SecurityWeek

Data Protection

Handling Classified Information: Lessons Learned

Can we Learn From the Blunders of U.S. Officials on Their Handling of Classified Information?

2016 revealed many glaring issues with improper handling of classified information. A few examples: President-elect Donald Trump’s nominee for National Security Advisor, Michael Flynn, was investigated in 2010 for inappropriately sharing classified information with foreign military officers. David Petraeus, a (former) short-list nominee for Secretary of State, is currently on probation for sharing classified information. Hillary Clinton was investigated by the FBI for exposing classified information on a personal email server, then cleared, and then re-investigated days before the election.

Clearly, we have a problem in this country with senior leaders maintaining the integrity of classified information. Worse yet, the lack of accountability sets a poor example for the average military or government worker.

From an IT security perspective, we can learn from the challenges that the US government faces – specifically, how to approach the challenge of classifying unstructured data.

The US government classification system

The US classification system is based on the sensitivity of the information it protects; that is, an estimate of the level of damage to national security that a disclosure would cause. There are three levels of sensitivity or classification – Confidential, Secret and Top Secret – with rising levels of sensitivity in that order.

Classification is not arbitrary, but uses a six-step process to determine whether the information should be classified and at what level. Executive Order 13526 is the current instruction on the “Original Classification Authorities” (OCAs). Each new president updates this executive order as they take office, but generally speaking, the agency that creates the information is responsible for classifying it. While there are criticisms of the procedure, at least the government has a system to classify data, and a corresponding method for determining access.

Classification and control systems in industry

While industry classifications and controls are typically not as formal, we do see company confidential labels on sensitive information like financials. Typically, privacy-protected information, such as HR documents, healthcare records, and intellectual property, has additional controls in place to prevent data leakage. In place of a system that relies on levels of classification, we might see models for segmenting data or information. And oftentimes there are privileged account management tools used as access controls, and to record activity for potential prosecution.


Beyond these controls, however, the challenge is similar to that of the government – how to determine what information requires classification or controls, and to what extent. The vast majority of organizations spend very little effort classifying information, resulting in an accumulation of unclassified or unstructured data that often leaves sensitive information unprotected.

We see the consequences when strategic plans in a presentation wind up in the hands of a competitor via a careless supplier. Or sensitive personal information stored in a spreadsheet falls into the hands of criminals.

Reducing the risk of unstructured data with classification

Much of the effort to rein in unstructured data has centered on machine learning applied to big data. But this is largely an effort to detect anomalous behavior that might indicate malicious abuse of the data. Potentially a worthwhile effort, but certainly expensive.

Perhaps a more measured approach would be to establish OCAs and a six-step process within the enterprise. For example, the head of development can decide levels of classification for source code. A line of business manager can determine whether strategic plans need additional layers of protection. Simply authorizing leaders in an organization to make these decisions, and arming them with a method of classification, can improve the security posture of that information. And workers can be trained to handle the information appropriate to policy as part of standard security training efforts.
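As an added illustration (not from the article), here is a small Python model of the delegated scheme proposed above: ordered sensitivity levels, one OCA per data domain who alone may label assets in that domain, a read check in which clearance must dominate the label, an audit trail, and a report of assets nobody has labelled yet. Domain names, user names and file names are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    """Ordered sensitivity levels; IntEnum lets us compare them directly."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass
class Asset:
    name: str
    domain: str                       # e.g. "source_code", "strategy" (constructed)
    level: Level = Level.UNCLASSIFIED  # unlabelled data defaults to the lowest level
    classified_by: Optional[str] = None


class ClassificationRegistry:
    """Delegated classification: each data domain has exactly one OCA."""

    def __init__(self, ocas: Dict[str, str]):
        self.ocas = ocas               # domain -> OCA user (constructed mapping)
        self.audit: List[str] = []     # simple trail for later review

    def classify(self, actor: str, asset: Asset, level: Level) -> bool:
        # Only the OCA for the asset's domain may set, raise or lower its label.
        if self.ocas.get(asset.domain) != actor:
            self.audit.append(f"DENY classify {asset.name} by {actor}")
            return False
        asset.level, asset.classified_by = level, actor
        self.audit.append(f"OK classify {asset.name}={level.name} by {actor}")
        return True

    def may_read(self, user: str, clearance: Level, asset: Asset) -> bool:
        # Access rule: the reader's clearance must dominate the asset's label.
        allowed = clearance >= asset.level
        verdict = "OK" if allowed else "DENY"
        self.audit.append(f"{verdict} read {asset.name} by {user}")
        return allowed

    def unlabelled(self, assets: List[Asset]) -> List[str]:
        # The "unstructured data" gap: assets no OCA has ever looked at.
        return [a.name for a in assets if a.classified_by is None]
```

Everything returned by `unlabelled` is readable by anyone, which is exactly the exposure the article describes; the report gives the delegated OCAs a worklist rather than leaving that data silently open.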

Whether US government officials improve their handling of classified information in the new administration or not, industry can certainly learn from the blunders and reduce the risks that unstructured data presents by adopting more formal means of classifying it.
