06 March, 2007

Security by Self-Delusion

Covering Up Problems at Sandia.

I imagine that parts of this quote could apply to many companies.
"This was the first time that my activities uncovered evidence that entities outside Sandia were compromised, and data was being stolen. They were not willing to contact the proper authorities because outside law enforcement would certainly inquire about how the data was obtained -- bringing unwelcome scrutiny upon Sandia."

Fortunately, until recently I had never worked at one. Now that I have, I can see the consternation it causes throughout the organization.

To a certain extent this is the ultimate end point of the compliance-centric security management model. Organizations that are very good at "Security by Self-Delusion" may not even have problems with external audit (though internal audit often knows, or at least suspects, the truth). After all, they are very good at filling out paperwork and at forcing their employees to perform onerous tasks with "Security" as the stated reason for the task. It is also common for the average user to have virtually no control over their computing environment at all, causing a near complete cessation of information-based innovation within the business itself. That is as likely as any security breach to be fatal to a company, if not more so.

Now I will admit that the Sandia case is quite a bit greyer than it might seem. The employee was actually engaged in "hacking" of some sort, and there were probably cases where he could have gotten caught and caused problems for Lockheed completely separate from the issues they were trying to cover up. Without knowing exactly what he did to chase down the data path, it is even possible that some of his actions were illegal. Any company would be justified in stopping illegal activities, but it appears that the interest in his actions was not in the initial activities but in his subsequent work with the FBI.

I am sure that it is rare for most organizations to have to decide between letting an employee go for actively hacking external entities and covering up internal security failures. It is not, however, uncommon for them to face conflicts over disclosing internal security failures in other ways. Indeed, it is often politically difficult within an organization to achieve honest transparency about security issues. At what point does one have to decide whether their organization is deliberately choosing not to look at internal issues, as opposed to trying to save money, or is simply institutionally incompetent? I have to confess that I don't know where that line is. I am inclined to agree with one of my co-workers when he repeats the quote "never assign to malice that which can be attributed to negligence", but when does the distinction stop mattering?

Well enough of this complaining, back to real work.

That is if they will let me do it.
