Consider the Insider Threat. It’s a great bumper sticker and we’ve heard it a million times, but what does it mean? The thought should bear more weight to the practice of preventing the insider threat than to serve as a slogan. It is tempting to pay homage to the thought of insider threats, but those who successfully deter insider threats realize these thoughts take critical analysis to put them into action. Consider the fortresses many defense contractor organizations have become. Best practices to protect organizational, employee, materiel and cyber assets from outside actors are evident. Such careful contemplation must be made to counter the harmful accidental and deliberate actions of a trusted employee.
Insider Threat Defined
The insider is any trusted person who has any access to assets. For this article’s purpose, we’ll define the insider threat trusted person who deliberately or accidentally causes damage to national security. This article address requirements found in Executive Order (EO) 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. Threats include acts of sabotage, theft, terrorism, unauthorized disclosure of classified information, and espionage.
While contemplating the insider threat, the analyst should be aware that anyone can exploit any level of permissions to steal, damage, or manipulate whatever they can affect. This includes the full and part time employees, vendors, consultants or others with the ability to touch or impact assets. The insider could have full range of motion throughout the organization or limited by technical or physical restrictions. These permissions give them some to negatively impact the organization. An example would be a trusted employee with access and need to know going through the proper permissions to accessing classified information. That same employee then takes advantage of privileges and removes the classified items unhindered and provides them to unauthorized persons.
The same opportunities exist for those accidental harmful occurrences, incidents or events that can harm an organization or their reputation. They could accidentally bypass safety, security and other countermeasures and cause major damage. For example, an employee introduces a harmful computer virus to the network by clicking on an email hyperlink. Also, consider a situation where an organization gives a tour of their production facility. A visitor ignores the rules and damages a sensitive electronic device while the overwhelmed escort is distracted answering questions from the other visitors. These unintentional events will harm the organization just as real as a deliberate threat would.
Evaluate your Insider Threat Policy and prepare now
Now that we have identified ways an insider could harm an organization, let’s take a look at what the organization can do to deter, detect and prevent incidents. EO 13587 directs government agencies and task forces to evaluate and protect classified information from the influences of an insider threat. Though not yet a requirement on industry, policies and regulations may soon follow directing cleared contractors to take the appropriate steps to address the insider threat. These requirements may soon manifest in updates to DoD 5220.22-M, The National Industrial Security Program Operating Manual (NISPOM) or other policies.
Now is the time for cleared defense contractors to prepare for those directives by instituting policy addressing the insider threat. The Presidential Memorandum’s, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs spells out requirements that can be adapted for cleared defense contractor use. The memorandum states these requirements as the capability to gather, integrate, and centrally analyze and respond to key threat-related information; monitor employee use of classified networks; provide the workforce with insider threat awareness training; and protect the civil liberties and privacy of all personnel.
Addressing Insider Threat: two easy steps
Cleared defense contractors can easily incorporate two of these requirements and meet the intent of future NISPOM guidance. These two efforts include:
Monitor employee use of classified networks.
This requirement can also be applied to unclassified networks hosting FOUO, technical data, proprietary, intellectual property, personally identifiable information, and other sensitive unclassified information. The first step is to understand what sensitive information (classified and unclassified) exists and develop controls that facilitate monitoring. For example, an unclassified network may host proprietary information critical to the organization’s product success. This information could be tagged in the information system and appropriately monitored. This effort is similar to document and inventory control. Authorized users would then be given access and controls set in place to limit viewing, printing, downloading, copying, and etc. What would be monitored? Access. The second step would be to identify those with need to know and allow their access to the information. Monitoring would then include ensuring only those with need to know are able to access the information.
Access is now limited to a specific group of insiders. Monitoring would now include how insiders are accessing and what they are doing with the information. An authorized insider with malicious intent could be easily recognized and stopped by a system audit to see who accessed, how they accessed and what they did with it (printed, downloaded, manipulated or viewed it). Flags could easily be raised when controls are bypassed. If information is missing or unaccounted for, an audit would provide the answer.
Threat awareness training.
Employees would be educated concerning what needs protection (assets), who an insider is, what the impact of damage could be, how to prevent it, and how to report incidents. Employees would be briefed on access and need to know privileges and limitations as well as how to operate within their allowances.
Cleared Defense Contractors should be aware of the insider threat and make the concept more than a bumper sticker. Real analysis is required to go above the gates and guards approach to keeping out the malicious actor. With the insider threat comes the question of how to limit access to those with need to know and protect sensitive information from exploitation by authorized personnel. The President has issued EOs and memorandums to address this issue as applied to government agencies. Cleared defense contractors can be proactive and protect their organizations from the insider threat by analyzing the requirements and creating a system to meet those requirements.