Vault 7 leak highlights insider threat

Questions continue to swirl in the wake of the WikiLeaks "Vault 7" release of alleged CIA hacking and surveillance program information, not the least of which is: who gave WikiLeaks the classified data?

According to WikiLeaks, a former government hacker or contractor -- an insider, as opposed to a nation state or an outside hacking group -- provided the trove of documents.

That's of particular concern to one former intelligence official who told FCW that insider threats are still the biggest cybersecurity danger to both the government and the private sector.

Curt Dukes, former head of the National Security Agency's former Information Assurance Directorate, said that ever since Chelsea Manning provided hundreds of thousands of classified and sensitive documents to WikiLeaks in 2010, the government has not done enough to minimize the insider threat.

Dukes, currently executive vice president at the Center for Internet Security, said despite the difficulty of finding a balance between trusting and monitoring or restricting those who work with classified data, there are concrete steps that government can take to reduce insider threats.

"One area where there ought to be more effort is digital watermarking," he said. According to Dukes, the technology imprints digital documents with watermark code that shows who accessed them and when, which would allow officials to track the documents  and ultimately discourage leaks.

Dukes also said that agencies can better empower the workforce to report suspicious behavior by coworkers.

In addition, organizations can do a better job of configuring network access to ensure that users only have access to what they are required to and that other data is out of reach, he said.

"Anytime there's a security incident, the good news is the private sector will rush in with solutions," he said, in reference to behavior-based detection systems that can monitor users for atypical activity on a network.

Technology is maturing, he said, and "behavior-based detection is step in the right direction," but it's not a panacea.

"What you may find is that you end up with false positives," which then have to be investigated, and there is a potential for security staff to get numb to those alerts.

"If nothing else, based off of this most recent revelation, the new administration should look at how effective our insider-threat policy is and whether it needs revision in the wake of this incident," he said.

The White House did not respond to questions about whether the cyber executive order that was to be released more than a month ago is being revised in light of the Vault 7 revelations. Dukes did say that policies in leaked drafts of the order that emphasize making agency heads accountable for cybersecurity should drive efforts to combat insider threats.

Beyond the insider threat question of the WikiLeaks release, Dukes said that Vault 7 also raises concerns about the security of the "internet of things" and cyber hygiene in general.

Many of the surveillance tools and tactics in the Vault 7 release -- infecting phones and TVs to turn them into monitoring devices -- have been around for years, and hackers and other nation states have long had such capabilities, he said.

"From basic telephones on the desk to [voice over internet protocol phones] to mobile phones … we've always seen this as a threat vector," he said, adding that the WikiLeaks release "is another wake up call for the IT sector," to ensure it is building better security into modern devices.

That's all the more reason, he argued, that IT staffs  must practice better cyber hygiene -- patching and updating systems and software in particular -- especially as they acquire more and more connected devices.

"If you're not at the most current patch level, then you're just inviting people to exploit you," he said. "To me this is the new normal that we all have to work through."