Well, here we go again. Harold Martin, a contractor formerly working for the National Security Agency, was arrested by the FBI for allegedly stealing and disclosing classified computer codes. We're in for another round of investigations, wonderment and questions of: "How could you have let this happen?" My brain hurts just thinking about all the commotion, damage and accusations that are destined to come.
This story, which will inevitably take months to sort out, got me thinking about an old Chilton car repair manual I used to have.
In the past, I enjoyed working on cars. I could fix carburetor, transmission and engine problems by referring to a Chilton manual and having the right wrenches and other tools at my disposal. I usually got the car up and running despite temporary damage to my pride, my knuckles or both. I recall one incident when the transmission on my Triumph Spitfire went out. While reading my Chilton manual and removing the last retaining bolt, I learned a valuable lesson about gravity and the weight of a transmission thanks to not having the proper hydraulic lift in place.
Old and reliable meets new and unfamiliar
When I look at my old Chilton manual and attempt to apply it to repairing today’s vehicles, it just doesn’t work out. Modern cars are not the same as my 1974 Triumph. Technology and innovation have completely altered the car repair world I used to enjoy. I get the same feeling when I tell the younger generation I work with to turn counterclockwise to loosen a nut or bolt. They don’t get the concept — most digital timepieces no longer have sweep second hands and the reference is lost on them.
Well, it continues to be a nagging idea in the back of my mind that we are using outdated manuals in our quest to counter insider threats. We continue to follow policies and procedures that no longer apply in the fast-paced and ever-changing world of the digital age when dealing with insider threats and cyberattacks.
For example, the age-old background investigation conducted on those people who work in the classified realms and with government secrets is outdated. I have personally been through many background checks and periodic reviews. I always find it fascinating that the government continues to verify where I live, talk to my neighbors, and look through police and financial records to prove again and again that I am me. I wonder how many spies have been caught using this process.
In my professional opinion, the number is very likely close to zero. Background checks are good at verifying the past but absolutely useless at predicting future behavior.
I presume that Snowden, Manning and Martin all passed background checks and other screening devices like polygraph examinations. But in the end, they and others made choices after being screened to do the wrong thing — regardless of their stated intentions. I’m not here to judge their intentions; in the end, however, they each took data that did not belong to them.
It just feels like the government is using an old Chilton manual to fix the differential on a 2016 Mustang GT.
Point of entry
One area that keeps coming to mind is the endpoint. Everyone has to use some device to enter any system and access information. Whether it’s typing commands on a computer keyboard, tapping the touchscreen of a smartphone or using a voice-activated assistant like Apple’s Siri, access begins somewhere, and people are the universal endpoint.
Endpoint devices are often overlooked sources of evidence for a variety of reasons, but that can’t continue. The intelligence these devices can provide is a key indicator of which behaviors might signal that nefarious activity is taking place.
The Chilton-manual methodology we’ve employed for so long can’t cope with the mountain of evidence generated by these endpoints, and there isn’t a wrench in our traditional toolkit that fits the bolt we’re trying to loosen. Both our approach to facing these threats and the tools we use to accomplish that task need to be upgraded — likely by more than a couple of iterations.
Another reason I believe insider threat programs fail is organizational failure.
Too many times, I’ve heard someone say: "Oh, that is an IT issue;" or "That is a cyber issue;" or "Why doesn’t law enforcement take this action?" These statements are symptomatic of a rigid and limited approach to a dynamic and evolving issue.
If you follow my logic, we continue to rely upon our old ways of doing things in a digital world. If you open the hood of your car, it is no surprise that yesterday’s Chilton manual is no longer applicable. And in the insider threat world, it no longer applies that we can segregate all the various departments and disciplines from each other and be successful. In order to be agile enough to counter threats, organizations must be built for agility.
As organizations, we are stuck in the mode of naming who’s responsible for the leakage or what department should be responsible for a particular event. That seems like another Chilton response in a digital world. I believe a better and more successful way to combat the threat is not to attempt to parse responsibility but to have the counter-insider threat organization be responsible for all events.
With advocacy, authority and agility granted to the program while bringing the supporting policies, procedures and operations into the digital world, the program has at least a decent chance of success.
Keith Lowry is the senior vice president of Nuix USG and Nuix's Business Threat Intelligence and Analysis division. He served as chief of staff to the deputy undersecretary of defense for human intelligence, counterintelligence and security at the Pentagon, as well as an information security consultant in the private sector.