Comment by bjt
12 years ago
I'm not sure why you think that's so easy to do. You need a person who:
1. Has the technical credentials and interviewing skills to get hired at Google (not easy). 2. Has a security clearance. 3. Wants to be a spy. 4. Can get themselves assigned to the team working on datacenter interconnects. 5. Can set up a tap on the interconnect without getting caught.
That sounds both hard and expensive to me.
Consider Sally Smith, our hypothetical employee. She worked for several government and military agencies for years with a concentration in data center security. She has top-secret clearance.
Before the Snowden revelations came out, I'd have strongly considered Sally Smith to be a good fit for a position dealing with data center security. Who wouldn't have?! Years of experience at high levels securing data centers? Letters from generals and senior government officials attesting to her qualifications? Sign me up right away!
Post-Snowden, I'd start believing that Sally Smith is far more likely to be Sally Spook, an active NSA employee experienced in data center infiltration and with an impeccable cover story.
The only thing that keeps Sally Spook away from our data centers is Google's hiring processes & internal security, and is that really enough to stop a determined adversary with all the advantages of the NSA? I doubt it.
The Google hiring process seems to be very focused on discerning a candidate's practical knowledge not their on paper experience or recommendations. It would be silly to think that a general or senior government official would even have the technical knowledge to make a well informed recommendation of someone for a technical position.
Then the NSA finds a candidate that really knows how to secure inter-datacenter communications and gets them placed at appropriate positions inside the government or in collaborating private companies to build experience & a valuable network, with the long term goal of getting a job at Google. And if they really want in they place ten candidates in various companies.
The NSA can do this. They have the resources and the time to try. The only question is if they want a mole inside Google. Hell, I'd be shocked if large internet companies (Google, Yahoo, etc.) don't have agents from foreign and domestic intelligence agencies working there right now.
Betting on a companies hiring process to catch agents of an advanced persistent attacker is betting against house money in Vegas. You aren't going to win in the long run.
I think you dramatically underestimate the quality of the people the NSA has on staff. I know of two people who almost certainly worked there (obviously nobody confirms anything, but when two agents show up at your office to ask about their patriotism, the implication is clear), and they are brilliant, easily as smart as anyone I know at google.
Finding such a person would be difficult (but not impossible) for you or for me, but conditional probabilities work heavily in the NSA's favor. They have thousands of in-house people already satisfying 1, 2, and 3. 5 can be perfected by a team and taught to any of those thousands of people and 4 can be achieved with resume tweaking and, at most, a few repeat trials.
It's the same reason why security through obscurity doesn't work: if you chain together 5 obfuscation layers that each keep out 80% of competent hackers, in total they probably keep out 85% or 90% of competent hackers if you're lucky, but certainly not 99.99%, because everyone who bypasses the first layer has a much higher probability of having the skills to bypass the other layers as well.
Take those requirements in reverse and apply them to an already employed NSA person -- then send them out to apply for jobs as an asset.
there is also very easy other way around - "ask for help" [to fight terror and defend Motherland, err... USSR wording, today in the US it is "Homeland"] an existing Google employee.