If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees.
Government cannot survive without consuming, digesting, and generating masses of information on a routine basis. Much of this information is sensitive and must be actively protected from an increasingly sophisticated security threat landscape.
The profiles of attackers within this modern threat landscape vary considerably—they may be based locally or internationally; and they may be motivated by financial greed, competitive advantage, or even terrorism. However, across all of these various profiles some general trends have emerged: attackers are becoming more resourceful, possess increasingly varied skill sets, and are willing to engage their targets for longer periods of time in order to achieve their aims.
One high profile incident occurred in June of 2015, when hackers stole sensitive personnel data related to every current or retired federal employee from the Office of Personnel Management (OPM). The information included their names, addresses, social security numbers, and even some fingerprints. The leak included information from background investigations into prospective employees, which concerned intimate details about their families and friends. The OPM incident was certainly not the only recent breach to attract considerable attention from the mainstream news media. In the last few years alone there has been a steady drumbeat of cyber incidents in the news: Anthem Insurance, Home Depot, JPMorgan Chase, Ashley Madison, and T-Mobile, to name a few.
However, this obsessive focus on cyber hacking has obscured the fact that there are many pathways to access sensitive information. Cyberspace is not always the preferred avenue, and technology is not always the preferred tool. There is no denying that most information is stored on computers and transmitted across computer networks these days, but a significant volume of information is still stored on paper and transported by hand. Perhaps an even greater volume is stored in the minds of employees and shared at their discretion in conversations.
Path of least resistance
So here is a truism many of us will agree with: attackers will take the path of least resistance to achieve their goals.
Often, the easiest way to transmit information is verbally or by simply handing someone a document. So, why does government cling to the belief that information security is essentially the responsibility of the organizational IT function, and that information assets can be adequately protected using technological solutions alone?
Of course there are reasons for the obsessive focus on cyber hacking. The framing of issues by media outlets is partially to blame, as is the inertia of existing systems and practices. The threat perceptions of key decision makers are heavily influenced by news media. IT hacks such as the OPM incident can be readily packaged as a news item; they attract attention from the general population and they reinforce existing beliefs that the Internet is the “Wild West.” Contrast the IT hack with an errant conversation between two senior executives or even a leaked hardcopy document: which is more likely to make the headlines?
The technological perspective on information security is also reinforced in organizations by the ways in which these organizations are typically structured. The responsibility to protect information generally falls to the Chief Information Security Officer (CISO)—who very likely reports to the Chief Information Officer (CIO)—and here the term ‘Information’ is widely interpreted to mean bytes of data rather than paper documents, knowledge, or conversations. The CIO’s primary responsibility is to maintain the availability of information infrastructure, which typically means IT services. Although preserving the confidentiality of information falls within their scopes of duty, information outside of the digital environment is widely agreed to be outside this area of responsibility.
A recent review of Information Security courses taught at colleges and universities revealed that the curricula are dominated by IT-related content, with little or no mention of paper-document- or human-communications-related security management techniques.[1] This kind of techno-centric myopia can also be found in academic research projects and Information Security textbooks intended to prepare our future generations of scholars and practitioners.
So, if organizational notions of Information Security are oriented toward technological problems and solutions, who is normally responsible for protecting information outside of the digital environment? In most organizations, the answer is “nobody.”
The way forward
We need to change how we view the government’s interaction with information. We often think of government organizations as being “information machines” that work quite predictably insofar as they follow rigid patterns and routines. In doing so, we tend to discount the entropy associated with human behaviour. We must pay close attention to the social contexts within which work actually takes place.
Dr. Atif Ahmad is a Lecturer in the Department of Computing and Information Systems, University of Melbourne. He is interested in Information Security Management, specifically how strategy development, risk management, and incident response are practiced in organizations.
Dr. Piya Shedden is a Client Manager in the Cyber Risk Advisory service line of Deloitte Australia. He is an expert in Information Security with an emphasis on Risk and Privacy. Piya completed his PhD and Bachelor degrees at the University of Melbourne.
Information assets are not necessarily discrete, enumerated objects that can be easily inventoried on a spreadsheet. Nor can they necessarily be captured in formal representations of organizational processes. Rather, information assets are fluid; they exist in rich organizational environments where their roles evolve and change as they are applied to different formal and informal work activities. This work environment is a flexible and ‘messy’ field of activity in which individuals often pursue work-around approaches and shortcuts according to their own initiative.
