The False Security of Classified Data



The Joint Chiefs of Staff is investigating a hack of their unclassified email server. Is that better than a hack of their classified email? Don’t be so sure.

We all know that, in the geography of data loss, e-mail is the Amazon River. Email communications in and out of a company are the conduit through which so much sensitive information flows between company employees, business partners, law firms and customers. Inevitably, some of the data that sails out of an organization in the body of an e-mail message should have stayed put.

Coming in the other direction, e-mail is one of the main channels through which sophisticated attacks flow, in the form of malicious email attachments (still a big problem) and sophisticated spear phishing attacks that can result in the placement of malware on high value endpoints and the compromise of valuable accounts.

It is with those sobering thoughts that we consider the latest news from Washington D.C., where a spokesperson for The Joint Chiefs of Staff disclosed that The Pentagon has shut down their unclassified e-mail server over concerns that it has been hacked.

In a statement to reporter Eric Chabrow of the news web site GovInfoSecurity.com on July 29, Pentagon spokesperson Army Lt. Col. Valerie Henderson said that the Joint Chiefs of Staff’s unclassified network was down for all users.

"We continue to identify and mitigate cyber security risks across our networks," Henderson says. "With those goals in mind, we have taken the Joint Staff network down and continue to investigate."

That’s worrying news, especially given the recent, bombshell revelations about breaches at the Office of Personnel Management (OPM) and private sector data troves managed by everyone from Anthem Healthcare to (reportedly) United Airlines. It suggests that the wholesale and frontal attack on the U.S. government, military and – indeed – ordinary Americans continues unabated.

As this article in The Washington Post notes, the accumulation of data is the common thread that ties together a long string of attacks on data-rich organizations in the healthcare and public sectors. While the ultimate objective of these forays is unclear, one theory is that foreign nations are building a comprehensive database of Americans’ personal information: from their health data to addresses and bank account information, to their travels and (in the case of OPM) possibly even sensitive data on financial and marital troubles, substance abuse problems and so on.

The goal there would be clear: using the same data analytics tools that retailers use to figure out that you’ve moved, are concerned about your weight or are pregnant, interested parties in China, Russia or elsewhere could tease out who is doing sensitive work for the government or who might be a fruitful target for espionage or to be recruited as a spy.

As for that bit in the story about the email network being “unclassified”? My advice would be not to put too much faith in that. For one thing, attackers who have a wealth of data on the users of classified networks need not show their hand by conducting frontal assaults on those networks. Instead, they can bide their time: waiting and watching for their victims to access data from that network individually and then siphoning that data off for their own purposes. With enough time (and access), such an operation would yield a trove of classified data and – even more important – the classified data that is of interest to U.S. government operatives here and now.

Second, as the imbroglio over former Secretary of State Hillary Clinton shows, classified data often finds its way onto unclassified networks anyway. As reported by the Wall Street Journal last week, then-Secretary Clinton sent at least four emails containing classified information from a private e-mail account run from a server she herself managed. The simple truth is that the government’s current system of data classification – which stretches back to before the Second World War – is badly out of step with the world in which we live. Reports going back more than two decades have highlighted the problem of overclassification of government data, which is often used to shield information from Freedom of Information Act (FOIA) requests, rather than to protect truly sensitive information that is vital to national security.

As a practical matter, overclassification makes the work of government sclerotic and the operation of government opaque. In the current threat environment, the government’s classification of data also offers a false sense of security: it creates the impression that such data is walled off from prying eyes by bureaucratic, physical and logical impediments, whereas evidence disclosed in reports of recent hacks suggests otherwise.

What’s to be done? Data classification is as relevant a notion today as it was sixty years ago – maybe even more so. But a modern era and an information-driven economy demand a new approach to data classification that goes beyond rubber stamps and ham-fisted sorting of documents into “Top Secret,” “Secret,” “Classified” and so on. Data classification needs to be granular – with policies set at the level of individual pieces of data, rather than at the document or container level. And as much as possible, classification of data should be automated and follow that data wherever it goes.

Alas, we’re a long way from that. And, as long as the U.S. government holds to old ways of doing things, it’s likely that none of its data – classified or unclassified – will stay safe for long.

Paul F. Roberts is the Editor in Chief of The Security Ledger.
