More than 50 years ago, a massive dossier of classified information was leaked to the New York Times revealing damaging revelations about the U.S. war in Vietnam. The Pentagon Papers was one of the first, but certainly not the last, of many high-profile government leaks in modern U.S. history.
Last week, we learned of a new Pentagon leak in which a 21-year-old Massachusetts Air National Guardsman was arrested for disseminating classified information to a Discord gaming channel. Among previous government leaks, this one is particularly troubling, as the information revealed contemporaneous “signal-based intelligence” that could compromise crucial intelligence-collection methods and sources.
Immediately following the leak, much of the recent news coverage has centered on the question of the leaker’s motive. Did he regard himself as some type of heroic whistleblower, or was he just trying to “gain clout” among his social media peers?
However, discerning motives often becomes a subjective and fruitless exercise – one that’s often beside the point. It also distracts from the questions that truly matter: Did the government know of the leak? And, why did it take three months to take action to remove the materials from Discord?
Most pressing of all: If this could happen to one of the world’s most sophisticated and well-funded government institutions, what might that mean for private companies with fewer resources at their disposal?
Four questions to help assess insider risk
An “insider threat” gets used as the umbrella term that refers to any risk that comes from an employee, contractor, or other parties with authorized access to either knowingly or unwittingly compromise an organization’s systems and data.
Last year’s Verizon Data Breach Incident Response (DBIR) report noted that assets were far more likely to be lost by employees than stolen by someone who does not work for the organization, while according to the 2023 Data Exposure Report, CISOs ranked “insider risk” as the most difficult threat to detect.
Obviously, the scale and scope of insider threats are very different for a government agency than they are for private enterprises. So in the wake of this news, what questions should security and business leaders ask themselves to evaluate their potential exposure to insider threats?
- When access is required, does the organization also need to monitor? Similar to the U.S. government, every enterprise grants broad entitlements to back-end administrators over the many applications and systems that power their daily operations. These users often require expansive privileges to do their jobs. However, in doing so, they are also afforded unfettered access to a wide range of intellectual property, sensitive customer data, and trade secrets. This will not change. Every organization needs to give certain insiders access to data. But what can change is the monitoring that organizations have in place to ensure that data gets properly accounted for. It’s critical that companies put proper monitoring in place to ensure data stays within the protection of the entity and if it does fall outside of proper protection, the security team can respond immediately.
- Do we know where all of our most sensitive data is stored? Critics of the government say that so much information has been labeled classified that it has become a meaningless designation. As too many businesses have come to learn the hard way, it’s largely ineffective to classify data and restrict access based on classification. It creates a frustrating experience for resourceful users who, regardless of what their intentions, will find a workaround when necessary.
- How quickly can we detect and respond to an insider threat? One of the most troubling revelations of this leak is that these classified materials circulated online for several months before action was taken. The longer a leak goes unresolved, the harder it becomes to mount an effective response. Studies have also shown that organizations that have a mature insider threat program in place are better able to quickly distinguish the signals of anomalous behavior and can accelerate remediation.
- Can we measure and quantify insider risk? “If you can’t measure it, you can’t manage it,” has become a common refrain heard in the boardroom. To properly assess the impact of insider threats, CISOs need to have meaningful metrics at their fingertips to effectively communicate those risks to the business. These metrics might include the number of data exposure events or the time it takes to respond to an insider risk event. Insider risk cases that result in unmanaged data loss can have impacts that extend far beyond the initial loss event.
The federal government will no doubt have a lot on its plate in the next few months as they work to mitigate the damage and repair diplomatic relationships. For business and security leaders, this should serve as a reminder that the most dangerous and insidious threats are potentially those working in plain sight.
Jadee Hanson, CIO and CISO, Code42