Protecting Against the Insider ThreatWill Continual Monitoring of Private Lives Affect Worker Morale?
Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2014.
As the U.S. federal government tightens procedures to prevent Edward Snowden-type insider leaks, agency leaders are discovering that implementing well-thought-out plans isn't easy.
For each step taken to make it more difficult for insiders to pilfer or manipulate data, the business of government slows down. Implementing new processes and tools to mitigate insider threats also can have an adverse impact on employee morale, with workers holding security clearances feeling their bosses no longer trust them.
And, applying new controls to limit the insider threat costs money, funds cash-strapped agencies must find by rejiggering their existing budgets.
Still, as National Security Agency Chief Information Officer Lonny Anderson says, agencies have little choice. "We haven't asked for additional resources," he said in a recent interview with NPR. "We just said we've got to do this."
Mitigating the insider threat is a key element of any organization's risk management plan. And other organizations can learn important lessons from the efforts of government agencies.
One of the more publicized efforts the NSA and other government agencies are taking to prevent the insider threat is the so-called dual-approval approach, which requires two people with security clearances to approve any transaction, such as moving a classified file from one agency server to another or adding or deleting of new user accounts on a classified system.
Army Gen. Keith Alexander, the outgoing NSA director, announced last summer the agency was moving toward the dual-approval approach as a result of the Snowden leaks (see NSA Pilots 2-Person Rule to Thwart Leaks). Alexander said a system administrator such as Snowden who wants to enter a room with secure servers or transfer classified documents to a removable drive would need the concurrence of another employee with security clearance. But the extra manpower comes at a cost. "This makes our job more difficult," the four-star general said.
Safeguards Slow Critical Processes
Such moves slow workflow and critical processes. "The challenge will be making it convenient, meaning not slowing down important activity so much that people would just go around it," says Alan Paller, founder of the cybersecurity training school SANS Institute.
Increasing resources to mitigate the insider threat will require each organization to determine what level of inconvenience it will accept to secure critical assets. "Adding a separate step does add to complexity, but it adds to some security into their IT processes," says Randy Trzeciak, senior leader at Carnegie Mellon University's CERT Insider Threat Center. "That's the tradeoff many organizations struggle with."
But many government operations - and businesses as well - have little choice but to take steps to reduce the threat insiders pose. Among federal agencies, taking steps to diminish the insider threat isn't a choice. In 2011, President Obama issued an executive order for structural reforms to improve securing classified networks, which includes adoption of standards and guidelines offered by the president's Insider Threat Task Force (see Obama Establishes Insider Threat Task Force).
"We talk about the geeks inheriting the world," says Ron Ross, the information risk management leader at the National Institute of Standards and Technology. "You've got the system admins sitting on top of a treasure trove of gigabytes of classified information and they really have a lot of power out there. And, it's going to be really important that we take extraordinary measures where those assets are very critical to make sure one person can't bring down the entire organization."
DHS Units Tackle Insider Threat
At the Department of Homeland Security, three units - Citizenship and Immigration Services, Transportation Security Administration and Custom Border Protection - have begun to establish collaborative insider threat working groups to develop an integrated strategy and program to address insider threat risk.
TSA's assurance division has implemented a training plan that is routinely used in insider threat assessments to inform and educate after auditing insider activity at airports, says Jim Crumpacker, director of DHS's liaison office with the inspector general and Government Accountability Office. TSA also implemented insider threat monitoring capabilities in TSA-controlled secret and top-secret networks and established the Classified Security Operations Center, which employs analysts and forensics professionals focused on detecting insider activity in networks holding TSA's most sensitive data.
"To support the mission of safeguarding and securing cyberspace, the department has continued to strengthen both the monitoring of insider threats and its assessments to prevent loss, theft or destruction of mission-critical data," Crumpacker says in response to a DHS audit.
In that audit issued in December, DHS Deputy Inspector General Charles Edwards said Citizenship and Immigration Services, Transportation Security Administration and Custom Border Protection are incorporating insider threat vulnerability assessments that check privileged user accounts on unclassified information systems to verify the necessity for privileged user access and determine user rights granted to system administrators.
Security Operations Centers
The three DHS units also are establishing security operations centers to monitor information systems to help detect and respond to insider threat incidents. Edwards says the units could further develop their insider threat program by implementing specific policies and procedures and a risk management plan as well as enhancing awareness and training programs.
"DHS can strengthen its situational awareness against insider threats by centrally monitoring information systems and by augmenting current IT applications and controls to better detect or prevent instances of unauthorized removal or transmission of sensitive information outside of DHS networks," Edwards says.
At a Senate hearing in December, Alexander said the NSA is taking 41 actions to prevent leaks by insiders, including the dual-approval approach and increased use of encryption to keep sensitive data secret from unauthorized individuals (see NSA Moves to Prevent Snowden-Like Leaks).
The agency also is deploying software to continually monitor unauthorized activities on its networks. In fact, it was in the process of installing software to monitor networks in real-time to detect anomalous activity, such as the unauthorized downloading of top-secret files, when Snowden accessed top-secret documents about NSA e-spying programs. "Snowden hit at a really opportune time, for him, not for us," incoming NSA Deputy Director Richard Ledgett, who heads the agency task force investigating information leak, told Reuters.
Defense Department officials say the entire department - including the NSA - is implementing continuous monitoring of the activities and behaviors of employees with security clearances. In the past, individuals receiving security clearances were reviewed every five or 10 years. The new continuous security clearance vetting of individuals employs a risk management approach and is based on the sensitivity and quantity of the programs and information to which individuals are given access.
On demand, continuous monitoring systems can query a large number of government and commercially available databases with "adjudicated, relevant information that speaks to the reliability of an individual," says Stephen Lewis, deputy director for personnel, industrial and physical security policy at the Directorate of Security Policy and Oversight in the Office of Undersecretary of Defense for Intelligence.
After mining big data, such systems evaluate the results from the queries and issue red flags, when necessary, that would require an individual to intervene. "We are looking at continuous evaluation in addition to the normal inputs we get from commanders and supervisors," Lewis says.
Raising Red Flags
The types of information that could raise a red flag include arrests for driving under the influence and running up credit card debt that can't easily be repaid. Lewis says DoD seeks information that could help determine whether individuals should continue to be in "a position of trust."
The perception of a lack of trust could have an adverse impact on employee morale. And blame Snowden for that. "What we had is a person who was given the responsibility and the trust to do this job; [he] betrayed that responsibility and trust, and took this data," Alexander says.
Government workers and contractors with security clearances have been required for years to sign a national security document, known as SF-86, which allows the government to monitor their private lives, though in the past it rarely involved the extensive use of sophisticated data mining technologies.
"People signed those forms, but then nothing had happened in the past," says Robert Carey, DoD's principal deputy chief information officer. "Now, we have more positive knowledge about our workforce for what it's doing and not doing than we did in the past. That's good, but to the nominal national security workforce member, it's a little bit of a change. This makes people uncomfortable for a while until such time as it becomes standard."
And, as the department educates personnel about the monitoring program, Carey says he believes most security-cleared employees won't see it as a problem.
"We trust them implicitly but we need to mitigate what they could do," says Carey, who also co-chairs the federal CIO Council's information security and identity management committee. "It isn't anything against them. It's about just making sure that the information stays on the proper side of the firewall."
Carey says the DoD is rolling out the monitoring system on a fast track. But many other agencies may not be as fast as DoD and NSA in getting their monitoring systems implemented.
"It takes a while to populate such programs through the federal system," says James Lewis, the government cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank. "People know it's something they have to do but it's not moving as quickly as it could if you gave everyone a template and said, 'Now, here, use it.'"