Sunday, August 07, 2005

Opportunity Costs of Security Clearances

Recently a friend asked me if I knew of anyone with a security clearance who has also passed a polygraph. It seems some agency (unknown to me) requires individuals with digital security assessment experience and the designated level of security clearances. I told my friend I did not know of anyone with that combination. He replied that the agency in question was ready to simply find someone with the necessary clearances, and teach them whatever skills were needed to perform the security assessment.

Something about this bothered me. I realized that this unknown agency was more concerned with the supposed trustworthiness of the assessor than with the skills he or she would apply to the agency's digital security interests. In other words, this agency valued a cleared yet unskilled person over a skilled yet uncleared person. In my opinion, that calculation defeats the purpose of the security clearance. Let's examine why.

A security clearance is designed to be a preventative measure that guards against a specific threat: rogue insiders. One of the most dangerous adversaries is someone on the inside, trusted with access to sensitive networks and data. It is important to ensure that people in such positions are worthy of the trust granted to them.

A security assessment is designed as another preventative measure. A security assessment enumerates vulnerabilities so they can be remediated or mitigated. These are the sorts of vulnerabilities one could expect an outsider, or more seriously, an insider, to try to exploit.

We have a situation where an unknown agency is willing to hire someone without the necessary skills to perform a very important task. That task is discovering vulnerabilities and recommending answers. This is not a job for a newbie, even if that newbie is "trusted." By putting itself in this situation, the agency has calculated that it values employing supposedly trusted newbie assessors over the act of discovering and fixing security holes.

Good vulnerability assessors or penetration testers are not born in boot camps. Discovering, validating, and remediating vulnerabilities requires more than knowing how to run Nessus or Metasploit. I doubt someone who has just learned to perform an assessment will deliver the report truly needed by this agency. The "work" by a brand-new "assessor" has just turned into a compliance item; the box has been checked, but who cares about the result?

This brings me to the broader question of clearances. What other trade-offs have been made in the interest of "trustworthiness," and at the expense of "security"? I know of people who could have made significant contributions to various projects, but had to wait months or years waiting for the appropriate security clearances. What damage was done, what missions were lost, what opportunies foresaken while the clearance process was followed? For other economics-trained readers, what is the opportunity cost of security clearances?

I read articles about problems with the clearance backlog, and these are the questions I do not see addressed.

7 comments:

Anonymous said...

Could one make the same analogy as to the cost oppurtunity of a promoting a non-Information Security saavy MBA, or other Sr. Executive to a CISO-esque position? Obviously at the time of promotion, this MBA runs out and reads ISO17799 and embarks on his noble mission of scoping out and defining his incident handling, change management, business continuity, and disaster recovery policies.

It would seem to me that this process would be undertaken with a great deal of ignorance as to the various severities, and probabilities associated with determining the liklihood that an assumed, or partially mitigated (Read: a deminished threat, that retains some impact potential), risk will actually manifest into asset loss, thus effectively (and possibly unknowingly!) creating misguided and substandard security policy.

I haven't discarded the idea that my argument here is based on faulty logic, so any and all comments are definitely welcomed.

Keydet89 said...

Richard,

This is nothing new at all. I wish I could tell you the number of places that I've submitted resumes to, and followed up with, in which the issue of a clearance was more important than the skill sets. I say this, b/c I've spoken to the people who're making the decisions to go in this direction. Much of the federal government needs the skills to be available now, but the clearance process is slowing things down...it's much easier to find someone w/ a clearance and simply teach them the skills.

And, as you've pointed out, this does raise the question of "what's missed?" What would someone with experience have seen and/or done, where someone with just the training but no experience missed? What's the delta in the quality of work?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Anonymous said...

Amen!

Richard,
It makes me so happy to hear someone questioning the validity of the Security Clearance strategy used by the various TLA agencies in Washington.
To me it seems that agencies might begin to suffer from serious (hate to use this word but seems appropriate) group-think if this practice continues. If all analysts are hired as unskilled, yet cleared, to-be-trained workers then there might be a lack of diversity in the skill-set acquired. Additionally I have also seen skilled workers sit around for months because of the backlog, I'd hate to see the total cost of this lost productivity. Higher levels of clearance also begin to affect personal freedoms, many highly skilled workers have been turned off by the security clearance process and thus we lose their expertise where we need it most!

Anonymous said...

I agree about people being turned off with the process. I can easily see why someone would eventually count it as a negative when weighing whether to accept a job that requires a higher level of clearance with even more investigation.

It is particularly odd when you consider that time working effectively at your job doesn't seem to mean much. I had one job that simply required a background investigation every three years. It didn't make much sense to me that they had to have me fill out all the paperwork and go through it again even though I had been working there for years and had been doing a good job.

