Wal-Mart is used to finding its name on the front page of The New York Times and The Wall Street Journal, but in March of 2007 it found itself making news under very different circumstances.
Wal-Mart officially apologized to the Times and retail reporter Michael Barbaro after a member of its internal security organization was found to have secretly taped conversations between Wal-Mart employees and the Times reporter. Not only did Wal-Mart apologize to the reporter, chief executive H. Lee Scott phoned the chief executive of The New York Times to personally offer an explanation and convey the information that the technician involved, who had 19 years with the company, as well as a supervisor, had been fired.
But the matter did not end there. Weeks later, the fired technician, Bruce Gabbard, went public, telling The Wall Street Journal he was part of a larger, sophisticated surveillance operation at Wal-Mart. Gabbard said the retailer employs a variety of means, including software that can monitor every keystroke on the retailer’s network, to keep tabs not only on employees but also on its board of directors, stockholders, critics of the company, and in at least one instance, on a consultant, McKinsey & Co.
Wal-Mart later denied some of Gabbard’s allegations, in particular statements made that Wal-Mart had spied on its own directors as well as shareholders, but the incident cast a spotlight on the retailer’s normally secretive security organization. McKinsey & Co. was contacted by CIOZone to confirm Gabbard’s statement that Wal-Mart spied on its consultants, but spokesman Mark Garrett said because of the confidential nature of McKinsey’s work with clients, the firm declined to comment.
Kenneth Senser, a former top official at the C.I.A., heads the company’s global security operations. His lieutenants include a number of former government and defense department security specialists. David Harrison, a former member of U.S. Army Special Operations Command, heads the company’s analytic research center, which has a mandate to identify threats from suspect individuals and groups. Joseph Lewis, a 27-year FBI veteran, heads corporate investigations. And Steve Dozier, former director of the Arkansas State Police, is a VP in charge of corporate investigative services.
It is not unusual for Fortune 500 companies to hire law enforcement or intelligence experts for their security departments, but Wal-Mart actively recruits those with military or intelligence backgrounds. Last March it posted ads on its Web site and on sites for security professionals for “global threat analysts” with backgrounds in government or military intelligence.
“Like most major corporations, it is our corporate responsibility to have systems in place, including software systems, to monitor threats to our network, intellectual property and our people,” Wal-Mart spokeswoman Sarah Clark said in a statement in April. Following the Gabbard firing, Wal-Mart said it conducted a review of its monitoring activities. “There have been changes in leadership, and we have strengthened our practices and protocols in this area,” Clark said.
When contacted by CIOZone, Wal-Mart spokesman John Simley restated that the company monitors threats using a variety of techniques, as would any company its size. “Every company has an obligation to its shareholders and to its employees to ensure that its information isn’t compromised,” Simley said. Simley would not, however, provide details on the security department reorganization.
To be fair, Wal-Mart is not the only company involved in a spying controversy. Other high-profile corporate spying incidents have drawn public attention to the fact that companies are using an increasing array of methods to snoop on, or monitor, as is the preferred term, the everyday activities of employees, suppliers and customers on their networks.
In December a researcher in the anti-spyware unit of Computer Associates revealed that Sears Holdings Corp. had installed spyware in a program offered to customers via its “My SHC Community” shopping network that allowed Sears to track its members’ online browsing behavior.
Sears says it does disclose the tracking software in a privacy statement, but Harvard Business School assistant professor Ben Edelman has criticized the retailer, saying the disclosure is difficult to find and consumers rarely read such statements.
Boeing was the subject of a Seattle Post-Intelligencer investigative story in November, which questioned its monitoring activities, including the reading of emails and videotaping of employees. Boeing spokesman Tim Neale said when employees log on to the corporate network they are fully informed that their activities are being monitored. He said only authorized personnel have the capability to monitor corporate systems and they do so only when they have reason to suspect abuse or misuse. “For example, it is against company policy for an employee to use company systems to run his or her own business,” Neale said. “Of course, it is also against company policy to share proprietary information with parties outside the company, unless authorized by management to do so.”
And, in probably the most publicized example, Hewlett-Packard found itself in hot water with California regulators in 2006 after it initiated an investigation of its own board of directors to discover the source of leaks to the media. The investigation included monitoring of emails and instant messages, as well as using illegal means to obtain telephone records of employees and journalists. The company was ordered to pay $14.5 million in fines and bring its internal investigations into compliance with California laws.
Most employees have now come to expect that their activities on corporate computers are being monitored to a certain degree.
But in 2008 CIOs will be increasingly drawn into discussions about who should be in charge of monitoring employees, what software tools should be deployed to protect corporate resources, and which electronic activities corporations should or shouldn’t watch. “There used to be an argument over whether we should be doing this at all,” says Alan Paller, director of research at the SANS Institute, an industry-sponsored research group and computer security training body. “It rarely comes up as an issue any more.”
