The issue was not political, at least not in my mind. It was all about security. In the national hoopla over whether a foreign government or those under its control should run operations at major U.S. ports, I heard lots of misplaced xenophobia. I wanted to understand the security implications as they might apply to networks in a similar situation, and that took me back to 1999.
At a classified counterterrorism briefing, speaking to a room full of Pentagon brass, I opened with, “Generals, you have lost command authority of your armies.”
I described the implications of the military using foreign nationals to operate unclassified aspects of their global networks. The idea had been that using local individuals in overseas bases was good politics, and because the networks and information were all unclassified, what’s the harm?
The first harm is that unclassified networks that supply meals and travel orders, for example, support military readiness. That is why U-boats targeted the shipping lanes during the Battle of the Atlantic. A severe compromise of a portion of unclassified networks could be just as devastating as a breach of classified security. The Pentagon got the message and the policy was changed quickly.
The second harm is that if you take a bunch of unclassified data and piece it together in the right way, like a jigsaw puzzle, the resulting information could be immensely valuable to a potential adversary. This is why so many organizations are sensitive to dumpster diving and other techniques that can divulge seemingly innocuous information to the public domain. Most of us try to protect company phone books, employee rosters and so on.
The question is, how much of your infrastructure operations and security-relevant processes do you want to outsource? While thinking about the United Arab Emirates/Dubai national security parallel and the natural follow-up — “Is our network protection any less important?” — these questions come to mind:
• Do you want to outsource any of your critical IT operations? If so, how do you make the distinction between mission-critical and non-critical day-to-day operations?
• If you outsource, how quickly can you bring full operations back to an internal function?
• How much of your security do you want to outsource? For example, is perimeter access-control administration better done internally or handed over to outsiders? How many layers of security administration do you have and do you want, and where are they located physically?
• How much of your physical access control, administration of badges and ID tokens, and border security of your facilities do you feel comfortable outsourcing?
• If you choose to outsource, how can you oversee the quality and trustworthiness of those hired to manage your security-relevant assets? A background check can determine only if someone has already been caught. If you outsource to a foreign company, does that make employee oversight more difficult?
Statistics show that 70 per cent to 80 per cent of cybercrime involves a trusted insider. We know many of our controls do not address insider issues adequately, for reasons ranging from cost to expeditiousness to political correctness.
This makes the question of handing over control of aspects of our networks to third parties even more important, as our day-to-day tasks will be removed at least two to three steps from outsourced workers.
In the debate about the ports issue, not enough people reduced the question to its basics: How does this or any other action affect national or network security? Let’s look at the details of what outsourcing really means. Let’s manage our organizations with security, not irrational fear, as the prime motivation behind our questions and answers.
— Schwartau is president of Interpact, a security consulting firm. He can be reached at winn@thesecurityawarenesscompany.com.