Insider threats defense plan in the works, but will it work?
The administration last year mandated a national program to defend against insider threats in government, and a national policy with standards for enforcement is expected by year’s end, officials said.
“It’s going to take a while to implement,” said John E. Swift III of the Office of the Director of National Intelligence and assistant director of the Insider Threat Task Force.
A policy is in draft form and is expected to go to the White House for review by the national security staff in the next month or two, Swift said April 4 at the FOSE conference in Washington. Standards development is waiting for the policy to be completed, but the standards are due to be issued by October.
“It’s going to take a while before agencies have a hard list of standards to follow,” Swift said, and it will take a “considerable time” to implement them once available. But although the creation of a coherent national program on insider threats is new, most agencies already are collecting data and have some components of a program in place. “No agency is starting from scratch.”
The insider threat program was called for in Executive Order 13587 in October 2012, in the wake of the WikiLeaks exposure of a cache of classified documents. The order’s goal is “to ensure the responsible sharing and safeguarding of classified national security information on computer networks.”
Combining the appropriate levels of security while enabling necessary sharing and respecting the privacy of employees is a delicate balance, said Gordon Snow, assistant director of the FBI’s Cyber Division.
The FBI and ODNI are the lead agencies in a Senior Information Sharing and Safeguarding Steering Committee that is developing the policy.
“The insider threat has existed for as long as we have had secrets,” Snow said. “What makes it difficult today is the amount and the speed with which that information can be exploited.”
Technology is one key to protecting data and ensuring accountability, and tools such as the smart ID cards mandated for government use are only part of the solution. But technology is not a panacea, officials said, and implementing use of a common, electronic ID for both logical and physical access is not a simple process.
“We have a cultural acceptance problem with many of the agencies,” Snow said.
“Thinking that we can tackle the problem with only a technology solution is a mistake,” said Deanna Caputo, lead behavioral psychologist at Mitre Corp.
Behavioral profiling has been identified as a priority for identifying potential insider threats, and Caputo is working with the task force to develop a set of indicators that can be used to predict risk. The goal is to create clusters of indicators so that potential problems can be identified at a high level without violating privacy, using information already being gathered routinely on government employees, especially those with high security clearances.
Caputo said there is no restriction on broadly monitoring an entire population of employees for behavioral indicators, but that targeting specific employees for monitoring of specific characteristics or activities could require a finding that justifies a closer look or a formal investigation. Panelists emphasized that the policy is intended to respect privacy.
“This order shall be implemented consistent with applicable law and appropriate protections for privacy and civil liberties, and subject to the availability of appropriations,” the order says.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.