Edward Snowden did one important thing: he made the conversation about security and ethics popular and international.
On one hand, he told us something we always knew: spies spy. Stealthily gathering secrets, usually in wartime or in matters of national security, is arguably the third-oldest profession.
Spying on specific national interests is assumed, expected and probably universal, which is why the feigned indignation of world leaders is laughable.
Spying on a populace, however, is extreme. Spying is normal when its targets are decision makers, influencers and information handlers. Ordinary citizens don't qualify for surveillance unless they are linked in some other way to a security threat.
- Surveillance of a high-crime street corner is appropriate
- Surveillance of a shoplifting-prone market is appropriate
- Surveillance of military leaders engaged in assault on national interests is expected
- Yet combing through private communications, collecting information that may someday be factored in as a risk, destroys the fabric of trust between a people and its government.
Surveillance in itself, then, is morally neutral, neither good nor bad. Sometimes it's downright necessary for security or loss prevention. It's a simple formula: analyze metadata, identify risks, manage risks.
This surveillance and spying conversation, however, sends shivers down the spines of security managers and executives.
My recent informal research shows that security executives are Least Aware of physical threats to information. Every security executive we've interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc.), but almost none had studied or measured the risks associated with physical threats to information, nor did they have thorough procedures in place to protect against them.
…and Least Prepared for social engineering and physical penetration. Every security executive confessed that confidential company information was at risk of social-engineering attacks (phony phone conversations, pretexting, impersonation, spear-phishing, etc.).
Physical penetrations were even more frightening to some executives, who were certain that their confidential company information could be collected and carried out of the building (as printed documents, photos, memory sticks, etc.) by:
- an unauthorized visitor tailgating into the building
- an attacker bypassing security controls at doors and fences
- rogue employees or contractors (à la Snowden)
- an internal attacker of any type
We are all in this discussion now: public and private organizations, data and physical infrastructure alike. Now tell me your opinion. Do you think the "Snowden affair" is relevant to your organization? Is it a physical security issue? A cybersecurity issue? Both? Something different?