Summary of Discussions at a Planning Meeting on Cyber-Security and the Insider Threat to Classified Information

Meeting of November 1–2, 2000 on

Cyber-Security and the Insider Threat to Classified Information

CYBER-SECURITY AND THE INSIDER THREAT TO CLASSIFIED INFORMATION

In order to determine whether to conduct a study on cyber-security and the insider threat to classified information, the Computer Science and Telecommunications Board (CSTB) of the National Academies (described in Appendix A) hosted a meeting on November 1–2, 2000 to advise CSTB on the issues that such a study might address.

Meeting participants endorsed the concept that CSTB should undertake a project that would examine high-grade threats (by definition including insider threats) to high-value information systems. Such a study should focus both on national security concerns and classified systems and on non-classified, commercial enterprises.

The meeting was chaired by Anita K. Jones, Lawrence R. Quarles Professor of Engineering and Applied Science, the University of Virginia. The steering committee consisted of Tom Bozek, Office of the Secretary of Defense; Michael Caloyannides, Mitretek Systems; and Carl Landwehr, Mitretek Systems. Meeting participants (Appendix B) included experts in information security, law, national defense, and law enforcement. The meeting agenda is given in Appendix C.

1. Introduction

Public attention to information security today tends to focus on the problem of preventing harm that results from the actions of a hostile “outsider,” such as a hacker. However, security breaches accomplished with the cooperation of (or at the instigation of) an insider can cause significant damage. For example, an insider might be able to disable certain network security mechanisms, thereby allowing a collaborator on the outside to gain access. Or, an insider might be able to transmit electronically large volumes of sensitive information without ever being subjected to physical search. The compromised or actively hostile insider clearly presents a difficult challenge for the manager or security practitioner.

The classic insider attack in which an individual uses authorized access to a computer system to view a sensitive piece of information, memorizes it, and then divulges it at a future date in a different location seems impervious to straightforward technological solutions. However, it may be possible to develop technologies that can mitigate the damage done when such individuals use technological means to assist in the information transfer or are more interested in sabotage than espionage. Technology can also be employed that increases the likelihood that the individual will be caught. Nevertheless, dealing with the insider threat inevitably involves organizational policies, practices, and processes as well as technological approaches. For example, in an environment in which most employees are trustworthy, what policies, practices, and processes can be implemented that will help to cope effectively with the insider threat?

The CSTB meeting’s initial focus was on the threat to classified systems and information because the political and organizational issues that often arise with protection policies and practices (e.g., rights to privacy) are considerably fewer and less intense than if sensitive unclassified information (especially non-governmental information) is involved. (The reason is that individuals granted access to classified information routinely sign away many rights to privacy that most people take for granted.) During the course of the meeting, however, participants often expanded the discussion to include threats other than insider threats and systems other than classified systems. Reasons for this expansion are explored in the next section.

Participants also repeatedly emphasized that security (be it in a classified or unclassified environment) is not simply a matter of applying appropriate technology. Psychological, social, managerial, and legal issues also manifest themselves; these are elaborated upon in section 3. Any security solution is a mixture of technology and of people following well-designed procedures. Some of the technological approaches that may prove helpful are discussed in section 4. Section 5 outlines possible next steps for CSTB.

2. High-Grade Threats and High-Value Targets

Meeting discussions made clear that the distinction between classified and unclassified systems was artificial from the point of view of both the technology and, in many cases, the threat. The participants concluded that the focus should be on high-grade threats against high-value targets. These targets may be classified or unclassified, but they have the property that they tend to attract attacks by organizations (including nations) that are well planned, well funded, and sustained if necessary. High-value targets also have the property that they are worth the expense of protecting in whatever way is technically and managerially feasible.

In an attempt to elucidate what is meant by the terms ‘high-value target’ and ‘high-grade threat,’ the participants discussed the relevant differences between threats to classified and non-classified information, the differences between the systems themselves, and how such differences might affect the approaches taken to combat the threat. They noted that the fundamental issue is the value of the information. Corporations protect highly sensitive and valuable information, just as the government does. Such non-governmental, non-classified, highly sensitive information (for example, an individual’s medical records or a pharmaceutical company’s drug research data) deserves strong protection. The anticipated threats will affect what kind of protective measures (both in the research community and in the practitioner community) need to be undertaken; significant threats (sometimes by the same adversary) are now made against both governments (‘traditional’ espionage) and corporations (industrial espionage). These threats may well involve insiders, but participants were reluctant to focus exclusively on insiders, due in part to the difficult boundary and definitional problems raised by the use of the term (see section 3). Participants spent some time attempting to characterize the problem in a way that would encompass a broad set of significant attacks while remaining constrained enough not to include all attacks on information systems of any sort.