Comment by owenmarshall
12 years ago
Consider Sally Smith, our hypothetical employee. She worked for several government and military agencies for years with a concentration in data center security. She has top-secret clearance.
Before the Snowden revelations came out, I'd have strongly considered Sally Smith to be a good fit for a position dealing with data center security. Who wouldn't have?! Years of experience at high levels securing data centers? Letters from generals and senior government officials attesting to her qualifications? Sign me up right away!
Post-Snowden, I'd start believing that Sally Smith is far more likely to be Sally Spook, an active NSA employee experienced in data center infiltration and with an impeccable cover story.
The only thing that keeps Sally Spook away from our data centers is Google's hiring processes & internal security, and is that really enough to stop a determined adversary with all the advantages of the NSA? I doubt it.
The Google hiring process seems to be very focused on discerning a candidate's practical knowledge, not their on-paper experience or recommendations. It would be silly to think that a general or senior government official would even have the technical knowledge to make a well-informed recommendation of someone for a technical position.
Then the NSA finds a candidate that really knows how to secure inter-datacenter communications and gets them placed at appropriate positions inside the government or in collaborating private companies to build experience & a valuable network, with the long-term goal of getting a job at Google. And if they really want in, they place ten candidates in various companies.
The NSA can do this. They have the resources and the time to try. The only question is if they want a mole inside Google. Hell, I'd be shocked if large internet companies (Google, Yahoo, etc.) don't have agents from foreign and domestic intelligence agencies working there right now.
Betting on a company's hiring process to catch agents of an advanced persistent attacker is betting against house money in Vegas. You aren't going to win in the long run.
I think you dramatically underestimate the quality of the people the NSA has on staff. I know of two people who almost certainly worked there (obviously nobody confirms anything, but when two agents show up at your office to ask about their patriotism, the implication is clear), and they are brilliant, easily as smart as anyone I know at Google.