Monday, June 10, 2013

The NSA Leak And Why You Should Never Piss Off Your IT Guy

When The Guardian revealed the source of the NSA leaks Sunday, he turned out to be a twenty-nine-year-old who was essentially a contracted IT guy for the agency without a background in national security policy, despite earlier claims by the Washington Post that they came from a “career intelligence officer.”

While leaker Edward Snowden says that he was a spy for almost his whole adult life, his background suggests he wasn’t an agent so much as a systems admin or engineer for most of it. He reportedly attended a Maryland community college to get enough credits for a high school diploma and was studying computing, but never completed the course work and later received a GED. He then enlisted in the Army in 2003 and became a security guard at a covert NSA facility at the University of Maryland. From there he leveraged his computer skills to get a job doing IT security with the Central Intelligence Agency (CIA), leaving in 2009 to become a private contractor serving at a variety of NSA locations. That’s the role where he became “hardened” as he watched President Obama advance “the very policies” he thought would be reined in.

Some of Snowden’s claims seem far-fetched — like that he personally had “the authorities to wiretap anyone, from you or your accountant, to a federal judge or even the President” — but as one of the guys doing internal network security for the agency, Snowden did likely have a fairly far-reaching ability to access documents and chatter flowing through the system. IT security folks need to have a certain level of authority to dig down and look at what’s happening in order to investigate possible security breaches and determine their sources, although there should be an auditing system in place to determine how often someone is looking at things they have no reason to be accessing.

It seems that Snowden used his network authority to gather the documents that he is now leaking, although access to the content of those documents may not have been necessary to his day-to-day procedures. Considering Snowden’s personal views on internet freedom and privacy (his laptop sports stickers from digital civil liberties advocacy organization the Electronic Frontier Foundation [EFF] and anonymous browsing tool Tor), it’s probable that some of the things he saw shooting over the networks set off alarm bells, thus eventually leading him to make the decision that allowing the general public access to the information was worth the personal repercussions of leaking it.

Indeed, Snowden describes the experience as having “an awareness of wrongdoing” that came from being in a position of “privileged access” where he was exposed to “a lot more information on a broader scale” than the average NSA employee. And as an IT guy, Snowden’s access to information, combined with his understanding of how much data collection was possible and its long-term implications, was also different from that of the average NSA employee. He wasn’t just worried that data was being collected, but that it would eventually be used selectively to derive sinister conclusions from the actions of people living innocent lives.

But as an IT guy rather than, say, an intelligence officer, Snowden’s divorce from the actual context of the policies has led to some disconnects between initial coverage of the leaks and what appears to be the actual workings of the programs they describe. For example, while it was first claimed that PRISM allowed “direct access” to the servers of leading tech companies, later clarifications from the Director of National Intelligence suggest it was a more restricted computer interface with a legal functionality to request content data. But it’s easy to see the IT guy reading a slide that says “collection directly from the servers” of tech companies and interpreting that as “direct access to servers,” especially if he was never briefed on the exact functionality.

However, the larger takeaway here is that as all sectors of our society have become more reliant on computer networks, system admins and IT professionals at large generally have much broader access to the information being carried across those networks than even the people directly responsible for the content flowing through the system. It’s certainly scary that the NSA wasn’t more careful about their custodial and auditing systems. But at its heart it looks like the reason the NSA documents are coming out now is the same reason you don’t want to look at porn at work: Your IT team sees all.
