This last year or so has been somewhat of a showcase for how not to do security. Much of last month was hundreds of thousands of us dealing with the fact that the NSA likely spent millions finding an exploit that they subsequently lost with the resulting impact that hospitals all over the world had to almost shut down. This would be like developing the nuclear bomb and then losing it, oh wait, we did that too. But by mid-week folks seemed more upset that President Trump spoke to the Russians about a possible notebook hack that was covered in the news weeks ago in a way where the Russians might figure out the source of the information was Israel. Even though that last part was also leaked out of the government and if you had any knowledge of the Middle East you’d likely guessed it was Israel when the news first broke long before Trump’s meeting.
This is all on top of the fact that Hillary Clinton lost the election at least partially because she put in a rogue email server, which was in place for years, without anyone in government security flagging it as a major security problem. I’m starting to wonder if the US government even knows how to spell “security”. This isn’t a Republican or Democrat thing, or an Obama or Trump thing, this appears to be an endemic problem, a lot of which is due to an excessive focus on blame and virtually no focus on actually securing the information in the first place by eliminating the causes for the leaks.
Let’s talk security basics this week.
Now the reason this really pisses me off is I spent a lot of my life either working for security companies, running security units, or auditing security deployments. It is a good skill to have. For instance, because this made me a tad paranoid I used to not only classify my sensitive reports I also used to put hidden tracking codes in them so I could trace back if they were ever leaked. If my peers had known about this they would have likely (and rightly) called me excessively paranoid.
But when but when one of my most confidential reports, one that was highly critical of sales execution and perceived competitiveness made it into our largest customer’s hands and he cancelled a multimillion-dollar bid, resulting in a formal request for my termination by the SVP of sales, that paranoia paid off. We discovered it was the same SVP that wanted me fired that had leaked the report. Apparently, he’d been a mole for our largest competitor and my report had put him at risk.
Why Blame Focus Is a Problem
Now we didn’t find that last part out until after he left the company largely because we focused more on blame than on why he leaked the report. This “why” thing is really important because after the formal punishment of Snowden and Manning things are still being leaked and the US government is still focused on blame rather than the likely cause for the leaks, an adequate and safe method for disgruntled employees to be heard.
Snowden ran into things he didn’t feel comfortable reporting to his superiors and Manning, who had a history of being bullied, was even less trusting of his superiors. Currently the leaks out of the Trump administration are likely the result of folks who either don’t like or trust Trump or his direct reports, or who see President Trump as a threat to their continued employment and so are trying to get him fired, or in this case, impeached first. (By the way the odds of the latter just jumped to 50/50 and are moving toward impeachment).
Now this would suggest, if you want to stop the leaks, (and I would suggest the government does—given the NSA leak of the Windows code has done billions ($4B as I write this) in damage and may have caused some unfortunate deaths) you need to first focus on why people are leaking. In this case if you are going to downsize the intelligence organizations and State Department it must be done quickly, leaving people in jobs that are at risk is always a cause for behavioral problems like leaks. The laid off employees should be escorted off government property, and the organizations put back into hiring mode. But more important government employees must have a place where they can escalate their concerns that doesn’t have a reporter as the primary first point of contact.
Wrapping Up: Fix the Problem Not Only the Symptom
It isn’t just in security. Even when we get sick we often medicate the symptom and not the problem which is why we both have a lot of diabetics and drink a ton of soda with diabetes-causing simple syrup. At Apple, the cause of the leaks was likely status in a company that only granted it to the top executives, at HP it was (at least under Carly Fiorina) a revolt against the CEO, and in my own case the cause was a mole placed in the firm by a competitor. If you successfully get rid of the cause of a problem chances are it won’t recur, if you get rid of the symptom it probably will.
Just remember punishment doesn’t bring back what has been leaked, but a focus on the cause of the leak, can prevent the next one. Preventing that next one should be a far bigger focus for the US administration and most firms. So, next time you have a security problem, focus on the why more than you focus on the who. In the end, you’ll be far better off.