Arlette Hart is the chief information security officer (CISO) at the Federal Bureau of Investigation. As CISO of the FBI, she has a unique perspective.
On the one hand, she is tasked with securing vast amounts of highly sensitive information. On the other, she has the inside track on the emerging cyber-threats, and some of the nation’s top law enforcement specialists are right there in her organization. When we asked her recently how the FBI approaches information security and privacy, she said the FBI faces the same challenges as every other organization. What is different is her very personal passion about preventing data breaches and identity theft, because as part of the FBI, she sees firsthand how victim’s lives are affected. She says, “When a criminal organization steals a million records, that makes the news, but when they steal an individual’s identity, it becomes personal. It affects lives. People feel violated in a way that you would never expect. That’s what we’re working to prevent.”
Just Do It
Hart says that the threats of personally identifiable information (PII) breach and identity theft are the same for the FBI as for any other organization: “You ask ‘What are the implications to the rest of the organization, and what are the implications to that person and their ability to do their job?’ The theft of PII puts everyone on edge. The individual wonders, ‘Can I trust the institutions that I have historically been able to trust to protect me?.’ A PII breach erodes trust in institutions and organizations significantly. That’s one of the reasons the Bureau at large is so dedicated to fighting this kind of cyber crime. At the FBI, we see a lot of risk of stolen PII being used to manipulate people. So, for example, when we assess risks, we look at the potential for stolen information to be used for spear phishing. But the risk of social engineering being used to gain access exists for other organizations as well.”
Hart also says there’s no secret sauce for securing PII. Her advice is simple: “Do the things you’ve known you needed to do for a while. Make sure you know where your critical assets are, make sure they’re patched, and make sure you know who’s accessing them.” She emphasizes that the biggest thing you can do is to make sure software security patches are installed and up to date. “You want a nice, clean environment—the best you can get. No, it won’t stop every attack, but it’s simple, inexpensive, and it will stop a lot of them, right out of the gate, so you can use your time and resources to fight other threats.”
When incidents do happen, Hart says to be prepared. “Work out your incident response plan: It’s the fire drill of corporations at this point. Know the answers to ‘What happens if?’ Know how to report and who to report to. And get to know your law enforcement who can help you.”
The Technology Challenge: Capability vs. Security
Hart says that new technology is one of the challenges that keeps her up at night. “My job is to enable the FBI’s mission, and new technology can be a major enabler of that mission. But to use that new technology securely, we need to look at it the way criminals are looking at it and anticipate the risks.” Hart says a lot of cutting edge technology—connected homes, cars, personal devices, and more—was designed initially without security in mind. Criminal organizations will be quick to exploit those vulnerabilities, so her team has to figure out how to quickly make the capabilities available while meeting the Bureau’s security requirements. “It’s the same challenge any business has with new technology. How can you use technology to drive innovation while still maintaining security? And it’s not just a business problem. Some of us remember when we first got electronic garage door openers. The signals weren’t all unique, and people suddenly realized that someone else could come along and open your garage door. Well, now we have technology creating the same kind of issue in every part of our lives. Someone else could turn on your refrigerator, open your doors, take control of your car . . . And it’s way more complicated now because the infrastructure is owned by someone else. Both businesses and individuals need to ask questions when they consider new technology: Who’s securing this? How is it being secured, and who has the liability if it’s compromised. Is their liability limited to refunding the cost of the device? If so, that’s a long way from compensating you for what you might lose in a data breach or a burglary. You absolutely want to use technology to support your mission, but approach it carefully and ask the right questions. As Ronald Reagan used to say, ‘Trust, but verify.’”
Managing the Insider Threat
Obviously, the FBI is thorough in screening staff before hiring, and the organization is security-minded at its core. But Hart says her organization still has to consider risks from people, as well as technology. When asked about how the FBI guards against insider threats, she laughs. “This is a new term, but it’s one of the oldest vices in the world. There have always been people with their hands in the till. That said, the nature of it has changed because of computer enablement: vast amounts of valuable information are accessible, so you can lose things at a much bigger scale. In the digital age, it can be harder to know where your till is.” She says a successful defense, again, goes back to those basics: identifying and managing critical assets and knowing who’s accessing them. The other critical piece is to teach staff how to spot and report potential problems. “It’s important to give people a way to report. I’m not a fan of anonymous reports because they can allow people to throw rocks. So be sure you have protections in place as far as procedures and protocols, both so people can feel safe in reporting and so reporting is used responsibly.”
Hart is also mindful of the other kind of insider threat: not the malicious actor, but loyal employees who can unwittingly compromise security. In particular, she says the whole issue of personal devices at work is challenging, especially in a technology-enabled organization. “To separate technology from people is to make an artificial separation. Technology is ubiquitous, and it is overrunning society because people can come up with cool stuff that invades your privacy and security and doesn’t have privacy and security built into it. The best way to solve the problem is through positive social reengineering: using the technology to reinforce good behavior. In other words, make it easy for people to do the right thing and hard for them to do the wrong thing. For example, if you’re worried about them accessing internal systems with personal devices, set it up so they can’t connect to the Internet via the internal network, but provide a guest network that they can use instead.”
“We’re All in This Together”
Hart says her security organization does have one advantage over some others. Because the FBI is on the frontlines of cyber crime, they know they are constantly under threat, whereas other organizations may not realize the risks they face. The bottom line: “If you have something of value, someone is after you.” But she also points out that knowing there’s a risk is not the same as knowing what to do about it. “These are problems that didn’t exist 10 years ago, and even 5 years ago, they were much smaller problems. What we need to do now, as industry and government, is to help people know what to do.” Her advice for both organizations and individuals is to be aware of the threats around you, don’t put information online without making sure there is some security in the infrastructure, and keep aggressive track of your accounts or your identity.”
But Hart also acknowledges that security incidents will happen, despite everyone’s best efforts, and when their identities are stolen or they are breached, they can sometimes be made to feel like the criminal. She wants people to know that the FBI is in their court. “We’re all in this together, and we’re all fighting the same fight. There are a lot of smart people working really hard, with good will and integrity, to make the environment safer and better. On behalf of our cyber crimes team, I want people to know that when they are victimized, we don’t treat them like the problem. We recognize that they are the victim, and we are here to help.”
Paul Norton is Director of Government Sales at ID Experts, which helps companies and consumers recover from data breaches and identity fraud.