Why do we fear the NSA?
Why do we fear sharks?
Why do we fear anything?
Here’s some context:
- Shark attacks in 2014: 72 unprovoked attacks with 3 fatalities.
- A 2006 Time article stated that more than 600 people die annually in the US alone by falling out of bed.
Which should you fear more, the creature whose main potential for attack is within swimming distance of shore in salt water or the item that is the featured item in every single bedroom?
There are a few factors at play that brings threats to our attention. First is a combination of how we remember and validate information and the second is called “the availability heuristic”.
We tend to remember things that are recent and that are repeated frequently. So anything that meets these two requirements becomes perceived as common place even if it is not quantitatively true. Shark attacks are so dramatic that they are instant headlines on every news outlet and through several news cycles. Intellectually, we recognize that there was only the single attack, but emotionally, our brain is pounded with multiple inputs from multiple sources.
Add movies, videos games, and sharknadoes, then the threat becomes a part of our cultural background.
All of the information feeds into how the brain perceives the availability of the threat: the availability heuristic. It feels so common-place to us that the emotional response of the danger outweighs the facts. After all, we have all witnessed shark attacks… at least on TV, but who has ever seen anyone die from falling out of bed, even on TV?
Sharks and the NSA
Ever since May 2013, when Edward Snowden fled to Hong Kong, his name and the NSA have been part of the US’s media chatter on a weekly basis. There have been revelations in the press, congressional panel investigations, and numerous articles on the breadth of the NSA’s data collecting capabilities.
Call Snowden a traitor, call him a hero, but the NSA has faced a media storm for over two years.
It seems to me, the public response, is that the NSA has achieved Orwellian proportion in its ability to dissect and analyze the electronic minutia of both potential bad guys and every member of the US public. There is a lot of hyperbole that is too deep of a rabbit hole to examine here, but how will this affect a business, what is the threat?
There are about 22 million businesses in the US.
I am sure, statistically, that a small percentage of those businesses are involved in shady dealings and I am sure, statistically, that an even smaller percentage is involved in activities of interest to the NSA.
As a normal, honest business person, I assume that the NSA has zero interest in collecting information on anything you do personally or professionally.
But, who is your Snowden?
For whatever motivation Snowden claims to justify his actions, he was a vetted, trusted employee who used a position of confidence to steal information. We assume in the day-to-day operations of our companies that everyone we hire is honest and, if we are responsible, we vet them to the best of our abilities.
Every company faces the possibility of the disgruntled employee, industrial espionage, stolen intellectual property, hackers and for some, traditional intrusion by foreign governments. These threats far outweigh any possible danger that the NSA could pose.
This isn’t about politics, this is about perception, about priorities.
It is about protecting your intellectual property. In a study by the Software Engineering Institute, most IP thefts are undertaken to provide an advantage to a new employer (former competitor) or to create a new business.
We exist in a media echo-chamber. We perceive low-percentage threats to be huge problems because we hear about the threats over and over through multiple news cycles. You have to be intellectually aware of the biases and recognize the influence biases have on how we perceive and evaluate evidence.
We certainly need to be aware of our external threats and how we can strategically plan and protect continuing operations from external influences. Risks must be weighted toward the most likely threats. The unlikely risks can be covered with fundamental, systematic processes.
We cannot exist in a state of paranoia. We have to extend trust to our employees and colleagues. But… we cannot ignore the possibility of internal threats. We have to anticipate and design in-place systems that prevent sins of opportunity.
I guess the point I’m trying to make is that everyone has many concerns about their business, but not every threat is truly threatening. You have to peel back the layers and examine the facts, not the fears.
Ask yourself: should you be more worried about the NSA using your proprietary company data or more worried about Edward Snowden protecting it? What are you doing to protect against your present or future Snowden?
My biggest lesson from the whole NSA/Snowden drama was if it can happen to the NSA, it can happen to anyone. What are you doing to protect against your present or future Snowden? NSA’s biggest weakness was born of complacency. He was able to extend his system access through stolen passwords from other employees. A two-part or biometric validation system would have prevented or highlighted his clandestine activities.
Obviously, sharks and beds are too different to compare, but going with the percentages, it probably wouldn’t be a bad idea to think “bed rails” at some point in your life.
 Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations”, Collins/Spooner/Cappelli/Moore/Trzeciak, May 2013, Software Engineering Institute.