Edward Snowden, an ex-CIA employee and a current employee of defense contractor Booz Allen Hamilton, is all over the news this week. He’s also the source of the NSA leak that outlined PRISM, a broad-based U.S. Internet intelligence-gathering program.
Last month we learned that QinetiQ, a major DoD government contractor, had been repeatedly breached by Chinese hackers.
Together, these events have a lot of people talking about the safety and security of U.S. government contractors.
The Defense Security Service (DSS) administers the defense portion of the National Industrial Security Program (NISPOM), a rigorous program outlining the requirements for government contractors that need a U.S. government security clearance to access national security information.
If you skim the table of contents for this program you’ll see what people have to go through to get these clearances – it is comprehensive.
Here’s the ugly truth of information security: In spite of the rigorous controls spelled out in NISPOM and other security programs, security lapses are bound to happen.
This is true of any compliance or regulatory measure. Even if you implement all of the controls, there is never a sure fire way to prevent all leaks or breaches 100% of the time.
Take PCI for example– this regulation is intended to secure the credit card industry, but we still routinely hear about breaches in banks, payment processors and point of sale devices.
Now PCI and NISPOM are very different programs, but the point is that breaches of security controls happen – we just don’t hear about many of them, especially those within the government, because aren’t made public.
The fact of the matter is that lapses in security controls take place in every industry. Government contractors and government employees are human, so security lapses are going to happen in government.
Even when the stakes are very high and the security controls are rigorous there is no magic bullet and there is no magic pill that will permanently solve the all the problems of confidentiality, integrity and accessibility.
Security professionals everywhere wish it was otherwise, but we have to keep reminding ourselves that there is no way to be 100% secure 100% of the time.
- Snowden source of leaks: http://www.guardian.co.uk/world/2013/jun/10/white-house-nsa-leaks-edward-snowden
- QinetiQ Breach: http://www.bloomberg.com/news/2013-05-01/china-cyberspies-outwit-u-s-stealing-military-secrets.html
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock