'Snowden Effect' Should Thaw—Not Chill—New Ideas on Systems Intrusion, Detection

As diabolical as a Seinfeld character?

In an episode of Seinfeld's very first season—in 1989, when hacking was still a bad cough—Jerry returns to his apartment from a trip to find his electronics stolen. Kramer, it turns out, briefly left the door ajar while Elaine—who is apartment-sitting—went out shopping as she waited for Jerry's shower water to (finally) get hot. Kramer explains what happened, and asks,

"You have insurance, right buddy?"

"No," Jerry says, despairingly. "I spent all my money on the Clapgo D-29! It's the most impenetrable lock on the market today. It has only one design flaw. The door ... must be closed!"

That scene popped to mind last week, as new reporting detailed the ease and creativity with which Snowden was able to hack the NSA's files. Most unbelievable among those details, though, was this: The agency had no effective way of detecting what he was up to because unlike most of its other locations, Snowden's site in Hawaii wasn't outfitted with the sophisticated software to do so.

Someone, in other words, left the door open.


At first glance, one might think chief technologists—whether in finance, telecommunications, or elsewhere—will look at that revelation, and breathe a sigh of relief. After all, if the US government arm responsible for “watching” the rest of us can't even capably watch one of its—albeit more shrewd and determined—employees, what chance does anyone else have at prevention?

New Expectations
Of course, the unfair answer is: It doesn't matter. Any seasoned CTO or CIO will tell you that isn't how expectations work.

While a “Snowden Effect” is bandied about, meaning different things—from data-sensitive firms supposedly abandoning the cloud, to libertarians getting on a soapbox over alleged violations of constitutional rights—above all, the whole affair has clearly tickled the public consciousness, including that of shareholders and CEOs.

For financial firms big and small, expectations about actually knowing—and proving you know—what's happening on the systems inside the shop will rise. If the government can make enemies of its own personnel, even its programmers, so too can an investment bank or asset manager. (Just ask Goldman Sachs.) This is interesting, because the past few years have focused more on cybercriminals, their headline-drawing distributed denial-of-service (DDoS) attacks, and advanced persistent threats (APTs), that all originate externally.

It's not exactly a turnabout. Monitoring what one's employees are doing is far from a new IT problem. Snowden, rather, would seem to bring that priority full circle, with perhaps an added wrinkle—knowing how well (or poorly) your own developers and systems monitoring tools can police the IT estate in real time, rather than post-facto.

Bright Side
As one senior staffer at D.E. Shaw nicely put it at Waters USA a few weeks ago, IT's "hard shell" often contains a soft, gooey center. And despite whatever permissioning and education, or policies and containers one can try to wrap around it, goo is still notoriously difficult to control.

There is a bright side to all this. This summer, as I reported for a few weeks in Central Europe for Waters, a couple of CIOs I spoke with—from very different kinds of firms—both seemed to extol, with palpable enthusiasm, the priority of systems oversight and resilience. In fact, Ralf Schneider, who oversees strategy for a global behemoth, Allianz, and Michal Sanak, the CIO for Czech prop shop RSJ Trading, voluntarily returned to the topic repeatedly. They both appeared to see an opening—rather than a risk—in the new responsibilities that both sides of the Snowden affair imply.

Perhaps they have little choice. As I found elsewhere in his country, Schneider cited Germans' particularly strong aversion to any kind of data-privacy intrusion, given the modern history of surveillance there—especially during the country's Cold War partition. Sanak, meanwhile, pointed out that in RSJ's role as an electronic market-maker, gatekeeping and safety mechanisms are even more natural to the firm's IT DNA than the latency reduction or proprietary hardware one might rather expect.

Dr. Schneider leaned on the word "trust" to explain the issue and justify the spend. For Sanak, it was "integrity." (More on that in the Waters January 2014 issue.) Going by these two examples, there is little convincing to do on a cultural level.

Maps and AI
The question, then, and as often, is how. For my part, a few promising answers have already been engineered—if originally for other, more industrial applications. Verdande Technology, for example, has brought case-based reasoning (CBR) logic to finance from the offshore drilling industry; BAE Detica similarly leverages its namesake's defense and aerospace expertise; and Nice Actimize this year began using advanced voice recognition borrowed from its original telecom business.

What do the three providers have in common? For one thing—and coincidentally—none of them is American. But more importantly, they all introduce novel ways of looking at an IT ecosystem, mapping out the interactions taking place within it, and then using different modes of artificial intelligence to decide what is askew, and why.

It could simply be an overburdened server, or a bit of code that slipped through the change management process into production, funneling thousands of bad orders to market at high speeds. It could be a hacker who takes joy in seeing the world struggle for a few hours. Or a disillusioned staff member with his own agenda. The point is identifying which—accurately and quickly—and determining how that augurs a proper response.

Resolving just which technologies are needed is the rub. When Société Générale Americas CTO Bob Schmeider explained to me why firms have focused on infrastructure security in the time since the Jerome Kerviel rogue-trading scheme upended the French bank, he put it simply: "You never point a finger in this industry, so much as empathize, and look after your own house. You know you could be next."

Not So Funny
In the end, as geopolitical—almost implausible—as the Snowden leak has become, and as promising as new monitoring tools are, an effective combination of technology and leadership probably comes back to fundamentally avoiding that scene in Seinfeld: multiple actors playing roles they aren't used to, experiencing a sequence of unanticipated events that ultimately leads to an adverse outcome for the protagonist, who is left without redress.

In the episode, Jerry eventually forgives them—after all, unlike Snowden, Kramer hasn't conspired with Newman to lift Jerry's stuff—but not without one more comedic conceit that, 25 years later in 2014, will feel especially close to those charged with protecting the substance and flow of information:

"[They even stole] my answering machine!" he exclaims. "Boy, I hate the idea of somebody out there returning my calls."
