There was a time not so long ago when federal cybersecurity efforts were focused mainly on keeping foreign agents out of U.S. networks. It turns out those were the good old days. More recently, vast damage has been caused to U.S. military, intelligence and diplomatic capabilities by insiders such as Bradley Manning and Edward Snowden — insiders who supposedly had been vetted for handling sensitive information, and whose relatively junior positions would not seem to have provided much opportunity for mischief. Now we know differently: the vetting was inadequate, the positions provided access to vast troves of touchy information, and obvious clues about nefarious intent were overlooked. So coping with insider threats has become a top federal priority.
Department of Defense Chief Information Officer Teresa (Terry) Takai said as much in testimony before the House Armed Services Committee on March 12. She told members of the Subcommittee on Intelligence, Emerging Threats & Capabilities that she and the Undersecretary of Defense for Intelligence — the department’s lead policymaker for addressing insider threats — had issued a series of instructions for closing security gaps that have permitted insiders to steal sensitive data. Among other things, the department will tighten up procedures for awarding special access privileges, impose stronger safeguards on the use of removable media, and complete implementation of a “public key infrastructure.”
That’s all fine, but it isn’t clear that the defense department really has a handle on the threat, because its understanding of who is most likely to steal sensitive data and under what circumstances is a bit sketchy. Like I said earlier, it wasn’t so long ago that federal cybersecurity efforts were focused mainly on actors in St. Petersburg, Beijing and points south. A handful of security disasters perpetrated by oddballs like Manning doesn’t provide the kind of forensic archive that would allow wrongdoers within the system to be fingered before they can cause massive damage. The options for surreptitiously exfiltrating data have become incredibly diverse, and the motives for doing so are similarly numerous.
Obviously, the Pentagon needs to go through its customary sequence of framing a policy for dealing with insider threats, then executing the policy through programs, and finally identifying products and procedures that can contain the danger. There are several security products on the market that can help block the flow of sensitive data to unapproved users and unregistered devices; the department should consider licensing off-the-shelf solutions immediately until it comes up with a comprehensive, integrated solution to the insider challenge. What it shouldn’t do is waste time and money by reinventing a wheel that has already been crafted by other federal organizations and commercial enterprises facing their own insider threats.
That is particularly true in the area that CIO Takai referred to as “continuous evaluation,” which includes keeping tabs on the behavior of those with privileged access to sensitive data. If the government is not careful, it could waste a boatload of money, demoralize its workforce, and still not identify that one needle-in-a-haystack worker who is about to perpetrate a serious breach of security. As former FBI information-security officer Patrick Reidy pointed out in a public presentation last summer, you can’t count on potential wrongdoers doing obvious things like hiding communications with external parties, asking coworkers for help in accessing data, and conducting off-hour transfers of large files. So FBI, TSA and other agencies have come up with sophisticated ways of detecting suspicious patterns.
These methods typically include the use of information from activity logs, human-resource records, psychological profiles, salary histories, travel itineraries and the like. Understanding how to merge and evaluate such information without violating the rights of employees is a science, or at least an art, where the defense department probably lags behind other agencies. It also lags behind some private-sector companies who figured out years ago that if you’re going to hire hackers to keep up with “advanced persistent threats,” you’d better have clever ways of keeping track of what they’re doing. If DoD wants to fix this problem, it ought to start by looking at what other organizations have done to contain threats within their own ranks.
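To make the preceding two paragraphs concrete, here is the kind of cross-source correlation they describe, reduced to a runnable sketch: a handful of activity-log events is joined against a deliberately minimal slice of HR context, scored against a few of the indicators the article mentions (off-hour transfers of large files, writes to removable media, access outside a person's approved scope), and turned into a review queue for a human analyst. This is an added example, not code from the article or from any agency or vendor named in it; the events, the HR fields, the rule weights and the review threshold are all constructed assumptions chosen to illustrate the mechanics, not a tuned detection model.

```python
"""Insider-threat indicator correlation over constructed sample data.

Added illustration; nothing here is drawn from a real agency's tooling.
Design choices that follow the article's caveat about employee rights:
only the HR fields a rule actually consumes are pulled in, every point
of score carries a stated reason, and the output is a queue for human
review rather than an automatic action against anyone.
"""
from datetime import datetime

# Constructed activity-log events (not real logs). 'group' is the
# resource family touched, 'channel' is where the bytes went.
EVENTS = [
    {"ts": "2014-03-10T02:15:00", "user": "jdoe", "action": "copy",
     "group": "projects", "bytes": 2_150_000_000, "channel": "usb"},
    {"ts": "2014-03-10T09:40:00", "user": "jdoe", "action": "read",
     "group": "projects", "bytes": 50_000, "channel": "network"},
    {"ts": "2014-03-10T23:05:00", "user": "asmith", "action": "copy",
     "group": "hr", "bytes": 900_000_000, "channel": "usb"},
    {"ts": "2014-03-11T10:00:00", "user": "bkim", "action": "read",
     "group": "projects", "bytes": 40_000, "channel": "network"},
    {"ts": "2014-03-11T03:30:00", "user": "bkim", "action": "copy",
     "group": "projects", "bytes": 1_500_000_000, "channel": "network"},
    {"ts": "2014-03-11T11:00:00", "user": "asmith", "action": "copy",
     "group": "projects", "bytes": 10_000, "channel": "network"},
]

# Constructed HR context, restricted to the two fields the rules need.
HR = {
    "jdoe":   {"approved_groups": {"projects"}, "notice_given": True},
    "asmith": {"approved_groups": {"hr"},       "notice_given": False},
    "bkim":   {"approved_groups": {"projects"}, "notice_given": False},
}

# Assumed thresholds and weights; a real program would tune these.
LARGE_TRANSFER_BYTES = 500_000_000
OFF_HOURS = (20, 6)          # 20:00 to 06:00 local time
REVIEW_THRESHOLD = 5


def is_off_hours(ts: str) -> bool:
    """True if the ISO-8601 timestamp falls in the assumed off-hours window."""
    hour = datetime.fromisoformat(ts).hour
    start, end = OFF_HOURS
    return hour >= start or hour < end


def score_users(events, hr):
    """Join events to HR context and return {user: {"score", "reasons"}}."""
    results = {u: {"score": 0, "reasons": []} for u in hr}
    for ev in events:
        rec = results.setdefault(ev["user"], {"score": 0, "reasons": []})
        approved = hr.get(ev["user"], {}).get("approved_groups", set())
        # Indicator 1: large copy during off hours.
        if (ev["action"] == "copy" and ev["bytes"] >= LARGE_TRANSFER_BYTES
                and is_off_hours(ev["ts"])):
            rec["score"] += 3
            rec["reasons"].append(f"off-hours large copy at {ev['ts']}")
        # Indicator 2: copy to removable media.
        if ev["action"] == "copy" and ev["channel"] == "usb":
            rec["score"] += 2
            rec["reasons"].append(f"removable-media copy at {ev['ts']}")
        # Indicator 3: touching a resource group outside approved scope.
        if ev["group"] not in approved:
            rec["score"] += 3
            rec["reasons"].append(f"out-of-scope access to '{ev['group']}'")
    # HR context acts only as an amplifier: it never flags anyone on its own.
    for user, rec in results.items():
        if rec["reasons"] and hr.get(user, {}).get("notice_given"):
            rec["score"] += 2
            rec["reasons"].append("departure notice on file")
    return results


def triage(results, threshold=REVIEW_THRESHOLD):
    """Users at or above the threshold, highest score first, for analyst review."""
    flagged = [(u, r["score"]) for u, r in results.items() if r["score"] >= threshold]
    return [u for u, _ in sorted(flagged, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    scored = score_users(EVENTS, HR)
    for user in triage(scored):
        print(user, scored[user]["score"], "; ".join(scored[user]["reasons"]))
```

Run as-is, it queues two of the three constructed users for review and prints the reasons behind each score, which is the part that matters in practice: an analyst, and eventually the employee, can see exactly which behaviors drove the flag, and the HR record only raises a score that the activity data has already earned.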