(Colin Kelly / Staff)
Nearly a year after President Obama ordered agencies to install programs to thwart insider threats, some still have not done so.
Some departments are still hashing out how their programs will operate under the national policy, how they will meet minimum program standards and how to coordinate with privacy and legal officials on issues like records retention and employee privacy, according to officials familiar with the effort.
“That’s hard, [because] it’s sort of specialized to each department and agency, their mission history, culture and how they work,” Dennis Keith, co-director of the National Insider Threat Task Force, said in an interview.
Some agencies have not yet finalized their insider threat policies, said George Stukenbroeker, the other task force co-director. Drafting policy requires coordination across several internal departments, including information technology, information assurance, human resources, security and others. The task force aims to assist agencies in developing and implementing insider threat programs.
Other agencies, especially in the intelligence community, are finding it easier to implement the national policy because of longstanding investments and a focus on issues like counterintelligence and information assurance, Keith said.
Among the tasks agencies were ordered to do under the presidential directive:
■ Issue a departmentwide insider threat policy detailing how their programs will operate.
■ Create an initial plan for implementing the policy.
■ Designate a senior official with authority to oversee the program and make resource recommendations.
Those are the basics for launching an effective insider threat program, and requirements in the policy seemed straightforward — at least on paper.
Since that policy was issued, the devastating leaks by former National Security Agency contractor Edward Snowden occurred. And that has riveted the attention of many agencies on what Keith calls the super-empowered insider, who has unprecedented access to sensitive information today at their desktops and the ability to do serious harm to the government. Keith said insider threat professionals are not less trusting than they used to be about the national security workforce and contractor force, but they are more fearful that a single person is now capable of moving large quantities of data in undetectable ways that have tremendous consequences.
“It is very difficult to develop a program that could stop every variety of insider, and what we want to do by establishing these programs is … deter insiders so that it reduces the number of insiders that ever try anything and also increase[s] the opportunity and ability to catch a certain degree of those that engage in that activity,” Stukenbroeker said.
But agencies aren’t standing flat-footed in the wake of the NSA leaks. Keith said there is a sharpened focus on insider threat programs. People interacting with the task force are being told by their senior leaders “we do not want a situation like what happened at NSA to happen here,” Keith said. Leaders are asking what they need to do to help prevent something of that magnitude from happening.
A host of technical and personnel security changes are under consideration in the wake of the NSA disclosure. Gaps disclosed in the NSA incident will impact how background checks and clearances are handled in the future, Keith said.
The Snowden effect
Speaking at an Intelligence and National Security Alliance Summit this month, Director of National Intelligence James Clapper said NSA may have been able to detect Snowden had the IC rolled out its shared information technology strategy.
Clapper didn’t detail the specifics, but IC chief information officer Al Tarasiuk has promoted the strategy’s security features. Tarasiuk said systems administrators will only have access to information they need to do their jobs, and there will be automated monitoring similar to what is already in place at the agency level. However, agencies’ capabilities will be reduced as the IC develops a shared security monitoring service for agencies.
But insider threats aren’t solely an IT problem.
“If I go into an organization and all they talk about is their technology, then I would be suspect as to how robust their program is,” said Dawn Cappelli, director of insider risk management at Rockwell Automation. “I think the key is getting the organization to work together. Raising awareness is the first step.”
Human resources and hiring managers play a key role.
“We count on the agencies having in place the appropriate screening mechanism through their security and HR department ... to ensure that the people who are hired are trustworthy,” Stukenbroeker said. If there is some indication during the hiring process that a person is a threat, then that information would be shared with the insider threat team to be pursued and analyzed.
Some HR departments have experienced staff who can detect behavioral issues, Cappelli said. Then there are others where it’s a check-the-box activity, and they aren’t trained to interview people.
“There is a tendency to trust — if someone has a clearance, then they’re OK,” Cappelli said. “It’s important not to solely rely on that clearance as the trust factor.”
Hiring people who break into systems under the assumption they will protect your networks is a false premise, said Stephen Band, an independent consultant and founder of Behavioral Intelligence Specialists, which provides behavioral science training, research and consulting services.
While at Carnegie Mellon’s CERT Insider Threat Center, Cappelli helped develop assessments for organizations to determine the effectiveness of their programs. For instance, does the organization require its contractors to do background checks, and can they see the results? Are there audits of the contractor’s insider threat measures?
Where privacy comes in
Cappelli said one of the biggest challenges agencies face is the issue of employee privacy.
“It should be figured out across the board rather than having different agencies trying to figure it out alone,” she said. Agencies have to clearly define who can know what information about potential insider threats.
“Each corporate entity [and] government entity is its own kingdom, and they operate to the best interest of their stakeholders and to their client groups,” Band said. “Every once in a while a … Snowden happens and everyone becomes hyper vigilant and at high alert.”
All agencies required by the White House to have an insider threat program in place either have a program or are in the process of establishing capabilities, said Gene Barlow Jr. with the Office of the National Counterintelligence Executive (NCIX).
In crafting governmentwide standards for insider threat programs, the task force made them broad enough to be applicable to all agencies and give them flexibility to create programs that reflect their mission. Those standards include monitoring employees’ use of networks with access to classified and sensitive data and materials, and training employees on what the threat is and how to identify and report potential insider threats.
Some standards may need to be more narrowly defined, Stukenbroeker said. For example, behavior monitoring on computers can be broadly defined, so there may be more specifics about what that should entail.
What isn’t clear is how long it will take agencies to fully implement insider threat programs because there is no deadline for them to do so. Considering the current budget environment and other competing priorities, there isn’t an exact date for implementing programs, Keith said.