David Zweig, an associate professor of organizational behavior with the Rotman School of Management at the University of Toronto who has written books on the issue of workplace monitoring, says that it is now believed close to 75% of employers have some form of electronic monitoring in the workplace.
Zweig is not against monitoring. He believes in today’s environment, where companies face a wide range of internal and external threats, some levels of monitoring are necessary. However, he believes the monitoring should be in relation to the risk, and that companies need to do more to inform employees exactly how they are being monitored and why. “If you give people a rational explanation for monitoring, they will at least see why the company is doing it,” he says. “But you should be open and inform them exactly how it’s being done and what controls are in place.
“It’s easy to monitor–it’s much more difficult to develop proper controls and processes,” he says.
Ira Winkler, president of Internet Security Advisors Group of Baltimore, Md., and author of books such as “Spies Among Us” and “Zen and the Art of Information Security,” doesn’t believe in coddling employees with lengthy disclosures and explanations for why monitoring is taking place. “Get over it. Companies need to protect themselves,” says Winkler. “The fact is nobody should have any expectations of privacy when they’re using the company’s computers.”
In fact, Winkler advocates that companies apply a blanket approach to security and to use of the Internet in particular. Simply tell employees or suppliers accessing a corporation’s network that they are being monitored and non-approved activities will not be tolerated. End of story.
Is that fair? “I think it’s totally fair,” he says. “If I want to go shop on eBay or download porn on a company computer, that’s my stupidity, not the company’s,” he says.
For many organizations the line will probably be drawn somewhere between Zweig’s and Winkler’s viewpoints. But what is clear is a mounting body of evidence points to the need for network monitoring against a wider definition of internal and external threats.
As the world’s largest retailer, Wal-Mart does often find itself a target for a wide range of protests and potential security threats. Its stores have been targeted by groups who feel its low wages contribute to the working poor, and it has been the subject of frequent union protests over its healthcare policies. In December alone, Wal-Mart stores were evacuated for periods of time after bomb threats were reported at stores in Somersworth, N.H., Noblesville, Ind., Viera, Fla., Fruitland, Md., Fayetteville, Ark., Garden City, Kan., and Halifax, Nova Scotia.
At a gathering of security specialists in New York City in January of 2006, David Harrison, the former Army military intelligence officer who was hired by Senser to head Wal-Mart’s analytical security research center, provided a rare glimpse into the company’s monitoring operations. Harrison told the gathering Wal-Mart faces a wide range of threats: “A bombing in China, an armed robbery in Brazil, an armed robbery in Las Vegas, another bomb threat, and that was just yesterday,” Harrison said.
To safeguard its employees and operations Wal-Mart has tapped its massive data warehouse of information, now believed to be larger than 4 petabytes (4,000 terabytes), to look for potential threats. It tracks customers who buy propane tanks, for example, or anyone who has fraudulently cashed a check, or anyone making bulk purchases of pre-paid cell phones, which could be tied to criminal activities. “If you try to buy more than three cell phones at one time, it will be tracked,” he reportedly told the audience.
When CIOZone contacted Wal-Mart for comment on this story, the company said it would not provide further information or make its security officials available for interviews. It did not dispute Harrison’s reported statements.
But, according to one report, Kenneth Senser, the senior vice president of global security, aviation and travel, is in charge of an apparatus that spans the company’s global operations. Senser oversees a department with about 400 employees, according to an interview he gave last March to The New York Times. Heads of the company’s crisis management, investigative services, the analytical research center headed by Harrison, as well as individual departments assigned to address corporate fraud, security of the company’s headquarters in Fayetteville, Ark., and protection of the company’s top executives, all report directly or indirectly to Senser.
In its advertisements for “global threat analysts” last spring, the job description included collecting information from professional contacts and public data to assess threats coming from “world events, regional/national security climates, and suspect individuals and groups.”
Gabbard, the Wal-Mart employee fired for recording reporters’ phone calls, said in his interview with The Wall Street Journal that Wal-Mart uses software from Raytheon Oakley Networks to monitor activity on its network. The Oakley product was originally developed for the U.S. Department of Defense.
The Oakley software is sophisticated enough to let administrators see visually what types of information are moving across the network, from Excel spreadsheets to job searches on Monster.com, or photos with flesh tones that might indicate a user is viewing pornography.
Tom Bennett, senior vice president of Raytheon Oakley Networks, would not reveal the company’s customers other than the U.S. Department of Defense. However, the company does note its customers include 10 of the Fortune 100, including top U.S. retailers and manufacturers.
SOMETHING TO FEAR
There are good reasons why companies are turning to increasingly sophisticated monitoring tools. Some studies, such as one conducted in 2006 by the F.B.I., suggest as much as 70 percent of attacks originate from within an organization.
