His request seemed straightforward. He wanted the secretary to arrange meetings with ‘high profile people at NSA who can tell me about NSA’s computer infrastructure.’ It is a good thing that the secretary turned him down, if only on the general suspicion that, senior FBI official or not, Robert Hanssen’s need to know seemed vague. Hanssen was later discovered to be the most damaging spy in FBI history. In fact, one of his last deliveries to the Russians was a thousand-page trove of documents pulled from the FBI’s Automated Case Support system. He betrayed everything he could access.
Hanssen’s 22-year espionage career for his Soviet, and later Russian, intelligence masters is notorious, and the damage assessment continues to this day. His commentary after his arrest is a warning for clearance holders. Regarding the huge breach of the case system, he said, “Any clerk in the bureau could come up with stuff on that system. What I did is criminal, but it’s criminal negligence…what they’ve done on that system.”
Damage is High When Employees Understand Vulnerable Systems
Our federal government is instituting new computer security certification requirements for its systems, and these will apply across government contracts. It is because of people like Hanssen, whose real talent was an early awareness of how vulnerable computer systems are, that such common security measures are being implemented. Companies need well-trained and certified computer specialists who understand what it means to block, air-gap, and compartment information. Sharing data is always problematic, because need to know must always be a factor.
In May of 2021, an Executive Order (Executive Order 14028, “Improving the Nation’s Cybersecurity”) was issued to limit even further the threats to our computer systems, and several measures took effect immediately. For example, the Order recognized that contract terms with information technology service providers were preventing them from sharing information about security breaches with the federal agencies responsible for investigating them: “Removing these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies’ systems and of information collected, processed, and maintained by or for the Federal Government.” A timeline was established for when, and to whom, this mandate applies. The Order directs service providers to collect and preserve data relevant to cybersecurity incidents on the systems they operate for the government, to share that data with the appropriate investigative agencies, and to report any such incident promptly. It specifically states that privacy interests are to be honored throughout this process.
Everyone Has a Role in Security
Every company with cleared programs needs to contact its government contracting officer to determine how, if at all, this Order affects it. It is often difficult to determine the scope of a broad federal mandate, but the specialists responsible for implementing it are there to help. The FBI, DHS, and other federal agencies are named in the Order, and they, along with other agencies, will be better equipped to defend our computer systems. As the Order states: “Standardizing common cybersecurity contractual requirements across agencies will streamline and improve compliance for vendors and the Federal Government.” Learn how your company fits into this picture, and inform yourself on how the process works, as it will make defenses easier, faster, and less bureaucratically burdened. Everything from how information is stored, shared, and reviewed is addressed. From cloud retention to software supply chain, you will find all of these particular aspects covered in this broad measure. Check how it applies to your programs.
As this Order makes clear, every cleared contractor plays a role in computer security. The first step of any good security program is to know what needs to be done and where to ask for help.