I wrote a while back on how Trust is Important. Recently, there was an incident at the State Department where the Passport records of the Presidential candidates were accessed. I think this is another opportunity to look at trust in the IT world.
Before I dive in, let me just state that I don’t know anyone involved and don’t have any connection to the incident. I don’t have any inside information and only know what I have read in the papers. I do have knowledge and experience on a project of similar scope and privacy concerns for another governmental agency. As such, I am familiar with the issues and environment involved.
What Happened
To summarize, multiple people accessed the records of the Presidential candidates over the past few months. The people involved work for different companies. While I’m sure that all of the unauthorized accesses were “I wonder if I could find XXX” situations, there is no certainty of that fact.
From the information provided, and from what I know about government contracting, the people involved had to undergo some sort of background check conducted by the government. Was it thorough enough? It was for what the government thought the requirements were. The information in the system is most likely Sensitive/Unclassified (maybe Restricted), but not Classified or higher. Essentially, the release of the information would not compromise National Security, so the clearance hurdle is lower.
Before people get too excited, the people involved were investigated more deeply than the guys at the local DMV. I would bet that the Illinois DMV couldn’t tell you how often any record has been viewed, much less Obama’s record. Remember, security clearances cost a lot of money for the government and companies involved. So people are cleared for the minimum that their role on a project requires.
To be honest, I wonder a little about the system in question. Accounts state that the people involved, at least those working for one contractor, were fired the day the search occurred. For this to happen, the system must quickly identify that a search occurred and that it was not allowed. This raises several questions:
- What makes a search not allowed? Is it the fact that it was Obama?
- If general searching is allowed, are they tracking some accounts, like Obama’s, specifically? What if a person looks up their neighbor? How is that distinguished from a necessary search in the system?
- If no searching is allowed, then why did they have access at all?
- If they people involved used an Administrator account, how did they track it? IP Address? How many people have that password?
There are a lot of questions here. The only thing I have no questions about is their auditing. If they truly caught the violations on the day they occurred, then that is pretty solid.
Let’s assume that they did everything “right” in their design and that the accesses were by legitimate System Administrators that had passed full background checks. There comes a time where you just have to trust that everything possible/reasonable was done. You have to trust people.
What is left to do? Advertise.
No Such Thing As Bad Publicity
Why did this happen more than once? I can tell you one reason. It was a case of CYA. Nobody wanted to admit to the breach, so they didn’t publicize it. They dealt with it and moved on with their day. If they had told people that a record had be accessed without authorization and had led to the firing of an employee, that would help people focus.
If you show that tracking works, it limits violations. There are right ways and wrong ways to do it, but the important key here is that you let people know that not only is Big Brother watching, but he will act. Trust but Verify.
Another, smaller, situation occurred back in the 90s. A company was rolling out Internet access to employees. They advertised that they were tracking the sites visited and said that it was not for use to visit inappropriate sites, like a porn site. Sure enough, day one, someone was caught. Word got around “unofficially” and there were no more violations, at least for the few years that I have knowledge of personally.
I would bet good money that even without a single change in policy that these unauthorized accesses won’t happen again for quite some time.
Word of Pie 
This particular incident isn’t unusual when it comes to companies that manage any type of personal or sensitive material. Every Human Resource and Payroll department in every corporation in America has access to your SS # and your bank account for direct deposit. The billing department for any company that you’ve ever done personal business with has your credit card number and more than likely a record of exactly what you bought. Every police officer and county official has access to my driver’s license. Your personal information is out there, like it or not.
So trust is a big issue. I see auditing as an even bigger and important issue. There are people out there that would steal just about anything if they knew they could get away with it. Even little stuff, like office supplies or a ream of paper. If you *know* for a fact that you will be caught, it’s human nature to not risk it. No one likes being punished.
The beauty of auditing is that it allows you, the employer and keeper of information, to show trust in your employees by allowing them to do their job. You can’t completely lock down the passport database, otherwise all those airport workers wouldn’t be able to check those passports. Auditing does allow you to quickly follow up on who is checking information. It’s also very easy to flag any particularly sensitive information.
In the case of the Presidential canditates and their passports, I have no doubt their passports were flagged with extra audit trail information. (It’s standard procedure for any “viable” Presidental candidate.) If anything, the breakdown occurred when the employees violated company policy and looked at data when they had no business need to do so. Just like the medical personnel at UCLA Hospital who peeked at Britney’s medical records.
If the world at large doesn’t want their information leaked, peeked or prodded, they need to hold companies accountable to notify their employees of information policies and above all, taking definitive *action* when a violation occurs. You may not be able to undo the damage, but it goes a looooong way in preventing the next person who is a bit too curious.
LikeLike
The passports were flagged, along with several others. Here is a nice, non-partisan update revealing some celebs were hit as well.
http://news.bbc.co.uk/2/hi/americas/7315813.stm
LikeLike