Data Protection

Handling Classified Information: Lessons Learned

Can We Learn From the Blunders of U.S. Officials on Their Handling of Classified Information?

2016 revealed many glaring issues with improper handling of classified information. A few examples: President-elect Donald Trump’s nominee for National Security Advisor, Michael Flynn, was investigated in 2010 for inappropriately sharing classified information with foreign military officers. David Petraeus, a (former) short-list nominee for Secretary of State, is currently on probation for sharing classified information. Hillary Clinton was investigated by the FBI for exposing classified information on a personal email server, then cleared, and then re-investigated days before the election.

Clearly, we have a problem in this country with senior leaders maintaining integrity of classified information. Worse yet, the lack of accountability sets a poor example for the average military or government worker. 

From an IT security perspective, we can learn from the challenges that the US government faces – specifically, how to approach the challenge of classifying unstructured data.

The US government classification system

The US classification system is based on the sensitivity of the information it protects; that is, an estimate of the level of damage to national security that a disclosure would cause. There are three levels of sensitivity or classification – Confidential, Secret and Top Secret – with rising levels of sensitivity in that order.

Classification is not arbitrary, but uses a six-step process to determine whether the information should be classified and at what level. Executive Order 13526 is the current instruction on the “Original Classification Authorities” (OCAs). Each new president updates this executive order as they take office, but generally speaking, the agency that creates the information is responsible for classifying it. While there are criticisms of the procedure, at least the government has a system to classify data, and a corresponding method for determining access.

Classification and control systems in industry

While industry classifications and controls are typically not as formal, we do see company confidential labels on sensitive information like financials. Typically, privacy-protected information, such as HR documents, healthcare records, and intellectual property, has additional controls in place to prevent data leakage. In place of a system that relies on levels of classification, we might see models for segmenting data or information. And, often, there are privileged account management tools used as access controls, and to record activity for potential prosecution.

Beyond these controls, however, the challenge is similar to that of the government – how to determine what information requires classification or controls, and to what extent. The vast majority of organizations spend very little effort classifying information, resulting in an accumulation of unclassified, or unstructured data that often leaves sensitive information unprotected.

We see the consequences when strategic plans in a presentation wind up in the hands of a competitor via a careless supplier. Or sensitive personal information stored in a spreadsheet falls into the hands of criminals.

Reducing the risk of unstructured data with classification

Much of the effort to rein in unstructured data has centered on machine learning applied to big data. But this is largely an effort to detect anomalous behavior that might indicate malicious abuse of the data. Potentially a worthwhile effort, but certainly expensive.

Perhaps a more measured approach would be to establish OCAs and a six-step process within the enterprise. For example, the head of development can decide levels of classification for source code. A line of business manager can determine whether strategic plans need additional layers of protection. Simply authorizing leaders in an organization to make these decisions, and arming them with a method of classification, can improve the security posture of that information. And workers can be trained to handle the information appropriate to policy as part of standard security training efforts.

Whether US government officials improve their handling of classified information in the new administration or not, industry can certainly learn from the blunders and reduce the risks that unstructured data presents by adopting more formal means of classifying it.