Not only that, but the definition of what constitutes an insider has changed. Companies now open up their corporate networks to a wide range of suppliers, consultants and customers, and that in turn opens up new avenues for security breaches and data leakage.
Consider some of the higher profile network security breaches of the past year:
- Oracle sued rival SAP in March, alleging that employees of an SAP operating unit called TomorrowNow, based in Bryan, Texas, stole proprietary information from Oracle’s network. In its suit Oracle claims that TomorrowNow employees used “the log-in credentials of Oracle customers with expired or soon-to-expire support rights,” and then “accessed and copied thousands of individual software and support materials.” Oracle alleges SAP then used the materials to offer “cut-rate” support deals to Oracle clients. In a statement, SAP responded to the suit by saying TomorrowNow was authorized to download materials from Oracle’s Web site on behalf of TomorrowNow customers. It says it will defend the lawsuits in hearings expected to resume in U.S. District Court in San Francisco early this year.
- Formula One racing team McLaren Group was fined $100 million last September and excluded from the 2007 Constructors’ Championship, after it was revealed a former Ferrari employee took designs for special gases with him when he defected to McLaren. Ferrari was able to finger the culprit because it had deployed software from Verdasys of Waltham, Mass., which allows it to track individuals that access certain files.
- WestJet Airlines, a Canadian discount airline, was forced to issue an apology in May 2006 to rival Air Canada and pay a $15.5 million penalty, after it admitted members of its management team accessed a password-protected Air Canada employee Web site and downloaded competitive data. The WestJet employees used the Air Canada Web site to obtain detailed information on Air Canada flight loads.
Keith Rice, a vice president with the Threat Detection Engineering Group at Bank of America, notes that an insider may, in fact, be a partner working on critical application development overseas. “One thing we’re running into now is we’ve outsourced a lot of development to India and other locations,” says Rice. “We have very strict contractual rules in place, that state what they can do, what they cannot do, and what they must have installed on their networks. But that creates whole new issues for us.”
“It’s a constant battle,” adds Bruce Valentine, senior vice president in treasury management at Comerica Bank. Valentine is responsible for ensuring the security of the bank’s e-commerce and other customer-facing applications. “We have what everyone wants – money. And data is the key to that money,” says Valentine. In today’s competitive banking environment, you have to open up your networks to customers, says Valentine, but that means you have to put systems in place to manage the risk.
Keith Carter, executive director of materials management systems with Estée Lauder, agrees that companies have to accept a certain amount of risk or trust when dealing with partners and suppliers. But, he says, that doesn’t mean blind trust. He shared a recent example of data leakage at a security conference in Palo Alto in November. Estée Lauder had designed a counter poster display it wanted to use in stores with its Bobbi Brown cosmetic line. “One of our competitors came out with it a month earlier, because the photographer, in this case, showed it to the competitor as a sample [of their work]. We couldn’t use it any longer, because we didn’t want to look like we were the ones who copied the idea,” says Carter.
In this case, the company ended its relationship with the photographer, but Carter says the incident demonstrates how easily competitive data can leak out of an organization without proper controls in place. It also demonstrates the kind of analysis companies need to perform to determine what types of data or files need to be protected.
The consensus seems to be that in today’s environment, where corporate networks are increasingly exposed to insider and outside threats, companies must protect their data by putting controls, policies, and systems in place to monitor activity.
But if you accept it as a necessary evil, how do you go about putting systems and policies in place, and making sure employees, partners and suppliers abide by those policies?
“When we hear people tell horror stories, so often the breakdown is in the area of communication,” says Robin Ruefle, a member of the technical staff at the Carnegie Mellon Software Engineering Institute Computer Emergency Response Team (CERT).
“The right people didn’t get told in the right time frame, the information didn’t get to the right people who could effect change, people didn’t know what the right policies or procedures were . . . there’s a breakdown in process.” Ruefle’s team is involved in developing security best practices for organizations, including creating Computer Security Incident Response Teams (CSIRTs) to respond to security incidents as they happen.
“A lot of people think it’s just about technology, but really, developing and having the right processes in place is critical,” says Ruefle. “It’s about being prepared. What’s your plan? Who’s involved? Do they know what to do when something’s happened? Do they know what the policies and procedures are? Do they know how to escalate?
“Having those processes in place, along with the right education, is key.”
Zweig, the associate professor of organizational behavior with the Rotman School of Management at the University of Toronto, says while monitoring may be a necessary evil, companies should resist the temptation of putting in systems that go beyond what is necessary.
He says there is a line that can be drawn between benign monitoring and intrusive, and Wal-Mart has crossed that line. “If you have to use a stick, make sure the stick is in relation to the behavior you’re trying to stop,” says Zweig. “People are going to rebel against the constant monitoring, and you know, Wal-Mart is going to reap what they sow.”