While the Edward Snowden saga continues to play out, PFC Bradley Manning was back in the news last week as a result of his trial and continuing sentencing hearings. Manning was the central figure in the massive intelligence leaks that ended up being posted on WikiLeaks a few years back.
Some consider Manning a traitor while others maintain his innocence and look at him as a whistleblower/hero. Regardless of your perspective on Manning himself, his case illustrates numerous and serious lapses in information security policies, procedures, and risk management.
Given the infamous spotlight, CISOs would be wise to use the media attention around Bradley Manning as a tool to educate executive management on insider threats and assess organizational risks. Here are a few basic questions that security-conscious organizations should be asking:
- What types of access controls and monitoring should be applied to users with access to extremely sensitive data? Manning had extraordinary access to classified data, but it appears that there were few restrictions and little oversight. This laissez-faire security had a devastating effect -- WikiLeaks. CISOs should make sure that their organizations know exactly who (i.e., roles and individuals) has access to their most sensitive data and implement proper controls for detecting/preventing anomalous activities like sudden downloads of hundreds of thousands of documents. Think risk-based authentication (a la RSA) and triggered alerts as well as diligent activity monitoring by trained security analysts.
- What types of physical security and digital rights policies should be enforced? Manning walked into a highly secure workplace with a CD case labeled “Lady Gaga.” The case actually contained a blank disk that was used to save thousands of classified documents. From a physical security perspective, CISOs must decide whether users with access to sensitive data are permitted to walk into the office with CDs, DVDs, iPods, etc., which may be used as portable storage media. Even more elementary, should analysts have the ability to save this type of extremely confidential data? Of course not. CISOs need to prevent this by wrapping the data with DRM capabilities or disabling CD/DVD burners and USB ports.
- Is there a formal risk management process applied to problem employees? Manning had a rocky tenure in the US Army for several years before being arrested. For example, he was sent to the discharge unit six weeks after enlisting, he displayed emotional problems and was referred to an Army mental health professional, and he was described as “a risk to himself and possibly others” by 2 of his superior officers. The Army chose to ignore these issues as it had a shortage of security analysts at that time.
Okay, I get it, this is a business decision. That said, it appears that Army personnel either didn’t communicate these problems to the security team and/or there was no formal risk management analysis for developing compensating controls for a high-risk individual. In a commercial setting, CISOs and HR executives should have a standard process to align HR and cybersecurity actions in similar situations. For example, security analysts could conduct an investigation to track historical online behavior, or ramp up monitoring of specific personnel. This type of strategy only works if organizations have thought through these risks, address them with formal policies, and maintain open communications channels between departments.
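To make the first and third points concrete, here is an added example (not from the original post) of the kind of triggered alert a security team could run over document-access logs: a sliding-window count of downloads per user compared against that user's historical hourly baseline, with a tighter threshold for personnel HR has flagged as high-risk. The log format, user names, baselines and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed, not from the original post):
# "<ISO timestamp> <user> DOWNLOAD <document id>"
def parse_line(line):
    ts, user, action, doc = line.split()
    return datetime.fromisoformat(ts), user, action, doc

def detect_bulk_downloads(lines, baseline_per_hour, high_risk=frozenset(),
                          window=timedelta(hours=1), multiplier=10, floor=50):
    """Return {user: (time, count)} for the first moment a user's downloads inside
    the sliding window exceed their threshold.  Threshold = the larger of `floor`
    and `multiplier` x that user's historical hourly baseline; users in `high_risk`
    (the compensating control discussed above) get a much tighter threshold."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    alerts = {}
    for line in lines:
        ts, user, action, _ = parse_line(line)
        if action != "DOWNLOAD" or user in alerts:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # evict events older than the window
            q.popleft()
        mult, flr = multiplier, floor
        if user in high_risk:
            mult, flr = multiplier / 4, floor / 5
        threshold = max(flr, mult * baseline_per_hour.get(user, 1.0))
        if len(q) > threshold:
            alerts[user] = (ts, len(q))
    return alerts

def constructed_log():
    """Synthetic access log: a normal analyst, one bulk exporter, one high-risk user."""
    start = datetime(2013, 8, 5, 9, 0)
    lines = []
    for i in range(4):      # analyst1: four downloads spread over an hour (normal)
        lines.append(f"{(start + timedelta(minutes=15 * i)).isoformat()} analyst1 DOWNLOAD doc-{i}")
    for i in range(120):    # analyst2: 120 downloads in 20 minutes (bulk export)
        lines.append(f"{(start + timedelta(seconds=10 * i)).isoformat()} analyst2 DOWNLOAD doc-{1000 + i}")
    for i in range(15):     # analyst3 (flagged high-risk): 15 downloads in 15 minutes
        lines.append(f"{(start + timedelta(minutes=i)).isoformat()} analyst3 DOWNLOAD doc-{2000 + i}")
    return sorted(lines)    # ISO timestamps sort chronologically

if __name__ == "__main__":
    baseline = {"analyst1": 3.0, "analyst2": 4.0, "analyst3": 3.0}   # historical downloads/hour
    for user, (ts, n) in detect_bulk_downloads(constructed_log(), baseline, high_risk={"analyst3"}).items():
        print(f"ALERT {user}: {n} downloads within 1h as of {ts}")
```

analyst2 trips the absolute floor at the 51st download and analyst3 trips the tightened high-risk threshold at the 11th, while analyst1's normal activity raises nothing.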
You’d think that the U.S. Army would have assessed and addressed these security risks, but it obviously had some type of SNAFU. Clearly someone other than Bradley Manning has some accountability here since the intelligence vault was virtually wide open. Alas, DoD has been far less public about what went wrong and who should have known better.
As for those of us in the commercial sector, we can’t ignore insider threats in the face of sophisticated attacks and advanced malware. The U.S. Army overlooked basic warning signs and best practices. Enterprise CISOs should make sure that their organizations have the right policies, processes, and communication channels in place so they can address analogous risks and avoid similar headlines in the future.