Suggested Citation:"2. High-Grade Threats and High-Value Targets." National Research Council. 2001. Summary of Discussions at a Planning Meeting on Cyber-Security and the Insider Threat to Classified Information. Washington, DC: The National Academies Press. doi: 10.17226/10197.

sensitive unclassified information (especially non-governmental information) is involved. (The reason is that individuals granted access to classified information routinely sign away many rights to privacy that most people take for granted.) During the course of the meeting, however, participants often expanded the discussion to include threats other than insider threats and to include systems other than classified systems. Reasons for this expansion are explored in the next section.

Participants also repeatedly emphasized that security (be it in a classified or unclassified environment) is not simply a matter of applying the appropriate technology. Psychological, social, managerial, and legal issues also manifest themselves; these issues are elaborated upon in section 3. Any security solution is a mixture of technology and of people following well-designed procedures. Some of the technological approaches that may prove helpful are discussed in section 4. Section 5 outlines possible next steps for CSTB.

2. High-Grade Threats and High-Value Targets

Meeting discussions made clear that the distinction between classified and unclassified systems was artificial from the point of view of both the technology and, in many cases, the threat. The participants concluded that the focus should be on high-grade threats against high-value targets. These targets may be classified or unclassified, but they have the property that they tend to attract attacks by organizations (including nations) that are well planned, well funded and sustained if necessary. High-value targets also have the property that they are worth the expense of protecting them in whatever way is technically and managerially feasible.

In an attempt to elucidate what is meant by the terms ‘high-value target’ and ‘high-grade threat,’ the participants discussed the relevant differences between threats to classified and non-classified information, the differences between the systems themselves, and how such differences might have an impact on the approaches taken to combat the threat. They noted that the fundamental issue is the value of the information. Corporations protect highly sensitive and valuable information, just as the government does. Such non-governmental, non-classified, highly sensitive information (for example, an individual’s medical records or a pharmaceutical company’s drug research data) is deserving of strong protection.

The anticipated threats will have an impact on what kind of protective measures (both in the research community and in the practitioner community) need to be undertaken; significant threats (sometimes by the same adversary) are now made against both the government (‘traditional’ espionage) and corporations (industrial espionage). These threats may well involve insiders, but participants were reluctant to focus exclusively on insiders, due in part to the difficult boundary and definitional problems raised by the use of the term (see section 3). Participants spent some time attempting to characterize the problem in a way that would encompass a broad set of significant attacks while remaining constrained enough not to include every attack on information systems of any sort.


Distinctions between classified and unclassified systems were discussed and include the following:

  • The motivations for attacking classified systems are often much more serious (e.g., personal conviction, blackmail, ideological shifts) than for attacking other systems. Persons may be coerced or recruited, trained, and planted as moles.

  • Threats to classified systems often differ from other kinds of threats. A serious threat to classified systems, for example, is espionage stemming from foreign intelligence services. Such adversaries do not focus exclusively on attacks that can be executed through the Internet: insiders may be subverted, or backdoors may be built into software products. Such attackers have time, patience, and resources.

  • While systems within the Department of Defense are mandated to use commercial off-the-shelf (COTS) products, there are processes within government that slow down both upgrades (so that internal users are frustrated at not having the latest software functionality) and patch application (compromising security). Participants suggested that this problem was more pernicious in government than in the private sector.

  • The degree of testing varies between types of systems. Unclassified systems in the federal government are subject to less stringent testing than classified systems.

Notwithstanding these distinctions, there are also several similarities between the classified and non-classified spheres of influence. Information inference through data aggregation is a threat to national security as well as to corporate interests. The Department of Defense (DOD) Website, for example, has approximately 200 gigabytes of publicly accessible data from which much could be inferred. In some cases, conclusions that can be drawn might be classified while the individual pieces of data are not. Similarly, sensitive information about a corporation’s status or plans can be inferred from disparate pieces of information that are publicly accessible. The increasing amount of information that is easily publicly accessible in electronic form exacerbates this risk.

Classified and non-classified systems alike are subject to both espionage and sabotage. In some cases, access and information (espionage) may be more valuable to the attacker than causing actual damage (sabotage); in others, sabotage might be the goal. The sabotage or compromise of even unclassified networks can have national security implications since significant amounts of sensitive information are transferred over public networks. Much of the United States’ critical infrastructure is increasingly dependent upon unclassified networks for operations, which can have a large impact on national security as well.

In light of all of this, participants emphasized that attention needs to be paid to high-grade threats to both classified and non-classified information systems and that too much attention is currently given to lesser threats where solutions are often known but not implemented. A strong case was made that advocacy from the point of view of the high-grade target that receives high-grade threats is needed. In other words, serious security threats require serious attention on the part of the larger research and practitioner community. Any such efforts should encompass classified systems (national security implications) as well as commercial systems (industrial espionage). With current trends, the overlap between systems with national security implications and commercial systems will grow. The “insider” remains an intrinsic part of this problem, since high-value targets will be attacked no matter what controls are placed on them, and those attacks may often be accomplished through the actions of insiders.

3. Psychological, Social, Legal and Managerial Aspects of the Insider Threat

Meeting participants discussed a number of issues related to the intersection of psychology, sociology, and management policy that affect how best to combat the insider threat to information systems. The first concerns the definition of the term ‘insider’ and methods for understanding the motivations of persons who present an insider threat. The second is the pressing need for more data in this area. The third addresses the complexity of managing employees who are often working with seemingly contradictory or unclear goals (for example, managers who encourage substantive inter-group or inter-institutional collaboration while insisting on protection of sensitive information). The fourth concerns the legal issues that arise with respect to insider security concerns.

Differing Categories of and Motivations for Insiders

Participants acknowledged that defining the term ‘insider’ is difficult.1 Persons who constitute insider threats range from incompetent users making critical mistakes to moles who have been recruited, trained, and planted by nefarious outsiders; their motivations also vary widely and include the desire for recognition for hacking skills, ideological convictions, and monetary incentives. Determining what techniques are most appropriate in defending against the insider threat requires the consideration of at least three dimensions: the individual’s access privileges, their intent, and their technical abilities.

Need for Data and Modeling Techniques

A compelling case was made at the meeting for the need for more data on insider threats and better modeling techniques. Models of a typical ‘hacker’ have been available for a long time; while similar kinds of composites of persons likely to present an insider threat would also be useful, the requisite repository of data does not yet exist. One challenge to constructing the models and compiling the data needed for such a repository is the fact that insiders can be characterized in many different ways. For example, the behavior of the insider will likely vary depending on a wide variety of factors, including whether that person is unwitting, incompetent, coerced, vengeful, and so on. Such factors imply that simply relying on externally observable traits and behaviors in order to identify potential insiders may not prove useful.

An additional point was made at the meeting about the need for hard data on insider attacks. The salient question that must be answered satisfactorily before any particular organization will commit substantial resources to solving the insider threat is: What is the threat, both in terms of number of occurrences and in potential risks or losses

1 One possibility that was brought up is to consider malicious code that mistakenly becomes authorized to be an ‘insider’ of a sort. For the purposes of this summary, however, the term insider usually referred to a person.

This is a summary of discussions at a planning meeting held November 1-2, 2000 to examine the prospects of initiating an NRC study on cyber-security and the insider threat to classified information. The meeting's focus was on the threat to classified systems and information because the political and organizational issues that often arise with protection policies and practices (e.g., rights to privacy) are considerably fewer and less intense than if sensitive unclassified information (especially non-governmental information) is involved. The meeting also addressed threats other than insider threats as well as non-classified computer systems.