Whether or not you believe, as some pundits appear to, that the call for an inquiry into cybersecurity practices in the House of Representatives after the details of an ethics committee inquiry were disclosed is a smoke screen designed to divert attention away from the behavior under investigation, the situation provides a useful illustration of what can happen when user desires for convenience trump security controls. According to numerous reports, the inquiry information was inadvertently disclosed by a staffer who both put sensitive information on a personal computer and also exposed the contents of that computer by running peer-to-peer file sharing software. As you might expect, copying official files to personal computers goes against existing security policy, and while there are presumably no policies governing whether employees choose to install and use P2P on their personal computers, the federal government has long recognized the particular risk posed by P2P technology, to the point that the FISMA report that agencies fill in and submit to OMB includes questions specifically about P2P (both about banning its use within agencies and making sure that security awareness training addresses P2P file sharing).
The general scenario is reminiscent of the aftermath of the well-publicized laptop theft from the home of an employee of the Veterans Administration, who was not using a personal computer, but who had placed VA records with personally identifiable information on his laptop to work on at home, in direct violation of VA security policy. In both of these cases it seems unlikely that the government employees meant any harm through their actions, and were seeking only to extend their government workdays by taking work home with them. This tension between the restrictions or constraints on business practices imposed by security and the demands of information economy workers to have access to their work whenever and from wherever they want it is something security managers have to deal with every day.
Every organization must find the right balance point between appropriate security measures, security policies, and the mechanisms put in place to enforce those policies when voluntary compliance is ineffective. In a few key ways the legislative branch is especially susceptible to erring on the side of employee convenience at the expense of security. While the houses of Congress are sometimes considered cohesive organizational entities, the reality is that just about every member of Congress and committee has their own information technology operations, and for the members in particular, there is a need to conduct business not just in Washington, DC but also from office locations in their home states and districts. This results in what is essentially a wide area network with at least 535 remote locations, from all of which elected officials and their staffs need to be able to conduct their business just as if they were on Capitol Hill. The geographical distribution of computer system users, along with office personnel that vary widely in terms of their security awareness and technical savvy, combine to produce a bias in favor of facilitating work at remote locations (including local storage of sensitive information), rather than imposing security-driven constraints on business operations. The technical means are readily available to help avoid the recurrence of events such as this latest disclosure, but what must first change is the organizational bias in favor of letting workers, no matter how well intentioned, perform actions in the name of convenience or efficiency that put sensitive information assets at risk.
Bejtlich Teaching at Black Hat USA 2014
1 day ago