Perhaps it’s the books I’ve been reading or the television shows I’ve been watching, but my mind can’t seem to stop linking the recent barrage of cybersecurity attacks with those ne’er-do-wells that plagued the Caribbean from 1650 through the 1730s. Yes, I’m talking about pirates, but not the Errol Flynn/Johnny Depp-style buccaneer, more the Edward Teach model, the notorious “Blackbeard.” One of Blackbeard’s most infamous successes occurred in Charleston, South Carolina in 1718 when he blockaded Charleston Harbor and held some of the town’s leading citizens for ransom. Rather than demand the typical jewels and money, Blackbeard wanted something else – he held both the town and its people ransom for £300 of medicine. After a circus of errors conspired to delay the ransom payment, Blackbeard received his medicine and released both the harbor and his prisoners – minus, of course, much of their finer possessions (they were pirates after all) – and sailed off into legend. So what does this jaunt down piracy lane have to do with cybersecurity and federal contractors? Simple, sometimes we don’t know what’s really of value and how that value can be used. Case in point – the OPM breach.
Unless you’ve been living in the 18th century you are aware that the records of approximately 4 million current and former federal employees were compromised as a result of a recently disclosed network breach at the Office of Personnel Management (“OPM”). The full extent of what was stolen remains unclear (as with most breaches), but it is currently believed that the attackers gained access to information such as Social Security numbers, job assignments, performance ratings, training information, and, most troubling, the information resident on the Standard Form 86 (“SF-86”), Questionnaire for National Security Positions. The SF-86 is a 127 page form contractors and federal employees complete in advance of background checks for security clearances. As such, the forms contain a wealth of sensitive – near-confessional – data, not only about the clearance-seeking workers, but also about their friends, spouses, family members, and foreign nationals with whom they interact. That information, in the hands of federal investigators, allows for the vetting of the keepers of the national security kingdom. But that same information – which may include financial information, criminal history, psychological records, and information about past drug use – can take on a decidedly more nefarious tone in the hands of … well, the people who now have access to it. But, unlike credit card numbers or identity theft, the more granular OPM information on individuals may pose a threat to employers as it could allow the bad actor to ransom an individual’s sensitive information and his/her reputation, in exchange for an employer’s trade secret, an open door, or the simple act of plugging in a thumb drive.
According to DHS’ National Cybersecurity and Communications Integration Center and the Federal Bureau of Investigation, an individual’s “vulnerability to blackmail” is a key indicator in identifying if that individual may pose an internal threat to his/her employer – be it the Federal Government or a federal contractor. The risk posed by that individual can vary, but that variance is largely due to motivation. For example, while poor cyber-sanitation can lead to a significant, albeit inadvertent, disclosure, imagine the harm that could be caused by an irritated employee or – gulp – an angry, put-upon, member of IT. Companies with formalized insider threat programs may be able to respond or address these somewhat common – but no less difficult – scenarios. But when blackmail enters the arena, you get the worst of both worlds: you get an educated and dedicated bad-actor directing the activity of an unassuming and seemingly unassailable employee. At the risk of stating the obvious, it’s hard to see that coming and that is a “bad thing.”
What’s worse is that this “bad thing” is happening at a “bad time” for the Government. Back in November, this blog informed readers about DoD D 5205.16, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, DoD’s insider-threat program policy that required components to issue respective insider-threat policies and implementation plans. However, according to a June 2015 GAO report, DoD is dragging its anchor. According to the investigation’s findings, while the components assessed have begun implementing the six minimum standards mandated in Executive Order 13587 to protect classified information and systems, those same components “have not consistently incorporated all recommended key elements.” For example, the report states that only three of the six components examined have “developed a baseline of normal activity” for their component. This is noteworthy because the development of a baseline is not only a “key element” of an effective insider threat identification and mitigation program, it is literally its foundation – you can’t gauge when something looks odd if you don’t know what normal looks like. The GAO cited this (fundamental) shortcoming as the result of DoD’s failure to “issue guidance that identifies recommended actions beyond the minimum standards that components should take to enhance their insider-threat programs.” The GAO report goes on to suggest that DoD’s efforts to assess its current insider threat programs and that of its components fail to adequately analyze gaps or incorporate risk assessments into its programs. In sum, while DoD struggles to do only what is minimally required of it, GAO found that “the department will not know whether its capabilities to address insider threats are adequate and address statutory requirements.”
Federal contractors are sailing on stormy seas and should not share the Government’s laissez-faire attitude toward insider threats – especially now. If a company has individuals with security clearances, it may be time to reinforce and remind employees of the risks and obligations accompanying their clearance. This conversation, however, should not be accompanied by saber rattling and pistol pointing; it should be an open discussion intending to assuage fears and encourage individuals with a “vulnerability to blackmail” to come forward should they find themselves at the end of a plank, sword at their back. The events at OPM serve as a reminder that there are black flags on the horizon and we may not know the intended target or plane of attack. As a result, companies need to ensure all hands are on deck with a unified mission to repel the invaders – from wherever they may come.
(Join Alex for Federal Publication Seminars’ complimentary webinar “The Cyber Insider Threat – Detecting and Protecting” at 1:00 pm EST on August 13, 2015 as he and colleague Christine Couvillon discuss best practices for dealing with the insider threat, details available here.)
This post first appeared in the Government Contracts Blog.