Insider Threats Part I: Background and Organizations Working to Counter Insider Threats
Yet, the seriousness of Insider Threats motivates the ongoing efforts to implement systems and processes to inhibit their effects. As the first in a three-part series on Insider Threats, this blog seeks to address the following:
Part (1) What are the key organizations working on the Insider Threat problem (the post below, followed by the next two parts).
Part (2) current and recommended strategies to countering Insider Threats, and
Part (3) potential future strategies to counter Insider Threats.
Defining an Insider Threat
The National Insider Threat Policy defines an “Insider Threat” as a person or persons that threaten U.S. national security by misusing or betraying, wittingly or unwittingly, their authorized access to any U.S. Government resource. The policy states that Insider Threats include those seeking to do “damage through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of department resources or capabilities.” The definition of an Insider Threat includes violent actors, exemplified by the 2013 Navy Yard Shooter, or a non-violent actor like Chelsea Manning. This policy defines the general responsibilities of Departments and Agencies and “leverages existing federal laws, statues, authorities, policies, programs, systems, architectures and resources” to counter the Insider Threat.
An internet search of the term “Insider Threat” yields a plethora of articles and research on the topic. Though the term is commonly used in association with government organizations, commercial entities are in no way exempt from the threat. In their 2015 report titled Grand Theft Data, the computer security company McAfee reported that 43% of all serious data breaches resulted from internal actors at the 1,155 companies interviewed. For this reason, the commercial sector has great interest in developing systems and technologies to protect their proprietary information and facilities from Insider Threats, as well.
Three Key Organizations Working on the Insider Threat Problem
Most Federal agencies have implemented Insider Threat programs as part of their security plans in response to the recent spate of Insider Threat attacks. However, three organizations are key to achieving the goal of detecting and preventing Insider Threat attacks: The National Insider Threat Task Force, the National Background Investigative Bureau, and the Department of Defense Insider Threat Management and Analysis Center.
National Insider Threat Task Force (NITTF): Within the Federal agencies, Executive Order 13587 directs the efforts to eliminate Insider Threats. Pursuant to the order, the NITTF—jointly led by the Attorney General and the Director of National Intelligence—was established in 2011 to help executive branch agencies develop insider threat detection and prevention programs that deter, detect, and mitigate actions by employees who may represent a treat to national security. Adopting a risk management framework, the NITTF must (NITTF Mission Fact Sheet):
- Account for an agency’s distinct needs, missions, and systems while developing the policies, objectives, and priorities used to establish and integrate security, counterintelligence, user audits and monitoring, and other safeguarding capabilities within the agencies;
- Develop standards to monitor user activity on U.S. Government networks, including triggers for alerting organizations to anomalous user behavior;
- And, set the standards for the continuous evaluation of personnel security information that can be used to compliment anomalous user behavior for identifying Insider Threats.
National Background Investigative Bureau (NBIB): Self-described as “the first line of defense against Insider Threats,” the creation of the NBIB represents the government’s most recent effort to improve its personnel security and subsequently decrease the threats from insiders. As the government agency charged with conducting background investigations for 95% of the Federal agencies, the NBIB currently executes the continuous evaluation piece of background investigations on behalf of non-Defense agencies and departments. The NBIB supports the continuous evaluation of participating agencies’ employees by providing updated criminal history and credit checks on enrolled employees back to the agencies, who then use the information to identify risky individuals. Currently, agencies are required to enroll only 5% of their cleared workforce into the continuous evaluation program. While the current process is implemented manually, the NBIB is partnering with Defense to build the IT systems and infrastructure to facilitate the automated collection and assessment of this information using big data analysis techniques. In a previous blog, Dan Chenok, executive director of the IBM Center who has been a chair and member of numerous cyber advisory boards and commissions for government, provided a high-level summary of how some commercial best practices could be adopted by the NBIB to improve the security clearance and continuous evaluation processes.
Department of Defense Insider Threat Management and Analysis Center (DITMAC): Defense established its own Insider Threat organization, DITMAC, specifically in response to the 2013 Navy Yard shooting. DITMAC is charged with overseeing the mitigation of all types of Insider Threats to DoD, including both violent and non-violent threats. Per DITMAC’s deputy chief of implementation, the organization’s aim is to use advances in big data analysis to predict all types of Insider Threats, rather than react to them. Reinforcing DITMAC’s effort, in May 2017 the Office of the Undersecretary of Defense commissioned the “Defense Science Board Task Force on Strengthening Counterintelligence Capabilities against the Insider Threat” (see the Task Force’s Terms of Reference). Among other things, the task force is specifically tasked to explore two lines of inquiry related to the unauthorized disclosure of national security information:
- Enhance the ability of counterintelligence organizations to identify, track, and locate Insider Threats through the application of advanced science and technology (e.g. artificial intelligence), enabling the U.S. government to take appropriate measures to protect sensitive data and prevent its loss or compromise, or failing that, to provide insights into “insider” behavior that produced the loss of data to assure an evidentiary base for effective enforcement measures against such insiders.
- Make it more difficult for insiders to steal or divert U.S. government data to unauthorized users. Specifically, employ modern technology to make the theft of sensitive data more difficult and to facilitate detection and tracking of its onward distribution.
Each of these three key organizations charged with eliminating Insider Threats has engaged on a path towards improved security. Specifically, each of the organizations discussed above identified the need to use advanced IT systems and analytic techniques to automatically detect potential Insider Threats.
The next blog in this series will discuss strategies for detecting and preventing Insider Threats, both those currently employed and recommendations for a “whole-person” risk-based methodology.
Disclaimer: The ideas and opinions presented in this paper are those of the author and do not represent an official statement by the U.S. Department of Defense, U.S. Army, or other government entity.