Original posting: http://www.usni.org/magazines/proceedings/2012-11/comment-discussion
November 7, 2012

Paul A. Strassmann (Professor, George Mason University and former Director of Defense Information, Office of the Secretary of Defense) offered the following comments on an article in the October 2012 USNI Proceedings (pp. 22-26):

The article has overlooked that the opening of a next war may occur after an enemy has accumulated intelligence about our cyber defenses from insiders. Insiders are people with access to classified knowledge. They include Navy personnel, contractors, auditors, manufacturers or coalition staffs. Even though the Navy restricts access to secure information, there will always be insiders who acquire classified information and transmit it to our adversaries.

There is no question that the Navy must maintain information dominance through battlefield awareness, secure C2, unified combat information, integration of kinetic actions and through the deployment of a superior information workforce. However, to our enemies the most valuable source of secrets will come from insiders. Our adversaries will patiently collect classified data for years and then piece together what they discover. The technology for fusing purloined bits of data into a coherent picture is already in place.

A cadre of computer experts is available globally for collecting data on cyber targets. Such efforts are compartmentalized. Disclosure of who is collecting data is disguised. Cyber spying is the most cost-effective way of gaining an understanding of how defenses are organized. It is also the least risky and the most deniable method for preparing an attack.

Insider breaches can never be prevented. Therefore the Navy must re-examine its approach to systems design. It must place the protection against insider compromises in its requirements. The objective of insider-proof protection should be a rapid interception of unauthorized leaks. An emphasis should be placed on the organization of counter-intelligence before putting into place defense software.

A system design that protects against insiders is radically different from what is the prevailing approach that depends on intrusion detection hardware and software. All personnel in sensitive posts will have to be tagged with their current identification of missions and responsibilities. Outbound communications will have to be screened according to an individual's roles and not according to their security clearance. The patterns of outgoing communications, which include tracking of removable media and printing, will be kept for years because suspected exfiltration calls for correlations of traffic. Diverse messages, such as mobile communications as well as personal messages, must be segregated into controlled enclaves. All documents will have to be filed on private clouds, with exceptions allowed only for unique cases.

We must remember that insider breaches must be caught by intelligence personnel and not by computers. Computers can check only for procedural compliance. Intelligence analysts may depend on computers for discovering atypical events or outliers that signal potential malfeasance, but not for the discovery of a well-protected spy.

We must extend our thinking about cyberspace from viewing it as an extension of the doctrines of warfare. We must recognize it as a new form of intelligence that screens thousands of outgoing messages per day.

Response, November 8, 2012

Mr. Strassmann, I do not have a single argument for your comments, as software and human experts trained to look for the insider threat must be part of the IT protection solution set. However, if the network can be picked apart at ease by an adversary, why would they even be concerned about the use of insiders?

We have to make access MUCH more difficult for those trying to get the information with architecture changes, monitoring tools and people trained to use the architecture and tools to their full capability — then, we have a chance of catching those insiders as we develop means to force the outside AND inside threats to give themselves away.

Thanks for the comments — we always desire and respect your opinions!