The US National Security Agency learned the hard way that it can be dangerous to give a contractor too much money and access, with too little scrutiny. The NSA and other government agencies hire tens of thousands of contractors a year to analyze data. Edward Snowden -- who revealed himself as the NSA leaker after fleeing the country -- was one such contractor, reportedly holding a $122,000 salaried position at Booz Allen Hamilton at the time of his departure.
While much of the focus in the wake of the incident will rightfully be directed at the leaker and the details he disclosed, it’s important to look at the broader lessons learned, as well. After all, leaky contractors are hardly a problem exclusive to the NSA (or even the government).
It may be the most notorious contractor in government today, but Booz Allen Hamilton is one of many thousands of external businesses in charge of analyzing top secret data.
In 2000 and then again in 2002, Apple filed suits against contractors that allegedly leaked trade secrets.
Contractors present other risks -- from workplace injuries and illnesses (see the HP HIV case) to benefits and overtime complaints (see Indiana v. IBM or Vizcaino v. Microsoft) to sexual harassment claims (see HP’s scandal with former adult actress-turned-contractor Jodie Fisher).
The moral isn’t that contractors are bad. Contractors can be very valuable. Rather, the real lesson is that the true cost of contracting may be significantly higher than the finance department says.
From Snowden to Apple, the issue appears to be that companies are trying to get something for nothing. They’re giving contractors access to mountains of documents that often would be more tightly controlled among actual employees. They’re looking to avoid the kind of benefits paid to regular employees.
Enterprises -- including information technology firms -- could avoid most contractor headaches if they adhered to the same principles they apply to regular staff. Most employees are required to sign intellectual property (e.g. “invention assignment” and “work-for-hire” clauses) and confidentiality agreements. Further, most employees are required to disclose their previous holdings and interests to prevent misunderstandings; the same principle applies to contractors.
You can reduce leaks by limiting access to sensitive information -- particularly details not necessary to a contractor’s specific position. Further, you can cut down on inadvertent leaks by demanding your contractors follow secure data practices. For example, if contractors travel to a region -- like China -- with government-endorsed intellectual property theft, they should take a computer that has none of your intellectual property onboard.
It’s absolutely reasonable (and a good idea) to regularly audit your contractors to ensure they’re productive and adhering to industry best practices, including security. Don’t be afraid to cut off unreliable contractors.
Many of these ideas -- audits, access restrictions, and contract clauses -- may strike your contractors as onerous. Contractors may bemoan them. But ultimately, such terms are for the contractor’s own good as much as your own. After all, as bad as the Snowden leak is for the NSA, it’s also bad for Booz Hamilton, whose stock has plunged 5 percent in the wake of the incident, erasing tens of millions of dollars in market value.
As the old saying goes, “What’s good for the goose is good for the gander.” The inverse holds equally true.
— Jason Mick is senior news editor at the independent tech news site DailyTech.