2017-03-09
By Dustin Volz and Jonathan Landay
documents describing secret CIA hacking tools shows that
intensified U.S. government efforts to prevent leaks by
intelligence agency employees and contractors have largely
failed, cybersecurity professionals and intelligence officials
say.
If the Central Intelligence Agency disclosures are confirmed
to be the work of an intelligence agency contractor, as
government investigators currently suspect, it would be at least
the third public case in recent years in which special software
and human resources programs intended to catch so-called insider
threats have not worked.
The anti-secrecy group WikiLeaks, which published the CIA
documents Tuesday, said it obtained the archive after it
circulated among former U.S. government contractors in "an
unauthorized manner."
Part of the problem in combating leaks is that the number of
government employees and contractors with access to highly
sensitive information has exploded in recent years, due in part
to greater information-sharing across the government that was
mandated in the wake of the Sept. 11, 2001, attacks.
Budget constraints that force agencies to rely on
contractors rather than permanent staff have also contributed to
the problem, intelligence officials say. Government estimates of
how many people have been granted Top Secret clearances range
from the high hundreds of thousands to more than a million
across thousands of public agencies and private companies.
Government agencies estimate that there is one insider
threat for every 6,000 to 8,000 employees, an intelligence
agency contractor said, speaking on condition of anonymity for
fear of upsetting his employer. The contractor said there is too
much sharing of information internally, with many workers having
access to material they do not need.
Recognizing the dangers, former President Barack Obama
signed an executive order creating the National Insider Threat
Task Force in 2011, following the disclosures of hundreds of
thousands of State Department cables that were stolen by former
Army private Chelsea Manning and provided to WikiLeaks.
The order covered virtually every federal department and
agency, including the Department of Education, the Peace Corps
and other offices not directly involved in national security.
The program requires federal employees to monitor co-workers
for suspicious actions based on behavioral profiling. Those who
fail to report high-risk people or behaviors could face
penalties, including criminal charges.
Insider threat investigations can also be launched when
computer network monitoring detects “suspicious user behavior,”
according to government documents.
Monitoring of prospective and current government employees
has only increased in recent years. Under a directive issued in
May 2016 by James Clapper, the former director of national
intelligence, U.S. officials evaluating whether employees should
continue to have access to classified information can collect
publicly available social media posts of those workers.
Despite the new initiatives and a raft of innovative
employee monitoring technologies developed by the NSA and
private-sector tech companies, insider threats remain "the
greatest worry across government and industry," said Curtis
Dukes, the former head of cyber defense at the National Security
Agency who now works at the Center for Internet Security, a
non-profit organization committed to protecting against cyber
threats.
CIA "GOLD STANDARD"
Tuesday's leaks came at a time when U.S. intelligence
agencies were already reeling from the discovery that former
contractor Harold Martin had allegedly spent 20 years stealing
secrets from the NSA and three other intelligence agencies
before finally being caught last summer.
Martin worked for Booz Allen Hamilton, the same consulting
firm that employed Edward Snowden, who in 2013 exposed details
about U.S. spying programs.
This week's dump of CIA files is especially alarming because
the spy agency is considered the "gold standard" for monitoring
and tracking insiders, according to Larry Pfeiffer, chief of
staff to then-CIA director Michael Hayden.
Leo Taddeo, chief security officer at Cryptzone and a former
special agent with the Federal Bureau of Investigation's cyber
crime division in New York, said the Sept. 11 attacks prompted a
significant expansion in the number of facilities and government
contractors who had access to sensitive information. A 2003
report on the attacks concluded the plot could have been
disrupted if not for lapses of communication between the CIA and
FBI.
That finding and others forced a restructuring of how U.S.
intelligence agencies share information, overcoming resistance
by some officials who worried the new arrangement could create
new problems.
"We need for the right people to see the right dots, so they
can connect them, but the counter argument is you increase the
insider risk and that compromise has a greater impact," Taddeo
said.
Chris Inglis, former deputy director of the NSA, gave a
presentation entitled "How to Catch a Snowden" to a jam-packed
room last month at the RSA cybersecurity conference in San
Francisco. The talk was so popular that conference organizers
had Inglis present twice.
Inglis said companies, as well as governments, need to
embrace continuous monitoring of employees and the use of
behavioral analytics to spot potential leakers, and to directly
involve human resources departments in detection efforts.
Some companies have been hesitant to adopt such strategies,
Inglis said, but a raft of breaches in recent years has led to a
growing embrace of more aggressive approaches.
"The unfortunate truth is you’re only going to suffer this
one in a million times, but that one in a million can kill you,"
he said.
