

Automation Myths: The NSA Can't Replace 90% of Its System Administrators - adfm
http://programming.oreilly.com/2013/08/automation-myths.html

======
dsr_
Hi, I'm a sysadmin.

90% was always a bogus value, but that's not the main problem that I see.

Intelligence agencies are in the business of gathering, recording, analyzing
and cross referencing information, and then producing reports -- all while
maintaining compartmentalization to a degree that would be insane in most
other contexts.

You should never outsource your value proposition. What's the key
differentiator between the NSA and, say Arbor or Stratfor? Ignore the lack of
need to be profitable. The main difference is that the NSA needs to make
security its religion. To do that, the principle of least privilege applies.
The concept of Need To Know applies. And whenever possible, decisions need to
be implemented by two or more people who can't/won't conspire with each other.

Sysadmins set those systems up and run them. Sysadmins understand security as
it actually is -- bits without Colour, c.f. yesterday's discussion -- and can
turn the Colourful requirements documents into reasonable facsimiles of
working systems.

The NSA should never outsource computing expertise, be it development or
systems administration. If they were to eliminate 90% of their contract
sysadmins - by bringing them in-house - the problem would be with the
remaining 10%. But reduce their operational workforce like that and claim
automation can do it?

That's so much bull.

~~~
joe_the_user
_You should never outsource your value proposition._

Probably that literally is true. But the phrase itself generally goes with the
unsaid assumption you should outsource _something_.

It's been said that security is different from everything else in that it
can't be bolted on later and it can't be the job of some of the organization.
That's probably true too. And if the NSA's "value proposition" is security,
then one assumes they shouldn't outsource _anything_.

But there's this small problem that the NSA metastasizing has gone hand-in-
hand with the whole government contracting revolution. Especially, the various
private entities sucking the teet of the state are the ones best placed to
lobby for more and more funds for the various agencies, the "revolving door"
is now well established as the means by which agency officials are rewarded
and so-forth. So you can't stop subcontracting yet you can't do it securely.

Well, bummer for them. Hopefully there will be more, not fewer, breaches in
the future. They seem more in our advantage than otherwise.

~~~
Roboprog
Charles Stross deals with this somewhat humorously in the "Laundry Files"
novel series. The protagonist is a hacker who was drafted into a (paranormal)
spy agency. He still has to do computer support and go to committee meetings,
though (lest his supervisor outsource the network rebuild, or have the BSA do
a software audit).

------
karlkatzke
HN, and many of the technical writers covering this story, are missing out on
a major subtext of this story. I'm on my phone, so I can't cite my source, but
look at the actual quotes from NSA staff.

They're not laying off 90% of the people that performed system administration
tasks, they're revoking the administration rights of 90% of the people that
have them.

That means that their Windows domain was so badly administered that only 10%
of the people who have Administrator roles were performing administration
tasks.

I doubt anyone is actually losing their job nor do I think they're adding
significant automation.

~~~
courtneywylie
Here's the Reuters quote from NSA Director Keith Alexander that most people
(myself included) are using for this: "What we’re in the process of doing –
not fast enough – is reducing our system administrators by about 90 percent."

~~~
karlkatzke
The piece that's missing that I can't find right now, but was fully quoted by
the BBC, is the adjacent sentence, which was about how they had been too
permissive with user permissions.

------
diminoten
This reads like the rest of the industry's pitch for automation against the
cries of, "but you're automating me out of a job!"

Automation, done right, _does_ replace low-skill labor. In QA (my
perspective), automation replaces the need to run regression tests for each
build. That means if a person's job is primarily comprised of executing
regression tests, they're not likely going to have much to do once regression
tests get automated.

Similarly, if the NSA hired systems administrators to primarily do things like
deploy servers etc., then those people can be replaced by automation.

However, your "average" systems administrator job is as much about
firefighting, troubleshooting, and customer service (internal customers) as it
is deploying servers and managing other (automatable) technical problems. Some
of NSA systems administrators are possibly working on optimizing and scaling,
or implementing what the NSA's developers and architects have designed and
written - stuff that can't realistically be automated.

That said, they probably could play games with titles if they really wanted to
get this done without losing their ability to function. Rename a bunch of
sysadmin positions as "automation engineers", or reclassify their current
sysadmins as "developers" or "systems engineers", and continue on their merry
way, happy to have satisfied some congressional pressure without having slowed
operations.

~~~
walshemj
But the NSA CIA etc is not low skill labor and has specialized needs I could
see replacing 90% of the contractor Sysadmins bringing the job in house would
mean better control.

And in high security environments you want to strictly limit what one person
can do this is security 101. The NSA has talked about implementing the two-man
rule and presumably making much more use of discretionary access control which
increases staff requirements.

~~~
diminoten
Why wouldn't there be some low-skill labor involved? Someone has to physically
place the server blades into the racks, install operating systems and
necessary libraries, manage raid setups, configure the network, etc. Sure
these government orgs have special needs as well, but they don't magically do
away with the mundane needs. They are, after all, building a _huge_ data
center - someone (or something) is going to have to manage the space.

Sure, Ed Snowden wasn't a low-skill labor IT worker, but I bet when they did
an internal audit, they discovered a bunch of low-skill IT workers with more
access than they needed, and it was at that point they realized not everyone
is doing a job a human has to.

But again, I bet this is going to be more reclassification than it is going to
be actually having less warm bodies on the project.

~~~
walshemj
Well building a secure system for a TLA isn't low skill labor It needs to be
built to very high standards googles data centers have poor physical security
for example.

For this sort of use case you need to trust the people who are building your
DC's just as much as your sysadmin with root access.

Why do you think the FO in the UK has people whose job is to design and build
secure sites and to oversee contractors - to avoid the unfortunate experience
of finding bugs in your embassy as the USA has done in the past.

~~~
diminoten
Designing? Not low skill. Actually building? Possibly less skilled. Frank Gary
doesn't need master carpenters to get his dream created.

------
RougeFemme
If the sysadmin staffing was at the level truly needed, I don't see how they
could reduce it without playing the games described her in other posts -
bringing work in house, reclassifying positions, etc. But it could be that the
staffing level was bloated to begin with. . .not uncommon with government
contracts. And - being slightly facetious here - they might just choose to
reduce the multiple of human redundancy that the staffing level represents. .
.from say quintuple to triple redundancy. Comb through the remaining system
admins and remove those viewed as most likely to "leak" information. .
.although they are obviously not that great at it.

------
coldcode
We can hope they make it impossible to get any work done. I say eliminate
100%.

------
mathattack
I was thinking the same thing when I saw that. If you have too few people
doing the job, the sh*t will really hit the fan. If everyone's too busy to do
their own job, nobody will watch the watchers.

------
batgaijin
Well it's possible if they are switching from a leviathan sharepoint setup.

