IT Tools Available to Stop NSA-Type LeaksBut U.S. Government Doesn't Always Deploy Logs, IAM Effectively
It's possible that somewhere within the thousands of U.S. federal government databases, information can - or perhaps will - be found that tracks Edward Snowden's activities leading up to his leak of top secret information. But is appears that government systems are inadequate to alert authorities in real time to potential leaks.
Snowden, who was fired June 10 as a systems administrator assigned to the National Security Agency by government contractor Booz Allen Hamilton, admits that he was the source of news reports that the NSA collects metadata from communications of millions of Americans in programs, including one called Prism, that the government claims are aimed at ferreting out potential foreign terrorists [see NSA's Prism: Balancing Security, Privacy].
The federal government uses a variety of tools that could identify the activities of employees. Those include keylogging software and computer logs that pinpoint staff members' whereabouts and actions within federal IT systems and networks, sources familiar with the federal government's security clearance systems say. But having the tools in place - and not all tools are used by all agencies at all times - doesn't mean that the proper authorities are alerted in a timely manner to activities that could jeopardize the nation's security.
"It's very cumbersome to manage identity and access controls unless you have a tightly managed process - and most companies and most agencies do not," says Patricia Titus, the former chief information security officer at Homeland Security's Transportation Security Administration as well as IT security provider Symantec and IT integrator Unisys.
High Cost of Implementing IAM
Titus explains that identity and access management systems are very labor intensive to maintain, and because the government relies on many legacy systems, implementing adequate IAM systems proves costly. "To set up individual profiles of thousands and thousands of government employees is very difficult," she says.
Even if evidence exists in databases that could prevent a Snowden-type leak, there's no guarantee that it could stop someone who wants to collect data to release to unauthorized outsiders.
"In the time it may take an alert to make its way up the chain, someone could have downloaded a few gigabytes of classified information on a thumb drive and put it in their pocket," says Evan Lesser, managing director of Clearancejobs.com, a website that focuses on jobs requiring government security clearances. "We're playing a game against technology, and unfortunately, it will take more technology to keep the current technology and people in check."
But at a time of budget cuts and sequestration - the across-the-board trimming of government spending - the federal government isn't spending the money that many experts believe is needed to beef up defenses against insiders with security clearances who might want to reveal secret information.
Robert Bigman, who retired last year after 15 years as the CIA's CISO, says the Defense Department and the intelligence community continually rejected the idea of using digital rights management tools to restrict access to specified content in order to secure intelligence reporting. "They need to re-evaluate that decision," he says.
Centralizing Log Analysis
There's no shortage of ideas about how to mitigate insider leaks, though the proposals aren't cheap. Titus envisions the creation of a governmentwide security operations center where all agencies would be required to send their logs relating to classified data to be analyzed frequently, not just occasionally.
"A lot of companies and agencies collect logs, and they do nothing with the data," she says. "They just collect it so they can check the compliance box to show they comply with regulations. And one person might look at those logs, one hour, one day a week and say, "Yes, we look at the logs.' But that's not the intent of compliance standards. We have an opportunity from regulatory and compliance perspectives to lower the boom on some of this and say, 'We don't mean one hour a day. We need log management systems that are looking for anomalous behavior.'"
Now, Titus says, the government must figure out how to employ its arsenal of tools to prevent those with security clearances from doing the nation harm by leaking top secret information.