
Spies at Work Know Where to Find Your Secrets

February 18, 2011

Bloomberg, 19 Feb 2011: “A mental health specialist recommended that the Army private accused of leaking classified material to the anti-secrecy website WikiLeaks not be deployed to Iraq, but his immediate commanders sent him anyway.”

That’s according to the Washington Post, which noted that the soldier, Bradley Manning, was allegedly storing classified material on an unclassified server, had been demoted for assault, and was acting so erratically that his master sergeant disabled his weapon. So why did this man have a security clearance, and what was he doing in a war zone with access to State Department cables unrelated to his job?

Before you call the Army stupid and forget it, why does your mailroom clerk have unrestricted access to everything on your company’s server, including corporate secrets, or your clients’ merger plans and bid data? And why was a Ford Motor Co. engineer allegedly able to steal thousands of sensitive documents that had nothing to do with his job? Poor information security isn’t just a government problem.

Economic espionage is intensifying. The foreign intelligence services of China, Russia, Iran and other countries are after our technology, and most of what they want is in the electronic-information systems of private companies — and the law and accounting firms that work for them.

When people like Manning have access to classified material or your company’s trade secrets, you have an unsuitable employee as well as a worker in trouble. Like Robert Hanssen, the FBI agent now serving a life sentence for selling U.S. secrets to the Soviets, Manning was a serial rule-breaker.

Easier to Ignore

But suitability issues are less glamorous than counterintelligence investigations, so they get less attention. Hanssen and Manning were both left in place. It was easier to ignore the rules than cause a fuss.

Remember the Societe Generale case in 2007, where junior trader Jerome Kerviel incurred massive risks that ultimately cost his firm almost $7 billion? He was another serial rule-breaker. The Paris-based bank said only a criminal mastermind could have undone its sophisticated system of trading controls.

This was nonsense. SocGen monitored traders’ individual position limits, but it had no corporate position restrictions and did not even know its risk position in particular securities. Meanwhile, Kerviel evaded his own limits by using his co-workers’ computers to enter trades and by never taking a vacation — which meant that no other trader would look at his positions in his absence. If they had looked, they would have found a mess, and Kerviel would have been out.
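As an added illustration (not part of the column), the three control gaps in the SocGen paragraph above expressed as checks a risk or security team could run over trade and access logs: firm-wide position limits alongside per-trader ones, trades entered from a workstation assigned to someone else, and staff who never take leave. The trade records, workstation assignments, limits and leave counts are constructed sample data.

```python
from collections import defaultdict

# Constructed sample trade log: trader of record, workstation the trade was
# entered from (per terminal logs), security, signed quantity.
TRADES = [
    {"trader": "kerviel", "ws": "ws-kerviel", "sec": "DAX-FUT", "qty": 4000},
    {"trader": "kerviel", "ws": "ws-dupont", "sec": "DAX-FUT", "qty": 900},
    {"trader": "dupont", "ws": "ws-dupont", "sec": "DAX-FUT", "qty": 4800},
    {"trader": "dupont", "ws": "ws-dupont", "sec": "ESTX-FUT", "qty": -1000},
    {"trader": "martin", "ws": "ws-martin", "sec": "DAX-FUT", "qty": 2000},
]
WORKSTATION_OWNER = {"ws-kerviel": "kerviel", "ws-dupont": "dupont", "ws-martin": "martin"}
TRADER_LIMIT = 5000                                   # the per-trader limit that was monitored
FIRM_LIMIT = {"DAX-FUT": 10000, "ESTX-FUT": 10000}    # the firm-wide limit that was missing
LEAVE_DAYS = {"kerviel": 0, "dupont": 5, "martin": 10}  # constructed leave records

def trader_positions(trades):
    """Net position per (trader, security)."""
    pos = defaultdict(int)
    for t in trades:
        pos[(t["trader"], t["sec"])] += t["qty"]
    return pos

def firm_positions(trades):
    """Net position per security across the whole firm."""
    pos = defaultdict(int)
    for t in trades:
        pos[t["sec"]] += t["qty"]
    return pos

def trader_limit_breaches(trades, limit):
    """(trader, security) pairs whose individual position exceeds the per-trader limit."""
    return sorted(k for k, q in trader_positions(trades).items() if abs(q) > limit)

def firm_limit_breaches(trades, limits):
    """Securities where the aggregate exceeds the firm limit, even if no single trader breached theirs."""
    return sorted(s for s, q in firm_positions(trades).items() if abs(q) > limits[s])

def foreign_workstation_trades(trades, owners):
    """Trades entered from a workstation assigned to a different person than the trader of record."""
    return [t for t in trades if owners.get(t["ws"]) != t["trader"]]

def no_leave_taken(trades, leave, min_days):
    """Active traders with fewer than min_days of recorded leave, so nobody has reviewed their book."""
    traders = {t["trader"] for t in trades}
    return sorted(tr for tr in traders if leave.get(tr, 0) < min_days)
```

In the sample data no trader breaches the individual limit, yet the firm's DAX-FUT position does breach the firm limit; only the aggregate check sees it.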

‘Typical’ Spy

National security leaks, industrial espionage, and criminal fraud have more in common than most people think. After Bernie Madoff’s Ponzi scheme collapsed, the pop psychology arguments were eerily familiar to anyone concerned with catching spies: He was narcissistic. No, he did it for the money. No, he was insecure — or simply evil.

Counterintelligence officials go through this drill every time they nail some wretch for selling out his country and then try to figure out why he wasn’t caught sooner. Psychologists have a field day trying to profile the “typical” spy (there’s no such thing).

But the Army didn’t have to predict that Manning might create a wholesale hemorrhage of secrets before stripping him of a security clearance and sending him home. Before he became a counterintelligence emblem, he was just a garden variety HR case. If he had been dealt with that way, we never would have learned his name.

Banks are better at spotting financial risk among credit card holders than companies or government agencies are at spotting security risks among their employees. Why? Because they examine the information their customers give them.

Management Failure

Manning is a case in point. So was Hanssen. And so was Madoff. What was remarkable about Madoff wasn’t his personality but the river of available trading data that, had it been examined, would have shown him to be an expensive but empty suit. Look behind these cases and you find mundane management failure.

In November, Xiang Dong (aka Mike) Yu, a former product engineer at Ford, pleaded guilty to stealing design specifications. The Federal Bureau of Investigation said he copied thousands of company documents to an external drive and took them to his new employer, Beijing Automotive Group. As in Manning’s case, most of the information Yu had access to and allegedly stole had nothing to do with his job.

Universal access to corporate information is normal at many companies. In government, where it isn’t normal, “information sharing” has become a slogan, and like all slogans, it’s bad for clear thinking.

Electronic Strip

Unless you propose to share everything with everybody — and nobody proposes that — you must decide what to share, whom to share it with, and on what terms. Repeating slogans doesn’t make this problem go away, and as the WikiLeaks fiasco demonstrates, pretending otherwise is a prelude to undressing ourselves electronically faster than our adversaries can do it to us.

Information security is too important to be left to the privacy police. It’s critical for any organization with secrets to keep. For many companies, the risk of a breach is a strategic risk to their technology. Reducing that risk starts with taking care of your people, enforcing clear rules and implementing role-based access to information. Companies that fail to take these steps are asking to have their pockets picked.
