A common objective of information security awareness is to encourage whistleblowers to use internal mechanisms to report their concerns. External whistleblowing and the airing of concerns in public view risks brand damage and exposure of sensitive information. The Snowden affair has shown how divided we are on the ethics of external whistleblowing. To date, much of the debate has been speculation about Snowden’s character flaws. Sometimes when trying to understand a controversial decision such as Snowden’s it helps to understand the chain of events leading up to the decision since failures in complex systems can rarely be given justice in a single newsbyte. In this case there are a series of failures that occurred prior to the employee of a subcontractor deciding to flee the country and leak sensitive information to foreign journalists:
The NSA failed to convince Snowden as part of his training and engagement that their activities were lawful.
- The NSA failed to convince Snowden that they had a credible whistleblowing process that would not subject him to reprisals.
- The NSA failed to provide adequate controls to identify when administrators were abusing their access.
- The NSA leadership pushed their activities to the margins of legality and possibly beyond which increased the chances that someone out of the many thousands of employees and contractors would eventually leak the information out of motivation for the public interest.
- Members of congress failed to hold the NSA to account. Senators Wyden and Udall made cryptic references to creeping surveillance but failed to take decisive action.
- The NSA failed to engage with the public and gain informed consent for their activities. As the gap widened between the NSA’s activities and the public awareness the likelihood was increasing that someone would leak.
- The harsh and unlawful treatment of previous whistleblowers may have encouraged Snowden to flee.
So after a whole series of failures by many over many years the decision was left to Snowden. There is a paradox in that many who are now ‘thankful’ to have a conversation about privacy are unwilling to credit Snowden for enabling the conversation. While the US government and his employers would argue that he must honor the confidentiality clauses in his employment contract and laws relating to classified information, it can also be argued that the law cannot be used to keep unlawful activities secret and thereby facilitate their continuance. What about professional ethics? Snowden attended an ethical hacking course in 2010 and the codes of conduct for this course included a requirement to ‘Disclose to appropriate persons or authorities potential dangers to any e-commerce clients, the Internet community, or the public, that she/he reasonably believes to be associated with a particular set or type of electronic transactions or related software or hardware.’ Presumably, secret vulnerabilities being built into software falls into this category?
Of course there are problems with Snowden’s disclosures as well. That he had access to the information does not mean that he understood the operational impact. Just because he couldn’t foresee a safety risk doesn’t mean that there wasn’t one. While he appears to have made an attempt to disclose the information through responsible journalists rather than dump it on Wikileaks, he could not have been certain that one of them wouldn’t either sell the information to a foreign intelligence service or make a basic security mistake.
The path to anarchy is everyone going to the press whenever they suspect that their employer might not be wholly compliant with the law. The legality of the NSA’s activities appears to be a highly subjective issue and until activities are expressly enshrined in law or upheld in an open adversarial court, we won’t really know one way or the other. Do we really want people who suspect their employer is breaking the law to respond by saving up a large collection of files and giving them to journalists? What happens when people start whistleblowing just to get on TV?
The one clear lesson from this is that it would have been much better for the NSA if they had been able to deal with Snowden’s concerns internally. Many of the failures which led up to Snowden’s decision were well within the NSA’s ability to influence. Potentially, fixing any one of them would have been enough to change Snowden’s decision. Does your organization have a whistleblowing process? Is it credible? Do people trust it? If you’re not sure then you’d better go and ask them. Otherwise, your whistleblowers may decide to go external.
Originally published in the November 2013 edition of the ISSA International Journal.