All the attention on whether Russia or some other nation-state entity is trying to hack the election in November or how organized gangs are flooding PCs with ransomware has obscured that truth about where the real threat to our collective cybersecurity comes from: our employees.
Employees come in many shapes and sizes, but when it comes to cybersecurity, there are two archetypes, the rogue employee and the ignorant employee. The epitome of the former is Ed Snowden, the epitome of the latter is all of us who has been tricked into opening a phishing email or forgotten that we’re not allowed to save sensitive files on our personal Dropbox account. Either way, the vast majority of cybersecurity threats come from the people who work for us and around us, not nameless, faceless entities located thousands of miles away.
Which is why I keep looking around for how Chief Human Resources Officers (CHRO) and their cohorts are responding to this issue, and not finding a whole lot. When I ask the people in the C-suite who are in charge of cybersecurity, Chief Information Security Officers (CISO), about the direct role HR should play in cybersecurity, I tend to get the kind of funny look you get when you’ve asked whether the moon is made of cheese and you’re more than six years old.
Are you serious? After all, the bailiwick of the CHRO is stuff like hiring, firing, benefits, and payroll. What could those processes (and, all the other HR processes that CISOs are ignorant of) have anything to do with cybersecurity?
Plenty, it turns out, both for the sake of stopping the rogue employees of the world as well as keeping Betty and Jimmy from clicking on that fake invoice or “jaw-dropping” offer in a phishing email and unleashing some techno-horror into the company’s IT infrastructure.
And herein lies a tale. I’ve had the privilege of working with the IEEE Computer Society for a number of years now, helping them organize and participating in a series of topic-specific conferences. One of the most recent ones, entitled “Rock Stars of Cybersecurity”, featured a speaker named Steven Bay, whose claim to fame is that he was the guy who hired and supervised Ed Snowden at his last job before, well, Ed Snowden became Ed Snowden.
Steven’s story is an amazing one – regardless of whether you think Snowden is a hero or a traitor – but the kicker comes around minute twenty-four, in case you want to scroll forward to the good stuff in his presentation. The segment starts with Steven giving a quick overview of the separation of duties between systems analysts and defense analysts: Basically the former has access to systems but not necessarily access to sensitive data, and the latter has access to all matters of sensitive data but can’t wander around the IT infrastructure at will. Sounds like a pretty good idea.
Too bad that good idea wasn’t put into practice for Mr. Snowden. The trick to Snowden’s success, according to Bay, is that he was at his systems analyst job on a Friday and starting his new defense analyst job the following Monday. Importantly, considering his goal in taking the job was to download a few terabytes of sensitive NSA data, his credentials from his old job inexplicably remained in place at the new job. In other words, Snowden’s employer “forgot” that, while he had all the right clearances for both jobs, neither job allowed him to possess the credentials of the other.
And that oversight in the HR basic process of on-boarding and credentialing a new hire is how the greatest cyberhack of modern times was able to take place.
How did this IT/defense analyst credential overlap problem happen? I don’t know the specifics of Snowden’s case and Bay doesn’t really say. But it’s safe to surmise, based on my aforementioned queries regarding the role of HR in cybersecurity, that the HR department, and their colleagues in IT who manage system credentials, lacked the right procedures for handling employees who crossed over the line from systems to defense analyst. We don’t know if Snowden knew about this lacuna, but considering Steven Bay’s contention that Snowden specifically targeted the contract Bay’s team worked on – in other words, Snowden didn’t just show up on that fateful Monday and have his conscience tweaked by some startling revelation about NSA data collection – it’s very likely that Snowden knew about this lack of attention to separation of duties.
Ed Snowden didn’t succeed by finding a hole in the cyber-security fabric of the company or the country’s most powerful and, in theory, secretive spy agency, he succeeded by finding a hole in the credential and compliance processes of the contractor he worked for. So much for creating a dense cybersecurity technology infrastructure: it only takes one smart operative, and all the technology in the world can’t keep the world safe.
Of course, the Snowden case was an especially egregious one, except that the problem of credentials, compliance, and training are at the heart of too many cybersecurity meltdowns, particularly the malicious ones. In what is perhaps the ultimate irony, the US government’s own HR “department”, the Office of Personnel Management (OPM), was spectacularly hacked last year due to a number of factors, including embarrassingly poor coordination between IT and security. But at the bottom of the pile of blame at OPM is the poorly trained employee who clicked on a phishing email and gave up his or her credentials. And because the system lacked basic security features, including multi-factor authentication, the race to download what turned out to be 4 million employee records, including security clearance information and a host of other cringe-worthy data, was on.
Importantly, whether it’s an employee gone rogue or an employee asleep at the switch, cases like Snowden and the OPM breach highlight the fact that preventing these disasters requires the active participation of several C-level big-wigs: the CISO, the CIO, and the CHRO all have a role in making sure the bad guys don’t succeed. But if they do their jobs individually without coordination, which seems to have been the case at OPM, and probably with Snowden as well, then what you get is the perfectly permeable environment for nurturing a major hack.
The old adage in cybersecurity is unfortunately all too true: the problem is that the good guys have to do their job right 100 percent of the time, while the bad guys only need to do their job right once – a successful phishing email or other hack – and all hell breaks loose. Getting it right isn’t just a matter of letting the CISO do her job, nor is it enough to let the CISO and the CIO collaborate. If people are at the root of the global, pandemic cyber-threat of today, then the number one people-person in the C-suite, the CHRO, needs to be in the mix as well.
Just leaving security up to the CISO, or CIO, means we’ll just keep fighting the good fight with the wrong team. And we know far that’s not worked as well as anyone would like.