The U.S. National Security Agency did not install the most up-to-date data protection systems at its Hawaii site before contractor Edward Snowden went to work and removed thousands of classified documents. Officials cited by Reuters said the site had “insufficient bandwidth to comfortably install it and ensure its effective operation.”
After a quick read , my eyes focused on the word “comfort”. What do these guys expect while installing data protection software: lounge chairs, Jimmy Buffett, and a margarita?
This looks like a big-time excuse. But after going through the article a bit slower, I noticed three key phrases that the government officials used. Each one of them is pertinent to organizations that are thinking about installing a DLP/monitoring solution in their organization. So here they are:
- Insufficient bandwidth – They admitted that they just did not have the staffing resources – either people or manhours to properly install the solution. Traditionally, installing a DLP/monitoring solution and fine-tuning it to the needs of the individual organization is a time consuming task. While the Holy Grail of DLP is a boxed solution, the industry is just not there yet.
- Comfortably installation – Forget about the beach music and the mixed drinks, this refers to the steady, progressive pace of DLP implementation. With Safetica, we find that clients learn a lot about their own use of data and data handling processes during the implementation process. They uncover unsafe behaviors which can potentially lead to a data breach. Steps taken to correct these security issues, in turn, make a company less likely to have a serious issue – even before the DLP implementation is “complete”.
- Effective operation –Given the scope of NSA efforts, there must have been a huge amount of data to classify, safeguard and large number of employees to look out for. A malfunctioning DLP/monitoring program can bring an organization to its knees. Was the system clever enough with system administrator controls so that Snowden could not circumvent its controls? And maybe the NSA thought it was above the need for such data protection systems. The Reuters article mentioned that intelligence operations were slower than the military to install this. Yes NSA, will it blend?
Is this DLP or monitoring or both?
Beyond the reasons why it was not installed, it still is a question what was not installed. The article gives two clues about the proposed DLP/monitoring solution (if that was indeed what it was):
- First, the White House initiative dating back to 2010 to improve intelligence agencies’ internal monitoring entitled “Enhanced Automated, On-Line Audit Capability: Systems will monitor user activity on all IC classified computer systems to detect unusual behavior.” That sounds a lot like employee activity monitoring to me. Safetica 5 has monitoring features with DLP and a much shorter title.
- Second, it states that the product was designed by defense contractor Raytheon. Some astute readers might remember that this is the firm that designed the RIOT system which pieces together various social media such as Facebook and Twitter to predict future actions about the individual making the posts.
So it looks like more of a solution that controls access to data than control of the actual data. But I could be wrong. And I don’t expect the NSA or Raytheon to release more details.