The PRISM Lesson: Beware the IT Guy

By

Of all the amazing, Le Carréan details surrounding the case of NSA leaker Edward Snowden, the one that seems to shock the most people is that all of this troubling, top-secret information was available to him, a 29-year-old high-school dropout who worked as a system administrator at private contractor Booz Allen Hamilton, and had little in the way of traditional accomplishment.

"He isn’t a seasoned FBI or CIA investigator," Slate's Farhad Manjoo wrote in a column that was typical of much of the sneering surrounding Snowden's credentials. "He isn’t a State Department analyst. He’s not an attorney with a specialty in national security or privacy law. Instead, he’s the IT guy, and not a very accomplished, experienced one at that."

But there is actually quite a bit of precedent for a case like Snowden's. To find it, you just have to look north from the NSA's headquarters, to Wall Street, where executives have known for years what intelligence officials are perhaps just realizing now: IT workers always know more than you think they do.

Consider the case of the rogue trader. These are bank employees who lose billions of dollars for their firms through unauthorized traders. As the Financial Times' John Gapper noted in his e-book, How to Be a Rogue Trader, most traders who have gone rogue got their training in the so-called "back-office" of a financial institution, where they learned the ins and outs of the firm's computerized trading systems — information they would later use to override the controls on those systems and avoid getting caught.

Two of the most famous rogue traders in history — Jérôme Kerviel at the French bank Société Générale and Kweku Adoboli at the Swiss bank UBS — both got their starts this way. Kerviel, who lost $6.4 billion for his bank and was sentenced to five years in prison as a result, began his career in the bank's compliance department, where he picked up the techniques necessary to bypass internal controls and evade detection once he moved over to the trading side. Adoboli, who lost $2.3 billion through unauthorized trading and was sentenced to seven years in prison, began his time at UBS in the bank's trade support division, where he learned some of the tricks that allowed him to conceal his trading risks later on.

Back-office workers aren't well respected or well paid within investment banks, but they can often outpace front-office workers when it comes to learning how the machinery works. As Gapper writes, "The back-office is a less glamorous and well-rewarded place than the trading floor — it has to ensure that everything runs smoothly and that the bank’s cash is accounted for. For Kerviel at Société Générale and Adoboli at UBS, it was useful training."

In fact, Wall Street banks have become so wary of the potential for harm on their trading desks that some have instituted a policy known as "block leave," a mandatory two-week vacation that is meant to afford supervisors a chance to sift through their employees' computer systems to look for traces of wrongdoing.

The tech world's equivalent of the back-office trade support worker is the "sysadmin," short for system administrator. The sysadmin rarely draws attention — you probably don't know the name of your company's sysadmin — but he or she knows everything and sees everything. The sysadmin is in charge of setting account permissions, creating and deleting accounts, and routing information to the correct people and places. If a corporation is a giant organism, the sysadmin is the cerebrum — the part that allows the rest to move.

It's surprising that Edward Snowden used the information he collected about PRISM and other surveillance efforts — which he has said gave him "the authorities to wiretap anyone, from you or your accountant, to a federal judge or even the President" — to blow the whistle on his employer.

But it's not surprising at all that he had access to that information. After all, Snowden was a sysadmin. And like the sysadmins at every Wall Street bank and major corporation, Snowden knew and had access to much more than his title and level of expertise would indicate. If you're part of a large company, or even a small- or medium-size one, your employer has an Edward Snowden, too. And it's all you can do to hope they don't one day decide to go rogue.