Taking Heed to NSA's Assumption on Security Breaches Is Sound First Step

News Analysis: Real security depends on a belief that somebody, somewhere, will get into your network. The real question is, what do you do about it?

When Deborah Plunkett, the head of the National Security Agency's Information Assurance Directorate, said at a security conference that systems must be built with the assumption that adversaries will get in, her statement wasn't exactly a revelation. True security is multilayered, and it's designed from the top down to assume that there will be breaches. The goal is to minimize those breaches and to figure out who is doing them and where they're coming from.

A failure to compartmentalize highly sensitive information led directly to the current WikiLeaks scandal that has embarrassed the U.S. State Department and the U.S. Army. PFC Bradley Manning was able to gain access to the sensitive State Department messages because the entire secure messaging system was open to anyone who could gain physical access to the secure network. No attempt was made to limit access by individuals to what they actually needed to do their jobs. It was just an open bucket of secrets waiting to be harvested.

Now, I'm pretty sure that the NSA doesn't have any Bradley Mannings around waiting to copy some more secrets onto their Lady Gaga CD. But the point that Ms. Plunkett was making is that you have to be prepared for the eventuality that there could be someone that has been given access to a secure system that should not have such access.

Even in a system with intrusion prevention and good security monitoring, it's unlikely that Manning would have been detected while he copied those messages. He was, after all, an authorized user. And the military and the State Department were trying an information sharing process that was designed to allow access to important information without requiring that there be a formal request process-something that could take weeks, given the normal speed of the federal government.

In the case of the information sharing effort, the biggest mistake the State Department made was in allowing anyone with the proper security clearance to have access to the information. But this is likely one of the problems that Plunkett was referring to when she said that you have to assume that your security will be breached. Once you assume that this is the case, you have to design your security so that just because you've breached the network, that doesn't mean you're achieved access to anything except one set of limited data.

To make this work, you have to compartmentalize your network security system. Each user who requests access to a particular section of a secure system must be cleared for that specific system. In the case of PFC Manning, there was no rational reason for him to have access to messages regarding Russia, for example. He was at a forward operating base in Iraq.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...