when I had a security clearance, I never saw anything covered by the compartment that caused my security violation.
Do you have any security horror stories? Great victories?
Share them below or email me with your comments.