What WikiLeaks tells us about the inevitability of insider threats
Can technology, policy or operational control prevent someone from going rogue?
- By (ISC)2 Government Advisory Council Executive Writers Bureau
- May 09, 2011
Although the WikiLeaks incident moved the insider threat risk back to center stage, the essence of this message had already been steadily communicated in several cybersecurity initiatives, including the most recent 2010 Verizon Data Breach Investigations Reports based on a study conducted by the Verizon RISK Team in cooperation with the U.S. Secret Service.
Among the many takeaways, the DBIR reported that, of the 900-plus incidents of data breaches involving more than 900 million compromised records during the six-year history of the DBIR, approximately 48 percent involved insiders.
Whereas public, private and even military institutions have all acknowledged the harsh reality and complexity of combating the insider threat, none of these institutions has uncovered the "silver bullet" to rid their respective organizations of this pervasive and debilitating threat, largely due to a combination of the following reasons:
- Current personnel adjudication processes are fallible.
- The insider threat problem is not purely a technology or a policy problem.
- It is difficult to accurately predict if an employee will go “rogue.”
Spotting insider threats on the front lines
How to prevent data breaches – and respond after they occur anyway
Listen to an (ISC)2 podcast on WikiLeaks and insider threats here.
One could argue that history and religion provide much context for the insider threat risk, dating back to Judas Iscariot’s betrayal of Jesus and Benedict Arnold’s role in the Revolutionary War.
More recently, we have also seen the publicized incidents involving Robert Hanssen of the FBI and Aldrich Ames of the CIA.
The recurring theme with each of these incidents is that the perpetrators, including Army Pfc. Bradley Manning, who is accused of disclosing classified documents to Julian Assange of WikiLeaks, all underwent rigorous background screening and vetting before being allowed to occupy the positions of trust that they later betrayed.
The current vetting process for most organizations in the public sector, private sector and even the Defense Department is heavily front-loaded, meaning that much rigor goes into the background investigation for initially awarding prospective employees positions of trust within these organizations, with little ongoing refresh.
The standard vetting process typically includes background, criminal, credit, financial, tax and national agency checks. This process is conducted only once upon initial entry (especially for federal employment) without proscribed refresher checks, even for the most sensitive positions.
The same is not true, however, for DOD, as there are routine reinvestigation cycles for holders of clearances of secret or above. Another exception is the intelligence community, which has the most rigorous and robust vetting and reinvestigations processes, of three years or more, for refresh. That said, however, as exemplified in the case of WikiLeaks, human tendencies, behaviors, motivations and allegiances change at the speed of thought. It is therefore virtually impossible for even the most rigorous vetting processes to detect the trusted employee who is about to go rogue.
On the technological front, even the best internal audit trail mechanisms would have been challenged to prevent what Manning was allegedly able to do. Only a very highly instrumented data-loss prevention enterprise would have been able to detect and even prevent files from being written to an external, removable media device.
Whereas pundits of digital rights management, data tagging and data-loss prevention technologies have sought to capitalize on the WikiLeaks disclosures to espouse how various permutations and combinations of technologies would have prevented the release of the classified information, technology alone cannot prevent a WikiLeaks-type incident from occurring in federal environments.
With the latest efficiencies and cost savings that the Office of Personnel Management has implemented into the investigation process, federal chief information security officers should be able to re-vet employees for a fraction of what it would have cost in the past.
However, the harsh reality is that the insider threat risk is not a problem that can be solved easily with technology alone, or with policy or pure operational control. None of these tools can protect against an employee who has been entrusted with privileged access to sensitive information from going rogue.
Members of the (ISC)2 U.S. Government Advisory Council Executive Writers Bureau include federal IT security experts from government and industry. For a full list of Bureau members, visit https://www.isc2.org/About/Advisory-Council#