Security breaches highlight human role in infosec

Federal security regulations designed to protect secret information are generally good, but two recent security breaches highlight the problem of government workers placing sensitive data onto unsecured computers.

Government officials say the two notorious cases in which government officials downloaded classified information into nonsecure computers expose a human problem, not a technological one.

The most recent case involved former CIA director John Deutch, who the CIA says in 1996 put highly sensitive national security secrets onto a home computer that had an unsecured connection to the Internet. While there is no indication that Deutch's computer was hacked by outsiders, there is no way to tell for sure that it wasn't, the CIA said.

Deutch is known to have taken classified information home so he could work on it there, but has not been accused of breaking any laws.

The other case involves Energy Department scientist Wen Ho Lee, who is accused of placing nuclear weapons secrets on unsecured computers and storage tapes. Government prosecutors say Lee may have passed the secrets to China.

But both cases raise the question of what constitutes adequate security in the Information Age, said Daniel Goure, a senior defense analyst at the Center for Strategic and International Studies. "What do you do to secure this kind of stuff? Put tattletales on everyone's computers?"

CIA spokeswoman Anya Guilsher said the rules are clear regarding information and computer systems. All classified and sensitive information and equipment used to process that information is to be used, stored and transported and — when necessary — destroyed in a secure manner to protect it from unauthorized access, disclosure, destruction or theft.

Information that leaves CIA headquarters outside Washington, D.C., must be transported in a secure manner according to established mechanisms, Guilsher said.

Senior agency officials are allowed to take classified information home to work on it, but they are supposed to take security measures, including keeping the information in a safe, using computer hard drives that lock, and not connecting computers with classified information to any unclassified network.

Computer security also is a concern at the Defense Department, which issues more security clearances than any other agency. Clearances are issued to tens of thousands of military personnel, civilian employees and contractors.

"We feel we have a pretty good process," said Susan Hanson, a Pentagon spokeswoman. "But we're always looking for ways to improve it."

About a year ago, DOD began requiring personnel who received security clearances to take an oath pledging to protect sensitive information. And the agency provides training to make sure everyone knows that procedure, Hanson said.

"The rules are adequate," said a former high-level official from the Social Security Administration. The problem, at least in the Deutch case, seems to have been a lack of compliance. "I would like to think that if there weren't laws against it — and there are plenty — that someone that high up would exercise better judgment."

It's a matter of "sheer irresponsibility," said Goure, who has had government security clearances for years. "Everybody understands that basic computer security means you do not download sensitive stuff onto a nonsecure computer."

It would be possible for the CIA and other agencies to do more intensive monitoring of employees' computers, Goure said, "But there's no way to screen out gross negligence."