Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Liberty versus security.  Hmmm.

Is that really the dichotomy?  Or is it privacy versus security?  Can you have liberty without privacy, or vice versa?  Enough v-words.

One of my favorite security pundits always has a good point to make, and his take on the topic is no exception:

In security, we always say “The insider threat is responsible for 70% of all loss bearing security incidents” yet we rarely talk about effective ways to do anything about it. The reasons why are many: 

  • Keeping the bad guys out is heroic, making sure the good guys don’t do bad things is invasive
  • The external bad guys are faceless and evil - the internal bad guys are our co-workers
  • Most of what internal people do is good; by monitoring them to see if they are doing bad things we give up liberty and privacy in the name of security - Ben Franklin wouldn’t like that
  • Information security groups believe they don’t have the charter to monitor employees without human resources and chief legal counsel involvement and approval - a lot of paperwork is involved.

So, because of the above we have employees putting Social Security Number databases on laptops and taking them home, we have child pornography being found on corporate servers, we see backdoor trojans on many, many laptops that lead to customer databases flying out the door and we see supposedly confidential financial information and intellectual property being accidentally or intentionally leaked by internal users.

I take exception to his last bullet point, though:  of course we don’t have the charter to monitor individuals without HR and general counsel permission.  And we shouldn’t cross the line of monitoring behaviors to the point where they can be tracked down to an individual without that same permission and real cause.  But that doesn’t mean we can’t log everything and then get permission to examine it later.  Any entity that is legally liable for the actions of its employees has the right—and the responsibility—to monitor for and prevent illegal activities.  (This is different from the current NSA wiretapping fiasco, where they are not complying with existing legal restrictions on their monitoring.  If I monitored my individual co-workers without getting the requisite signatures—on the form I created myself for that purpose—I would be fired faster than you can say “executive privilege.”)

Personally, I would rather prevent behaviors so that I don’t have to monitor for them.  The old saying goes, “Trust but verify”; I’d rather verify so that there’s no question of trusting. It makes it easier to trust in an environment where you know that certain bad behaviors just aren’t possible.  And since we all want to trust our co-workers, we’d better have those security measures in place so that we can go on about our jobs without worry.

It’s those sticky situations where you have to allow a behavior because sometimes it’s for a good reason that cause trouble.  Then you have to spend a lot of time figuring out on a case-by-case basis which behaviors are legitimate and which are a breach of policy.  Email is a good example of this; so is laptop usage. 

In these cases, I’m not squeamish about monitoring.  It’s my job to address all threats to my organization within the strictures of our policies, ethics and laws.  And let me tell you, the VAST majority of my investigations involve insiders—and I’m not the one requesting them, either.  It’s just an ugly fact of life that people misbehave on both sides of the fence, and when they’re on the inside they have the potential to cause more damage. 

My management can take the public position that they care about their employees and will protect their privacy; that’s okay with me.  I’m fine with being the bad cop they come to first thing in the morning and say, “Um, we need you to look at something.” I’ve set things up so that I’m held as accountable as possible: the logs of my privileged activities are kept on a server that I don’t have access to, and I have the reports from those logs delivered to my boss on a regular basis.  I make sure that my ass is covered with as much paper as it takes, and I keep all my signed forms and documentation safely archived. 

I sleep fine at night.

Posted by shrdlu on Wednesday, May 31, 2006