One of the things that has resulted from the NSA leaks by consultant Edward Snowden is a reactive move by the agency to replace 90% of their system administrators with automated systems. It’s an interesting concept – if you’re concerned about security and you know people are the source of the problem, replace most of them and the problem will go away.
The problem with this analysis is the premise. With only one instance you don’t have a trend, and that likely means you aren’t fixing a problem, though you may be creating a bigger one. The problem here isn’t the leak; it is a lack of analysis before arriving at a solution.
Let me explain.
Analyzing the Leaks
The two big security leaks that have occurred in the US recently were by Edward Snowden, an externally hired consultant performing the role of systems administrator, and Bradley Manning, a security analyst. The common thread isn’t their job, title, who they worked for, or even their sexual orientation. They are both young, they are both male, and both used similar methods to distribute the information they’d taken.
The fix the NSA is proposing is only focused on the job class of “system administrator” and suggests that this class is the source of the problem. But that is clearly incorrect. Even stepping back and attempting to address the employee vetting process wouldn’t work because both men were hired by very different entities.
In fact there is a third leak in the process of being investigated and the source is allegedly a retired General who clearly was not a Systems Administrator.
This means there is no evidence that Systems Administrators are any more likely to leak than anyone else who has security access. So cutting and automating their job probably won’t prevent the next leak.
In fact automation should increase the likelihood of a leak instead.
Automation for the Wrong Reasons
Automation is typically done successfully for two reasons: to increase the effectiveness of labor, and to eliminate it. The simpler and more repetitive the task, the more effective automation is.
That’s why, for complex jobs, it’s used to make employees more effective by removing the repetitive parts of those jobs, and for simple repetitive jobs (like assembly-line work) it’s used to replace humans, who are ill-suited to constant repetitive tasks.
In this instance neither reason is being used to replace the administrators. These aren’t simple jobs that lend themselves to replacement by automation, largely because the problems – which can range from attacks to system failures – require a broad set of skills and are essentially non-repetitive.
Applying automation as a replacement for a job that automation is not well designed to replace should make the NSA less secure and less reliable. While it won’t make people more or less likely to leak secure information, it should give hostile agencies better access because it will remove oversight. And the automated systems will come with their own unique exposures.
Finally, by giving a smaller pool of people both far more access and much higher job stress you increase the likelihood that any one of them will make a bad decision because of stress. Their increased access should result in an even more comprehensive problem.
Wrapping Up: Right Tool for the Right Problem
What this showcases is the problem with a knee-jerk reaction to a breach, or to any big visible problem. One of the reasons you do war gaming and put contingency plans in place is to help prevent this.
Managers, when faced with a high-profile, embarrassing problem, want to play whack-a-mole and make that problem go away as quickly as possible. So they shoot from the hip before understanding what it is they are shooting at, and their fix, as in this case, can often create a problem worse than the one they are trying to correct.
In this example doing nothing with regard to staff reduction would likely have a better outcome than the automation project they have proposed. In effect they are likely lowering the security of the NSA substantially, rather than increasing it.
We often jump ahead to a product or service without first analyzing the problem we are trying to solve. In this instance, a process that allowed effective reporting of concerns inside the agency, with trusted protections for the whistleblower, would go further toward ensuring these events didn’t repeat and would require no expensive technology to implement.
This would be assisted by a focus on using more mature employees, who might be more likely to think through the repercussions of their actions than young people tend to be. If you start with a deep understanding of the problem, you are generally far more likely to get a solution that is both far less expensive and won’t make that problem worse.