The federal government should do more to protect its most sensitive information from potentially being deleted or leaked by insiders, according to a new report from the intelligence community inspector general (ICIG).
The Office of the Director of National Intelligence (ODNI) must “improve controls to efficiently and effectively manage and mitigate the risk that a trusted privileged user could inappropriately access, modify, destroy, or exfiltrate classified data,” the intelligence community inspector general, Michael Atkinson, writes in the report.
The potential for trouble extends even to classified information that is restricted to a trusted few at the ODNI, the report says. The ICIG’s specific recommendations about how to address the issue, of course, are classified.
The semiannual report, released Tuesday, details a number of ongoing intelligence community programs and audits meant to boost the cybersecurity of the ODNI and the intelligence community writ large, among them projects on overhauling the security clearance process and efforts to cut down on procurement fraud.
The U.S. intelligence apparatus is no stranger to the impact of leaked government secrets. Although Edward Snowden’s massive leak of National Security Agency secrets happened approximately six years ago, the U.S. government is still reeling from his actions — it just filed a civil suit against the former NSA contractor over his new memoir about the disclosure. And just this summer, another former NSA contractor who stole 50 terabytes of classified information, Harold T. Martin, was sentenced to nine years in prison.
Over the course of the next year, the inspector general’s inspections and evaluations division will review clearance reciprocity — the practice of transferring a security clearance obtained for work at one agency to a position at another — according to the report. It’s an issue that government leaders have said locks talented individuals at certain agencies for, at times, arbitrary reasons.
The inspector general’s audit division will also assess whether the government is using the right information to try cutting down on the security clearance backlog, which currently has some candidates waiting hundreds of days to start work in the government.
Previous efforts to improve the security clearance process for the intelligence community, the inspector general notes, have not made significant strides. The intelligence community includes military and civilian agencies, from the NSA and CIA to the Bureau of Intelligence and Research at the State Department.
Cyberthreat indicator sharing assessment
The inspector general is also running an ongoing audit on the government’s information sharing about cyberthreat indicators. The review intends to provide an assessment of how different officials react to and use these threat indicators as they are shared across the federal government, how the indicators are classified, and what barriers to sharing them currently exist.
In recent months the NSA has launched a new division, the Cybersecurity Directorate, to address barriers to sharing, namely the over-classification of threat indicators it shares with other government partners. It’s an acknowledgment that recipients of NSA threat data need information that is more helpful and relevant to defend against nation-state threats.
So far, a little over a month into the directorate’s operations, it has shared several unclassified advisories, including information about Russian hackers masquerading as Iranians and a warning that state-backed actors are exploiting VPNs to spy on users around the world. But work remains to declassify the right information at the right time, the director of the new directorate has said.
Procurement risks abound
The inspector general’s report also touches on the risks in acquisition and procurement in the intelligence community, and assesses that a recent initiative on managing enterprise systems in the IC will “significantly improve” its cybersecurity posture. The inspector general intends to release a report by the end of the year assessing the “effectiveness and maturity” of ODNI’s information security program.
Risks in procurement are an ongoing issue for the U.S. government, according to the inspector general. The CIA, National Reconnaissance Organization and the Department of Homeland Security recently convened a summit to discuss fraud in procurement, an issue that has bubbled up recently in charges the Department of Justice has brought against a New York company. The firm, Aventura Technologies, is alleged to have sold Chinese surveillance equipment with known cybersecurity flaws while claiming the technology was made in the U.S.
At the summit, participants discussed ways to catch fraud like this in the future.
“[E]ach presented procurement fraud cases and discussed how auditors can look for indicators of procurement fraud and handle situations that may involve criminal activity,” the inspector general writes. “The presenters emphasized the importance of soft skills in eliciting information and the use of data analytics to proactively identify procurement fraud indicators.”