Sunday, July 12, 2015

Data Rupture: The Risk of Over-Classification...

As a result of the latest "data rupture" at the U.S. Office of Personnel Management (OPM), there are several Operational Risk factors to consider.  The issues most people are focused on dwell on a lack of proper information security controls, or on antiquated technologies that have not kept up with the speed of the modern asymmetric threat.

However, this is not the primary problem that needs to be resolved.  The problem definition has been discussed in the wings of government for many years.  The root of the discussion is really a personnel hiring process combined with a human resources function.  The next level of the debate has to do with the classification of information: the process by which certain types and kinds of information are classified at different levels of sensitivity.

In terms of vetting an employee for employment, the private sector and the government (employee or contractor) are very similar for non-executive personnel at the "Secret" level of classification.  You could extend the analogy: once you move to an executive level in the private sector, you may be vetted more thoroughly, including more extensive checks of references, interviews with others and a deep dive into financial affairs.  This is more in line with the "Top Secret" level of clearance in the government.
Call it a “data rupture”: Hack hitting OPM affects 21.5 million
Highly personal data from background clearances are a data bonanza to spies.


by Dan Goodin - Jul 9, 2015 6:10pm EDT

Last year's massive hack of the US Office of Personnel Management's security clearance system affected 21.5 million people, including 1.8 million people who didn't apply for a background investigation, officials said Thursday, making it official that the breach was the worst in US government history.

The new figure includes most, if not all, of the 4.2 million people the agency previously said were exposed in a separate breach of personnel files. The much larger number resulted from the hack in June or July of last year on the system used to conduct background checks on contractors and other private sector employees, as well as federal workers. Some 1.1 million of the stolen records included applicants' fingerprints. Background checks for people applying with the Central Intelligence Agency weren't affected because that agency conducts its own security clearance investigations.
The tagging of information at the point of creation, inside the walls of the private enterprise or the government, is the key problem set.  Deciding who needs this information to do their job, and why, is the secondary factor.  We all need information to do our assigned jobs and tasks.  When information is tagged as "For Official Use Only", "Confidential", "Secret" or "Top Secret" in the government, there is a reason.  The classification system:
The United States government classification system is established under Executive Order 13526, the latest in a long series of executive orders on the topic.[1] Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the regulations codified to 32 C.F.R. 2001. It lays out the system of classification, declassification, and handling of national security information generated by the U.S. government and its employees and contractors, as well as information received from other governments.[2]
The desired degree of secrecy about such information is known as its sensitivity. Sensitivity is based upon a calculation of the damage to national security that the release of the information would cause. The United States has three levels of classification: Confidential, Secret, and Top Secret. Each level of classification indicates an increasing degree of sensitivity. Thus, if one holds a Top Secret security clearance, one is allowed to handle information up to the level of Top Secret, including Secret and Confidential information. If one holds a Secret clearance, one may not then handle Top Secret information, but may handle Secret and Confidential classified information.
When you work as an employee of a private company, there is a documented personnel hiring process.  The early part of the process is in some cases outsourced to recruiting agencies, just as the government uses contractors to process many of its background investigations.  In both cases, the reason is evident: does the person being considered for employment pose a risk to the enterprise?

The purpose of the discussion now is to look at the information: the tagging of information at its origin, whether in the private sector or government.  Who decides what sensitivity to put on the document, picture, video, spreadsheet, text, audio or other data element?  How do you ensure that only people with the correct level of security clearance can view, read or listen to the information? (Access Controls)  Certainly the salary levels of all employees inside a private sector company are sensitive, and only certain people have the authority and the need to see this information.  The assurance of information is critical: Confidentiality, Integrity and Availability.  It is no different in the government.  So what is the common thread?
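The two questions above (which clearance level may read which classification, and whether a given person actually needs the access their clearance grants) can be made concrete in code.  The example below is added here and is not part of the original post or of any government system.  It encodes the three-level ordering quoted above (Confidential below Secret below Top Secret) as a "no read up" dominance check, and adds two assumptions that the post does not spell out: an "Unclassified" baseline below Confidential, and need-to-know category tags on a label.  The documents, people and access needs are constructed sample data.

```python
from dataclasses import dataclass

# Ordering of the three classification levels described in the post, plus an
# unclassified baseline (assumption: the post does not rank FOUO or unclassified
# material, so anything not classified is treated as level 0).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    # Need-to-know categories are an assumption for this example; the post only
    # says "who and why a person needs this information".
    categories: frozenset = frozenset()


def dominates(clearance: Label, classification: Label) -> bool:
    """Subject label dominates object label when its level is at least as high
    AND it carries every need-to-know category the object requires."""
    if clearance.level not in LEVELS or classification.level not in LEVELS:
        raise ValueError("unknown classification level")
    return (LEVELS[clearance.level] >= LEVELS[classification.level]
            and classification.categories <= clearance.categories)


def can_read(clearance: Label, classification: Label) -> bool:
    """'No read up': a Secret clearance reads Secret and Confidential, not Top Secret."""
    return dominates(clearance, classification)


def over_cleared(clearances: dict, documents: dict, needs: dict) -> dict:
    """Audit for the over-classification problem the post describes.

    For each person, compare the level held with the highest level among the
    documents they are recorded as needing.  Returns
    {name: (level held, highest level actually needed)} for everyone whose
    clearance exceeds what their work requires.
    """
    result = {}
    for name, clearance in clearances.items():
        needed_rank = max((LEVELS[documents[t].level] for t in needs.get(name, set())),
                          default=0)
        if LEVELS[clearance.level] > needed_rank:
            needed_level = next(k for k, v in LEVELS.items() if v == needed_rank)
            result[name] = (clearance.level, needed_level)
    return result


# Constructed sample data (not real documents, people or clearances).
DOCUMENTS = {
    "cafeteria menu": Label("Unclassified"),
    "salary table": Label("Secret"),
    "program X plan": Label("Top Secret", frozenset({"X"})),
}
CLEARANCES = {
    "alice": Label("Top Secret", frozenset({"X"})),
    "bob": Label("Top Secret"),        # cleared high, but never reads TS material
    "carol": Label("Secret"),
}
NEEDS = {
    "alice": {"program X plan", "salary table"},
    "bob": {"salary table"},
    "carol": {"salary table", "cafeteria menu"},
}

if __name__ == "__main__":
    for who, clr in CLEARANCES.items():
        for title, lbl in DOCUMENTS.items():
            print(f"{who:6} {title:15} read={'yes' if can_read(clr, lbl) else 'no'}")
    print("over-cleared:", over_cleared(CLEARANCES, DOCUMENTS, NEEDS))
```

Note that bob holds Top Secret yet cannot read "program X plan" because he lacks the need-to-know category, and the audit flags him as cleared one level above anything his work touches, which is exactly the mismatch between the clearance held and the clearance needed that the rest of this post argues about.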
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).[1]
The failure at OPM is complex, and no different in its complexity from the data breach at Target Corporation.  Both incidents were, and are, the basis for case studies in academic Information Security classes.  Each has its idiosyncrasies in terms of the actual breach methodologies and the tools used by the adversaries.  So what?

One has to question the need for so many people in the government to hold "Top Secret" security clearances.  When you look at the numbers, it is staggering.  It almost seems that the government's process for hiring good people made the ability to obtain a "Top Secret" clearance a requirement, even though the likelihood that the person would ever be exposed to, or asked to review, "Top Secret" information was low.  The failure is that so many people were required to obtain Top Secret clearances when it was not really a factor in the job they were doing or would ever do.

Now that the "Chinese hackers" (the so-called suspects) have our SSNs, dates of birth, previous addresses (and the same for family members), financial details and other references in their database, only time will tell which individuals will be targeted and for what.  So for those "Chinese hackers," here is a news flash:

"NOT ALL THE PEOPLE WITH GOVERNMENT TOP SECRET CLEARANCES HAVE REVIEWED TOP SECRET INFORMATION"

This is why much of the hiring and background process that is part of the human resources system is out of sync with the information classification process and with what someone actually needs to do their particular tasks in the enterprise.  The level of security clearance has unfortunately become a badge of acceptance and of perceived importance.  Just look at the number of LinkedIn profiles today where someone openly declares their particular level of security clearance with the government.  Why do people do this?

What is part of the solution to the defined problem set?

1.  Thoroughly address the defined problem of over-classification.

2.  Everything else depends on the success of solving #1.

Operational Risk Management (ORM) is about the risk of loss resulting from inadequate or failed processes, people and systems or from external events.