The unfolding story raises a variety of questions, most of which are either being glazed over by the media, misrepresented by people who don't understand the issues, or ignored entirely. I want to go over a few of those issues and try to cut through the garbage.
First, let's look at vetting.
Part of the challenge in a case like Snowden's is the question of whether he was fit for the position into which he was hired. Accusations of poor vetting were leveled against the government agencies in question, and against Booz Allen Hamilton (the defense contractor that hired Snowden). The accusation that's often reiterated is that Snowden wasn't properly vetted.
Let's look at a different case for a moment. One of the issues that coalition forces in Afghanistan have run into over the last few years is the challenge of proper vetting. One story that I keyed in on months ago, and had been meaning to discuss prior to the Snowden affair, was the case of a particular "green-on-blue" attack in Afghanistan. In December, a policewoman who killed an American advisor in Afghanistan was later revealed to be an Iranian national who had illegally obtained Afghan identity papers. (source, source) Vetting in a place like Afghanistan is very difficult, which is one of the reasons why nepotism plays such an active role in such societies. Without the kind of national infrastructure we in the West take for granted, the measure of one's trustworthiness is how well connected they are to those in authority. In the West, we put our institutional memory on paper or commit it to electrons; in a place like Afghanistan, institutional memory - to include one's crimes - rests in the memory of the elders.
But why is vetting important in the first place? The answer, friends, is risk. People and organizations want to eliminate risk; but in reality, risk is inevitable, hence the need to manage it. In the case of vetting, an individual or organization is trying to determine whether a candidate is a suitable security risk. This takes a variety of forms dependent upon the role in which a candidate will be serving, but the underlying purpose is always the same: to determine whether a candidate is a minimal enough security risk to warrant investing trust into them.
So, what about Edward Snowden? Without being privy to the specifics of the case, one can conjecture that Edward Snowden - regardless of his motives - must have passed a variety of vetting procedures by both BAH and the government to get to the position that he held. It wasn't in the government's interest to hire someone who would use his access to leak information, nor was it in BAH's interest to put forth a candidate who would leak information. BAH, but moreso the government customer who conducts the actual background investigations, would have been looking at a pool of candidates who met the requirements for the work itself, one category of which would have been the security requirements.
Another question, once again tied back into BAH, was described by the BBC as the "rise of the low-level contractor with high-level access". The confusion on behalf of the BBC is understandable, as the Brits tend to throw civil servants at the same tasks at which America throws contractors. Contractors have gotten a bum rap over the last few years because of their ubiquity in Afghanistan and Iraq. In reality, contractors provide things like subject matter expertise and operational flexibility that you don't get from uniformed or civil service personnel. Uniforms, civil servants, and contractors all come with pros and cons. One of the pros of contractors both stateside and overseas is that they fill manpower gaps left by a combination of permanent force reductions following the 1990's "Peace Dividend", and operational tempo increases since 9/11. It's also worth noting that most contractors - including Snowden himself - boast military service of one sort or another.
In Snowden's case, it's possible that there was a lack of due diligence in one aspect or another of his vetting. In all honesty, though, one has to consider whether or not the major "warning signs" that I've heard bandied about - such as the fact that Snowden wasn't a high school graduate, or that he'd washed out of the Army - would have, or even should have, been red flags. Snowden has allegedly exaggerated his biography and credentials, but the bottom line is that if he had turned his life around since high school, it's likely that an objective investigation would have cleared him.
None of that absolves Snowden of his apparent crimes. The point I'm trying to get across is that in order to accomplish any task, an individual or organization must assume some degree of risk. The American government employs hundreds of thousands, even millions, of personnel in roles relating to national security. The fact that so few among that number - people like Edward Snowden and Bradley Manning - actively choose to betray those secrets, means that in actuality, America does a pretty good job of managing these risks.
At least, from a personnel security standpoint, they do a pretty good job. The advent of personal computing has introduced new risks to information security that were unheard of even ten years ago, and exacerbated existing ones. Despite countermeasures and efforts at mitigation, information systems are built for disseminating data, which makes them a big risk factor for both unauthorized dissemination (leaks) and malicious theft of data (hacking).
This raises a number of questions, and I'll address them in my concluding post.
No comments:
Post a Comment