Former deputy director of the NSA Chris Inglis was in London yesterday in his new role as strategic advisor to cyber-security company Securonix, but he took time out to answer questions from SC about Edward Snowden and his time at the NSA.
Inglis, who is also a professor of cyber-security at the US Naval Academy, was deputy director of the National Security Agency until January 2014, seven months after Snowden revealed thousands of classified NSA documents to journalists.
In a meeting with journalists at the British Museum yesterday, Inglis was questioned about how Snowden was able to remove the data from the NSA and the agency's response to the breach.
SCMagazineUK.com also asked Inglis (see video below) about Snowden's recent request for a pardon from President Obama prior to his departure from office in January 2017. Obama has stated that he will not pardon Snowden.
Inglis said that the NSA was not prepared for an insider threat, and that a low-probability event ended up having almost exponential consequences.
“What Snowden taught the NSA and many people watching the NSA is that we very likely underestimated the marriage or product of the probability and consequence of an insider threat, and that is in part derived from the fact that people in possession of computer and network systems today have an opportunity to do much more harm in a much faster period of time than they once did.”
He said that the allegations made by Snowden filled a vacuum of information about the agency and the NSA is partly to blame for not having told its story earlier so that people had something against which to compare Snowden's claims.
He said “the NSA chased that story trying to get that back in the box as opposed to conducting its stated purpose, which is to help the United States and its allies sustain national security in the world.”
As a result of cases like Snowden, organisations are becoming more aware of the insider threat but the traditional approach of vetting staff and then trusting them to always do the right thing is no longer enough – which is where the sales pitch for Securonix came in.
What's needed, he said, is to monitor all staff activities, build up a profile of ‘normal’ behaviour for each member of staff, and then use analytics to identify unusual activity.
“We need to begin to be able to defend the data in real time against the exercise of privilege. That's a fancy way of saying you can no longer defend perimeters or checkpoints as someone leaves your activity and assume that any mischief on the inside will be caught at the margins and restored to good order, because they can do a lot more damage much faster,” he said.
“The goal is not to react well or even to track well, it's to anticipate, to see these things coming, so you can anticipate and step in before the disaster occurs and perhaps mitigate that by restoring that person to good order, or perhaps by respectfully escorting them to the boundaries of your estate.”
One of the problems for the NSA and US government more widely was the sheer number of people who required secret clearance and the problems of vetting them all. Compounding this problem was the fact that Snowden was a SharePoint administrator whose job it was to help analysts understand the systems that they were working with, which gave him admin-level clearance.
“The problem is, how do you make a determination on a case by case basis of what amount of access you should have and in that regard you need to enforce discipline at all levels and it turns out that over time things that are allowed to simply stay static tend to grow in number.”
On the topic of transparency, he said that organisations need to be transparent about their activities. He believes that history will vindicate the NSA and find that it had achieved a proper balance between individual security and collective security for US and foreign persons.
“What it didn't get right was it wasn't sufficiently transparent about that, people didn't understand that alignment [or balance] and hadn't said they were OK about that or hadn't had the opportunity to argue against what that alignment was.”
Inglis thinks that Snowden should be held accountable for betraying the trust of the NSA (see the video) but he still feels that there is a place for whistleblowers within organisations.
Within the NSA, for instance, staff have access to at least three different inspectors general, including one dedicated to and located within the NSA. Snowden, he says, didn't take advantage of the internal systems that would have allowed him to raise his concerns (contrary to what Oliver Stone claims in his recently released movie, “Snowden”).
When challenged about the ethical implications of the Securonix software, which could be used to detect a whistleblower collecting information in support of a grievance, he said that whistleblowers should be formally supported within organisations, which is why US government organisations have inspectors general.
However, he felt that it would be difficult to work out how to allow an employee to gather information in secret for the purposes of blowing the whistle on bad corporate behaviour without opening the door to malicious insiders who might want to steal information for nefarious purposes.
Later, John Handelaar, vice president EMEA at Securonix, told SCMagazineUK.com that there were systems in place to protect the privacy of staff behavioural profiles. In Germany and the Netherlands, he said, agreements had been reached with workers' councils for a trusted member of the council to hold a passkey which was required to unlock the identity of the member of staff associated with a particular behavioural profile.
The anonymisation of the profile means that aberrant behaviours can be monitored and managed without security staff being able to identify which member of staff was involved until such time as it was deemed necessary to learn their identity – and then only with the agreement of the workers' council.
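The per-person baseline Inglis describes and the council-held unlock key Handelaar describes can be combined in one pipeline. The sketch below is an added illustration, not Securonix's code: the function names, the HMAC-based pseudonym, the median/MAD score and the sample data are all assumptions made for this example.

```python
import hashlib
import hmac
import statistics
from collections import defaultdict

def pseudonym(user: str, council_key: bytes) -> str:
    """Keyed, stable pseudonym; cannot be recomputed or reversed without the key."""
    return hmac.new(council_key, user.encode(), hashlib.sha256).hexdigest()[:16]

def build_baselines(history):
    """history: iterable of (pseudonym, docs_per_day) -> {pid: (median, MAD)}."""
    per_profile = defaultdict(list)
    for pid, count in history:
        per_profile[pid].append(count)
    baselines = {}
    for pid, counts in per_profile.items():
        med = statistics.median(counts)
        mad = statistics.median([abs(c - med) for c in counts])
        baselines[pid] = (med, max(mad, 1.0))  # floor avoids divide-by-zero on flat profiles
    return baselines

def flag_unusual(baselines, today, threshold=6.0):
    """Return pseudonyms whose activity today is far above their own normal."""
    flagged = []
    for pid, count in today:
        if pid not in baselines:
            flagged.append(pid)  # no profile yet: surface for review
            continue
        med, mad = baselines[pid]
        if (count - med) / mad > threshold:
            flagged.append(pid)
    return flagged

def reidentify(pid, roster, council_key):
    """Unmask a pseudonym; only possible for whoever holds council_key."""
    for user in roster:
        if hmac.compare_digest(pseudonym(user, council_key), pid):
            return user
    return None

# Constructed sample data (not real logs): documents opened per day by two staff.
COUNCIL_KEY = b"constructed-demo-key-held-by-council-member"
ROSTER = ["analyst_a", "admin_b"]
RAW_HISTORY = {"analyst_a": [14, 16, 15, 13, 17, 15, 16, 14, 15, 16],
               "admin_b": [38, 42, 40, 45, 37, 41, 39, 43, 40, 44]}
RAW_TODAY = {"analyst_a": 18, "admin_b": 900}

# Assumed design: ingestion pseudonymises before data reaches security tooling.
HISTORY = [(pseudonym(u, COUNCIL_KEY), c) for u, cs in RAW_HISTORY.items() for c in cs]
TODAY = [(pseudonym(u, COUNCIL_KEY), c) for u, c in RAW_TODAY.items()]
```

Because each score is relative to that profile's own history, an administrator with routinely high access is not flagged for it, only for a departure from it; the security team works with pseudonyms until the key holder agrees to run `reidentify`.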
Asked about the “Snowden” movie, Inglis said he rejected wholeheartedly the events as portrayed by the director Oliver Stone and reasserted that Snowden's “revelations” were mere “allegations” which unfairly vilified the NSA.