Why Classifying Data Is a Security Issue
By Carl Herberger, VP of Security Services, CyberSheath
Most of the rhetoric we hear in cyber defense boils down to protecting data. It’s such a familiar concept that we often forget why it’s so important.
We’ve become accustomed to defining data breaches by risk or fallout. In the case of Cash App’s recent transgression, the company claims no user’s personal data was leaked. On the other side of the spectrum, a Russian delivery service was hacked and reportedly revealed the names, contact information, and dining habits of Russia’s secret police.
We’re left to wonder how this could have happened in an era when we have laws that require compliance for protecting data, like Cybersecurity Maturity Model Certification (CMMC) for Department of Defense (DoD) contractors. Why aren’t more companies auditing their records to determine how to classify, control, and protect their data?
Let’s take a look back at how we arrived at the current state of data classification, why it’s important, and what it means for security.
A dozen years in the making
The most impactful legislation on data classification came via executive order in 2010 when President Obama created the program for controlled unclassified information (CUI). The intent was to organize sensitive information protected by federal law. Until the executive order, a litany of agencies all handled it differently, with varying terminology.
The executive order directed the National Archives and Records Administration to own the CUI program. Creating CUI was both ahead of its time and the key to a successful data security platform. Recent headlines show the consequences when institutions don’t follow through on those efforts.
CUI has become the federal standard, but not all sectors find compliance to be so substantial. While CUI is mandated for agencies like NASA, DARPA, and DHS, most of the conversation revolves around the DoD because it adopted CMMC in November 2020.
Some DoD data is grouped as you might expect, with labels like critical infrastructure, defense, intelligence, and nuclear. The scope of CUI is much broader and involves a registry that’s organized by categories that aren’t synonymous with the military, like finance, legal, and statistical information.
All of this is under the microscope with CMMC 2.0, the updated model that the DoD announced in November 2021, which is expected to become law within the next two years. Non-compliance can have some legal consequences, but there are other reasons to make data classification a priority.
Why data classification is important
Beneath the surface, we label nearly everything. Consider social media, where metadata classifies everything from where something was posted to the accounts tagged, titles, or images.
That metadata becomes the currency that fuels the commerce of social media. It could be used for good, like tracking disease patterns, or as a vector for nefarious attacks like the Mailchimp breach that targeted cryptocurrency customers.
Just like gold is highly valuable and thus requires security, or someone’s home is highly valuable and thus requires security, data is both highly valuable and requires security. CUI was instituted to define the sensitive information that has been protected by federal law, and certain regulations, like CMMC, require safeguards to meet compliance.
Similar to Obama’s executive order, the DoD appears to be setting the table for what’s to come. The Department of Homeland Security has been monitoring the CMMC program as it evaluates the cyber hygiene of its own contractors and likely won’t be the last federal agency to explore a similar framework.
Some companies have seen the writing on the wall. They know that compliance is likely coming for them too, and they figure it’s best to get ahead of the curve since the attack landscape is only looking more dangerous.
Tying data classification to security
There are plenty of examples of government initiatives that don’t stick. The public tends not to forget them or let government entities forget them. In the case of Executive Order 13556, creating the CUI program was a worthy effort to harmonize scattershot terminology of data classification.
This proved to be more than just an exercise in simplifying an inefficient, ad hoc process. Requiring safeguards for sensitive information is table stakes for any business these days and, particularly for the federal government, a matter of national security. Nation-states and hackers are always targeting data. Sometimes the data itself is the commodity, and other times it’s just a breadcrumb that leads to another asset like a bank account or crypto wallet. Whatever the motive, it’s clear to see why data needs to be secured and why classifying it correctly may change what those safeguards look like.