And that wasn't even a job that required clearance!

Kadupottan said...

A sad state.... In India, most of the leading security solutions providers are recruiting fresh ( or <1 years' experience) computer science graduates with certifications like CEH, CCSP, CCNA, MCSE as Information Security Analysts !!! It is really disturbing to see that they are serving companies like Duestche Bank, AMD, NCR, Nike etc. As a network admin for a fortune 100, I was given the task of evaluating some of these providers due to an audit requirement.I had interviewed a few of the so called "consultants" from these companies. It was a horrible experience ...... That raises a question in my mind... What counts ? Experience or just product certifications ?

Instrumental Surveillance Agency said...

One thing is for certain. If the government plans to continue their argument in favor to how they've been operating their security clearances, they are by far, creating nothing but ignorance within the sector.

We see this same situation in effect within the Iranian regime. All of the talented and bright Iranians are currently the individuals whom are fighting in this revolution against their own government. It's hazardous to any 'National Security' to hire analysts and not properly analyze them. It's a very weak point which will in fact, be the self-destruction of this nation over time. Tyranny and corruption play in part with ignorance. Those who risk their everyday approaches to create their own analyzed opinions based on facts, non-biased opinions, and those whom assume but to a certain degree, are not involved in our everyday government.

It's really frightening that our own government will put a credit score, something that was only created over the last century, to place a higher role over the fact of your employees being tangible in their everyday analysis.

The story of James Bond, may be a fictional story, however, it emphasizes a great look into how national security should be sought upon. James Bond has a great deal of containing a temperamental attitude towards individuals, and thus, is sometimes seen as a threat towards Mi6. However, the plot of the story is always coordinated around the thesis of James Bond looking out for the sole interest in the solvency of the United Kingdom. He has a record of consuming amphetamines while on the job, gambling in large amounts of cash, sleeping with random women he picks up, what other violations does James Bond not break in order to prevail his missions?

The story conjoined with this argument is a little farfetched, but it proves to how our current policies are detrimental to the health of the American government. Theoretically, it’s the same path like the ancient Athens era & Sparta who began the Great Peloponnesian War in 432 B.C.E. Athens whole strategy going into the war was purely arrogant & wanted to show Sparta that they were invulnerable in the beginning, & then regain power by means of their strong fleet further into the war.

Athens were clearly too confident of its own ability & later proved vulnerable to Sparta's army. For if you think you are more then you are, you will never know who you really are. Athens were blind to its limited power & failed to foresee the results of its actions. Athens did not know themselves & suffered from this ignorance.

What follows not knowing yourself is destruction & in Athens’ case, downfall of the city. In 404 B.C.E. Athens surrendered to Sparta, Sparta having starved Athens into submission. This misguided belief only leads to thinking of yourself as someone you are not & destroying yourself in the process.

History is one scenario, but repeating the same mistakes from the past is ultimately the essence of ignorance, and self-indulging arrogance. I hope for analysts to embark on this knowledge, and realize, that these policies are not more than 40 years old. And within the last 40 years, the United States has lost every war it has come across. Not like the wars that created American history where every man fought for his own cause within his ideology of America. Theoretically, a significant increase to our current deficit still results in a loss on our behalf. Oh Lady Liberty. Where have you gone to let moronic individuals to examine the security of your land over feasible answers to protect this sovereign nation? It must have been when she took her smoke break.

http://www.funnythreat.com/images_funny/images/funny-ads-0.jpg

The struggle for power within this world is so complex, that only the individuals who cannot pass a security clearance, would be the individuals who could prolong the lifespan of America, if they were analyzed thoroughly and not judged based on ridiculous policies.

God bless the United States of America.

Instrumental Surveillance Agency said...

Our schools have entirely led you to believe that staying out of trouble, maintaining a high credit score, and being certified in a degree is your only chance in life. This is all bullshit. Non of this matters when it comes to survival skills when fighting wars, or conducting prolonged issues, that should be quickly pondered on. Only the elite survive in the struggle against power. People may contain the highest degree of mathematics, but as we've witnessed, Einstein even created the greatest threat to our nation. Yet, I'm a devils advocate, and it seems as if the most successful people within this world are the ones who decided to under mind the education system in order to manifest their own success. When will America wake up and smell the coffee? Because we all wake up every morning, and brew a fresh cup for them. Hoping for them to wake up, and to rid their continuous ignorance. The problem with ignorant individuals is that their hard headed. And while they want to look at some of us, like were stupid ourselves, we would like to believe that they aren't, however, deep inside we all know that they are.

The greatest threat known to mankind, is not arms. Or nuclear warfare. Corrupt governments, or money. It's solely and entirely ignorance...I'd like to see someone with a security clearance figure that one out. Much more than that, figure out a way to abolish American ignorance.