SUMMARY OF DISCUSSIONS AT A PLANNING MEETING ON CYBER-SECURITY AND THE INSIDER THREAT TO CLASSIFIED INFORMATION
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
THE NATIONAL RESEARCH COUNCIL
THE NATIONAL ACADEMIES
NOVEMBER 1–2, 2000
Chair:
Anita K. Jones, Lawrence R. Quarles Professor of Engineering and Applied Science, University of Virginia
Rapporteur:
Lynette I. Millett, Program Officer and Study Director, Computer Science and Telecommunications Board
This white paper summarizes the discussions of a planning meeting sponsored by the National Research Council (NRC) on November 1–2, 2000. It has not been reviewed by the National Research Council and does not reflect the institutional views of the NRC in any way.
CYBER-SECURITY AND THE INSIDER THREAT TO CLASSIFIED INFORMATION
In order to determine whether to conduct a study on cyber-security and the insider threat to classified information, the Computer Science and Telecommunications Board (CSTB) of the National Academies (described in Appendix A) hosted a meeting on November 1–2, 2000 to advise CSTB on the issues that such a study might address.
Meeting participants endorsed the concept that CSTB should undertake a project that would examine high-grade threats (by definition including insider threats) to high-value information systems. Such a study should address both national security concerns involving classified systems and the concerns of non-classified, commercial enterprises.
The meeting was chaired by Anita K. Jones, Lawrence R. Quarles Professor of Engineering and Applied Science, the University of Virginia. The steering committee consisted of Tom Bozek, Office of the Secretary of Defense; Michael Caloyannides, Mitretek Systems; and Carl Landwehr, Mitretek Systems. Meeting participants (Appendix B) included experts in information security, law, national defense, and law enforcement. The meeting agenda is given in Appendix C.
1. Introduction
Public attention to information security today tends to focus on the problem of preventing harm that results from the actions of a hostile “outsider,” such as a hacker. However, security breaches accomplished with the cooperation of (or at the instigation of) an insider can cause significant damage. For example, an insider might be able to disable certain network security mechanisms, thereby allowing a collaborator on the outside to gain access. Or, an insider might be able to electronically transmit large volumes of sensitive information without ever being subjected to physical search. The compromised or actively hostile insider clearly presents a difficult challenge for the manager or security practitioner.
The classic insider attack in which an individual uses authorized access to a computer system to view a sensitive piece of information, memorizes it, and then divulges it at a future date in a different location seems impervious to straightforward technological solutions. However, it may be possible to develop technologies that can mitigate the damage done when such individuals use technological means to assist in the information transfer or are more interested in sabotage than espionage. Technology can also be employed that increases the likelihood that the individual will be caught. Nevertheless, dealing with the insider threat inevitably involves organizational policies, practices, and processes as well as technological approaches. For example, in an environment in which most employees are trustworthy, what policies, practices, and processes can be implemented that will help to cope effectively with the insider threat?
The CSTB meeting’s initial focus was on the threat to classified systems and information because the political and organizational issues that often arise with protection policies and practices (e.g., rights to privacy) are considerably fewer and less intense than if