I was eating lunch with the chief of security at a social network a few years ago. As we sat in his company’s sunny courtyard, young employees passed by us, plates loaded with free food.
“You realize some of these people work for foreign governments,” I remarked. The CISO sighed and replied, “Of course I do.”
Now comes the news that Twitter employees were secretly spying on behalf of Saudi Arabia. They retrieved records of Saudi activists and passed them on to their handlers in the Kingdom. When Twitter discovered what was happening, they did all the right things. They fired the spies, called in the FBI, and notified thousands of Twitter users whose data was stolen.
But do Twitter and other social networks do the right things to prevent such spying from happening in the first place? Is prevention even possible?
First, social network companies need to wake up to the threat. Because of the personal data and private communications they collect, they are juicy targets for nation state espionage. This includes US intelligence agencies as well as foreign ones.
The stakes are high. Foreign governments don’t want user data to sell ads; they want to silence dissidents and eliminate enemies. In the case of the Twitter incident, it is likely the stolen data will result in arrests and harsh interrogations.
Nation state espionage is more sophisticated than the industrial espionage that most companies worry about. It can be tempting to throw up one’s hands and say the problem is too hard to solve. But the military world has centuries of experience in preventing and detecting foreign spies. Private companies can learn from them.
Take background checks, for example. In the private sector, they are typically conducted for job applicants by the HR department, focusing on criminal record, credit history, education, and references. But in sensitive military roles, a much more in-depth clearance check is conducted, and then often repeated at regular intervals. They can even include polygraph tests.
Polygraphs don’t fit the culture at most social network companies, but they could certainly beef up their background checks, and move from one-time applicant checks to ongoing employee screening.
Another common military technique is tiering and compartmentalizing sensitive data. In the US, a secret, top secret, or code word clearance is required in order to access classified data. This too can be adapted by social network companies. They could limit consumer data access to those who meet strict need-to-know requirements, and subject those people to stronger screening and monitoring.
Rogue employees stealing a company’s data are a kind of insider attack. There are many things that can be done to mitigate such internal threats, ranging from background checks to Data Loss Prevention (DLP). (I should know, I literally helped write the book on insider attacks.) Such controls are common in mature industries that have dealt with the threat for many years – banks, for example – but social network companies are young, immature, and don’t typically have security in their DNA.
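The two preceding paragraphs describe controls in the abstract: tiered data with need-to-know access on the one hand, and monitoring of the people who hold that access on the other. The sketch below is an added example (my own, not code from the article or from any social network) of what both look like in a user-data access layer: every read is checked against a field sensitivity tier and an open case assigned to the employee, every attempt is written to an audit log, and a detector over that log flags an employee who reads restricted fields of many distinct users in a short window, which is what a support analyst working one case at a time does not do. The record schema, tier names, case ids, one-hour window and five-user threshold are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sensitivity tiers for fields of a user record; higher is more sensitive.
# Constructed schema for this example, not any real platform's data model.
TIER_PUBLIC, TIER_INTERNAL, TIER_RESTRICTED = 0, 1, 2
FIELD_TIERS = {
    "display_name": TIER_PUBLIC,
    "email": TIER_INTERNAL,
    "phone": TIER_RESTRICTED,
    "ip_history": TIER_RESTRICTED,
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    clearance: int          # highest tier this employee has been screened for
    open_cases: frozenset   # case ids that justify a lookup (need to know)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    emp_id: str
    user_id: str
    fields: tuple
    case_id: str
    allowed: bool
    reason: str


class UserDataStore:
    """Compartmentalized store: every read is tier-checked, need-to-know-checked and audited."""

    def __init__(self, records):
        self._records = records
        self.audit_log = []

    def read(self, emp, user_id, fields, case_id, now):
        fields = tuple(fields)
        reason = "ok"
        if any(f not in FIELD_TIERS for f in fields):
            reason = "unknown field"                      # fail closed on unclassified data
        elif case_id not in emp.open_cases:
            reason = "no need to know: case not assigned to employee"
        elif max((FIELD_TIERS[f] for f in fields), default=TIER_PUBLIC) > emp.clearance:
            reason = "clearance below field tier"
        elif user_id not in self._records:
            reason = "no such user"
        allowed = reason == "ok"
        # Every attempt is logged, denied or not; repeated denials are a signal in their own right.
        self.audit_log.append(AccessEvent(now, emp.emp_id, user_id, fields, case_id, allowed, reason))
        if not allowed:
            return None
        return {f: self._records[user_id][f] for f in fields}


def flag_bulk_restricted_reads(audit_log, window=timedelta(hours=1), max_distinct_users=5):
    """Return {emp_id: peak count} for employees who read RESTRICTED fields of more than
    max_distinct_users distinct users inside any sliding window of the given length."""
    per_emp = defaultdict(list)
    for ev in audit_log:
        if ev.allowed and any(FIELD_TIERS[f] >= TIER_RESTRICTED for f in ev.fields):
            per_emp[ev.emp_id].append((ev.ts, ev.user_id))
    flagged = {}
    for emp_id, events in per_emp.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                                # slide the window forward
            distinct = len({u for _, u in events[start:end + 1]})
            if distinct > max_distinct_users:
                flagged[emp_id] = max(distinct, flagged.get(emp_id, 0))
    return flagged


def demo():
    """Constructed scenario: an analyst working one case, an intern without clearance,
    and an employee sweeping twenty accounts under a single case id."""
    t0 = datetime(2019, 11, 7, 9, 0)
    records = {f"user{i}": {"display_name": f"User {i}", "email": f"u{i}@example.test",
                            "phone": f"+1-555-01{i:02d}", "ip_history": ["203.0.113.5"]}
               for i in range(30)}
    store = UserDataStore(records)
    analyst = Employee("analyst", TIER_RESTRICTED, frozenset({"CASE-1"}))
    sweeper = Employee("sweeper", TIER_RESTRICTED, frozenset({"CASE-2"}))
    intern = Employee("intern", TIER_INTERNAL, frozenset({"CASE-3"}))

    store.read(analyst, "user1", ["display_name", "phone"], "CASE-1", t0)   # legitimate
    store.read(intern, "user1", ["phone"], "CASE-3", t0)                    # denied: tier
    store.read(analyst, "user2", ["email"], "CASE-9", t0)                   # denied: need to know
    for i in range(20):                                                     # enumeration
        store.read(sweeper, f"user{i}", ["phone", "ip_history"], "CASE-2",
                   t0 + timedelta(minutes=i))

    denied = [ev for ev in store.audit_log if not ev.allowed]
    return {"events": len(store.audit_log),
            "denied": len(denied),
            "flagged": flag_bulk_restricted_reads(store.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the two controls reinforce each other: need-to-know limits how many employees can touch restricted fields at all, so the detector has a short list of accounts to watch, and the audit log records denials as well as successes, which is where probing for what one is not cleared to see shows up. In practice the threshold would be tuned per role from normal case volumes rather than fixed at five.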
The Twitter incident must be a wake-up call to all social network companies. National intelligence services are embedding spies among your employees. They want access to your treasure trove of data – so limit who has access to the treasure and watch them closely. Lives are at stake.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.