Every entity knows their data is sensitive and needs protecting, whether one is the counterintelligence officer within a defense contractor’s facility or the data security officer within a corporate entity. RSA 2017 just wrapped up in San Francisco, where thousands of vendors and attendees discussed all there is to know about security and cybersecurity. Many of those peddling solutions offer complex applications or appliances to mitigate the insider threat. Few address the phenomenon of data hoarding as a counterintelligence/cybersecurity threat.
Data data data
“Data hoarding” is a cybersecurity risk that has grown over the past several years. Part of the issue, as discussed in an essay by Ankur Laroia, a solutions strategy leader at Alfresco, is the deluge of data which each of us has to deal with in our professional lives. Laroia explains how 80 percent of all content is unstructured, thus forcing employees to come up with their own solutions to interconnect disparate data sets for the employee’s purpose. Or worse, nothing is deleted because no one knows if it “might” be of importance one day.
Look at your own entity. Don’t think it happens? Look again.
A survey conducted by Veritas global of more than 10,000 office professionals and IT decision-makers found more than 82 percent admitted to data hoarding. And to fully extend your counterintelligence antenna, the respondents noted that 75 percent of them held information which could be construed as harmful to their company if exposed (personnel, trade secrets, sensitive correspondence, etc.).
NISPOM
Those who are operating under the guidance of the National Industrial Security Program Operating Manual (NISPOM) have a mandate to put in place their Insider Threat Program (Creating an Insider Threat Program – Adjusting to NISPOM Change 2).
NISPOM requires classified materials to be handled in accordance with the Standard Operating Procedures of the facility and the NISPOM manual. Unclassified materials are of import as well, and must also have policies and handling procedures in place. Again, as Laroia points out, “scattered content, regardless of where it is stored, poses a major security risk.” How is your shop measuring up?
We wrote of Harold Martin previously (see below for those articles) and his scorched-earth collection methodology. The indictment is telling: “Beginning at a time unknown, but no earlier than in or about 1996, and continuing through on (sic) or about August 27, 2016, Martin stole and retained U.S. government property including the documents listed in paragraph 25 below.” Martin’s hoard included over fifty terabytes of information (50 terabytes = 50,000 gigabytes; one gigabyte is space for approximately 10,000 pages of documents/images). The rationale behind his hoarding is unexplained, as his indictment did not include any charges of espionage.
While Snowden’s hoarding has been widely reported, discussed and debated, the truth of the matter is that he also manipulated his colleagues to increase his access, as we discussed in Privileged Access and How Edward Snowden ‘Snowed’ His Coworkers. His hoarding was purposeful and calculated.
Another well-discussed and dissected case of extreme hoarding was Jonathan Pollard, a Navy analyst who was convicted of espionage on behalf of Israel and was paroled in late 2015. The volume of data which Pollard absconded with filled a 9′ x 12′ x 8′ room floor-to-ceiling and wall-to-wall with classified materials. A remarkable amount of data in an age when the primary form of communication within government was the teletype.
Retention policies are your friend
Keep information only as long as you need it, and use the delete key with relish. Don’t allow your personnel to fall into the “I might need it someday” sinkhole. With the advent of online cloud storage solutions, the capacity to hoard has never been greater. Checks, balances, policies and procedures are your friend. The confirmed deletion of obsolete data reduces the amount of data which must be protected. This is a plus for anyone within the NISPOM-compliant world, where our insider threat program must detect hoarding so we do not have another instance of Martin, Pollard or Snowden. We don’t need another counterintelligence nightmare.