Friday's announcement of a huge data spill of classified documents from a Navy contractor is gaining lots of traction. Several public sources corroborate the spill. This article has the most sound judgement and recommendations of those that I have read:
http://observer.com/2018/06/china-steals-of-department-of-defense-navy-secrets-security-breach/
Security is not cheap. Being able to come home at the end of the day after winning a skirmish with a bad actor is what having the upper hand in intel, weaponry, tactics and diplomacy is all about. We cannot win if we have no advantage.
We practitioners have our jobs cut out for us. We have not arrived because we have the (ICS)2 shingle(s) in the form of a CISSP, CSSP, etc. certification. That process was just the start. We have to educate, promote and defend integrity, sound judgement and qualified skills in the future to counter these practices of the past.
I firmly believe that all future DoD contracts should have some penalty clause for data spills if they don't already exist. The penalty should be so severe that it cripples the offender to the point of being brought to the brink of financial ruin. Corporate officers and board members (if one exists) should not be exempt from the penalties. Termination of ALL DoD contracts should be immediate if the contractor has more than one.
This is national security at stake. We shouldn't be this sloppy.
How does an announcement like this affect you?
How does this affair or scandal affect me? Personally, it does not. It does affect our nation's security posture, which does inadvertently affect me. It affects our nation as a whole and wounds me as a veteran of our armed services.
It bothers me greatly that the military seems to have lost its way more and more this century as the emphasis, something I have seen since the 1980s-2000s, has been on new priorities like inclusion and safe-sex training and less time working on unit preparedness and operational security.
As far as technology goes, this should have been a no-brainer. Egress filtering and DLP are NOT exotic technologies - look into a webinar if these are new terms for you.
Mark,
I appreciate your outrage. I also appreciate the outrage that is apparent in the tone of the article.
@Flyslinger2 wrote: Friday's announcement of a huge data spill of classified documents from a Navy contractor is gaining lots of traction. Several public sources corroborate the spill. This article has the most sound judgement and recommendations of those that I have read:
http://observer.com/2018/06/china-steals-of-department-of-defense-navy-secrets-security-breach/
How does an announcement like this affect you?
I have an issue with some of the emotive language used in this piece though. It takes away from my identifying the problem behind the problem.
Reducing the ranks of folks that exhibit poor decision making skills and impulse control (alcohol abuse, sexual assault, etc.) among those having a clearance is the right way to go in my opinion. It is a step toward increasing the percentage of folks with good decision making skills and impulse control with a clearance. The granting of a clearance is a privilege not a right. It's the same type of evaluation you might make of someone who handles money for your organization.
The risks and the rewards on either side of the equation are both significantly higher for the military; not *just* the risks. A business implements security and chooses between implementing a security measure, or doing operations a certain way that slightly reduces revenue in favor of increasing security; while the military chooses between implementing a security measure, or doing operations a certain way that slows or prevents successful operations that result in loss of life in favor of increasing security. I believe that this causes a significant number of misunderstandings about why risks with information storage and transmission are still taken by the military.
The first thing is that the article glosses over, in my opinion, that the information that was allegedly collected was Unclassified. It was still not supposed to be public, but at the same time, the information was identified as not rising to the level needing protection as classified information.
The second thing is that this alleged disclosure was the result of action by an advanced adversary to circumvent what might have been appropriate security for Unclassified information; not an accident or inappropriate security measures for Unclassified information. It may very well be that the company put in place all of the necessary security to protect Unclassified IT systems.
The final thing is that aggregating lower security information into a higher security collection is a living process. It is often an indefinite opinion, one that may change as information custodians or security managers come and go, on the point at which the collection tips the scale upward in its protection requirements.
It's not really apparent how the alleged breach occurred, but it came across to me as though all this information was stored in one place. I think in that case it would be because of a failure to identify when a collection of Unclassified information reached the threshold of it becoming classified. And instead of punishing anyone other than the hackers that steal information, setting a more directive review policy and providing additional training on recognizing when Unclassified collections become Classified is in order. That training should be specifically for information custodians and security managers (as opposed to everyone, although everyone could have access to it).
Thanks for bringing this up for discussion!
Sincerely,
Eric B.
I've been a DOD contractor since the '80s, and seen some "interesting" things occur. I was once awarded a "coin" for stopping the loss of over 60,000 SSNs.
For the most part people give lip service to security and privacy concerns, and we are the bad guys for insisting things be done properly. After all, it adds overhead, consumes system resources and costs money to keep things secure. Developers need to remember to include us at the beginning of a project, not halfway through. Baking in is so much better than bolting on, but somehow we're seen as part of the problem, not the solution.
All this being said...I'm always employed and never in need of more work!