IT Security: Who Watches The Watchers?

Analysis
Mar 16, 20094 mins

The situation with D.C.’s IT security is huge mess. Yusuf Acar, acting chief security officer following Vivek Kundra’s exit to take the Federal CIO position, is now in the hands of the FBI on bribery charges from an alleged under the table deal with security vendor AITC. Kundra’s not been implicated but has taken a leave of absence, presumably until this shakes out and it’s clear he wasn’t involved. Let’s hope Kundra wasn’t involved, as that would be a very terrible start for the nation’s first top federal CIO. 

Acar’s not being accused of any type of security related malfeasance (at least that I’m aware), but given his level and breadth of access, everyone’s a bit paranoid about the potential he has some backdoor access or there may have been others involved in this scam. And if he was in cahoots with one of his IT security vendors, AITC,  who knows what other scams they may have collaborated on.

When someone in IT security shows very poor judgment, damages or violates their trust relationship, and in this case, commits a crime (allegedly), everything comes into the question. You have to look at everything, because you just don’t know. What did they have access to? What level of access did they have? Who might have been participating in the scheme with them? And what did they leave behind, such as backdoors, time bombs, booby traps or already damaged systems? If they were willing to go this far, how much further might they have gone or should we just assume the worst. Just how deep does it go? Often times there’s no way of really knowing for sure.

As in the District of Colombia’s case, you have to be overly cautious and err on the safe side, assuming if it’s possibly, they may have done it. Probably the only way to be sure is to overhaul and re-implement you security implementation. Certainly a thorough, hands on investigation is required.

IT security engineers, and often times IT administrators, are giving access to some of the most sensitive internal business and personal information. With that access, which is usually necessary to do some parts of their job, comes trust… trust the individual will only access what’s necessary to perform the job, and will maintain strict confidentiality of what they see and access. That trust is directly tied to the integrity of the individual. Violate that trust in any significant way and integrity is questioned as well.  

The question arises, do we need more than just auditing of the security of our systems and networks? Who watches the watchers, to play on a theme from the graphic novel and recent movie hit, The Watchmen. Are we destined to the compartmentalized structures, like those used to protect sensitive, secret and top secret information in our military and national intelligence?

Given the environment of greed and corruption we’ve all learned about on Wall Street and arrests like Acar’s, you start to get paranoid, wondering what does it really take to protect our systems and data. Is the Acar situation the D.C. district’s security equivalent of a Wall Street meltdown? Likely not, at least lets hope it isn’t. But the process to investigate, re-plan and re-implement security for D.C.  “just in case” will take time and could be very costly.

Like this? Here are some of Mitchell’s recent posts.

  • Top 5 “Must Have” Features For Windows Marketplace
  • Microsoft Era of “Take It Or Leave It” Is Over
  • Fed CIO Vivek Kundra: Google Apps or Office Live?
  • Windows 7 Post-Betas Leaks – Why You Should Care
  • Economy Spotlights H-1B Visa Hiring Debate For Microsoft
  • Will Tom-Tom Lawsuit Further Distance Microsoft From Linux Crowd?
  • Were Microsoft Layoffs Political or A Token Gesture?
Mitchell’s Book Recommendations: Also visit Mitchell’s other blogs and podcasts:

Visit Microsoft Subnet for more news, blogs, opinion from around the Web. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)