I wrote a while back on how Trust is Important. Recently, there was an incident at the State Department where the Passport records of the Presidential candidates were accessed. I think this is another opportunity to look at trust in the IT world.
Before I dive in, let me just state that I don’t know anyone involved and don’t have any connection to the incident. I don’t have any inside information and only know what I have read in the papers. I do have knowledge and experience on a project of similar scope and privacy concerns for another governmental agency. As such, I am familiar with the issues and environment involved.
To summarize, multiple people accessed the records of the Presidential candidates over the past few months. The people involved work for different companies. While I’m sure that all of the unauthorized accesses were “I wonder if I could find XXX” situations, there is no certainty of that fact.
From the information provided, and from what I know about government contracting, the people involved had to undergo some sort of background check conducted by the government. Was it thorough enough? It was for what the government thought the requirements were. The information in the system is most likely Sensitive/Unclassified (maybe Restricted), but not Classified or higher. Essentially, the release of the information would not compromise National Security, so the clearance hurdle is lower.
Before people get too excited, the people involved were investigated more deeply than the guys at the local DMV. I would bet that the Illinois DMV couldn’t tell you how often any record has been viewed, much less Obama’s record. Remember, security clearances cost a lot of money for the government and companies involved. So people are cleared for the minimum that their role on a project requires.
To be honest, I wonder a little about the system in question. Accounts state that the people involved, at least those working for one contractor, were fired the day the search occurred. For this to happen, the system must quickly identify that a search occurred and that it was not allowed. This raises several questions:
- What makes a search not allowed? Is it the fact that it was Obama?
- If general searching is allowed, are they tracking some accounts, like Obama’s, specifically? What if a person looks up their neighbor? How is that distinguished from a necessary search in the system?
- If no searching is allowed, then why did they have access at all?
- If the people involved used an Administrator account, how did they track it? IP address? How many people have that password?
There are a lot of questions here. The only thing I have no questions about is their auditing. If they truly caught the violations on the day they occurred, then that is pretty solid.
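The questions above come down to what an audit trail has to capture before a review can answer them. As an added example, not code from the original post or from the system it discusses, here is a small audit-log review over a constructed log. The log format, the account names, the addresses, the record identifiers, the "work item" column (a case or application number attached to a legitimate search) and the watch list are all assumptions made for the example. It flags the three conditions the questions raise: a lookup of a watch-listed record, a lookup with no work item behind it (the "neighbor" case), and a shared administrator account used from two addresses close together in time.

```python
"""Added example (not from the original post): reviewing a constructed
records-system audit log for access to watch-listed records, lookups with
no work item behind them, and shared administrator accounts used from
more than one source address."""
from datetime import datetime, timedelta

# Constructed sample audit log. Fields: timestamp, account, source IP,
# action, record id, work item (case/application number, or "-" if none).
# Every name, address and identifier here is invented for this example.
SAMPLE_LOG = """\
2008-01-09T10:12:03 jdoe     10.1.4.22 view R-1001  APP-88213
2008-01-09T10:12:40 jdoe     10.1.4.22 view R-55000 -
2008-01-09T10:13:05 sysadmin 10.1.9.7  view R-2220  APP-88220
2008-01-09T10:13:30 sysadmin 10.1.4.80 view R-55000 -
2008-01-09T10:14:01 msmith   10.1.4.31 view R-3001  APP-88231
2008-01-09T10:44:10 sysadmin 10.1.9.7  view R-55001 APP-88240
"""

WATCHLIST = {"R-55000", "R-55001"}   # hypothetical high-profile records
SHARED_ACCOUNTS = {"sysadmin"}       # hypothetical shared/privileged accounts


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action, record, work_item = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "ip": ip,
            "action": action,
            "record": record,
            "work_item": None if work_item == "-" else work_item,
        })
    return sorted(events, key=lambda e: e["ts"])


def watchlist_hits(events):
    """Every access to a watch-listed record, whoever made it. A flagged
    record is reviewed even when a work item is attached to the lookup."""
    return [e for e in events if e["record"] in WATCHLIST]


def unjustified_lookups(events):
    """Accesses not tied to any work item. This is what separates a curiosity
    lookup of a neighbor from a necessary search: the necessary one has a
    case or application behind it, the curiosity one does not."""
    return [e for e in events if e["work_item"] is None]


def shared_account_collisions(events, window=timedelta(minutes=10)):
    """Shared-account use from two different addresses within `window`.
    When several people hold the same password, the source address is the
    only handle on who actually ran the search; two addresses close together
    in time means at least two people were using the account."""
    last_seen = {}
    collisions = []
    for e in events:
        acct = e["account"]
        if acct not in SHARED_ACCOUNTS:
            continue
        prev = last_seen.get(acct)
        if prev and prev["ip"] != e["ip"] and e["ts"] - prev["ts"] <= window:
            collisions.append((acct, prev["ip"], e["ip"], e["ts"]))
        last_seen[acct] = e
    return collisions


def review(text):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "watchlist": [(e["account"], e["record"]) for e in watchlist_hits(events)],
        "no_work_item": [(e["account"], e["record"]) for e in unjustified_lookups(events)],
        "shared_account": [(a, p, c) for a, p, c, _ in shared_account_collisions(events)],
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(check, findings)
```

Running it on the constructed log flags both lookups of R-55000, the later lookup of R-55001, the two lookups with no work item, and the sysadmin account switching from 10.1.9.7 to 10.1.4.80 within 25 seconds. The same sysadmin account reappearing from 10.1.9.7 half an hour later is outside the window and is not reported, which is the point of the window: a shared account legitimately moves between desks over a day, but not within a minute. What the checks cannot do is name the person behind a shared account; for that the trail needs individual logins, which is the design question behind the list above.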
Let’s assume that they did everything “right” in their design and that the accesses were by legitimate System Administrators that had passed full background checks. There comes a time where you just have to trust that everything possible/reasonable was done. You have to trust people.
What is left to do? Advertise.
No Such Thing As Bad Publicity
Why did this happen more than once? I can tell you one reason. It was a case of CYA. Nobody wanted to admit to the breach, so they didn’t publicize it. They dealt with it and moved on with their day. If they had told people that a record had been accessed without authorization and that it had led to the firing of an employee, that would have helped people focus.
If you show that tracking works, it limits violations. There are right ways and wrong ways to do it, but the important key here is that you let people know that not only is Big Brother watching, but he will act. Trust but Verify.
Another, smaller, situation occurred back in the 90s. A company was rolling out Internet access to employees. They advertised that they were tracking the sites visited and said that the access was not to be used to visit inappropriate sites, like a porn site. Sure enough, on day one, someone was caught. Word got around “unofficially” and there were no more violations, at least for the few years that I personally know about.
I would bet good money that, even without a single change in policy, these unauthorized accesses won’t happen again for quite some time.