Saturday, July 27, 2013

Liberal Arts Education Meets Risk Management Follow-Up

A few days ago, I published this post about liberal arts education. Just to follow up, here are a couple of articles I'd been holding in reserve: Worst College Majors for Your Career, and Ranger Up CEO Nick Palmisciano's 11 Get Into College Tips. That second one was a follow-up to Palmisciano's excellent video series on How to Get a Job. You know what they say: knowledge is power.

Friday, July 19, 2013

Rethinking Locks

Every day, we put a lot of trust in locks and keys. Have a look at some of these videos, and then reconsider that trust accordingly.





I picked my very first lock back in May - a fairly simple lock for a desk cabinet drawer. I picked it so that my classmates and I could use it, as the key had long since been lost. When researching how to go about trying it - for me, all it took was a straightened paper clip - I watched a few clips, and was both fascinated and shocked by how simple these mechanisms that we place so much trust in actually are. This, folks, is why a simple lock isn't enough to truly safeguard your family, possessions, or workplace.

Wednesday, July 17, 2013

Personal Security Online and In Person Follow-Up

Following up on this post, there are a few related stories: Love Is a Battlefield: How the Taliban are using sex to fight America, She’s Just Not That Into You: Air Force Warns of Online ‘Sextortion’, and Here’s a Reminder Not To Tell Your Foreign Lover U.S. Nuke Secrets. If you're in a position of sensitivity, either in national security or otherwise, and someone is really interested in you and really interested in the nitty-gritty details of what you do, then it may very well be too good to be true.

Saturday, July 13, 2013

Thoughts on Edward Snowden: Part 1

Owing to my background, a lot of people have asked me for my take on Edward Snowden. The story continues to develop, and there's a whole lot of bluster and nonsense to clear away from the actual facts. Without using indelicate language, I'll concisely say that I don't see Edward Snowden as a whistleblower; rather, I think that this is a rather clear-cut case of treason. I hope very much that Snowden is eventually apprehended and made to face justice.

The unfolding story raises a variety of questions, most of which are being glossed over by the media, misrepresented by people who don't understand the issues, or ignored entirely. I want to go over a few of those issues and try to cut through the garbage.

* * *

First, let's look at vetting.

Part of the challenge in a case like Snowden's is the question of whether he was fit for the position into which he was hired. Accusations of poor vetting were leveled against the government agencies in question, and against Booz Allen Hamilton (the defense contractor that hired Snowden). The accusation that's often reiterated is that Snowden wasn't properly vetted.

Let's look at a different case for a moment. One of the issues that coalition forces in Afghanistan have run into over the last few years is the challenge of proper vetting. One story that I keyed in on months ago, and had been meaning to discuss prior to the Snowden affair, was the case of a particular "green-on-blue" attack in Afghanistan. In December, a policewoman who killed an American advisor in Afghanistan was later revealed to be an Iranian national who had illegally obtained Afghan identity papers. (source, source) Vetting in a place like Afghanistan is very difficult, which is one of the reasons why nepotism plays such an active role in such societies. Without the kind of national infrastructure we in the West take for granted, the measure of one's trustworthiness is how well connected they are to those in authority. In the West, we put our institutional memory on paper or commit it to electrons; in a place like Afghanistan, institutional memory - to include one's crimes - rests in the memory of the elders.

But why is vetting important in the first place? The answer, friends, is risk. People and organizations want to eliminate risk; but in reality, risk is inevitable, hence the need to manage it. In the case of vetting, an individual or organization is trying to determine whether a candidate is an acceptable security risk. This takes a variety of forms depending on the role in which a candidate will be serving, but the underlying purpose is always the same: to determine whether a candidate is a minimal enough security risk to warrant investing trust in them.

So, what about Edward Snowden? Without being privy to the specifics of the case, one can conjecture that Edward Snowden - regardless of his motives - must have passed a variety of vetting procedures by both BAH and the government to get to the position that he held. It wasn't in the government's interest to hire someone who would use his access to leak information, nor was it in BAH's interest to put forth a candidate who would leak information. BAH, but more so the government customer who conducts the actual background investigations, would have been looking at a pool of candidates who met the requirements for the work itself, one category of which would have been the security requirements.

Another question, once again tied back into BAH, was described by the BBC as the "rise of the low-level contractor with high-level access". The confusion on behalf of the BBC is understandable, as the Brits tend to throw civil servants at the same tasks at which America throws contractors. Contractors have gotten a bum rap over the last few years because of their ubiquity in Afghanistan and Iraq. In reality, contractors provide things like subject matter expertise and operational flexibility that you don't get from uniformed or civil service personnel. Uniforms, civil servants, and contractors all come with pros and cons. One of the pros of contractors both stateside and overseas is that they fill manpower gaps left by a combination of permanent force reductions following the 1990s "Peace Dividend" and operational tempo increases since 9/11. It's also worth noting that most contractors - including Snowden himself - boast military service of one sort or another.

In Snowden's case, it's possible that there was a lack of due diligence in one aspect or another of his vetting. In all honesty, though, one has to consider whether or not the major "warning signs" that I've heard bandied about - such as the fact that Snowden wasn't a high school graduate, or that he'd washed out of the Army - would have, or even should have, been red flags. Snowden has allegedly exaggerated his biography and credentials, but the bottom line is that if he had turned his life around since high school, it's likely that an objective investigation would have cleared him.

None of that absolves Snowden of his apparent crimes. The point I'm trying to get across is that in order to accomplish any task, an individual or organization must assume some degree of risk. The American government employs hundreds of thousands, even millions, of personnel in roles relating to national security. The fact that so few among that number - people like Edward Snowden and Bradley Manning - actively choose to betray those secrets, means that in actuality, America does a pretty good job of managing these risks.

* * *

At least, from a personnel security standpoint, they do a pretty good job. The advent of personal computing has introduced new risks to information security that were unheard of even ten years ago, and exacerbated existing ones. Despite countermeasures and efforts at mitigation, information systems are built for disseminating data, which makes them a big risk factor for both unauthorized dissemination (leaks) and malicious theft of data (hacking).

This raises a number of questions, and I'll address them in my concluding post.

Wednesday, July 3, 2013

Travel Safely Follow-Up

A few months ago, I published this post on travel safety. At the time, I apparently hadn't seen this story about a woman in the late stages of her pregnancy who disappeared while on a trip to Central and South Asia, including Pakistan and Afghanistan. At the risk of trivializing an obviously tragic situation, it seems obvious that women in advanced stages of pregnancy shouldn't be travelling in dangerous areas like Afghanistan and Pakistan.