Americans don’t love technology, we worship it. In cleared programs, however, we find ourselves conflicted over such changes. Yes, we save thousands when we no longer hire a person to do a job, but placing classified information on computers doesn’t eliminate the risk – in many cases, it just increases its reach and the possibility for leaks.
One item of malware inserted into a classified computer could send each and every document produced to an adversary. Government agencies and contractors hire professionals to oversee cybersecurity for just that reason. Ah, but who will watch the watchers? Recent wailing and gnashing of teeth bemoans how young people are tasked to operate our office ‘help desks’. You know who these people are, right? They’re the ones you call when your computer won’t respond. They are the ones who install patches to protect against outsiders accessing your system. Generally, they work at night while you are at home. When you return in the morning, like magic, your computer is protected from glitches that would compromise your data. What’s wrong with this?
How does your ‘help desk’ team operate? Are they alone with your systems, the better to work in the quiet of the evening to properly install your protective patches? Here’s where it gets tricky. Do they have a ‘need to know’ everything they can access as they update your computer system? For that matter, does the ‘two-person rule’ apply to them when they work away in the evening? Are you ‘saving money’ by only having single people apply correctives to your system? Are you really saving money, or risking everything because you allow single individuals to apply patches, alone, at night? Even if they were observed reading classified materials to which they had no authorization, who would be there to say they couldn’t?
Just like when you had guards checking to see what employees were carrying out of the building, by personal or bag checks, so should one of your other employees perform modern checks when your ‘help desk’ team goes home each morning. This cyber-guard’s job should be to track all the history of what your help desk accessed. This is relatively easy to do. You can even discover if a person tried to delete some of their history. It is a means of ensuring that your team remains honest. If they work in twos, are checked upon departure, and know this is a daily routine, you’ll have done due diligence in protecting your devices. This kind of procedure could have made all the difference in the Jack Teixeira leaks.
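One way to implement the morning check described above, as an added example that is not part of the original article: a small review script run over the previous night's audit trail. The log format, host and account names, compartment labels and the need-to-know table are all constructed for illustration; the script assumes each host stamps its audit records with a per-host, strictly increasing sequence number, so a record that someone removed from the trail shows up as a gap.

```python
"""Morning review of help-desk activity from a forward-only audit trail.

Added example, not code from the original article. Field names, hosts,
accounts and compartment labels are constructed. Assumes each host numbers
its audit records consecutively (seq), so a deleted record leaves a gap.
"""
from collections import defaultdict

# Constructed sample trail: seq|host|user|action|object|compartment|witness
# ("witness" is the second person present for the two-person rule, "-" if none)
SAMPLE_LOG = """\
1001|ws-07|hd_alice|session_open|-|-|hd_bob
1002|ws-07|hd_alice|patch_apply|PATCH-PLACEHOLDER|-|hd_bob
1003|ws-07|hd_alice|file_read|/share/projA/status.docx|PROJ-A|hd_bob
1004|ws-07|hd_alice|session_close|-|-|hd_bob
2001|ws-12|hd_carol|session_open|-|-|-
2002|ws-12|hd_carol|patch_apply|PATCH-PLACEHOLDER|-|-
2003|ws-12|hd_carol|file_read|/share/projB/budget.xlsx|PROJ-B|-
2005|ws-12|hd_carol|session_close|-|-|-
"""

# Constructed need-to-know table: compartments each help-desk account may read.
NEED_TO_KNOW = {
    "hd_alice": {"PROJ-A"},
    "hd_bob": {"PROJ-A"},
    "hd_carol": set(),  # patching only; no document access authorised
}

FIELDS = ("seq", "host", "user", "action", "obj", "compartment", "witness")


def parse_log(text):
    """Parse the pipe-delimited trail into a list of dicts, one per record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed audit record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["seq"] = int(rec["seq"])
        records.append(rec)
    return records


def unauthorised_reads(records, need_to_know):
    """Document reads by an account with no need-to-know for that compartment."""
    return [
        (r["seq"], r["user"], r["obj"], r["compartment"])
        for r in records
        if r["action"] == "file_read"
        and r["compartment"] not in need_to_know.get(r["user"], set())
    ]


def sequence_gaps(records):
    """Per-host gaps in sequence numbers: records removed from or lost in the trail."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r["seq"])
    gaps = []
    for host, seqs in by_host.items():
        seqs.sort()
        for prev, cur in zip(seqs, seqs[1:]):
            if cur != prev + 1:
                gaps.append((host, prev, cur))
    return gaps


def solo_sessions(records):
    """Sessions opened with nobody recorded as the second person (two-person rule)."""
    return [
        (r["seq"], r["host"], r["user"])
        for r in records
        if r["action"] == "session_open" and r["witness"] in ("", "-")
    ]


def morning_report(text, need_to_know=NEED_TO_KNOW):
    """Everything the departure check should raise before the team goes home."""
    records = parse_log(text)
    return {
        "unauthorised_reads": unauthorised_reads(records, need_to_know),
        "sequence_gaps": sequence_gaps(records),
        "solo_sessions": solo_sessions(records),
    }


if __name__ == "__main__":
    for name, items in morning_report(SAMPLE_LOG).items():
        print(name)
        for item in items:
            print("  ", item)
```

On the constructed trail the report flags one read outside need-to-know (hd_carol opening a PROJ-B spreadsheet), one sequence gap on ws-12 (record 2004 is missing), and one session opened without a second person present. The gap check only works if the audit records are written somewhere the help-desk account cannot modify, such as a forwarder to a separate log host, which is what makes it the cyber-guard's record rather than the help desk's own.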
Where does this leave you in terms of secure computers? What policies do you have in place to remind your staff of their security obligations with a computer? Are the simple practices in place? Do you forbid USB devices be brought into the building? Do you have after hours checks of computer systems to see what your regular employees are watching, reading, or accessing? Special Agent Robert Hanssen, the FBI spy recruited by the Russians, was an early advocate of computer literacy. He knew how to avail himself of computer data, knowing what protections were in place. It was not computer literacy by investigators which brought him down, but standard shoe leather doggedness. He shielded himself well from the computer protectors, but not from others who pursued him, employing tried-and-true forensics leading to his ultimate arrest.
We should learn something from each espionage case that comes to light. Ask what was lost, and how. If we determine this, who did it should not be far behind. Difficulties arise when we are quick to assign blame, but not so ready to apply prevention in the first place. A recent corporate spy published an essay on his skill at eliciting information telephonically from compliant office support staff. In fact, he determined that if he pretended to be with ‘compliance’ – a sort of inspector general in private industry – he could get loads of information from receptionists wanting to help. Were these office workers to blame for their leak to a ‘fellow employee’ in a major corporation? (After all, the organization was huge, and he claimed to work for them in another city). Or, had they not been briefed on how information is shared in the company? Would they know to report unusual requests, and to whom? In most government facilities, all information provided to outside elements is processed through public affairs. Would the secretary have been protected if she were to have checked with an oversight office before releasing names, titles, and cell phone numbers to an individual she didn’t know?
We started this discussion by trying to understand when human or computer reliance is warranted in security matters. The truth is both can oversee one another. It is essential that rules of the road be made clear. If you are authorized to deal with certain classified programs, you must be accompanied whenever you work on them away from your desk. This is the ‘two-person rule’ principle. If you appear at a meeting without authorization, that is to say you have no need-to-know, you can’t attend. (In fact, such an oversight should be reported to security as well, no matter how senior the person demanding access).
If you must apply patches to computer systems, you should not do so alone. Likewise, if someone asks for something you aren’t authorized to provide, no matter how friendly, charming, or what a good listener he is, be sure to refer him to your public affairs office. Oh, and if you see anything that appears to violate any of these double check ideas, tell your investigative support people. What’s more, let all your staff know that you conduct random security double checks of all computers to see what people are doing on company time. Accountability applies to all staff, and is a good deterrent for individuals who would otherwise take advantage of a lack of oversight – whether human or technological.