The National Security Agency is implementing 42 different “fixes” to combat the insider threat in the wake of Edward Snowden stealing millions of documents and releasing them to the press.
Retired Army Gen. Keith Alexander, who recently left as head of NSA, said these changes are evenly made up of technology, people and policy fixes to ensure data isn’t compromised.
The State Department no longer lets employees use thumb drives and similar devices. It also disabled the ability of computers to write on CD-ROMs and removed any chance that classified data can be easily taken on removable media.
State’s actions are part of its response to the November 2010 WikiLeaks release of sensitive diplomatic cables.
“We make sure our employees know that government computers are not the same as their own computers,” said Patrick Kennedy, undersecretary for management at State, Monday at the ACT-IAC Management of Change conference in Cambridge, Md. “If you need to move data, say unclassified data to a classified system, we have ways to do that safely and securely.”
State and NSA’s actions are among a growing “trust but verify” culture in the government. The signature phrase President Ronald Reagan used when discussing relations with the former Soviet Union is taking on a new life and meaning in this post WikiLeaks and Snowden era.
Federal managers are trying to develop insider threat programs that create a new culture embodying this 1980s saying.
Jim Henderson, CEO of InsiderThreatDefense.com, which runs training courses on creating insider threat programs for public and private sector organizations, said public and private sector organizations aren’t clear how to take separate and many times disparate security initiatives and bring them together into one cohesive insider threat program.
Henderson offers these tips for agencies and government contractors:
Start with the basics. For both the government and contractors, employees must go through some sort of background check. That’s standard operating procedure for every employee.
Continuous evaluation of employees. Just because the employee was cleared once, it doesn’t mean they will stay that way. You pull credit checks. You have reporting in place. It’s a see something, say something type of campaign. It’s not tattling but if there is a concern, you have an anonymous reporting program.
What data is your most valuable assets. It can’t be all of your data so you need to figure out what are you most valuable assets that if released would do the most harm? Then ask how it’s protected today, and make decisions about what steps are needed to harden that data.
What are people doing on your network? What are they touching? Are people touching data they are not supposed to touch?
Physical security. This includes bag checks, turning off access to creating writable CD-ROMs or plug USBs, or even adding physical security to multi-function printers and copiers that adds accountability to those processes.
Throughout the course of history in the United States, the insider threat has been real. Names such as former FBI executive Robert Hanson or former CIA Aldrich Ames or World War II era spies Julius and Ethel Rosenberg have been replaced by recent insiders like Chelsea Manning, Snowden and Aaron Alexis.
But now instead of passing off top secret documents in a park or carrying documents to an unnamed courier, insiders use thumb drives, CDs and email.
“The WikiLeaks opened our eyes because that was such a big one. With each case or data breach, the spill has been bigger,” said Jim Henderson, CEO of InsiderThreatDefense.com, which runs training courses on creating insider threat programs for public and private sector organizations. “Now with technology, what you can put on a USB stick, I think you can fit 65,000 one- page Word documents on a 2G stick. The spy stuff has always been there-way back. Information, bottom line, whether cyber criminals want it or spies want it, it’s worth money.”
Henderson said understanding what’s at stake is a lot different than grasping how to create a well-run and successful program.
“All of these polices came out from the White House and some people are lost on what to do,” he said. “In many ways, it’s really security 101. That’s the shock to many organizations. Its things they probably should’ve been doing all along. Now it may not have stopped Snowden or Manning, but it would have been an element to add as a further deterrent.”
The deterrent piece is what State, NSA and many other organizations are further developing because it’s not just locking down data or the technology.
The fact is more people than ever have access to sensitive or classified information so any insider threat program must address multiple aspects of security.
A recent report from the Office of the Director of National Intelligence found the total number of people deemed eligible to access classified information increased by more than 232,000 in fiscal 2012. ODNI reported, however, that the number of people who were given access to classified information declined by more than 27,000.
Who needs a security clearance?
Beth Cobert, the deputy director for management at the Office of Management and Budget, is leading an interagency effort to reform the security clearance process.
“One of the things as part of this we are looking at is do all of these people actually need that access to do their jobs and carry out their work. On that focus in particular, we’ve said, ‘gee it’s probably time to take a step back and do a review.’ ODNI has actually instituted a process for agencies to go back and look at their clearances. Like many of these things, it’s easy to add people over time as someone comes into a role, but you really need a systematic approach to look back and say, ‘where are we today. What do we need going forward?'” she said. “So for example on that score, agencies have all undertaken an effort to validate that everybody, employees and contractors, need that clearance, what do they need it for, and how does it relate to the core work they are doing? We do think that will bring the actual number of clearances down. That is one way it will reduce threats because people will have less access to information.”
Cobert said agencies are expected to complete these reviews by early summer.
Another factor is the amount of data that the government classifies or even puts a classification level on such as for official use only (FOUO) or sensitive but unclassified (SBU). The more data agencies classify or at least make sensitive, the greater number of employees and contractors who need secret or top secret clearances. And all of that, Cobert said, creates a higher risk profile for the government.
