Home Danger: Cybersecurity experts have refocused attention on the potential threat posed by insiders following the Edward Snowden incident. (Colin Kelly / Staff)
WASHINGTON — Edward Snowden, the leaker currently stuck in Russia who disclosed a wide range of secrets about US government surveillance and spying, has changed the conversation about cybersecurity. Not because of the documents he released, but as a reminder of the vulnerability organizations have to the threat of insiders with access to large swathes of information and system components.
It’s a lesson that was the talk of the cyber community after the WikiLeaks disclosures attributed to the alleged actions of Bradley Manning, but one that faded as experts shifted their focus to the growing threat from foreign governments, particularly China. It is back in vogue because of the volume and sensitivity of the information Snowden has made public.
Some of the fallout from the Manning case, such as the banning of thumb drives and other external media from sensitive systems, has been walked back in some instances in the name of practicality. One of the problems, as with any security issue, is that you can’t make a network truly safe from an insider.
“It’s akin almost to insider attacks in Afghanistan,” Army Gen. Martin Dempsey, chairman of the US Joint Chiefs of Staff, said during a late June speech. “Well, the answer is that you can’t prevent it. You can mitigate the risk, and what I’d like you to take away from this conversation about the incident with Snowden is you can’t stop someone from breaking the law 100 percent of the time. You just can’t stop that from happening.”
Dempsey did, however, suggest steps to reduce the threat of insiders to Defense Department networks, including cutting the number of people in positions like Snowden’s.
“I think systems administrators is the right place to begin to clean this up because they have such ubiquitous access, and that’s how he ended up doing what he did,” he said. “We really need to take advantage of thin client and cloud technology, to dramatically reduce the number of systems administrators that we have managing programs, which will make it both more effective and safer.”
That approach carries risk because fewer individuals will have access concentrated in their hands, said Jeff Moulton, director of information operations at Georgia Tech Research Institute.
“What they’ve done now is rather than mitigating the threat, they’ve increased the likelihood of a catastrophic impact from a threat,” he said. “It’s not going to help. It introduces other problems, like the broader access of the cloud.”
One idea suggested by several cyber experts, including Moulton, is to adopt nuclear launch security as a guide. When it comes to the use of nuclear weapons, two separate individuals have to provide authentication before a weapon can be used. Not only does this prevent accidents, but it guarantees that a second person will be monitoring the activity of the first.
In the cyber realm, this could be achieved by requiring two people to provide their security credentials before either could access certain kinds of documents or segments of the network control system.
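The two-person control described above can be expressed as a small access gate. The following is an added example, not code from the article or from any of the organizations it quotes; the users, passwords, resource name and 60-second approval window are all constructed for illustration. The gate verifies each person's credentials, records the first approval, rejects a second approval from the same account, and grants access only when a distinct, authenticated second person approves within the window.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credential store (hypothetical users): per-user random salt
# and a PBKDF2 digest, so no plaintext password is kept.
USERS = {}


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(user, password):
    salt = secrets.token_bytes(16)
    USERS[user] = (salt, _digest(password, salt))


def verify(user, password):
    # Constant-time comparison so a wrong password does not leak timing.
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _digest(password, salt))


class TwoPersonGate:
    """Grants access to a resource only after two distinct authenticated users approve."""

    def __init__(self, window_seconds=60):
        self.window = window_seconds
        self.pending = {}   # resource -> (first approver, timestamp)
        self.audit = []     # append-only log of every decision

    def request(self, user, password, resource, now=None):
        now = time.time() if now is None else now
        if not verify(user, password):
            self.audit.append(("denied-bad-credentials", user, resource))
            return False
        entry = self.pending.get(resource)
        if entry is None or now - entry[1] > self.window:
            # No live first approval: record this one and wait for a second person.
            self.pending[resource] = (user, now)
            self.audit.append(("first-approval", user, resource))
            return False
        first_user, _ = entry
        if first_user == user:
            # The same account cannot supply both halves of the approval.
            self.audit.append(("denied-same-user", user, resource))
            return False
        del self.pending[resource]
        self.audit.append(("granted", first_user + "+" + user, resource))
        return True


if __name__ == "__main__":
    register("alice", "correct horse")
    register("bob", "battery staple")
    gate = TwoPersonGate()
    gate.request("alice", "correct horse", "launch-config")
    print(gate.request("bob", "battery staple", "launch-config"))  # True
    for line in gate.audit:
        print(line)
```

The audit list is the part a defender cares about as much as the grant itself: a pattern of "denied-same-user" entries, or repeated first approvals that never get a second, is exactly the kind of signal that later analysis of behavior on the system can pick up.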
“Is it time consuming? Perhaps,” Moulton said. “But what’s more time consuming, doing this or armchair quarterbacking?”
Still, there will always be a residual threat from insiders, which is why deterrence is key, said Ian Wallace, a visiting fellow with the Brookings Institution and a former official with the British Ministry of Defence.
“The insider threat will always exist, and it will be next to impossible to stop it completely,” Wallace said. “But there are also plenty of ways in which that can be deterred. Not the least of those is the traditional deterrent of getting caught and prosecuted, something which is even more likely with the emergence of companies doing big data analysis of behavior on their own systems.”
Wallace cautioned that all of this attention on the insider threat may be misguided. Statistically, insider attacks are exceedingly rare, even if the data that is lost or the risk to systems from a determined insider is significant.
“All of the evidence that I have heard from the best cybersecurity firms suggests that the main threat is still the remote threat, for three compelling reasons: the risk of being caught is much less, it is much more scalable, and at present it is still, sadly, relatively easy for a sophisticated and determined intruder to get into all but the best protected systems,” Wallace said.
In the hunt for solutions to the insider threat, one of the big questions is how to detect intent from an employee ahead of a problem. In much the same way that concerns have surfaced about what radicalized the Boston bombing suspects and whether it could have been detected earlier, experts are studying how to discover the intentions of insider threats sooner.
That can take the form of such mundane facts as the speed at which an employee types. Changes in the rate of typing can indicate mood, a tip that further inquiry might be needed.
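The big data analysis of behavior that Wallace mentions and the typing-rate signal described here both come down to comparing a current observation against a person's own baseline. The following is an added example, not code from the article; the keystroke-per-minute figures are constructed, and the three-standard-deviation threshold is an assumed tuning value. It builds a per-user baseline and flags sessions that deviate strongly, which is the "tip that further inquiry might be needed" rather than a verdict.

```python
from statistics import mean, stdev

# Constructed baseline: keystrokes per minute over ten past sessions for one user.
BASELINE_KPM = [62, 65, 60, 64, 63, 66, 61, 64, 62, 65]

# Constructed new sessions to score: (session id, keystrokes per minute).
NEW_SESSIONS = [("s1", 64), ("s2", 40), ("s3", 63)]


def baseline_stats(samples, min_samples=5):
    """Mean and sample standard deviation; refuse to model on too few samples."""
    if len(samples) < min_samples:
        raise ValueError("not enough history to build a baseline")
    return mean(samples), stdev(samples)


def zscore(value, mu, sigma):
    # A flat baseline (sigma == 0) gives no information, so report no deviation.
    if sigma == 0:
        return 0.0
    return (value - mu) / sigma


def flag_sessions(baseline, sessions, threshold=3.0):
    """Return (session id, kpm, z) for sessions that deviate beyond the threshold."""
    mu, sigma = baseline_stats(baseline)
    flagged = []
    for session_id, kpm in sessions:
        z = zscore(kpm, mu, sigma)
        if abs(z) > threshold:
            flagged.append((session_id, kpm, round(z, 2)))
    return flagged


if __name__ == "__main__":
    for item in flag_sessions(BASELINE_KPM, NEW_SESSIONS):
        print("review:", item)
```

A single feature like typing rate is noisy on its own, which is why such a flag should open an inquiry rather than trigger an automatic action; in practice several behavioral features are combined, and the threshold is tuned against the rate of false alarms an organization can afford to investigate.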
But to gain that type of data, a certain degree of invasiveness is required, and some superficial profiling of behavior is employed.
That creates all kinds of legal and ethical questions but may be a necessity for large organizations with many people to monitor, Moulton said.
“You can’t monitor everybody all the time,” he said. “Look at what the casinos do. They profile, but that’s a really difficult word. Are we prepared to profile?”
Dempsey emphasized that some actions would be taken to improve the system, but he described a certain degree of risk acceptance.
“You can certainly increase the scrutiny in terms of their background investigations, you can reduce the number of them you get, there are different degrees of oversight in place,” he said. “But at some point, if somebody is going to break the law and commit an act of treason, I don’t know what he’ll eventually be charged with or espionage, they’re going to be able to do that.”