A few weeks after the discovery of the Sunburst data breach the BBC interviewed Brian Lord, the former deputy director of cyber-operations at the UK intelligence agency GCHQ. Mr. Lord agreed that the cyber-attack that compromised multiple US Federal agencies, including the Departments of Treasury, State, Homeland Security, and Energy, was a devastating loss of government information. However, he said, “I think it is fair to say that the additional layers of security around top secret and highly classified [records] will be protected by internal controls, so direct access to those is unlikely.”
What internal access controls was Mr. Lord referring to? Who is responsible for those access controls? And, most importantly, what would happen to sensitive and classified Federal records if those access controls were never actually implemented?
When it comes to information lifecycle management – the work records managers have performed for thousands of years – ‘security’ and ‘access’ are two very different things.
Not long ago, in the days when recorded information was almost exclusively preserved on paper, security was the fence, razor wire, video cameras, and barred windows surrounding the company records center; access was the corporate records manager verifying that a person who wanted to view a company record had permission to do so.
Electronically stored information is no different. A typical corporate IT department deploys a long list of hardware and software security solutions for its networks: firewalls, anti-virus protection, whitelisting, blacklisting, network segmentation, encryption tools. The list is virtually endless.
But, as recent news has shown again and again, no combination of these security solutions has proven able to prevent determined and well-funded bad actors from gaining entry to some of the world’s most secure networks. This is where the access controls that an organization’s records managers are responsible for play a critical role in mitigating the damage done by a data breach.
For the last two and a half decades, virtually all ‘records management applications’ sold to US Federal agencies have been modeled on (and certified against) the DoD 5015.2 Electronic Records Management Software Applications Design Criteria Standard. In fact, DoD 5015.2-certified solutions are the only applications specifically mentioned in the Federal regulation describing appropriate recordkeeping systems for agency electronic records, 36 CFR § 1236.20.
Here is how the DoD 5015.2 Standard defines ‘access control’:
The Standard has numerous requirements for implementing access controls in a certified records repository. As an example, here is an access control matrix used by the Defense Information Systems Agency in DoD 5015.2 baseline certification testing:
Notice these test users are assigned three levels of access control: a ‘Clearance Level’, a custom metadata-based level (in this example, based on a user-defined field called “Project Name”), and a ‘Supplemental Markings’ level. All three of these different forms of access control are required for baseline certification.
In a DoD 5015.2-certified solution, a records manager can apply these controls in any combination to single records, record sets, folders, and subfolders throughout the repository’s file plan. And if a bad actor breaches the organization’s information security system, these controls will prevent them from gaining access to any information in the repository. These are the “internal controls” Mr. Lord was referring to when he was asked about the Sunburst data breach.
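As an added illustration (not code from the original post, nor from the DoD standard or any certified product), here is a small model of how the three levels of access control described above combine into a single per-record decision. The clearance ordering, the rule that a user must hold every supplemental marking applied to a record, and the sample users and records are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed clearance ordering for this example (low to high).
CLEARANCE_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Record:
    title: str
    classification: str               # the record's 'Clearance Level'
    project_name: str                 # user-defined field 'Project Name'
    supplemental_markings: frozenset  # e.g. frozenset({"NOFORN"})

@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    projects: frozenset               # project names the user is assigned to
    supplemental_markings: frozenset  # markings the user has been granted

def access_decision(user: User, record: Record):
    """Return (allowed, failed_checks); all three checks must pass.
    Assumed rule: clearance at least the record's level, membership in the
    record's project, and every supplemental marking on the record held."""
    failed = []
    if CLEARANCE_RANK[user.clearance] < CLEARANCE_RANK[record.classification]:
        failed.append("clearance")
    if record.project_name not in user.projects:
        failed.append("project")
    missing = record.supplemental_markings - user.supplemental_markings
    if missing:
        failed.append("markings:" + ",".join(sorted(missing)))
    return (not failed, failed)

def visible_records(user: User, records):
    """Titles the user may view; the rest stay hidden even from someone who
    has already crossed the network perimeter."""
    return [r.title for r in records if access_decision(user, r)[0]]

# Constructed sample data, not taken from the DISA test matrix.
RECORDS = [
    Record("Alpha design notes", "SECRET", "Project Alpha", frozenset({"NOFORN"})),
    Record("Beta budget", "TOP SECRET", "Project Beta", frozenset()),
    Record("Alpha public brief", "UNCLASSIFIED", "Project Alpha", frozenset()),
]
ALICE = User("Alice", "SECRET", frozenset({"Project Alpha"}), frozenset({"NOFORN"}))
BOB = User("Bob", "TOP SECRET", frozenset({"Project Beta"}), frozenset())
if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user.name, "->", visible_records(user, RECORDS))
```

Note that Bob's higher clearance alone grants him nothing on Project Alpha: each check is independent, which is what lets a records manager limit what a stolen network account can reach.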
But what if no Federal agency (including NARA!) ever actually implemented a DoD 5015.2-certified solution in a production environment, as detailed in this February 2020 article in the Epoch Times?
Tragically, it would mean none of these critical access controls were ever applied to any of the agency’s recorded information, and anyone who circumvented the agency’s network security system was free to wander around the agency’s records sources stealing, modifying, or destroying information at will.
It would also mean the 2015 OPM data breach, the Sunburst cyber-crimes, and now the thefts of Microsoft Exchange email records by state-sponsored Chinese hackers are exponentially more destructive than anyone in the tech industry or the government is willing to admit.
The enemies of records management want you to believe that ‘security’ and ‘access’ are the same thing because they want unrestricted control of the world’s most valuable commodity: information. Until the access controls that are the responsibility of an organization’s records management program are consistently applied to records across the enterprise, the world’s most critically important information is at a terrifying level of vulnerability and these devastating data breaches will continue unabated.
Next up, The Four Lies Destroying Records Management – Lie #4: Records vs Non-Records