Suggested Citation:"4. Technology, Present and Future." National Research Council. 2001. Summary of Discussions at a Planning Meeting on Cyber-Security and the Insider Threat to Classified Information. Washington, DC: The National Academies Press. doi: 10.17226/10197.

effective. Taking into account psychological profiles when hiring is another tactic; this can be problematic though, especially without consistent metrics to distinguish merely quirky employees from potentially dangerous individuals. Research into organizational and functional work design as it pertains to making it easier (or possible) to audit activities that would reveal undesirable insider activities was also mentioned as a way to provide management with better tools to address the problem. The broad implications of employee monitoring were not discussed.

Recent movements toward more open architectures along with more collaboration and teamwork within and across institutions present even more management challenges. In a classified environment, for example, information is supposed to be distributed on a need-to-know basis, but given a shift towards more collaborative exercises, determining who needs to know what and constraining the sharing of information to that end is difficult. Similarly, in the business world, there has been a significant movement toward embracing cooperation across organizations and sectors, but this, of course, introduces security problems. One participant characterized the dilemma in both domains by paraphrasing directives from senior management and government as, “Collaborate with everybody but build systems that are resistant to attack.”

Legal Issues

There are many legal aspects to the problem of the insider threat. First, the usual privacy and workplace surveillance issues need to be addressed when determining how, within an organization, to implement tools to decrease the possibility of insider malfeasance. In addition to this, though, is the issue of building technology that produces data (audit logs, for example) that meet acceptable legal and forensic standards. The interplay between employment laws and the need for system security is also a concern. For example, termination of suspected individuals may not occur immediately, and thus such people may maintain access to sensitive information while the necessary paperwork goes through channels. Finally, sophisticated adversaries can take advantage of jurisdictional differences and route their attacks through non-cooperating jurisdictions. The jurisdictional challenges are complicated by the fact that under U.S. law search warrants are geographical in nature.

4. Technology, Present and Future

Participants in the meeting discussed several technological tools and strategies that may help mitigate the insider threat. These technological approaches ranged from better authentication and access control techniques to biometrics and application-based audit trails. The pros and cons of many of these approaches were debated.

Technologies in Use and Their Limitations

Authentication, access control, and audit trails are three well-understood technologies that can be used in combating the insider threat. Using these mechanisms to enforce strict accountability can be effective, but in practice they are often not as successful as they might be. Participants agreed that understanding why this is the case⁴ and how to use available tools more effectively might be more useful than generating new research in these specific areas. Internal firewalls were also mentioned as a technique to achieve better protection against insider misuse.

Due to the vast amounts of data that are collected in audit logs, it can be difficult to glean relevant information from them. However, even when not useful for on-the-fly analysis, audit logs, if properly created and secured, can be used as forensic evidence after the fact. Unfortunately, retaining large volumes of audit logs for long periods is quite expensive. Cost is always a factor. Participants pointed out that large amounts of money have been spent on nuclear security with good results. Risk management thus becomes a significant factor in deciding what amount of effort and resources to allocate to combating the insider threat. As another example, credit card companies go to great lengths to prevent and detect fraud. It was argued that the percentage of false positives (valid transactions deemed invalid) and false negatives (invalid transactions deemed valid)⁵ that such companies will accept is much greater than that acceptable in some other domains (such as national security).
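One way to make audit records usable as evidence after the fact is to chain them so that any later edit, deletion or reordering is detectable. The block below is an added example, not code from the original report: each record carries an HMAC over its canonical JSON and the previous record's tag, and the newest tag is published off the host (here merely kept in a variable) so that truncation of the tail is also caught. The event records, the key and the field names are constructed for the demonstration; in practice the key must live on a separate log host that the monitored administrator cannot read.

```python
"""Tamper-evident audit log (added example, constructed data).

Each record's tag is HMAC-SHA256(key, previous_tag || canonical_json(record)),
so editing, deleting or reordering a record changes every tag after it.
The newest tag is published to a second system so tail truncation is caught.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = b"\x00" * 32          # anchor for the first record (assumed fixed constant)


def _canonical(record: dict) -> bytes:
    # Writer and verifier must serialise identically: sorted keys, no whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev_tag: bytes, record: dict) -> bytes:
    return hmac.new(key, prev_tag + _canonical(record), hashlib.sha256).digest()


class AuditLog:
    def __init__(self, key: bytes, entries=None):
        self.key = key
        # Copy so that the scenarios below tamper with a clone, not the original.
        self.entries = [(dict(r), t) for r, t in (entries or [])]

    def append(self, record: dict) -> str:
        prev = bytes.fromhex(self.entries[-1][1]) if self.entries else GENESIS
        tag = _tag(self.key, prev, record).hex()
        self.entries.append((dict(record), tag))
        return tag

    def head(self) -> str:
        """Tag of the newest record; this is what gets published off-host."""
        return self.entries[-1][1] if self.entries else GENESIS.hex()

    def verify(self, published_head: Optional[str] = None) -> tuple:
        """Return (ok, index). On failure, index is the first record that does not
        fit the chain, or len(entries) when only the published head differs."""
        prev = GENESIS
        for i, (record, tag_hex) in enumerate(self.entries):
            expected = _tag(self.key, prev, record).hex()
            if not hmac.compare_digest(expected, tag_hex):
                return (False, i)
            prev = bytes.fromhex(expected)
        if published_head is not None and not hmac.compare_digest(prev.hex(), published_head):
            return (False, len(self.entries))
        return (True, len(self.entries))


# Constructed events; fields chosen to answer who did what to which object and when.
SAMPLE_EVENTS = [
    {"ts": "2000-11-01T09:00:00Z", "actor": "alice", "action": "login", "object": "ws-17", "result": "ok"},
    {"ts": "2000-11-01T09:02:10Z", "actor": "alice", "action": "read", "object": "/proj/budget.doc", "result": "ok"},
    {"ts": "2000-11-01T09:05:33Z", "actor": "bob", "action": "read", "object": "/proj/plans.doc", "result": "denied"},
    {"ts": "2000-11-01T09:07:41Z", "actor": "bob", "action": "copy", "object": "/proj/plans.doc", "result": "ok"},
    {"ts": "2000-11-01T09:08:02Z", "actor": "bob", "action": "logout", "object": "ws-04", "result": "ok"},
]


def run_scenarios(key: bytes = b"constructed-demo-key") -> dict:
    """Build the log, then check three after-the-fact manipulations."""
    log = AuditLog(key)
    for event in SAMPLE_EVENTS:
        log.append(event)
    published = log.head()                       # in practice sent to a separate log host
    results = {"intact": log.verify(published)}

    edited = AuditLog(key, log.entries)
    edited.entries[3][0]["result"] = "denied"    # rewrite bob's successful copy as a denial
    results["edited"] = edited.verify(published)

    dropped = AuditLog(key, log.entries)
    del dropped.entries[3]                       # remove the copy record altogether
    results["dropped"] = dropped.verify(published)

    truncated = AuditLog(key, log.entries[:-1])  # chop off the newest record
    results["truncated"] = truncated.verify(published)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>10}: {outcome}")
```

Chaining only makes modification detectable; an administrator who can read the key can recompute the tags, which is why the key and the published head belong on a second system. The retention cost discussed above is unchanged by this: the chain adds one 32-byte tag per record.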

The mix of technologies employed in effecting information security deserves scrutiny. Questions that need to be asked include: What set of tools, technologies and strategies constitutes good security practice? Is there a widely accepted standard? If so, is it possible to reduce it to a set of business rules? If not, how could such a standard be developed? Participants identified a significant amount of technology that seems mature but whose application and/or implementation is less than optimal. The reasoning behind decisions about why and when such technology is deployed needs to be understood and communicated. Adding to the complexity, different security mechanisms are deployed in different environments. Often, strong security measures are not applied because the implementation is too difficult or too user-unfriendly. Further examination of how to make better use of available technology is needed. Distinguishing between best security practices and best business practices may prove useful in articulating the issues involved. Participants acknowledged the challenges in communicating technical security concerns to managers whose attention is often elsewhere.

⁴ Suggested reasons for the lack of success resulting from the use of current tools include difficulty of implementation, challenges to administration and maintenance, and poor management.

⁵ It was noted that credit card companies collectively lose on the order of $1 billion per year and are willing to accept this amount of loss.

Emerging Tools

There are a number of new research areas related to information security being explored. A list of potential research topics, some already underway, includes:

  • Attack specification languages

  • Intrusion detection (signature-based, anomaly detection, object-based, distance measures, policy-based)

  • New models of insider threat versus outsider threat

  • Authentication of roles, rights, privileges

  • Semantics of authorized access

  • Automated, dynamic revocation of privileges

  • Profiling patterns of user behavior

  • Response approaches (automated, recovery, reconstitution)

  • Application-based intrusion detection

  • Instrumentation of commercial off-the-shelf (COTS) applications

  • Continuous biometrics

  • Software for monitoring the system administrator

  • Component verification

  • Fingerprinting of documents

  • Tagging technologies

A Rand workshop in August of 2000⁶ on the insider threat generated the following as the top research areas to which attention should be devoted in the next two to five years:

  • Survivable architecture frameworks

  • Differential access controls

  • Provenance

  • Mobile code (protect code from attack as well as systems from malicious code)

It was emphasized repeatedly that the insider threat and cyber-security problem is not merely a technological one. Good policies and policy enforcement are also necessary. Research is needed in how to define, describe, manage, and manipulate security policies. Systems can be abused through both bad policy and bad enforcement. Tools are needed to make setting and enforcing policy easier.
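The distinction between bad policy and bad enforcement can be made concrete with a small need-to-know policy and two ways of enforcing it. The block below is an added example, not the report's own material, using constructed users, documents and labels: a session that evaluates the policy once at login keeps granting access after the user is revoked (the termination lag noted under Legal Issues), whereas a reference monitor that consults the live policy on every access denies immediately; a policy with the compartment check waived shows the opposite failure, a faithful monitor enforcing an over-permissive rule.

```python
"""Need-to-know policy with two enforcement styles (added example; users,
documents and labels are constructed for the demonstration)."""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()


@dataclass
class Policy:
    clearances: dict                      # user -> Label
    revoked: set = field(default_factory=set)
    need_to_know: bool = True             # False models a rule loosened "for collaboration"

    def decide(self, user: str, doc: Label) -> tuple:
        """(allowed, reason) for user reading a document carrying this label."""
        if user in self.revoked:
            return (False, "revoked")
        clearance = self.clearances.get(user)
        if clearance is None:
            return (False, "unknown user")
        if LEVELS[clearance.level] < LEVELS[doc.level]:
            return (False, "insufficient clearance")
        if self.need_to_know:
            missing = doc.compartments - clearance.compartments
            if missing:
                return (False, "no need-to-know: " + ",".join(sorted(missing)))
        return (True, "granted")


class CachedSession:
    """Bad enforcement: the policy is evaluated once at login and the answers reused,
    so a later revocation never reaches this session."""
    def __init__(self, policy: Policy, user: str, docs: dict):
        self.decisions = {name: policy.decide(user, label) for name, label in docs.items()}

    def read(self, name: str) -> tuple:
        return self.decisions[name]


class ReferenceMonitor:
    """Complete mediation: every read consults the live policy."""
    def __init__(self, policy: Policy, docs: dict):
        self.policy, self.docs = policy, docs

    def read(self, user: str, name: str) -> tuple:
        return self.policy.decide(user, self.docs[name])


DOCS = {                                   # constructed labels
    "plans": Label("TOP SECRET", frozenset({"ALPHA"})),
    "design": Label("SECRET", frozenset({"ALPHA"})),
    "budget": Label("SECRET"),
}


def constructed_policy() -> Policy:
    return Policy({
        "alice": Label("TOP SECRET", frozenset({"ALPHA"})),
        "bob": Label("SECRET", frozenset({"BETA"})),
    })


def run_scenarios() -> dict:
    policy = constructed_policy()
    session = CachedSession(policy, "bob", DOCS)     # bob logs in while still employed
    monitor = ReferenceMonitor(policy, DOCS)
    out = {
        "alice_plans": monitor.read("alice", "plans"),
        "bob_budget": monitor.read("bob", "budget"),
        "bob_design": monitor.read("bob", "design"),   # cleared high enough, wrong compartment
        "bob_plans": monitor.read("bob", "plans"),     # not cleared high enough
    }
    policy.revoked.add("bob")                        # termination finally takes effect
    out["cached_after_revoke"] = session.read("budget")
    out["monitor_after_revoke"] = monitor.read("bob", "budget")
    # Bad policy, faithful enforcement: with the compartment check waived the monitor
    # correctly grants what the policy (wrongly) allows.
    loose = constructed_policy()
    loose.need_to_know = False
    out["loose_bob_design"] = ReferenceMonitor(loose, DOCS).read("bob", "design")
    return out


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:>20}: {decision}")
```

The two failures need different fixes: the cached session is repaired by re-checking the policy on each access (or by bounding the cache lifetime to the acceptable revocation delay), while the loosened policy cannot be repaired by any enforcement mechanism, only by changing the rule.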

Another issue raised was the question of how to begin focusing security techniques at the application level, both centralized and distributed. Application-level audits to examine usage patterns (presuming that normal use of a particular application is well-defined) could be integrated with other kinds of audits to provide a more robust picture of system usage. In addition, a list of applications that are most often exploited by insiders could be used to provide guidance as to where attention should be focused. On the other hand, this runs the risk of an escalating ‘arms race’ as attackers become aware of the common knowledge and then focus their attentions elsewhere.
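An application-level audit of the kind described, as an added example not taken from the report: the document-management log lines are constructed, a per-user baseline of daily distinct documents and projects is learned from five days of normal use, and a later day is scored against it. The log format, the `k` multiplier and the standard-deviation floor are assumptions made for the demonstration.

```python
"""Application-level usage profiling (added example, constructed log lines).

Learns, per user, how many distinct documents a normal day involves and which
projects are normally touched, then scores a later day against that baseline.
The log format, the k multiplier and the std-dev floor are assumptions.
"""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} app=(?P<app>\S+) "
    r"user=(?P<user>\S+) action=(?P<action>\S+) doc=(?P<doc>\S+)$"
)


def parse(lines):
    """Return one dict per well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def project_of(doc: str) -> str:
    return doc.split("/")[2]          # "/proj/alpha/doc0.txt" -> "alpha"


def build_baseline(events, std_floor: float = 1.0) -> dict:
    daily = defaultdict(lambda: defaultdict(set))   # user -> date -> distinct docs
    projects = defaultdict(set)                      # user -> projects seen
    for e in events:
        if e["action"] != "open":
            continue
        daily[e["user"]][e["date"]].add(e["doc"])
        projects[e["user"]].add(project_of(e["doc"]))
    baseline = {}
    for user, days in daily.items():
        counts = [len(docs) for docs in days.values()]
        std = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        # Floor the spread so a perfectly regular user is not flagged for one extra document.
        baseline[user] = {"mean": statistics.fmean(counts), "std": max(std, std_floor),
                          "projects": set(projects[user])}
    return baseline


def score_day(baseline: dict, events, k: float = 3.0) -> dict:
    """Return {user: [reasons]} for users whose day deviates from their baseline."""
    docs, projs = defaultdict(set), defaultdict(set)
    for e in events:
        if e["action"] != "open":
            continue
        docs[e["user"]].add(e["doc"])
        projs[e["user"]].add(project_of(e["doc"]))
    alerts = {}
    for user, seen in docs.items():
        reasons = []
        b = baseline.get(user)
        if b is None:
            reasons.append("no baseline for user")
        else:
            limit = b["mean"] + k * b["std"]
            if len(seen) > limit:
                reasons.append(f"volume {len(seen)} > {limit:.1f}")
            novel = projs[user] - b["projects"]
            if novel:
                reasons.append("new projects " + ",".join(sorted(novel)))
        if reasons:
            alerts[user] = reasons
    return alerts


def _line(day: int, hour: int, user: str, doc: str) -> str:
    return f"2000-11-{day:02d} {hour:02d}:00:00 app=docmgr user={user} action=open doc={doc}"


def constructed_lines():
    """Five ordinary days, then a sixth on which bob pulls documents from projects
    he has never touched. One malformed line is included to exercise the parser."""
    history = []
    for day in range(1, 6):
        for i in range(3 + day % 2):
            history.append(_line(day, 9 + i, "alice", f"/proj/alpha/doc{i}.txt"))
        for i in range(2 + day % 2):
            history.append(_line(day, 9 + i, "bob", f"/proj/beta/doc{i}.txt"))
    day6 = [_line(6, 9 + i, "alice", f"/proj/alpha/doc{i}.txt") for i in range(3)]
    day6 += [_line(6, 10 + i, "bob", f"/proj/{p}/doc{i}.txt")
             for p in ("beta", "alpha", "gamma") for i in range(3)]
    day6.append("2000-11-06 14:00:00 truncated record")
    return history, day6


def run_demo(k: float = 3.0) -> dict:
    history, today = constructed_lines()
    return score_day(build_baseline(parse(history)), parse(today), k)


if __name__ == "__main__":
    print(run_demo())
```

The multiplier `k` is the false-positive/false-negative dial discussed earlier in this chapter: lowering it catches smaller deviations at the cost of flagging legitimately busy days, and the floor on the standard deviation keeps a perfectly regular baseline from alerting on a single extra document. The "new projects" reason is the need-to-know signal: a user reaching outside the compartments they normally work in is worth a look even when the volume is unremarkable.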

A particularly useful area of investigation would be to gain a more complete understanding of what sophisticated and successful system administrators do to protect their systems. Encapsulating that knowledge and codifying it somehow would provide insight into what the best kinds of defense are. Participants also noted that adding to system administrators’ security knowledge and overall resources would strengthen systems security.

Meeting participants emphasized that progress on this issue will be made only when researchers move beyond thinking about how to protect systems against relatively unsophisticated hackers and concentrate on how to protect against sophisticated, well-financed attackers. If the costs of attacking a system can be made high enough to deter all but the most determined, then attention can be paid to the more difficult challenge presented by the truly skilled and motivated adversary (who in many cases may well be an insider). Participants who have studied computer security over many years noted that, unfortunately, hacking information systems is becoming easier rather than more difficult. This is due to a number of factors, including the decline in the quality of COTS software, easily obtainable hacking toolsets and information, increased expertise in the general population, and poor default configurations that are not corrected by users.

⁶ The proceedings of this workshop are available at http://www.rand.org/publications/CF/CF163/.

5. Options for CSTB

A lively discussion took place about how a CSTB study in this area might best be oriented. As noted in the introduction, participants were nearly unanimous in their agreement that focusing exclusively on classified systems would not be appropriate. Several participants indicated that the Office of the Secretary of Defense (OSD) and the intelligence community can be (and likely already are) persuaded that this is a serious concern, and they would therefore be a good audience for such a study. However, limiting a study to classified networks and the classified aspects of information security would not produce as widely applicable a result as a broader conceptualization would. As has been described, corporations have very sensitive data and systems, and they invest in substantial protection just as the government does. Unclassified networks are often just as important (even in terms of national security) and just as likely to be attacked by a sophisticated adversary as are classified systems.

Participants argued that limiting such a project to classified systems would artificially constrain its sphere of influence. While acknowledging that much could be learned from a limited study that was, nonetheless, broadly applicable in the range of security issues it addressed, participants were concerned that such a limitation would also unnecessarily inhibit the size of the audience for such a report. The government currently uses COTS systems and any examination of such systems in a classified context will also likely produce useful results for those who use such systems in unclassified situations. More troubling is the possibility that a report focused only on classified systems (and the weaknesses in security thereof) could be used against the government were the report to lay out best practices that are not currently in place. CSTB has a history of examining governmental requirements versus commercial requirements and explicating the similarities and differences thereof, making a project of this scope feasible.

NEXT STEPS:

The participants in this meeting encouraged CSTB to develop a proposal for a study to examine high-grade threats (including insider threats) to high-value information systems. The study should focus both on national security concerns and classified systems as well as non-classified, commercial enterprises.

This is a summary of discussions at a planning meeting held November 1-2, 2000 to examine the prospects of initiating an NRC study on cyber-security and the insider threat to classified information. The meeting's focus was on the threat to classified systems and information because the political and organizational issues that often arise with protection policies and practices (e.g., rights to privacy) are considerably fewer and less intense than if sensitive unclassified information (especially non-governmental information) is involved. The meeting also addressed threats other than insider threats as well as non-classified computer systems.