The other day at work I was taking my annual Information Assurance Awareness Training. This training is supposed to teach me how to protect our information systems, also known as our computers. One of the first statements that I was presented with, after I got past their paranoid scenario whereby hackers have brought down our economic system by taking over the federal pay system and writing themselves paychecks, is the fact that, I, as an insider, am the greatest threat to our information systems. Now, I realize that inside threats are the most difficult to protect against. We have, after all, deliberately been given access to those systems. But I really think they could have worded it better. They could have told me that I was a key element in information system security, thereby trying to enlist me as an ally rather than immediately branding me as an enemy. This sort of thing does, however, shed some insight into the mindset of the security people. In their universe, it seems, everything and everyone is a potential threat.
Now, in my day job I am a system safety engineer on military systems and I understand the necessity of evaluating risk. In fact, evaluating risk is something that we all do, whether or not we realize it, everyday. But if I adopted the mindset of the security culture, I wouldn’t let anyone do anything because I wouldn’t trust them to do the right thing. This is a road that our information security folks seem to be heading down. For several years now, I have not had any administrative privileges on my computer, I can’t even open up the system clock to look at the calendar because I might change the time. Recently they have restricted our emails to plain text only, ostensibly to reduce the bandwidth of our email traffic to make room for the digital signatures that have now become mandatory. Yeah, I don’t really buy their reason, either, but at least they gave us a reason, which is more than they did a couple of months ago when they suddenly banned us from using thumb drives.
Banning the thumb drives actually created a lot of problems. It isn’t easy for us to share our files on our computer networks because we are limited to 10Mb for our email attachments. Fine, you say, why not just post the file to a server. Well, that works, if you’re in my immediate organization, and if I’ve been given write permission to that folder, but access is restricted, and we have limited server space. We have been cleared to use USB hard drives, but not everyone has those, and it is not so easy for us to order supplies, so a lot of CDs are getting burned. Of course, they never told us why we couldn’t use the thumb sticks, and they probably won’t ever let us use them again. Maybe they think that sharing their reasons with us will somehow weaken their security posture. Or maybe, somewhere, deep inside, they know how utterly absurd what they are doing is. Nah, I don’t buy that either.
All of this shows what happens when one factor outweighs all other considerations. In this case that factor is security. Someone, somewhere, doesn’t want to balance security with our ability to perform our jobs. It is just easier to ban things than it is to put an intelligent security policy in place. It is also apparently easier to turn us all into enemies, rather than to enlist us as allies. If I used this approach in my system safety work I would end up killing our soldiers because I would have made the system so safe they wouldn’t be able to use it effectively when they needed to.
The end result of this securitizing (ugly word, isn’t it, well it’s an ugly concept) is the empowerment of the security elements and the disempowerment of the productive elements of our society. Look at what the Federal Government has been doing with airport security? How many hours are being wasted every day by business travelers? How many millions of dollars of tax payer money is being wasted every year on this Security Theater? With security, as with system safety, a little bit of effort will get you a lot of return, but you can never achieve absolute security, just as you can never achieve absolute safety. It is wasteful, and an abuse of power, to even try.
Hacker, Hack Thyself
3 weeks ago