Things to consider when an employee releases sensitive data -- intentionally or not
By Christopher Burgess
May 07, 2013
CSO
"I'm sorry, it appears the information was inadvertently released."
"He was acting in a rogue manner. How were we to know?"
With those words, the security crisis management team knows its red lines have been crossed.
Data which was expected to be protected is discovered not to have been afforded that appropriate protection. Or an employee is actively breaking internal processes and procedures and placing the enterprise at risk.
In either case, the subsequent damage assessment will either evolve into a productive introspective review or the age-old cover-your-backside exercise. Do these types of events really happen? You bet they do, and with great frequency. Let's take a walk through some recent instances.
On 10 April 2013, the US Department of Defense was afforded a surprise during a hearing of the House Armed Services Committee, when Representative Doug Lamborn (Republican-CO) began quoting from an "unclassified" Defense Intelligence Agency (DIA) report on the nuclear capabilities of North Korea. The Chairman of the Joint Chiefs of Staff, General Martin Dempsey, appeared to be surprised. Lamborn read from the document and asked Dempsey if he agreed with the assessment; Dempsey demurred with "I can't touch that one," and the two sparred over the "unclassified" findings of a classified DIA analysis and whether or not they could be made public. The DIA apparently neglected to place appropriate classifications on the North Korea assessment (Lamborn/Dempsey exchange).
What are the ramifications? This inadvertent disclosure put in the hands of a potential adversary (North Korea) the findings of the US Department of Defense regarding its nuclear capabilities. If this happened to the DIA, could it happen to entities which fall under the National Industrial Security Program of the DOD? Absolutely. NISPOM section 3 requires a minimum of one annual training event for each cleared individual, so it is important to know what is in your NISPOM security training deck.
Over the course of the last several years, the US Department of Justice has been collecting some very notable fines from companies which, from any optic, should have had controls and processes in place to detect inadvertent disclosure, illegal business practices, Foreign Corrupt Practices Act (FCPA) violations, Securities and Exchange Commission (SEC) violations, Export Administration Regulations (EAR), International Arms Control Act (ITAR) and Arms Export Control Act (AECA) violations, all of which constitute violations of various US federal laws and regulations. Add to the mix the number of times employees compromise their employer's business ethics, whether motivated by greed, ego or simple inattentiveness, and the size of the issue becomes staggering.
Examples of the fallout:
- US$800 million fine to Siemens AG under the FCPA, and a €395 million fine levied against Siemens AG by the Munich Public Prosecutors Office, for activity which occurred from 1997-2007. The end result, following admissions of guilt, was a wholesale clearing of the C-suite at Siemens.
- US$400 million to BAE PLC for attempting to defraud the United States; US$79 million for violating the AECA and ITAR; and €30 million to the United Kingdom's Serious Fraud Office.
- US$75 million to United Technologies Corporation for ITAR and AECA violations.
As of February 2013, the US DOJ has more than 100 active major cases open which fall under the rubric of US Export Enforcement, Economic Espionage, Trade Secret and Embargo-Related crimes:
- Feb 2013 - Thermal imaging scopes and cameras to Belarus
- Feb 2013 - Ammunition to Jordan
- Feb 2013 - Ammunition and Night Vision Goggles to Mexico
- Jan 2013 - Trade Secrets to China
- Jan 2013 - Sensitive Microwave Amplifiers to China and India
- Jan 2013 - Hawk Air Defense Missile Batteries to Iran
- Dec 2012 - Missiles, Aviation Equipment & Submarine Design Information to Terrorist Organization
- Dec 2012 - Computer Components to Iran
- Dec 2012 - Dual-Use Programmable Logic Devices to China
- Dec 2012 - Information Technology Services and Support to Iran
- Dec 2012 - Coatings for Rocket Nozzles and other goods to China and Taiwan
- Dec 2012 - Carbon Fiber and Other materials to Iran and China
- Dec 2012 - Prohibited Exports to Iran
- Dec 2012 - Aircraft and Aircraft Components to Iran
- Dec 2012 - Specialty Coatings to Pakistani Nuclear Facility
- Nov 2012 - Inertial Navigational Units to UAE and Turkey
- Nov 2012 - Military Antennas to Iran
- Nov 2012 - Military Aircraft Parts to Iran
- Oct 2012 - Restricted Microwave Amplifier Technology to China
- Oct 2012 - Stolen Tactical Laser Illuminators Overseas
- Oct 2012 - Military Aircraft Engines to Venezuela
The list goes on and on, 85 pages worth of such cases. As my co-author Richard Power and I wrote in "Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century": "Intellectual Property is your enterprise's lifeblood; is it safe or are you in danger of being put out of business because a predator has shed that lifeblood? We found two profound but common misconceptions about intellectual property theft and economic espionage. One: the threat of economic espionage or trade secret theft is of limited concern; the other: the nature of the threat is sufficiently understood and adequately addressed."
The sheer number of such instances demands a new look at how data is classified, tagged and handled internally within an enterprise. If protecting trade secrets and intellectual property is not reason enough, ensuring your ability to conduct commerce and staying out of DOJ prosecutors' sights should be incentive enough.
Clearly we can no longer rely on government "classifying" officers to manually review every document for appropriate classification, nor should we simply drop a high-level "Top Secret" classification on a document not requiring it. Similarly, within enterprises, inadvertent sharing of protected data internally with international colleagues may be as damaging for a company as placing it in the hands of a foreign government. Again, data custodians and originators are expected to classify appropriately within their infrastructure to ensure the information is only available to those with a need and authority for access.
Many would say this is a data loss prevention (DLP) problem, and there is a plethora of solutions available to stop data from exiting via email, downloads, or the like. How many of the aforementioned instances would an appropriately configured DLP have been able to thwart? Some. Maybe none? What we need is to think about the solution from a different angle, and approach the issue as an assurance, compliance, privacy and data protection goal within the company infrastructure.
Every company knows what is important, be it the cutting-edge technological development or the customer/partner data that is entrusted to them. But do they know where it is? What is their degree of confidence that they know all locations where this highly valuable data is stored? Some absolutely do a "keyword" search through the entire corpus of an enterprise and highlight, tag and reclassify all documents containing the keyword. In the inadvertent disclosure of the DIA assessment's findings on North Korea, it appears the classification markings were the keyword of choice, when in reality the content of the entire document should have been the arbiter. Keywords work great as long as everyone uses them.
What is required is recognition of concepts, and the generation of rules around such concepts, applied across all documents within the corporate data set at creation or edit. In this manner the originator gains the strength of the enterprise's compliance rule set, and recommendations on appropriate classification, tagging and storage can be made to the originator at the moment of authoring. With such a system integrated into one's DLP solution, your data is protected from creation through edit to dissemination.
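The two paragraphs above contrast a marking-keyword search, which only works when everyone applies the markings, with concept rules evaluated against the content itself at creation or edit time. The following is an added example, not code from the article or from any product it mentions, that puts both views side by side: it scans a small constructed corpus, reports what a marking keyword search alone would surface, and separately flags documents whose content outruns their marking (the DIA-style unmarked assessment, and a document whose marking has been edited down). The marking vocabulary, the concept rules, the regex indicators and all sample documents are assumptions constructed for illustration.

```python
"""Added example: marking-keyword view vs. concept-rule view of a document corpus."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordered from least to most sensitive; used to compare markings and recommendations.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

# Keyword view: look for the marking vocabulary itself (case-sensitive, as banner
# markings are conventionally upper case). Constructed vocabulary for illustration.
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL|UNCLASSIFIED)\b")


@dataclass
class ConceptRule:
    """A concept is a bundle of indicators; the rule fires when min_hits of them match."""
    name: str
    indicators: List[str]   # regexes, matched case-insensitively against the content
    level: str              # classification the concept warrants
    min_hits: int = 1


# Constructed concept rules (hypothetical); a real rule set is written by the
# enterprise's compliance function against its own data.
RULES = [
    ConceptRule("export_controlled_hardware",
                [r"\bnight[- ]vision\b", r"\bthermal imaging\b",
                 r"\bmicrowave amplifier", r"\binertial navigation"],
                "CONFIDENTIAL"),
    ConceptRule("customer_pii",
                [r"\bSSN\b", r"\b\d{3}-\d{2}-\d{4}\b", r"\bdate of birth\b"],
                "CONFIDENTIAL", min_hits=2),
    ConceptRule("strategic_assessment",
                [r"\bnuclear\b", r"\bwarhead", r"\bweapon", r"\bassessment\b"],
                "SECRET", min_hits=2),
]


@dataclass
class Verdict:
    marking: Optional[str]   # highest marking actually written in the text
    recommended: str         # level the concept rules recommend
    fired: List[str]         # names of the rules that fired
    mismatch: bool           # True when content warrants more than the marking says


def declared_marking(text: str) -> Optional[str]:
    """Keyword view: the highest classification marking present in the document."""
    found = MARKING_RE.findall(text)
    return max(found, key=LEVELS.index) if found else None


def recommended_level(text: str) -> Tuple[str, List[str]]:
    """Concept view: evaluate every rule against the content, ignoring markings."""
    fired = [rule.name for rule in RULES
             if sum(1 for pat in rule.indicators if re.search(pat, text, re.I)) >= rule.min_hits]
    level = max((r.level for r in RULES if r.name in fired),
                key=LEVELS.index, default="UNCLASSIFIED")
    return level, fired


def classify(text: str) -> Verdict:
    """Combine both views; a mismatch is the signal an originator or DLP hook acts on."""
    marking = declared_marking(text)
    level, fired = recommended_level(text)
    baseline = marking or "UNCLASSIFIED"   # an unmarked document is treated as unclassified
    return Verdict(marking, level, fired, LEVELS.index(level) > LEVELS.index(baseline))


def scan_corpus(docs: Dict[str, str]) -> Dict[str, Verdict]:
    return {name: classify(text) for name, text in docs.items()}


def keyword_only_flags(docs: Dict[str, str]) -> List[str]:
    """What a search for marking keywords alone would surface as sensitive."""
    return [n for n, t in docs.items()
            if (declared_marking(t) or "UNCLASSIFIED") != "UNCLASSIFIED"]


def concept_flags(docs: Dict[str, str]) -> List[str]:
    """Documents whose content outruns their marking: inadvertent-disclosure candidates."""
    return [n for n, v in scan_corpus(docs).items() if v.mismatch]


# Constructed sample documents (not real records).
SAMPLE_DOCS = {
    "assessment_marked": "SECRET\nAssessment of the adversary nuclear weapon programme.\nSECRET",
    "assessment_unmarked": "Draft assessment: the regime can field a nuclear warhead on a missile.",
    "quote_downgraded": "UNCLASSIFIED\nQuote for 40 thermal imaging scopes and night-vision goggles.",
    "customer_record": "Customer record: SSN 123-45-6789, date of birth 1970-01-01.",
    "cafeteria_memo": "Cafeteria menu for next week: soup, salad, sandwiches.",
}

if __name__ == "__main__":
    for name, v in scan_corpus(SAMPLE_DOCS).items():
        flag = "MISMATCH" if v.mismatch else "ok"
        print(f"{name:20} marking={str(v.marking):13} recommended={v.recommended:13} {flag} {v.fired}")
    print("keyword-only search finds:", keyword_only_flags(SAMPLE_DOCS))
    print("concept rules flag:       ", concept_flags(SAMPLE_DOCS))
```

Run stand-alone, the keyword view finds only the document that already carries a SECRET banner, while the concept view flags the unmarked assessment, the export-controlled quote marked UNCLASSIFIED, and the unmarked customer record. Wiring `classify` into a save-or-edit hook is what lets the recommendation reach the originator at authoring time; the same mismatch signal is also the early detection point when a marking has been edited down while the content remains.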
Thus the inadvertent disclosure becomes less likely to occur. In those instances where a rogue employee adjusts the content or otherwise games the system, detection comes early in the edit cycle. In all cases it is a win for the enterprise, a win for the customers and a win for the enforcement entities. We would all prefer the enforcement entities expend their limited resources ensuring compliance against those entities created specifically to conduct criminal activity, rather than those highly ethical enterprises which have stumbled in the past or lacked sufficient oversight.
Christopher Burgess is president and principal analyst of Prevendra LLC, a safety, security, intelligence and privacy focused enterprise.