The National Archives and Records Administration’s Information Security Oversight Office (ISOO) has been tackling this problem of over-classification since 2010.
John Fitzpatrick, the director of ISOO, said a group of experts have been working on a new rule to create governmentwide standards for labeling unclassified data, called controlled unclassified information (CUI).
“We are, this month, delivering to OMB’s Office of Information and Regulatory Affairs (OIRA) the draft rule for interagency coordination. A big step in the rulemaking process as long and painful as that process can be is to get it out of our expert group and into the government interagency,” he said. “I expect then, later this year, to be out in Federal Register public review and comment phase, and on to what hopefully will be a final rule published in spring of 2015.”
Once ISOO publishes the draft rule, agencies can begin to get a sense of how to implement this new standard.
“It’s important to keep in mind that controlled unclassified information is new as a single label for information that has always been present in many pockets across government,” Fitzpatrick said. “Every agency has privacy information, financial information, many even have proprietary business or even acquisition information.”
Standards set expectations, create trust
Fitzpatrick, who spent 30 years working for the CIA, said having this standard helps establish rules for when and how information needs to be controlled. He said it could be for a limited time of control like the budget information that eventually becomes public, or a longer time of control like personnel information.
Fitzpatrick added the rules for classified data have been standardized for a long time. But for CUI, agencies almost made it up as they went along.
“Federal employees, by and large, are mission focused. They understand what it is they do that helps their agency achieve their mission. They are looking for the guidance that helps them do that the best,” he said. “When the guidance is clear – – this is stuff you can share with everybody, and this is stuff you have to think about and share with a smaller group. The clarity of that makes it easier to do my job. At the day-to-day, desk-to-desk level, that is an important thing. You wouldn’t naturally think that leads to trust, but when I know I’ve done the right thing and I know where to go when I have a question about what the right thing to do is, then the personal investment of each employee in that particular handling practice can be discovered.”
Clarity, surety and communication not just for handling data, are the keys to creating a successful insider threat program.
President Barack Obama issued new governmentwide standards to protect classified data from insider threats in 2012. Agencies also got minimum standards they must use in standing up their own insider-threat programs.
Yet, most public sector organizations still have a long way to go in developing insider threat programs.
Dawn Cappelli, director of insider risk management for Rockwell Automation, an industrial automation and information company, led a 2013 study on private sector insider threat programs for the Intelligence and National Security Alliance (INSA).
The study found most companies also struggled and had no formal insider threat detection programs.
So INSA and the Homeland Security Department partnered to create a new website that is expected to be online later this month to help agencies and industry create insider threat programs.
Cappelli said the site will list 13 steps to create an insider threat program that came from interviews with six companies and other experts.
“It starts with initiation. So first, we start about you’re at the ground floor and don’t have a program in place. You may have pieces. That’s the one we think we emphasize is even if you don’t have an insider threat program, you probably have a lot of the pieces in place. It’s really pooling a lot of the pieces together,” she said. “So we talk about identifying stakeholders, who in the organization need to buy-in before you even start. Then we talk about doing a risk management assessment to try and determine what are your insider threat risks, a communications plan, identifying critical assets and then we get into operations and actual insider incident response.”
Case studies explain relevance
For Rockwell’s program, Cappelli said she offers real cases of insiders who damaged their company to illustrate why these programs are important.
She said in one case a researcher stole 38,000 documents and provided them to their competitor.
In another case, she said a disgruntled employee caused a raw sewage spill of 800 liters into the local water shed.
Those case studies and explanations of why insider threat programs are important and not just big brother tactics by companies or the government are keys to success, experts say.
“We need to start a conversation that really goes back to sort out acceptable behavior. This is what we are going to do,” said Bill Harrod, security advisor with CA Technologies public sector business. “Understand that we hold lots of information and protecting your information from identity fraud is just as important as protecting the agency’s mission-critical information.”
Harrod said the employee and management trust relationship is comparable to having children where you set rules and monitor them through both human interaction and technology.
Ed Hammersla, who is Raytheon’s managing director of cyber products, said it’s also about managing risk as the physical and logical security worlds come closer together.
“It’s not so much the technology as it is the need to set clear policies that can be implemented in a technological environment,” he said. “You just could not do this manually. You’re talking about organization with literally tens of thousands, if not hundreds of thousands of employees, around the world, all connected into a single or multiple networks. The only possible way to grasp the volume of data is to deal with it at the policy level, and automate those policies in a manner that doesn’t interfere with day-to-day operations or doesn’t impede privacy, but allows you to mitigate the risk and manage the data.”
Hammersla also said the burden is on the company or agency to be transparent about what they are doing and have a cross-functional team of human resources, IT, legal and others involved in the policy setting process.
OMB’s Cobert said the insider threat task force is creating training to help agencies do just that.
“Helping people understand what their responsibilities are, how they can carry them out appropriately, and the same is true in the security clearance and in the investigative process,” Cobert said. “We want them to understand why. We want them to feel that personal ownership for not just their own activities, but the activities in the workplace because that’s the way we will collectively get to the best point.”