Platt Perspective on Business and Technology

Learnable lessons from Manning, Snowden and inevitable others 1 – understanding what barn doors you are locking after the horse has escaped 1

Posted in business and convergent technologies, in the News by Timothy Platt on August 10, 2013

I recently posted a note to this blog on a recent and still ongoing flow of news stories of leaks of classified US government documents, and particularly about Bradley Manning and Edward J. Snowden and their activities. I primarily wrote in that piece: John Peter Zenger, Henry L. Stimson, Edward J. Snowden and the challenge of free speech, about the still unfolding, as of this writing, story of Snowden’s activities and the embarrassment that he in particular has caused for the Obama administration and for a host of others as well. I at least tried putting that into at least something of an historical perspective, at least with regard to the issues of need to conduct surveillance and intelligence gathering per se and for the problems that can cause when effort to do so is made known.

I would begin here with a few lessons that we face from Bradley Manning’s action. He was a low level intelligence analyst with access to classified documents and information, so the fact that he could and did access at least some classified material is not much of a surprise. But he did so with user access privileges only and without any formal, explicit system administration authority or access. And the range of logs and systems directories and data files and processed intelligence assessment and analysis reports and other documents that he was able to access, log into and download was breathtaking – and with seemingly no one aware of any of that until he sent his trove of hundreds of thousands of secret and top secret documents to WikiLeaks. All he had to do to gather all of this was to log in as himself, and mass copy from his work computer into standard thumb drives of the type you can buy seemingly anywhere.

The response coming out of the US intelligence community to Manning and I add to Snowden too, has been more complex that to just add in one simple safeguard step to the processes of managing and accessing classified information. But one of the more significant of these new security measures was to begin to more widely implement a required dual approval authentication system based on what is called a two-man rule, where a user has to get a second party who also holds security clearance to agree that accessing specific intelligence resources would be both prudent and necessary. Operationally, that means validating that an access requestor has sufficiently high security clearance to be allowed permissions to gain access to the specific requested resource and that they have legitimate need to do so in carrying out their assigned work. This, I add would also serve to more fully put on visible record who accesses what, when and why and where and under what security level conditions, fleshing out an otherwise spotty record at best for details like those. The way that Manning gathered so much without anyone knowing until he went public, proves an ongoing systematic failure to adequately log and track classified information accessing activities at any level.

The second party approver who would sign off on and gate keep this access request would themselves have to have sufficiently high security clearance to be able to access and use intelligence information classified to the same level as that requested here too, at a minimum. And their approvals process seconding would itself be monitored with those details logged, indicating who they seconded for in authorizing document access, and where and when and for what purposes. In principle, this would work for system resource users who do not have any administrative privileges, but this picture get a lot more cloudy when someone with those higher level access capabilities on their own and as part of their job, seek out classified documents and information. A high level systems administrator with true root privileges can, at least in principle, directly access and look into any part of the overall system and then edit access log files and other records to hide that they have done so. That is, of course, the nightmare scenario for the two person authentication system as one such senior systems administrator can both bypass any access controls in place and cover their tracks while doing so, so routine forensic analyses after the fact would have little if anything to look at.

And with this, I explicitly turn to consider Edward J. Snowden. Snowden had systems administrator privileges when he first started gathering information about a massive, far-reaching surveillance program that was aimed at tracking and following the activities of civilians, codenamed operation PRISM. But simply stating that he had some level and type of system admin privileges does not in and of itself tell much as to what extra levels of access he would have, or where he would have them in a complex compartmentalized secure digital information system – as they have at the National Security Agency (NSA). That brings me to one of the points where this story gets really interesting, and where there are some perhaps unexpected twists to it.

A simple, small system might have one Information Technology department systems administrator who is hands-on responsible for keeping all of the technology in a networked system running smoothly, and for restoring parts or all of that system if it does develop operational problems. A more mission-critical system of this scale might have two or even more equal level overall system admins who have root permissions for the entire operation. This way problems can be addressed quickly and even if one such admin is out sick, away on vacation, or simply home asleep after a long workday. More complex systems and systems that are compartmentalized for maintaining security or confidentiality often follow a more hierarchically structured systems administration model. At the top of this type of system you do generally have one or more individuals who have overall and systems wide root privileges and who can gain access as noted above. But below them are what amount to assistant administrators who have administrative oversight and responsibilities for, and admin access to specific select compartmentalized subsystems of the overall digital network and its connected resources.

In principle, this type of responsibility and access partitioning could be divided out in a number of ways and in practice it is.

• One that I have seen in the private sector and for geographically dispersed systems with multiple offices and several regionally dispersed server farms is to assign specific geographically defined portions of the overall system to specific lower level admins. They would generally be employees who live in the area where they hold hands-on authority and responsibility and certainly where that type of physical proximity is feasible, so they can be closer at hand for when hands-on problem solving cannot simply be done online or remotely, and when hands-on means physically hands-on. There, not to belabor a point, having someone with the requisite knowledge and access permissions who can go into the office or facility in the middle of the night to reboot a server that has crashed or swap in a new one, can make all the difference.
• A second such approach would be to assign different functional areas to different lower level administrators. One such admin or one group of them might for example be responsible for the intranet and the internal digital information architecture that supports it. Another might be responsible for the in-house servers and routers and database systems that would connect into the organization’s web sites as back-end for their online commerce capabilities. And those same systems might also provide data support for phone-based and other customer relationship management (CRM) and customer support systems too and with that group of admins responsible for systems resources needed for all of that activity. And a third such partition, to cite just one more of a wide variety of possible systems divisions might be dedicated to managing server and network support for the Finance department with its confidential databases and its specialized per-user licensed software required by its accountants and other specialists.
• Damage control information releases coming out of the US government in the aftermath of Snowden’s document releases have of course been spotty and have sought to maintain systems security and confidentiality for the NSA and the US government as a whole. But they have at least strongly suggested that their systems administrator hierarchy is set up and managed with admin permissions divided out along the lines of a third possible systems admin model. I am not going to go into any of the details of what I and I am sure others have seen in that, except to note that access and responsibility divisions can be made according to the specific information content that would belong to specific security designated operations and programs and groups of them. I will simply add that this approach is also sometimes followed in the private sector too, and for private sector security and confidentiality reasons too. And in that regard I cite my second bullet point of this list, where I added in Finance as a separate systems admin and access partition, making the example I loosely sketched out there a hybrid example.

At over 1,500 words to here I am stopping this posting at this point, but I will continue this discussion in a next series installment. Meanwhile, I have decided to post this note in Ubiquitous Computing and Communications – everywhere all the time 2 and also under my In the News posting category.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: