Can We Learn From the Blunders of U.S. Officials in Their Handling of Classified Information?
2016 revealed many glaring issues with improper handling of classified information. A few examples: President-elect Donald Trump’s nominee for National Security Advisor, Michael Flynn, was investigated in 2010 for inappropriately sharing classified information with foreign military officers. David Petraeus, a (former) short-list nominee for Secretary of State, is currently on probation for sharing classified information. Hillary Clinton was investigated by the FBI for exposing classified information on a personal email server, then cleared, and then re-investigated days before the election.
Clearly, we have a problem in this country with senior leaders maintaining the integrity of classified information. Worse yet, the lack of accountability sets a poor example for the average military or government worker.
From an IT security perspective, we can learn from the challenges that the US government faces – specifically, how to approach the challenge of classifying unstructured data.
The US government classification system
The US classification system is based on the sensitivity of the information it protects; that is, an estimate of the level of damage to national security that a disclosure would cause. There are three levels of sensitivity or classification – Confidential, Secret and Top Secret – with rising levels of sensitivity in that order.
Classification is not arbitrary, but follows a six-step process to determine whether the information should be classified and at what level. Executive Order 13526 is the current instruction on the “Original Classification Authorities” (OCAs). Each new president updates this executive order on taking office, but generally speaking, the agency that creates the information is responsible for classifying it. While there are criticisms of the procedure, at least the government has a system to classify data, and a corresponding method for determining access.
Classification and control systems in industry
While industry classifications and controls are typically not as formal, we do see company-confidential labels on sensitive information such as financials. Typically, privacy-protected information, such as HR documents, healthcare records, and intellectual property, has additional controls in place to prevent data leakage. In place of a system that relies on levels of classification, we might see models for segmenting data or information. And oftentimes there are privileged account management tools used as access controls, and to record activity for potential prosecution.
Beyond these controls, however, the challenge is similar to the government’s – how to determine what information requires classification or controls, and to what extent. The vast majority of organizations spend very little effort classifying information, resulting in an accumulation of unclassified, or unstructured, data that often leaves sensitive information unprotected.
We see the consequences when strategic plans in a presentation wind up in the hands of a competitor via a careless supplier, or when sensitive personal information stored in a spreadsheet falls into the hands of criminals.
Reducing the risk of unstructured data with classification
Much of the effort to rein in unstructured data has centered on machine learning applied to big data. But this is largely an effort to detect anomalous behavior that might indicate malicious abuse of the data. It is potentially a worthwhile effort, but certainly an expensive one.
Perhaps a more measured approach would be to establish OCAs and a six-step process within the enterprise. For example, the head of development can decide the levels of classification for source code. A line-of-business manager can determine whether strategic plans need additional layers of protection. Simply authorizing leaders in an organization to make these decisions, and arming them with a method of classification, can improve the security posture of that information. And workers can be trained to handle the information according to policy as part of standard security training efforts.
Whether or not US government officials improve their handling of classified information in the new administration, industry can certainly learn from the blunders and reduce the risks that unstructured data presents by adopting more formal means of classifying it.