Major update to governmentwide cyber manual takes on WikiLeaks
NIST's compendium of data security standards tackles supply chain risks, cloud privacy and smartphone wiping.
Worried that an employee may be about to take your agency's digital crown jewels to the anti-secrecy website WikiLeaks? The draft edition of a biennial catalog of federal information security standards advises agencies on how to spot conduct that may signal an employee plans to spill sensitive information to the public.
The last time the National Institute of Standards and Technology updated Special Publication (SP) 800-53 in August 2009, no one had heard of Pfc. Bradley Manning, the soldier who allegedly divulged a mass of classified materials to WikiLeaks.
"When one of your employees starts to exhibit behaviors that may be abnormal, there needs to be some communication between the system administrators -- the people who control privileges for employees -- and the human resources offices," said NIST fellow Ron Ross, author of the draft cybersecurity bible released Tuesday evening. "If you have an employee who goes rogue, or goes bad, those privileges that they have been given on the system may need to be revoked." This 4th revision of the publication, which does not explicitly name WikiLeaks or Manning, is expected to be finalized in July.
The 375-page handbook is nearly 140 pages thicker than the 2009 version, with additions that include smartphone controls and procedures to prevent tampering throughout the manufacturing lifecycle.
But NIST is not trying to overregulate departments, Ross said. Instead, agencies are supposed to pick and choose from among the safeguards that best suit their missions. For instance, an air traffic controller doesn't need a locked screensaver to pop up on his computer when he is trying to route a flight in real time.
"The vast majority of the additional controls are optional," Ross said, comparing the catalog to a parts bin. "The worst thing that we can do is try to impose one-size-fits all controls on all of our federal agencies." The document was produced by leaders from the departments of Commerce and Defense, the Office of the Director of National Intelligence, and the Committee on National Security Systems, as well as private consultants.
The insider threat provisions state indicators of a potential turncoat can include "inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow colleagues, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, and/or practices."
NIST recommends training personnel on how to communicate concerns about disturbing behaviors they observe. Dealing with a malevolent employee should be a concerted effort among agency branches -- including technology, human resources, legal, personnel security and physical security offices.
"Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by non-technical behaviors in the workplace (e.g., ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues)," the handbook states.
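The two indicators the draft pairs here, out-of-role access attempts on the technical side and an HR flag on the personnel side, can be correlated mechanically. The script below is an added example, not text or code from NIST SP 800-53 or from this article; the log line format, the role-to-resource map, the user names and the HR watch list are all constructed for illustration. It flags every access attempt outside a user's job role (denied attempts count, since the indicator is the attempt, not the success) and, for users HR has also flagged, lists the out-of-scope resources they were actually granted, which is the set an administrator would revoke first.

```python
"""Flag out-of-role access attempts and correlate them with an HR watch list.

Added example; not from NIST SP 800-53 or the article. The log format, the
role map and the user names are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical "ts user action resource result" format.
SAMPLE_LOG = """\
2012-02-28T09:01:12Z jdoe READ /finance/payroll/2012-q1.xlsx ALLOW
2012-02-28T09:05:40Z jdoe READ /hr/personnel/clearances.csv DENY
2012-02-28T09:06:02Z jdoe READ /hr/personnel/clearances.csv DENY
2012-02-28T09:30:55Z asmith READ /eng/specs/radar-v3.pdf ALLOW
2012-02-28T10:12:07Z jdoe COPY /eng/specs/radar-v3.pdf ALLOW
2012-02-28T11:45:19Z asmith READ /hr/personnel/clearances.csv DENY
2012-02-28T12:00:00Z bwong READ /hr/personnel/clearances.csv ALLOW
"""

# Hypothetical job roles and the resource prefixes each role legitimately needs.
ROLE_SCOPE = {
    "finance-analyst": ("/finance/",),
    "engineer": ("/eng/",),
    "hr-specialist": ("/hr/",),
}
USER_ROLE = {"jdoe": "finance-analyst", "asmith": "engineer", "bwong": "hr-specialist"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (ALLOW|DENY)$")


def parse(log_text):
    """Yield (ts, user, action, resource, result) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def in_scope(user, resource):
    """True when the resource falls under the user's role; unknown users are out of scope."""
    role = USER_ROLE.get(user)
    return role is not None and resource.startswith(ROLE_SCOPE[role])


def out_of_scope_attempts(log_text):
    """Map user -> sorted, de-duplicated list of (resource, result) for accesses
    outside the user's role. A DENY still counts: the indicator is the attempt."""
    hits = defaultdict(list)
    for _ts, user, _action, resource, result in parse(log_text):
        if not in_scope(user, resource):
            hits[user].append((resource, result))
    return {u: sorted(set(v)) for u, v in hits.items()}


def privileges_to_revoke(log_text, hr_watchlist):
    """Correlate the technical indicator with the HR indicator.

    Returns, for each watch-listed user who also made out-of-scope attempts,
    the out-of-scope resources that were actually ALLOWED, i.e. the grants an
    administrator should revoke first. Watch-listed users with no out-of-scope
    activity are omitted so HR concerns alone do not drive a technical action."""
    hits = out_of_scope_attempts(log_text)
    result = {}
    for user in hr_watchlist:
        if user in hits:
            result[user] = sorted(r for r, res in hits[user] if res == "ALLOW")
    return result


if __name__ == "__main__":
    for user, attempts in out_of_scope_attempts(SAMPLE_LOG).items():
        print(user, attempts)
    print("revoke:", privileges_to_revoke(SAMPLE_LOG, ["jdoe", "bwong"]))
```

In practice the role map would come from the identity system and the watch list from HR under whatever legal and privacy review the agency requires; the point of keeping the two signals separate in code is that neither one alone triggers a revocation.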
About a year ago, NIST for the first time solicited suggestions from federal employees on topics that past editions had not covered.
Ross said he received many responses across the civilian, defense and intelligence communities. One topic flagged was advanced persistent threats, or stealthy, long-running intrusions in which an adversary keeps a foothold for months and moves through the network to reach specific information.
"The APT is probably one of the more troublesome areas because the adversary is not looking for a quick win," Ross said. "They are investing for the long run." To address APTs, the guidelines recommend an agency place parts of a system in separate physical locations, be it different racks in the same room or different buildings, so that malware which compromises one component cannot easily spread across the whole network.
"This makes it harder for the adversary to get in, and makes it harder for the adversary [to operate] once they get in," Ross said.
Other new items this year include directions to ensure business information on a smartphone can be remotely purged if the device falls into the wrong hands. Many controls address supply chain risks, such as "backdoor" software installed during production that can be used to sabotage system operations.
The book outlines measures government contractors should take to stop intentional or inadvertent tampering throughout the product pipeline: manufacturing, warehousing, shipping, and resale.
Vulnerabilities in "firmware," the low-level code stored in hardware, also are addressed. For example, computers should be designed to detect unauthorized changes to the Basic Input Output System, or BIOS, the firmware that initializes the hardware, starts the operating system and provides basic services for the keyboard, disk drives, and other peripheral devices.
Agencies need not halt acquisitions or system development to take advantage of the new standards. For instance, the General Services Administration recently picked certain protections from the 2009 edition to create a uniform security checklist for purchasing cloud services, dubbed FedRAMP. Ross said this week's release will not disrupt the certification program. "When revision 4 becomes final, FedRAMP will update their controls," he said. "Nothing stops because a new [revision] comes out."
NIST e-privacy protections drafted last summer have since been folded into this publication. Ross said the move made sense, partly because of cloud computing, or working with an offsite data center that shares hardware and software among multiple users through an online connection. "The privacy of citizens' information in the cloud is essential," he said.