The ‘static’ and isolated view of information assets largely ignores the social elements of information systems—which are made up of people, processes, and informal practices and activities, in addition to data and technology. This is a major problem because these social, practice-based elements can be significant sources of information security risk. For example, individuals who create their own assets (e.g. spreadsheets, used for their own work tasks, that incorporate sensitive data taken from a secure computing system) can engage in informal activities that involve the uncontrolled copying of information between digital and physical information ‘containers.’ This can in turn present vulnerabilities for organizations. What was formerly secure owing to limited accessibility is then easily passed on in spoken conversation or hardcopy documents.
Discussion of mundane threats like these is conspicuously absent from most media treatments of information security. Perhaps this is because evidence is difficult to come by, as there are obvious disincentives for self-reporting; or perhaps, more likely, this kind of thing is just not that exciting for the average person to read about. Whatever the reason for the silence, ignoring the issue will not make it go away. An informal review of unclassified government reports spanning the last 5 years showed considerable evidence of information security incidents attributable to information leakage via non-technological means. For example, a recent GAO report found over 67,000 “information security incidents” in the fiscal year of 2014. Of these, 25 percent were classified as ‘non-cyber’. The report described such incidents as ‘spillage or mishandling’ of ‘hard copies or printed material’.[2] Similarly, David Major’s expert testimony to the House of Representatives in 2013 recounted evidence of US government employees’ verbal disclosure of sensitive information to foreign agents at overseas universities and conferences.[3] There have also been a large number of incidents of hardcopy paper theft, such as an incident at the Brooke Medical Center in 2010, where a three-ring Army binder containing the personal health records of over a thousand patients was stolen from a car belonging to one of the Center’s case managers.[4]
In the interest of security, governments need to be able to keep certain kinds of information secret. Given the reality that 25 percent of 2014’s information security incidents did not take place in cyberspace, this means that government organizations must resist the temptation to fixate wholly on technological solutions while sensitive information continues to be leaked in other ways. Instead, decision-makers must recognize that government organizations are ecosystems of ‘information work,’ where work practices and the broader security culture directly impact the ability to keep secrets.
The implications of taking this broader view are significant. Government needs to redefine roles and responsibilities to accommodate a more holistic view of information work in the organization. This includes appointing an executive officer with broader security responsibilities and commissioning a multi-disciplinary support team of professionals with skills ranging from IT to behavioral and organizational psychology.
Research into security culture is still in its infancy. Measuring security culture given the increasing casualization of the workforce is a challenging problem (see a second GAO report that suggests up to 40% of the workforce may be on temporary, contract, and other forms of non-standard employment).[5] Creating a security culture that addresses the information security needs of an organization in a routine fashion is a problem of a higher order of difficulty.
At the very least, government must change the way it perceives the problem of information security. Security cannot be achieved by tending to some sources of vulnerability while ignoring others. This is not an effective approach to safeguarding information. As Khalil Gibran points out, the problem lies in the ability to keep secrets, not in the technology that reveals them.
[1] See Ahmad, A., & Maynard, S. (2014). Teaching Information Security Management: Reflections and Experience. Information Management and Computer Security, 22(5).
[2] Government Accountability Office. (2015). Cyber Threats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies. (GAO Publication No. 15-758T). Washington, D.C.: U.S. Government Printing Office.
[3] Vest, C. M., Wortzel, L., Van Cleave, M., & Major, D. G. (2013, May). Espionage Threats at Federal Laboratories: Balancing Scientific Cooperation While Protecting Critical Information. Congressional Budget Office (US Congress), Washington, DC.
[4] Christensen, S. (2010, April 20). BAMC reveals possible theft of info on 1,272 patients. My San Antonio. Retrieved from http://www.mysanantonio.com/news/military/article/BAMC-reveals-possible-theft-of-info-on-1-272-790715.php
[5] Government Accountability Office. (2015). Contingent Workforce: Size, Characteristics, Earnings, and Benefits. (GAO Publication No. 15-168R). Washington, D.C.: U.S. Government Printing Office.