Let’s stop getting robbed

The full breadth of the U.S. government has now woken up to the need for data-layer security following the devastating internal CIA report revealed recently, that faulted obvious lapses for the 2016 theft of some of the agency’s most valuable secrets.

Among the CIA’s findings was the discovery that the agency’s elite hacking team had failed to put into place tools that could monitor who had access to its sensitive information.

As a result, the agency not only failed to detect the theft by a rogue employee until Wikileaks published the contents — ironically, secret tools that the CIA used to hack into foreign government networks. Even then, the agency couldn’t determine the scope of the loss after they found out about it. The report characterized the theft as the greatest data loss in the agency’s history.

Data-layer security could have prevented that theft. It would have certainly prevented the massive 2017 Equifax breach in which Chinese hackers stole the names, birth dates and social security numbers of nearly half of all Americans. And it would have prevented many, many more.

Advertisement

Cybersecurity began as an effort to wall off organizations from the outside world, protecting trade secrets, customer data and other sensitive information from unauthorized people. Since then, data has become increasingly important even as it has been moved to the cloud and accessed through the Internet.

The result has been a steady increase in ways for criminals to get that data, and a steady drumbeat of increasingly spectacular breaches, with criminals stealing everything from credit card and social security numbers to the blueprints for nuclear power plants. Threat vectors are raining down like arrows at Agincourt.

The CIA, and the government more broadly — not to mention corporations — need to adopt data-layer security and an overall zero-trust model: Rather than worrying about the castle gates, so to speak, focus on protecting the crown jewels instead. And assume that everyone, even those with the proper login credentials, is a threat.

Cybersecurity is complicated; there are many layers starting with people and devices up to the data itself. The data are the crown jewels. Yet few government agencies or corporations employ data-layer security. That’s in part because legacy protections were built further away–at the castle gates–at a time when the world wasn’t as data-focused as it is today.

The gap is partly because, until recently, data-layer protections just slowed things down.

But there are innovative data privacy and data encryption tools coming out of research institutes and startups that are faster and lighter. New automated data-layer security watches all activity touching data, spotting suspicious behavior when it starts. It shuts the activity down, preventing theft, if the activity does not fit normal patterns- even if the person accessing the data has the proper credentials and permissions. Constant auditing features immediately spot any change in the underlying data.

The CIA’s stolen tools were on computer systems that not only lacked data-level monitoring, but had no auditing function. That is one reason why they did not discover the theft until they were alerted by the media.

Zero trust originally emerged as a profound rethinking of security after Chinese attacks on U.S. companies a decade ago. There is little excuse for the stewards of our nation’s secrets to ignore it. Yet, in the wake of the CIA report, Sen. Ron Wyden (D-Ore.) sounded an ominous warning in a letter to the Director of National Intelligence: “The lax cybersecurity practices documented in the CIA’s WikiLeaks task force report do not appear limited to just one part of the intelligence community.”

COVID-19 has made the issue more critical by forcing an unprecedented migration away from offices. Never before in its short history has the internet handled so much traffic. Few virtual private networks were built to handle the kind of load now being placed upon them. The result is an explosion of new vulnerabilities that many organizations are not prepared to withstand.

But governments, and corporations, are notoriously slow to act. Until they adopt these solutions, their data and our data will continue to be vulnerable to criminals, both inside and out.

Manav Mital is computer scientist and cofounder of the cybersecurity firm Cyral Inc.