

Manage like a spymaster - Turukawa
http://www.economist.com/news/business/21662540-counter-intelligence-techniques-may-help-firms-protect-themselves-against-cyber-attacks-manage

======
secfirstmd
This sort of approach is a thought process and methodology we have been
training NGOs, journalists and human rights organisations in for years at
Security First ([http://www.secfirst.org](http://www.secfirst.org)). Though it
is strange to think about it this way, the work of many NGOs and journalists
is actually very similar to intelligence organisations (a cycle of planning
requirements, collecting, processing, analysis/production, distribution to
policy makers, collect, etc) and in many ways the threats/defence measures are
similar (insider threats, digital penetration, disruption etc).

All too often organisations we work with focus on tools (encryption,etc)
instead of beginning with processes (compartmentalisation, need to know,
vetting etc), so usually we have to begin with them. For many reasons this can
cause people and organisation'so discomfort ("We are a human rights org, we
won't want to hide information from other staff.")

I could talk all day about the subject and have been meaning to write up or do
a full public presentation about it somewhere about the methodology and how it
applies to NGOs, media etc - I just need to find the right place to do that!

~~~
omouse
Just read a quote from "Secrets of Consulting" that's applicable, _no matter
how it may look at first, it 's usually a people problem_. We do like using
tools instead of focusing on education and training.

------
AndrewKemendo
Security is a mindset, not simply a process. This article goes a little into
the mind of a Counterintelligence officer but when they talk of "paranoia" it
has more of a negative connotation than I think is warranted.

I would offer that the way the CI officer approaches security along the
spectrum (PERSEC, INFOSEC, OPSEC) is an extreme and fractal form of the "Front
page rule." So the question is always: "How would this look on the [insert
increasingly public channels]."

Compartmentalization and segmentation are really the underlying theories
behind defense in depth and I think it is valuable for other people to look at
how these principles should be applied.

The last thing I will say is that, it's probably best to ignore the "Well NSA
does that but look at how that failed." In fact what you see with leaks and
hacks etc...is a failure of the implementation - usually in the form of a
person or persons who tried to make things easier or more user friendly. That
should not indict the theory of compartmentalization, but rather prove that
the human is the most important element in the security system.

~~~
secfirstmd
I think there are also very different attitudes and thus implementations of
Counter-Intelligence, at the tactical, operational and strategic levels.

-Tactical - "Doing this particular activity is a pain, I don't want to keep everything locked up, I don't want to report every little strange thing etc"

-Operational - "This organisation (and my job) is rewarded for running successful XYZ operations, Counter-Intelligence is just a money drain for little obvious results etc"

-Strategic or policy level - "Spying will always happen. If we do it, our enemies will do it. They will probably find out eventually. Ultimately if an enemy finds out our secret stealth space rocket is actually for new types of photos and not a sneaky nuclear strike, they are more likely to act in a rational and calm way."

------
TeMPOraL
This article is somewhat very lightweight on content, but it reminded me of a
thing I'm looking for. Does anyone know of any resources that discuss in
details how spymasters and intelligence agencies manage things in day-to-day
pracitce?

~~~
rm_-rf_slash
My uncle was in the CIA. Before that he used his Yale psychology Ph.D to sneak
into the OSS (20/200 vision and medical disqualification couldn't stop him).
He wrote an excellent account of his time training spies in Britain then
leading resistance movements in Vichy France. His book is titled "The O.S.S.
And I" and his name was William Morgan.

I consider it an essential read for understanding group dynamics in unfamiliar
territories. People tend to act in archetypes when put in controlled
situations. For example, one of the training/vetting challenges was to cross a
pool of water without touching it using supplies scattered around the site. It
took three planks to do it properly, although two would work if you were
extremely slow and careful. One plank was easy to find, one was hard, the
third was extremely well-hidden. You can see from that example who will
examine all of the options and who will get frustrated with 2/3 of the
supplies and try to wing it.

Another interesting facet he brought up was how different tests could show
aptitude in different people. For example, Polish recruits tended to be poor
at individual tests but they excelled as a team because they were far less
prone to bickering over who gets to lead.

I consider "The O.S.S. And I" to be a better guide to management than most
white collar crap we see these days. One of the candidates who got impatient
and failed the water-crossing test, by the way, was an American executive from
a multimillion-dollar company.

~~~
TeMPOraL
I'll look for the book. Thanks for the recommendation! I'm Polish btw. and my
impression of my own society is that while we may not be bickering over who
gets to lead, we like to complain about the decisions that the leader makes
:).

~~~
rm_-rf_slash
I have a close friend from Poland who has shown me much of your lovely
country, and all I can say in response is: YUP! :)

------
omouse
It's a shame that the article doesn't mention all the incidents of government
agencies being hacked. In Canada I remember there were student loan records
that were accessed: [http://www.huffingtonpost.ca/2013/01/11/federal-agency-
loses...](http://www.huffingtonpost.ca/2013/01/11/federal-agency-loses-
data_n_2459088.html)

