Blowing the whistle without blowing your career
- 08 October, 2014 00:16
Technology professionals are among today's most infamous whistleblowers. The list of those who have made headlines for exposing corporate or government skulduggery includes Shawn Carpenter, a network security analyst who blew the lid off a Chinese cyberespionage ring; Bradley (now Chelsea) Manning, who shared more than 250,000 classified State Department cables with WikiLeaks; and Edward Snowden, who leaked top-secret information about NSA surveillance activities.
But for every high-profile case, there are plenty of tales of IT professionals who have accused their employers of wrongdoing without making national headlines or feeling the need to seek asylum in foreign countries.
Take Nell Walton, for example. A former database administrator at Nova Information Systems (now Elavon), Walton filed a whistleblower complaint with the Occupational Safety and Health Administration in 2005 against the credit card processor for security violations on databases that contained billions of transaction records.
According to Walton, she repeatedly asked the company to bolster its database security -- a request that she claims prompted retaliation from Nova's "chain of command." Walton's complaint was dismissed by OSHA. She appealed the decision with the U.S. Department of Labor but eventually lost her case against Nova in a federal court. (Elavon didn't respond to an interview request.)
The case, which lasted nearly three years, cost Walton her job, physical health and nearly $50,000 in legal fees. "It totally pretty much wrecked my life for three years," she says. "Even after the case was over and we lost, it was just awful."
Such is the difficult and often stressful path for IT professionals who dare to expose what they perceive to be misconduct or negligence on the part of their employers. "It's like that saying from my childhood: Nobody likes a squealer," says James Lewis, director and senior fellow of the Strategic Technologies Program at the Center for Strategic and International Studies, a Washington-based think tank. "You can be noble and a whistleblower, but don't expect it to be an easy life."
Yet the potential for techies to become high-profile whistleblowers is growing, whether they like it or not. For starters, today's data deluge -- bits and bytes of information being generated by everything from assembly-line sensors to point-of-sale devices -- is fueling a demand for unprecedented data transparency. Suddenly, the public is requesting greater openness from IT departments regarding what data is being collected, how it's being used, how it's being secured and who's accessing it.
At the same time, the stakes have never been higher for organizations to keep their systems secure. According to Ponemon Institute's "2014 Cost of Data Breach Study: Global Analysis," a report sponsored by IBM, the average cost of a data breach to a company was $3.5 million, up 15% from the average reported by companies participating in last year's study. The 314 companies from 10 countries that took part in this year's study estimate they will be dealing with an average of 17 malicious codes and 12 sustained probes each month. IT teams must keep confidential data safe from these mounting threats or face the wrath of angry shareholders, fine-wielding regulatory bodies and disgruntled customers.
All of that puts technology professionals between a rock and a hard place. On one hand, they're saddled with the awesome responsibility of ensuring data openness and seeing to it that data management practices meet the highest ethical standards. On the other hand, IT professionals who detect -- and then report -- shoddy security measures or misuse of data are sitting on "a potential powder keg," warns Larry Ponemon, founder of Ponemon Institute, a privacy and data protection think tank in Traverse City, Mich. It's no surprise that many IT leaders "take the attitude that [reporting malfeasance is] someone else's problem," he says, "or convince themselves that even though it's a data breach, it won't really be harmful to people."
Fortunately, a number of new developments are helping IT leaders more readily embrace their emerging role as corporate watchdogs. Greater legal protections, innovative whistleblowing platforms, new reporting processes, cultural shifts -- they all promise to help technology professionals prepare for a new era of high-tech whistleblowing, even under the threat of employer retaliation, lengthy legal battles and foreign exile.
For four years now, the Dodd-Frank Wall Street Reform and Consumer Protection Act has received mixed reviews on its ability to fulfill its mandate to reward and protect people who report governmental or corporate misconduct. The legislation works by granting whistleblowers monetary awards ranging from 10% to 30% of the money collected in an enforcement action. In fact, in the first seven weeks after the Dodd-Frank Act took effect in August 2011, the Securities and Exchange Commission received 334 tips from informers seeking rewards. Since then, the SEC has fielded more than 6,000 whistleblower reports.
In addition to offering financial rewards, the Dodd-Frank Act aims to protect whistleblowers from employer retaliation by allowing them to maintain anonymity.
However, as financial experts continue to debate the impact of Dodd-Frank, many organizations are taking matters into their own hands. "The Dodd-Frank rules around whistleblowing were a good wake-up call, but I'm seeing a lot of organizations stepping back and asking, 'How can we take this to the next level? What's the Version 2.0?'" says Mohammed Ahmed, a senior manager at Deloitte Financial Advisory Services and co-author of the Deloitte report "Whistleblowing and the New Race to Report."
How not to air dirty laundry
For many organizations, the answer is to establish an internal whistleblowing program, complete with a 24/7 hotline and financial rewards for employees who expose bad behavior and faulty systems. Whistleblower hotlines, for example, allow IT workers to anonymously report any misconduct they witness within their organization either by phone or via a Web portal. Although IT professionals are most likely to notice something like the mishandling of data, other causes for concern include fraud, corruption and illegal activity of any kind, of course, as well as safety violations and health hazards.
Walton says she wishes whistleblower hotlines were available back in 2005 when she decided to tell her employer about her concerns about data security. "I honestly think that a [whistleblowing] channel would have opened [the case] up to people that were more interested in protecting the data rather than protecting their own jobs," she says.
Even so, while more and more organizations are providing internal communication platforms and incentives for whistleblowing, the real motive behind many of these initiatives is to ensure corporate missteps are handled in-house and not brought to the attention of authorities.
