January 06, 2012

Personnel Security: A Musical Journey, guided by Warren Zevon

(previously published elsewhere, now back home)

Warren Zevon: An Infosec Musical Journey

One analogy I learned early in my career is that Information security is a three-legged stool, consisting of Computer Security, Physical Security and Personnel Security.  Compromise one of these legs and the stool falls over.

In some cases involving access to highly sensitive information, personnel security involves plumbing the depths of people's personal histories, up to and including very intrusive interviews and polygraphs.  This part of information security is something that most practitioners and managers don't have to deal with, other than interfacing with HR or the personnel security office during the hiring process.

Where is the nexus between personal conduct and being trustworthy to protect sensitive information?  That depends, amongst other factors, on the level of sensitivity of the information and the type of organization granting access to the information.

Let's take a musical journey through personnel security and rediscover an old classic, Lawyers, Guns and Money, by Warren Zevon.

According to Zevon, he wrote the lyrics to Lawyers, Guns and Money on wet cocktail napkins, while on vacation in Kauai, "after a long day of improbable and grotesque mischief."

http://www.youtube.com/watch?v=S5puAN1PGQw (mostly safe for work, has one four letter word that starts with S).

Let's analyze what we can learn from Zevon's lyrics as practitioners of information security, assuming that the subject of the song has sensitive information in his head and is being targeted for exploitation:

I went home with the waitress, the way I always do
How was I to know she was with the Russians too?

This is a classic honeypot situation, where an adversary uses an attractive person to get the target into a compromising position, in quite the literal sense, after which the target may be coerced to betray his country or captured for interrogation, or just killed.

Honeypots are fixtures of spy movie plots, from the James Bond franchise to Munich to The Good Shepherd.

One real life case of 'she was with the Russians' is that of Clayton Lonetree, who was in a sensitive US embassy security position in Moscow... http://www.hanford.gov/c.cfm/oci/ci_spy.cfm?dossier=72

A more recent example, more on point to information security, is the case of the missing Blackberry belonging to the aide to the British Prime Minister during a visit to China.

More lyrics:

I was gambling in Havana
I took a little risk
Send lawyers, guns and money
Dad, get me outta this

This is another classic weakness that can result in becoming a more exploitable target, since gambling can become an addiction and result in grave financial hardship. Eventually someone with bad intentions may notice the weakness and may attempt to recruit the subject by using coercion or quid pro quo services demanded by people seeking cooperation from the target.  "We give you money to take care of the gambling debts, the loan sharks won't break your bones and hey, no big deal, it's just some information, not like it's gonna hurt anybody..."

Next, we hear Zevon's character denying responsibility for his situation, declaring himself a victim of circumstance and bad luck:

I'm the innocent bystander
and somehow I got stuck
between a rock and a hard place
and I'm down on my luck

This denial of responsibility displays a lack of maturity and ability to recognize and correct personal flaws, which we all have to some degree.  This is perhaps the worst offense committed by the subject of the song.

The US State Department website has a listing of the elements of the Whole Person concept that may be relevant to the adjudication of a background investigation for a security clearance.  (Note that different parts of the US Government have different security-related priorities and bureacratic mechanisms, so there is not one place for a federal clearance).


If you read through the webpage, you'll find that Zevon's lyrics included behavior that would fall under several areas of concern in the Adjudicative Guidelines for Determining Eligibility to Classified Information:

Guideline D on Sexual Behavior, referring to "sexual behavior that causes an individual to be vulnerable to coercion, exploitation, or duress" as one of the specific concerns in the guideline.

Guideline F on Financial Considerations (explicitly mentioning compulsive gambling), and

Guideline E on Personal Conduct, which includes lack of full and open cooperation with investigators who are charged with determining if the subject of the investigation is trustworthy enough to obtain and keep a clearance. Specifically,  "Refusal to provide full, frank and truthful answers to lawful questions of investigators, security officials, or other official representatives in connection with a personnel security or trustworthiness determination."

One good site for more specific examples of personnel security decisions is the Defense Office of Hearings and Appeals (DOHA), you can read about actual situations where people were denied clearances or lost them and appealed their cases to DOHA.  These cases illustrate the balancing act involved in deciding whether to grant or deny a clearance and the legal underpinnings of the clearance adjudication process.

Many years of actual cases, including the latest ones from December 2011:

The Adjudicative Desk Reference may be used as a guide by administrative judges and others in determining the outcome of personnel security matters.  http://www.dhra.mil/perserec/products.html#ADR   The reference was created by the Defense Department's Personnel Security Research Center (PERSEREC) as a tool to assist in making difficult decisions regarding suitability for cleared work.

Other products from PERSEREC may be of interest to those involved in HR, Insider Threat and Workplace Violence and other areas of research: Use with caution, this is not an exact science...  The first link includes a pointer to a 2011 "Ethnographic Analysis of Second Life."  http://www.dhra.mil/perserec/reports.html and  http://www.dhra.mil/perserec/products.html

No comments: