Feds to unveil insider threat defense plan by year end
- 05 April, 2012 07:53
In the aftermath of the embarrassing leak of hundreds of thousands of sensitive government and military documents to the whistleblower website WikiLeaks, the Obama administration formed an interagency task force to refine the government's defenses against insider threats.
That effort, which could inform private-sector security practices and will have a significant impact on security-cleared defense contractors, is set to wrap up this year. An initial report is expected to be issued to the White House and senior national security authorities in the next month or two, and a final set of standards and guidance for implementation is likely to roll out to the departments and agencies in October, federal officials said Wednesday here at the FOSE government IT conference.
"If you were going to put it in one word, it's focusing on the threat posed by malicious insiders," said John Swift, senior policy advisor to the Insider Threat Task Force for the office of the director of national intelligence.
President Obama issued the executive order establishing the task force in October in response to the alleged exfiltration of huge stores of classified documents by Pfc. Bradley Manning, and their subsequent publication in various global media outlets.
The executive order directs all agency heads who deal with classified information to designate a senior official to oversee the organization's activities surrounding the sharing and protecting of sensitive files, and to implement a program to detect insider threats once the task force issues its final guidelines. Those agencies will also be charged with conducting self-assessments of their compliance with the new standards and policies, and required to submit those reports to a new steering committee that the executive order established. Affected agencies will also be expected to dispatch staff, as needed, to the task force and a new Classified Information Sharing and Safeguarding Office.
That will mean a variety of new mandates for cash-strapped agencies -- always a source of concern in the government -- though the president's executive order allows that implementation of the directive is subject to the availability of funding.
Officials formulating the guidelines for deterring insider threats sought to downplay the impact their work would have on agency operations, and noted that they are seeking input from all corners of government to ensure they arrive at a practical implementation strategy that will prevent another WikiLeaks-like episode without establishing an onerous compliance burden or trampling on government employees' privacy or civil rights.
"On a macro level almost you can't be looking at one aspect of this directive. You have to be looking at systems and people," said the FBI's Diana Braun. "In other words, nobody's sitting in an ivory tower and coming up with policies that aren't possible to implement in the field."
Braun explained that the task force is not approaching the issue of insider threats with a "one-size-fits-all" mentality, but will provide agencies with some flexibility to implement the standards in accordance with the nuances of their organization.
What's more, members of the task force are urging agency heads to continue to evaluate and strengthen their existing procedures for detecting insider threats ahead of the final directive, noting that any government arm that handles or accesses classified data should already be acting in concert with a set of best practices. Even though the final standards and guidelines from the task force aren't due out until October, the administration has already tasked agencies with firming up their stance on other factors often involved in a data breach, such as the policies governing removable media, online identity management, access control and enterprise auditing.
"No agency is starting from scratch. That's the good news," Swift said. "It's going to take a while before agencies have a hard set of written standards to follow."
The precise impact that the forthcoming insider threat standards will have on the private sector is unclear, but it will likely be limited. While defense contractors with access to classified military networks will almost certainly have to hew to the forthcoming guidelines for insider threat detection, Swift explained that the president's executive order explicitly does not extend to private companies writ large. At the same time, the guidelines the government develops could inform or serve as a template for the best practices that businesses put in place, just as the task force is doing its work in consultation with the private sector.
"The executive order applies to federal agencies and departments. It doesn't apply to the private sector as a separate entity. Now, the insider threat standards that will be developed will be of use to individual companies and corporations. There's no reason why they wouldn't be of use," he said. "Having said that, the task force itself and others are reaching out to bring in the expertise of private-sector corporations so those standards are not developed in the blind."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.