The rationale behind many of these internal programs "is to motivate whistleblowers to report internally first before going to the SEC," says Ahmed. "Companies are grappling with the fact that reports can be made directly to the SEC. Most are uncomfortable with the notion that they don't know what's being reported about them and that the first time they find out is from a regulator."
Solutions hidden in plain sight
If today's internal whistleblowing tools fail to instill confidence in IT leaders, there's a growing crop of third-party sites and submission systems to choose from.
Tor (previously known as The Onion Router), for example, is an anonymizing program that routes traffic through a network of multiple nodes -- or virtual tunnels -- to anonymize the identities of its users.
According to the Tor website, the technology bounces communications around a distributed network of relays operated by volunteers around the world. Tor prevents websites from tracking users, be they CIOs or political dissidents, so those individuals can remain undetected if they want to, say, communicate sensitive information to journalists, connect with authorities or browse whistleblowing sites.
Another option is GlobaLeaks, an open-source whistleblowing framework that's designed to help IT professionals report wrongdoing without having to rely on in-house tools or technologies. "Whistleblowing is risky," says Marco Calamari, a member of the Hermes Center for Transparency and Digital Human Rights in Milan, Italy, which developed the innovative technology. "GlobaLeaks is a highly configurable software built on the foundation of Tor, which allows for anonymous browsing of the Internet." The upside of GlobaLeaks, which boasts 5,000 voluntary servers and 1 million users, is its ease of use, which allows even nontechnical people to set up their own anonymous whistleblowing sites.
One of today's more innovative submission systems is an online advertising network called AdLeaks. Unlike tools such as Tor, which rely on SSL connections over an anonymizing network to mask a user's identity, AdLeaks works by embedding AdLeaks ads onto a website.
These ads contain code that encrypts a whistleblower's messages, which are then delivered back to AdLeaks as small packets of encrypted information. By letting a whistleblower's browser substitute messages with encrypted parts of a disclosure, AdLeaks ensures the sender is completely unobservable and that eavesdroppers can't distinguish between a regular browser's transmissions and those of a whistleblower's browser.
But even AdLeaks isn't a foolproof solution. For one thing, because it leaks only a small piece of information each time, the process may take weeks to complete. And because AdLeaks is a research project, the system is still considered part of an experimental research product line. Professor Volker Roth of Freie Universitat (Free University) in Berlin, who is spearheading the project, says, "We cannot guarantee the security of any submissions, and we do not have the organization to handle whatever would be submitted to us."
Joining the executive ranks
As whistleblowing technologies continue to multiply and mature, Ponemon says there's an attitudinal change afoot in IT departments that could spur greater openness among technology professionals. "People who work in the security trenches or in IT who are not supervisory level or above often feel as if no one is going to listen to them even if they do see a problem," he says.
It's a difficulty that Walton says she faced when she was a database administrator. "Between the business and the IT department, there was just a real kind of disconnect on the severity of the [data security] issue," she recalls. "That can happen a lot in business.... A CIO has to be very good at explaining the technical side and the risks. That's what was missing all those years ago."
But that's changing as the role of a technology professional is slowly being redefined in the face of growing responsibility. For example, "more chief security officers are being elevated to a higher level," says Ponemon. "Companies want a person not to just be a technician but to be part of the governance solution. They want people to own the responsibility and accountability, which basically gives the CSO more power."
Greater purpose, more processes
With greater power comes the need for more formal processes that identify the steps IT professionals should take when they detect misconduct. Consider, for example, the recent controversy surrounding the U.S. Department of Veterans Affairs. Whistleblowers have stepped forward accusing the department of tweaking computer systems to make it appear that veterans waiting weeks for medical appointments had no wait time at all.
"The issue for IT folks is what do they do?" says Lewis. "Do they go and tell their boss that the software is under-reporting waits? Absolutely -- that would be a responsible thing to do. But what if their boss says, 'Don't tell me about it, I don't want to know.' What do they do then? That's where you have to make one of these decisions about how much stress you want in your life. It might work out really well, but you are taking a risk."
To minimize such risks, Ahmed says more IT professionals need to step up and participate in efforts to establish whistleblowing policies. "Oftentimes the whistleblower program is considered a legal general counsel area," he says. But that's a mistake. "A technology group can play a very important role in helping design a whistleblower program and in analyzing the type of reports that are coming in, particularly as they relate to topics of information security."
For instance, Ahmed says that when deploying an in-house whistleblower hotline, a technology professional can act "as either an adviser or a partner in setting up these types of programs and influencing the kinds of reports that would be of use to IT as they try to protect the organization."
Education can also go a long way toward helping IT professionals better handle the sensitive issues that can arise from having unfettered access to confidential data and sophisticated computer systems. What access to confidential information does IT have? Do IT staffers understand their roles and responsibilities? Can they differentiate between data that is and is not sensitive? What are their responsibilities for reporting misconduct? What whistleblowing mechanisms are in place? How will they be protected if they choose to speak up? What proof is required to substantiate a breach or misconduct?
Only by making IT professionals distinctly aware of their roles -- and of the way whistleblowing will impact them both personally and professionally -- can companies successfully enlist IT in efforts to achieve greater accountability.
Proceed at your own risk
The enormous burden of whistleblowing, however, should never fall squarely on the shoulders of a single IT professional. Rather, Roth says, "it's extremely important that corporations send a signal that they assure whistleblowers that they will protect their identity and protect them from harm."
But there are no guarantees that an IT professional who lifts the veil on corporate misconduct will emerge from the experience personally and professionally unscathed. "If you work at a company and you release damaging information about them, how will that company regard you in the future?" Lewis asks. "Frankly, there will be a diminution of trust. You can add more legal protections [for whistleblowers], but there still will be social penalties that are going to be hard to avoid."
Just ask a whistleblower. "It's not for the faint of heart," says Walton. "I'll put it that way."