Australia’s peak representative body for systems administrators has taken an axe to claims published in the Sydney Morning Herald last week that a huge proportion of IT professionals abused their system access to illegitimately read others’ email, calling for evidence to be presented to back the claim.
The claim was made in an article published by the newspaper last week, by Carlo Minassian, founder and chief executive of Earthwave, a minor IT security company based in North Sydney. “We know that 40 per cent of IT email administrators and IT managers look inside their manager’s, their board’s, their chief information officer’s, and chief executive officer’s emails regularly and read their email,” Minassian reportedly said.
However, in a statement issued this morning, the System Administrators Guild of Australia (SAGE-AU) strongly repudiated the claim, stating that it “does not reflect reality”. “SAGE-AU condemns the article for lacking any qualification or validation of this figure,” the organisation’s statement read. “The only source quoted is an organisation whose primary focus is the outsourcing of email and other computer system management for Australian businesses. SAGE-AU believes the claimed figure does not reflect reality and that the actual figure across all industries is substantially lower than this. SAGE-AU invites clear evidence from any party to the contrary – if it should exist!”
SAGE-AU highlighted figures published by the Australian Bureau of Statistics, which showed crime victimisation rates in the low single digit percentages across a wide range of crimes. The organisation noted that it anticipated a similar figure (in the low single digit percentages) would apply in the case of IT professionals illegitimately accessing email systems at their workplace. The systems administrators’ group additionally pointed out that modern technology platforms came with audit features built in, which would chronicle both authorised and unauthorised (or even attempted) access to data such as archived email.
“Actions which result in data access by any user, including system administrators, are logged at time of access and recorded in security log files,” the organisation wrote. “Access by administrators to private data of the scale suggested in the article would simply not go un-noticed.”
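The audit trail SAGE-AU refers to is only useful if somebody actually reviews it. As an added example (not code from SAGE-AU, Earthwave or the article), the script below reads a constructed mailbox-access audit log in JSON-lines form and tallies, per account, the distinct mailboxes other than the account’s own that were opened without a linked helpdesk ticket. The field names (`actor`, `mailbox`, `op`, `ticket`) and the `MailItemsAccessed` operation name are assumptions for the sake of the example; a real platform’s audit export will use its own schema.

```python
import json
from collections import Counter, defaultdict

# Constructed sample audit records (not from any real system): one JSON object
# per line, loosely modelled on a mailbox "items accessed" audit trail.
# The last line is deliberately malformed to show that bad input is skipped.
SAMPLE_LOG = """\
{"ts": "2011-05-02T09:14:03Z", "actor": "alice", "mailbox": "alice", "op": "MailItemsAccessed"}
{"ts": "2011-05-02T09:20:11Z", "actor": "alice", "mailbox": "ceo", "op": "MailItemsAccessed"}
{"ts": "2011-05-02T09:21:40Z", "actor": "alice", "mailbox": "cio", "op": "MailItemsAccessed"}
{"ts": "2011-05-02T10:02:55Z", "actor": "bob", "mailbox": "carol", "op": "MailItemsAccessed", "ticket": "HD-1042"}
{"ts": "2011-05-02T10:30:00Z", "actor": "dave", "mailbox": "dave", "op": "MailItemsAccessed"}
{"ts": "2011-05-02T11:00:00Z", "actor": "alice", "mailbox": "ceo", "op": "MailItemsAccessed"}
this line is not json
"""


def parse_records(text):
    """Parse JSON-lines audit text.

    Returns (records, malformed_count). A malformed line is counted and
    skipped rather than aborting the whole review.
    """
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return records, bad


def non_owner_reads(records):
    """Map actor -> Counter of other people's mailboxes that actor read.

    Reads of the actor's own mailbox and reads carrying a helpdesk ticket
    reference (assumed field name 'ticket') are treated as expected work
    and left out of the tally.
    """
    tally = defaultdict(Counter)
    for r in records:
        if r.get("op") != "MailItemsAccessed":
            continue
        if r.get("mailbox") == r.get("actor"):
            continue
        if r.get("ticket"):
            continue
        tally[r["actor"]][r["mailbox"]] += 1
    return tally


def flag_actors(records, max_unticketed_mailboxes=0):
    """Return a sorted list of (actor, {mailbox: read_count}) for every
    actor who read more distinct non-owned mailboxes without a ticket
    than the allowed threshold (default: none)."""
    findings = []
    for actor, boxes in non_owner_reads(records).items():
        if len(boxes) > max_unticketed_mailboxes:
            findings.append((actor, dict(boxes)))
    return sorted(findings)


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    for actor, boxes in flag_actors(recs):
        print(f"{actor}: unticketed reads of other mailboxes {boxes}")
    print(f"{bad} malformed line(s) skipped")
```

On the constructed input only `alice` is reported (two reads of `ceo`, one of `cio`); `bob`’s read of `carol`’s mailbox is tied to a ticket and `dave` only read his own. In practice the ticket check is what separates legitimate administrative work from the kind of browsing the article alleges, which is why linking mailbox access to change or helpdesk records is worth the effort.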
Furthermore, SAGE-AU added that its members committed to a published code of ethics upon joining the organisation, which contained provisions specifically applying to the appropriate use of an employer’s computing assets, and “to the need to uphold the privacy and confidentiality of material stored on computing systems”. SAGE-AU could expel members for breaches of the code, it noted — and it encouraged Australian organisations to employ IT professionals who were members of such a professional group.
SAGE-AU’s code of ethics on the matter of privacy asks its members to commit to the following statement: “I will access private information on computer systems only when it is necessary in the course of my duties. I will maintain the confidentiality of any information to which I may have access. I acknowledge statutory laws governing data privacy such as the Commonwealth Information Privacy Principles.”
Update: Minassian has provided some further information on the issue, including some of the statistical basis for his claims, in this article on ZDNet.com.au.
What disturbs me about the Sydney Morning Herald’s article is two things. Firstly and most obviously, there is the fact that it completely unfairly demonises a whole class of professionals for merely having access to the resources needed to do their job, without providing a shred of evidence that there is systemic abuse of those resources.
Take this sentence for example, referring to Minassian: “He said IT administrators ‘can’t help themselves’ as soon as they have control and authority over IT assets.”
To my mind, this is a grossly inaccurate and stereotypical generalisation of an entire category of professional. I’ve worked as a systems administrator myself at several major organisations (for example, David Jones), and I can say that if sysadmin staff had been busted spying on sensitive corporate email outside of their remit, they would have been shown the door in almost all cases with no hesitation. I know the IT managers of the groups I have worked for would have taken it very seriously.
It is true that in the IT community, there are a number of recurring jokes about this kind of behaviour, with The Register’s Bastard Operator From Hell series being the best example of it. However, the reason that these jokes exist is that by and large, sysadmins understand that by virtue of their job, they have been given a very large amount of access. The jokes are there to underscore the fact that with that great power, comes great responsibility. Almost all of the sysadmins who I have worked with or dealt with over the years have a high degree of integrity — and I simply cannot imagine them casually reading someone’s private email and covering their tracks.
Secondly, there’s also a broader issue here with the Sydney Morning Herald’s reporting.
Do sysadmins and other IT professionals have higher levels of access to sensitive organisational data than other staff? Of course they do. It’s part of their job to keep the systems running which store such data, and they are also often called upon by management to carry out certain acts with respect to that data. If they can’t access that data, they often can’t do their job.
However, sysadmins aren’t the only professionals with similar access. HR staff, for example, have extensive access to employee data, and anyone above a basic managerial level is usually able at most companies to obtain a certain level of access to the data of their employees. I’m sure a chief executive would be able to access whatever data they wanted inside their organisation. None of this is new or unusual — it’s part of the normal functioning of corporate life.
So why has the SMH chosen this moment to highlight this decades-old fact of corporate life, and attack sysadmins? Why sysadmins and not another profession such as HR professionals? Why cover this story at all? The answer, of course, is because of public relations (what else?).
Earthwave recently hired Australian PR firm Watterson to drum up some free publicity for its security services. Watterson is a very experienced PR firm which specialises in dealing with Australian technology journalists, and so has already been successful in getting Earthwave coverage with a number of the nation’s major technology media outlets (here, for example, or here, or here). It’s also recently begun issuing a ‘wave’ of self-promoting media releases. No doubt one of these, perhaps based on the ‘snooping’ scare campaign issue, found its way into the hands of the Sydney Morning Herald’s technology journalist team, and from there Bob was Earthwave’s uncle, so to speak.
It’s a classic IT security industry campaign: Use the press to scare businesses into thinking there’s some kind of threat, and then sell them the solution to dealing with that threat. In this case, however, I’m rather of the opinion, especially reading the dozens of outraged comments under the SMH’s article (outraged at Minassian, rather than at the issue of sysadmin snooping), that Earthwave’s PR efforts here might have backfired. This one in particular summed it up for me:
“I call bullshit. I’ve been in this industry for a long time now, people who would be stupid enough to display that lack of professionalism don’t last long. Way to pump your own services Mr. Minassian.”
My thoughts, precisely.