Noted correspondent and author Bill Gertz has recently written two articles which appeared in the November 5 and 17 (2005) issues of the Washington Times. The columns describe a Chinese spy ring operating in the Los Angeles area.
Gertz wrote that “… four persons arrested in Los Angeles are part of a Chinese intelligence-gathering ring, federal investigators said, and the suspects caused serious compromises for 15 years to major U.S. weapons systems, including submarines and warships. U.S. intelligence and security officials said the case remains under investigation but that it could prove to be among the most damaging spy cases since the 1985 one of John A. Walker Jr., who passed Navy communication codes to Moscow for 22 years.” Gertz further stated, quoting an official: “The Chinese now know more about our military than we know about their entire country.”
One of these spies worked for a government contractor where he had access to over 200 defense contracts. Holding a secret clearance while employed by this contractor, the spy was able to obtain sensitive electronic documents at will over a long period of time. As Gertz’s reporting makes clear, the damage done to the United States is incalculable.
What is even more astounding is that this type of loss is entirely preventable. Furthermore, there are undoubtedly other spy rings operating with impunity right now on behalf of those countries or groups who would do harm to our economies, our military assets, and our way of life.
Why was the Walker ring operating for 22 years before being detected? Why has this Chinese spy ring been able to obtain a significant body of highly sensitive data and successfully pass it on to the Chinese government for 15 years? In both these cases, our national security was significantly compromised, and research, development and deployment of high technology for use in warfare has, in some cases, been made ineffective. In addition to the obvious increase in America’s defense vulnerability, the American taxpayer has taken it on the chin … again.
I have written about data security and information assurance for some time now. I have also noted that there is a need for a far more robust data security model than the one that exists today and that the United States Government considers secure. The existing model is fraught with vulnerabilities. The greatest one is that there exists (still) a long-held notion that as long as one gathers trusted individuals “inside” a trusted network, the necessary protection exists. This notion is seriously flawed.
There is no magic here. There should be a single objective: protect the data at all costs. Be able to assure each and every sensitive data element and be able to log every usage of it -- every usage of it. Data assurance requires will and determination, and it requires a far more aggressive and modern form of thinking about data protection.
Today, much of our government’s classified data is simply compartmentalized by level of security. This practice has been around for more years than most would admit. We have a notion that if we were ever to combine secret data with top secret, our nation’s security would somehow be compromised. We are trapped in our traditional way of thinking that the solution lies in compartmentalizing by functional groupings, which effectively makes it more difficult to operate logically, rather than the alternative of assuring that all sensitive data be encoded to such a degree that we exercise highly specific control over the information.
Without transactional data logging in place, spies can continue to operate with impunity, as there is no method for applying repeat-access or other access-pattern recognition, or for comparing data access with policy or need. We must quickly adapt if we are to protect ourselves from those who wish to do us harm, for it is the predictable nature of our data practices that has made us vulnerable to incidents such as those that Gertz has reported.
Information assurance has come of age. Complete logging of all data usage, and of all conditions pertaining thereto, has also come of age. Networks and appliance devices do not adequately protect our government, nor will they fully protect any organization. Unless we re-systemize the manner in which data is stored, used, rendered, accounted for, grouped, and kept in compliance with policy, in conjunction with a comprehensive risk assurance model which addresses vulnerability, accountability and productivity, we are bound to repeat our mistakes.
A well-designed and implemented multi-level security and data assurance software system will inquire against every user, every data item, every usage, and every collaborative event, every time. Most importantly, every transaction can be permanently logged for audit. The time has arrived for the implementation of such advanced capabilities throughout our commercial, military, government, industrial and economic data infrastructures. The cost of not doing so remains incalculable.
About the Author
Ronald I. Koenig is the president and Chief Executive Officer of VIACK Corp. He has more than 40 years of software design, development, sales and senior management expertise.