Toward the end of 2010, details of U.S. diplomatic cables, posted on WikiLeaks and shared with international newspapers, raised major concerns regarding information security. The fact that an Army intelligence analyst allegedly leaked 260,000 diplomatic cables reminded officials at every level of government just how detrimental insider threats can be.
With or without WikiLeaks, chief information officers (CIOs) and chief technology officers (CTOs) should continuously update policy and security to try to prevent such events. Even then, however, these updates won't guarantee a solution to the problem. The core of security breaches isn't about technology at all. It's about the culture, or the morals and ethics of human beings.
CIOs and CTOs need to be able to trust the men and women who work in these departments. They walk a fine line when entrusting their employees with sensitive data. I spoke to a handful of CIOs and CTOs from around the country who were willing to share with me their strategies for securing confidential data. We covered three primary areas: policy, technology and culture.
In several states, employees must sign an acceptable use policy or agreement that lays out the general expectations for employees about behaviors and monitoring. In Arkansas, employees with the Department of Information Systems sign a confidentiality agreement that says they will not disclose or use in an unauthorized capacity any confidential information. They sign this agreement annually, says state CTO Claire Bailey. "We look at all the things we do for our employees," she says, "and want to make sure through education that they understand that in some of their roles, they have access to information that's very private."
New York State's CIO Melodie Mayberry-Stewart says its policy also is updated regularly. "We operate the four mainframe data centers across our state agencies, which is a big target for someone if they so choose to abuse that," she says. "But this policy on protection of [state] information assets provides guidance to our staff regarding the steps they should take to reduce the risk of employee unauthorized disclosures."
Signing such agreements, however, doesn't necessarily deter disgruntled employees from releasing confidential information. If agreements can't stop someone from releasing data, technology steps in to catch any culprits.
While all levels of government are concerned about protecting confidential documents, Florida CIO David Taylor notes that preventing an inside job is very difficult -- if not impossible. "Unless we work to prevent employees from moving that data off the local network by eliminating USB tokens, eliminating all CD-ROM and DVD drives," Taylor says, "there's no physical way of stopping people who have the right to have that data from taking it out of the organization if they're a disgruntled employee."
Ultimately, state government employees have a right to access secure data, but state CIOs generally enforce "least privilege," where employees have only the access to protected data that is necessary to do their jobs. Taylor says Florida state agencies are reassessing these privileges post-WikiLeaks. Florida agencies also conduct annual self-assessments of security risk to determine whether there are any risk factors within the organization. "A security evaluation for all state agencies is absolutely critical," he says.
Michigan's CTO Dan Lohrmann also references the difficulty in preventing such occurrences, noting two primary ways to keep such events at bay: "You have to trust and verify, and you have to have separation of duties," he says.
Separation of duties is an audit principle that makes employee dishonesty easier to detect. "If I'm cutting a check for employee expenses for travel, or I'm giving John Doe money or Medicare or Medicaid or authorizing new payments, at least two people, if not more, are in the process," Lohrmann says. These other employees have separate accounts and passwords in the system, and can verify the details of such a transaction. Additionally, a centralized logging system records any changes to a transaction. For example, if someone added a zero to a check to change the payment to John Doe from $1,000 to $10,000, the change would be recorded.
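The two controls Lohrmann describes, a second person who must approve a payment and a log that records every change, can be sketched in code. The ledger below is an added illustration, not any state's system: the creator of a payment can never be its approver, changing the amount voids earlier approvals, and each action is appended to a hash-chained log so that altering the $1,000 entry to $10,000 after the fact breaks the chain.

```python
import hashlib
import json
# Hypothetical dual-control payment ledger (an illustration, not any state's
# system): the creator of a payment can never approve it, an amended amount
# voids earlier approvals, and every action lands in a hash-chained log.

class SeparationOfDutiesError(Exception):
    pass

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class PaymentLedger:
    def __init__(self):
        self.payments = {}
        self.log = []  # append-only audit trail; never edited in place

    def _record(self, actor, action, **detail):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"actor": actor, "action": action, "prev": prev, **detail}
        entry["hash"] = _digest(entry)
        self.log.append(entry)

    def create(self, actor, pid, payee, amount):
        self.payments[pid] = {"payee": payee, "amount": amount, "created_by": actor, "approvals": []}
        self._record(actor, "create", pid=pid, payee=payee, amount=amount)

    def amend(self, actor, pid, amount):
        p = self.payments[pid]
        self._record(actor, "amend", pid=pid, old=p["amount"], new=amount)
        p["amount"], p["approvals"] = amount, []  # re-approval required

    def approve(self, actor, pid):
        p = self.payments[pid]
        if actor == p["created_by"] or actor in p["approvals"]:
            raise SeparationOfDutiesError(f"{actor} may not approve {pid}")
        p["approvals"].append(actor)
        self._record(actor, "approve", pid=pid)

    def is_payable(self, pid):
        return len(self.payments[pid]["approvals"]) >= 1  # creator + independent approver

    def verify_log(self):
        prev = "0" * 64
        for e in self.log:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

In a real system the log would be written to a separate store that the payment clerks cannot modify; here the tamper check only shows that an in-place edit is detectable.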
The trust and verify method is the ability to randomly test what people are doing, as well as monitor e-mails to see if employees are mailing out sensitive information, such as Social Security numbers. "Everyone says they're being honest," Lohrmann says, "but I'm verifying that that's actually happening."
The New York State Office for Technology (OFT) has a multi-pronged approach to thwarting attacks, whether internal or external. Like Michigan, it focuses on monitoring and detection. "All of our scanning monitors activity of all users on [the] network," says Bruce Rollins, acting director of Security & Risk Management at OFT, "whether they're coming in from the outside or they're internal users moving from one application to the other."
The core of security breaches, however, is about culture. "We try to address the needs from an ethical perspective," says Mayberry-Stewart. "It's about behavior." New York Gov. Andrew Cuomo is making the state's ethics laws a very important part of his administration, she added, noting that Cuomo's second executive order after being sworn in required ethics training for all top state officials, as well as those inside the governor's office. "What we do to impact the culture is continue to emphasize and accentuate how important and critical this is -- that these are values that have to be inculcated into every employee."
Lohrmann echoed that sentiment. "Cyber ethics is an important piece of this," he says. "Highlight in your training that it's people, process and technology. The people side [is] the biggest asset; it's also our biggest liability. It is the hardest to secure. Helping people understand the implications of their actions is really important."