Cyber Attacks: Should the US Revisit Security Access Requirements For Sensitive Items?
Over the past decade, the number of security breaches seems extraordinary. Trade magazines and Congressional testimony reveal both the extent of cyber attacks and the growing concerns about both the quantity and the sensitivity of information losses. To date, these losses include personal information, business practices, trade secrets, and even government secrets.
Many of the these losses involve far too many of us in one way or another, as shown in the recent breaches of Anthem Blue Cross and Blue Shield, Home Depot and Target stores. These hacks compromised the personal identities, information and more of thousands of customers. The Cyber attacks on the Sony network a few months ago showed that even entertainment companies have trouble resisting assaults until revelations about the simplicity of the Sony protocol all but invited trouble. Other recent attacks on Apple Computer, Dow Agro Systems and others point to the need for improved technical means to limit potential information losses even before they occur. On the government side, the release of information by SPC Bradley Manning and more recently by Eric Snowden makes one wonder if their work will harm the security of the United States even more than the Walker spy family did in the 1980s.
This article makes suggestions for applying several different controls in use in some sectors, along with some other adjustments. These changes need implementation with care as people who work with sensitive information will sometimes feel coerced to violate protocol in order to get a job done on time. Another part of the potential solution involves quick reporting to an appropriate authority; in many cases this means the Federal Bureau of Investigation.
Cybercriminals have several faces: some want information on a competitor, others seek to divert money, while others seek information to sell to third parties. Regardless of who conducts the attack, prevention needs direction. A true cyber defense program needs the right people, procedures and equipment; and all three of these components need appropriate installation and maintenance.
The people side of the equation requires trustworthy employees or contractors who have less vulnerability to accept bribes or to act on a whim. As easy as that seems, we know that both Bradley Manning and Eric Snowden had background checks considered appropriate. One factor missing in both of these cases: neither had appropriate supervision. Manning had misbehaved and his unit considered him a sub-par Soldier but then made the decision to punish him by having him work overnights with either little or no supervision. Likewise, Eric Snowden as a junior employee in a probationary period, seemed able to access significant information during the time he should have had supervision. Both of these cases point to the need for management oversight when sensitive information exists.
I recently worked at a location where all employees submitted to occasional or random searches which focused on looking for phones, cameras and similar contraband and yet I have seen designer jewelry capable of hiding a four and even eight Gigabyte drives; enough to hold thousands of pages of documents in full detail. To make matters worse; in the current time, cloud computing allows rapid uploading of immense files and the person who sent them off-site can leave at the end of the day with nothing on his person and then recover all documents from home or a coffee shop.
This kind of situation brings several ideas to mind: control the person, which most places do, but then control the information in other ways. Since nuclear weapons aboard submarines and in silos existed for many years, the need to ensure that these would follow strict protocols ended with the development of “two-man” rules. No one single person can launch nuclear weapons and a formal verification system worked then and continues to work today. Why not apply that seem idea elsewhere?
In the fall of 2001, just after the 9/11 attacks, a series of letters containing Anthrax bacteria went to Senator Tom Daschle, Tom Brokaw and others. Shortly after, the Federal Bureau of Investigation named Dr. Stephen Hatfill as a person of interest but eventually lost this case and Dr. Hatfill received compensation from the government. Several years later, a second scientist at Fort Detrick, Dr. Bruce Ivins, came into focus but the information got into the media and Dr. Ivins apparently killed himself prior to contact by the FBI. Similarly, Dr. Wen Ho Lee, a Los Alamos Laboratory scientist suspected of mishandling nuclear secrets in 1998, reached a settlement in 2006 involving a cash award of more than a million dollars from the Government and from five media organizations who had legally wronged him prior to any indictment. This case also resulted in an apology to Dr. Lee from President Bill Clinton. Dr. Lee later wrote the book “My Country Against Me.” The stolen nuclear information remains unrecovered.
Both the Dr. Ivins and the Dr. Lee cases point to a solution used elsewhere in the government: enforcing two person security for certain document access. In the military, often this means two people must together sign that a safe has opened and both must also sign when materials return to the safe. If one has access to something with either a high information value or happens to have a high danger if released, why not make two-person access a part of the process? I should note that from 1980 to 1983 I worked at Fort Detrick and had raised the question as to why Dr. Ivins worked very odd hours and had unaccompanied access to the Anthrax. At the time I recall a conversation with a senior officer who said: “Oh, he’s one of us, don’t worry.”
We have reached the time in which perhaps a mix of old technology and new technology together might provide improved security. Among the old ideas: number all copies of documents; print them on a color of paper that will not photocopy. Suggestions for newer methods: make documents non-printable from a computer and limit the number of paper copies. Some file types already have this feature. Perhaps we can devise a method to prevent viewing of more than one file only accessible from a two person station; or, we should limit how many documents one person can view or download in a day. Another would involve better compartmentalization. In recent years, the expansion of NATO means that more individuals might access many more documents than before. On the domestic front, one has to wonder about how effective “For Official Use Only” is when it extends too much information by volume and details. Surely, groups with terroristic ties, even domestic groups, might gain advantage to having too much information available with minimal controls.
Another concern involves both the judgment of employees and the setup of their work locations. This involves retransmitting government information on non-government emails. Some have said this is done because it saves time. G-mail seems ubiquitous, but it may come to pass that individuals in public or private employment in sensitive areas may not have the ability to dial up Gmail, place an Amazon order, or to check up on their families during the day. Recently, a government employee used a sophisticated system to play an electronic game over a boring weekend shift; and without knowing it, compromised the system at his location. These situations demonstrate the need for appropriate supervision, but since employees may work away from their supervisor, other administrative lock-outs need implementation to prevent the creative employee from harming themselves or our nation.
History shows that in situations as varied as the Rodney King beating and the Three Mile Island Reactor Incident; supervisory presence, or lack of it in these cases, proved a great ingredient to the expensive outcomes. In the time of cyber security, even more supervision and controls may become more necessary; but along the way, we need to improve protections to keep information where it resides and limit access, downloads or transmission either by quantity, File Transfer Protocol or by sheer number of items. Adding controls to limit the ability to copy or print commonly exist today and implementation of these controls would require some thought for consistency.
Whether in an industrial, medical, banking or retail setting, the need to improve cyber security, coupled with continued personnel practices, both become necessary. Without both together, one only need imagine what a disgruntled employee could do if her access terminates on the day she leaves employment; or, for that matter who or why someone has access at odd times of the week. Senior managers may have to take on a formal cyber gatekeeping so that should a mid-level employee need access to their building after a storm or during a work emergency on a holiday weekend, that they will have some monitoring of their activity.
A last kind of protocol not involving employees would involve processes, particularly in the manufacturing business or utilities where computers control valves or processes. These systems need to have code control and whenever possible exist on a secure network, preferably and internal network only (intranet), very different from the Internet. Portable hotspots and even local cars with hotspot capability to reach the Internet will likely make either shielding or other isolation of processes necessary.
The world changes and yet the changes brought by connectivity can provide a better way of life or the end to life as we know it.
About the Author
Rick Whitman served four decades with the Army Reserve and had a three decade career as a government scientist. He continues his graduate work.
This article originally appeared at The Simmons Review.
Online Degrees & Certificates In Cybersecurity
American Military University's online cybersecurity programs integrate multiple disciplines to ensure you gain the critical skills and management practices needed to effectively lead cybersecurity missions – from government or private industry. Learn from the leader. American Military University is part of American Public University System, which has been designated by the National Security Agency and the Department of Homeland Security as a National Center of Academic Excellence in Cyber Defense Education.