His request seemed straightforward. He wanted the secretary to arrange meetings with ‘high profile people at NSA who can tell me about NSA’s computer infrastructure.’ It is good that this secretary turned him down, if only on the general suspicion that, even though he was one of the most senior officials of the FBI, Robert Hanssen’s need to know seemed vague. Hanssen was discovered to be the most damaging spy in FBI history. In fact, one of his last deliveries to the Russians was a thousand-page trove of documents from the FBI’s automated case support system. He betrayed everything he could access.
Hanssen’s 22-year espionage career for his Soviet, later Russian, intelligence masters is notorious. The assessment of the damage he caused continues to this day. His commentary after his arrest is a warning for clearance holders. Regarding this huge breach of the case system, he said, “Any clerk in the bureau could come up with stuff on that system. What I did is criminal, but it’s criminal negligence…what they’ve done on that system.”
Damage is High When Employees Understand Vulnerable Systems
Our federal government is instituting new computer security certifications for its systems. This will apply across all government contracts. It is because of people like Hanssen, whose true ability was an early awareness of the vulnerability of computers, that such common security measures will be implemented. Companies need to have well-trained and certified computer specialists who can understand what it means to block, air-gap, and compartment information. Sharing of data is always problematic, because need to know must always be a factor.
In May of 2021, an Executive Order was issued to try to limit even further the threats to our computer systems. In fact, several measures were implemented immediately. For example, it was recognized that several Federal investigative agencies were blocked from sharing investigative data about security breaches. “Removing these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of…