In this series of articles, the insider threat is described based on Presidential Executive Order (EO) 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, and the Presidential Memorandum, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs. The definition of insider threat is any trusted person within a cleared defense contractor network who deliberately or accidentally causes damage to national security. It has been thrown into the spotlight in the wake of the significant security breach caused by disgruntled employee Edward Snowden.
Cleared defense contractors are expected to combat the threat of employees leaking classified information. Soon, DoD 5220.22-M, The National Industrial Security Program Operating Manual (NISPOM) will provide guidance when updated. Until then, facility security officers can proactively tackle requirements according to referenced policies and memos. To begin, Facility Security Officers (FSO) should develop a training program to teach employees how to identify, deter, prevent, and report the insider threat. This training can be standalone or in conjunction with scheduled security awareness training.
Three critical training topics: The what, who and how of incidents
What needs to be protected?
Employees, vendors, consultants, subcontractors and any other team members should be alerted to what needs protection (assets). Assets are already identified and easy to recognize with classification markings. Employees are usually trained to recognize and handle classified information. However, typical training doesn’t always enforce need to know.
A great place to begin this insider threat training is to identify methods of enforcing access, need to know, documentation and monitoring. Training employees to use contractual or program-specific relationships as the basis for need to know can further tighten controls. Additionally, measures can be put in place, and employees trained, to monitor access based on need to know. Many employees intent on walking off with government data are not content with their own access – Edward Snowden accessed some of his information after gaining administrative access to coworkers’ computers.
Typical training might include how to read classification levels, apply derivative markings, lock items in the appropriate GSA-approved container and perform end-of-day checks. These countermeasures primarily prevent unauthorized persons from stealing classified information after breaking in. However, how does one transition to protecting against authorized users abusing their access?
Some controls to be aware of include:
Monitoring and auditing access to information systems (IS) (i.e., computers, fax / copy machines, and the growing number of storage media available). Cleared defense contractors do well to set up IS permissions allowing authorized users, and denying non-authorized users, access based on clearance level. However, the second part of the equation is to observe authorized user behavior.
Identifying insider threats – risky business.
Security clearance determinations rely upon continuous evaluation processes. We currently train cleared employees to report adverse information on themselves and fellow employees. This information includes easily identifiable behaviors such as sudden affluence, drug and alcohol problems and disgruntled behavior, and even touches on employees working late and making excessive copies.
Though those indicators are helpful, FSOs could place further emphasis on limiting and monitoring access to hard and soft copy files. Such limitations include requiring permissions to burn copies and to access printers, copiers, and fax machines. Other solutions include monitoring such activities to ensure IS are used properly. Training would educate employees on how to work with the implemented countermeasures and report adverse information.
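As an added example (not from the article), the two preceding paragraphs in code: an audit log is checked for authorized users touching programs outside their contractual need to know, for excessive copy/print activity, and for after-hours use. The user-to-program assignments, the log lines, the duty hours and the copy threshold are all constructed for the illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed need-to-know assignments keyed on program, independent of clearance
# level (the article's point: a cleared user may still lack need to know).
NEED_TO_KNOW = {
    "alice": {"PROG-A"},
    "bob": {"PROG-A", "PROG-B"},
}

# Constructed audit log: timestamp|user|action|program tag of the resource.
AUDIT_LOG = """\
2014-01-06T09:12:00|alice|read|PROG-A
2014-01-06T09:40:00|alice|read|PROG-B
2014-01-06T22:15:00|bob|copy|PROG-B
2014-01-06T22:16:00|bob|copy|PROG-B
2014-01-06T22:17:00|bob|copy|PROG-B
2014-01-06T22:18:00|bob|print|PROG-B
2014-01-07T10:00:00|bob|read|PROG-A
"""

COPY_THRESHOLD = 3      # reproduction events per user per day worth FSO review (assumed)
DUTY_HOURS = (7, 19)    # normal working hours, assumed for the example


def parse_log(text):
    """Turn the pipe-delimited constructed log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, program = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "program": program})
    return events


def find_indicators(events, need_to_know=NEED_TO_KNOW):
    """Return (user, indicator) tuples describing authorized-user activity to review."""
    findings = []
    repro = Counter()
    for e in events:
        when = f"{e['ts']:%Y-%m-%d %H:%M}"
        # Authorized on the system, but outside the programs that justify need to know.
        if e["program"] not in need_to_know.get(e["user"], set()):
            findings.append((e["user"], f"need-to-know: {e['program']} at {when}"))
        if e["action"] in ("copy", "print"):
            repro[(e["user"], e["ts"].date())] += 1
        # Working late is one of the reportable behaviors the article lists.
        if not DUTY_HOURS[0] <= e["ts"].hour < DUTY_HOURS[1]:
            findings.append((e["user"], f"after-hours {e['action']} at {when}"))
    for (user, day), n in repro.items():
        if n >= COPY_THRESHOLD:
            findings.append((user, f"excessive reproduction: {n} copy/print events on {day}"))
    return findings
```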
How to report incidents?
In light of the Bradley Manning and Edward Snowden cases, where insiders threatened national security, FSOs should teach employees to recognize and report insider threat incidents. Packages of classified information walked out of the door with Robert Hanssen, the Walkers and Aldrich Ames, and the same can happen today with media and email. Cleared employees must be trained to recognize authorized users conducting unauthorized activities.
Insider threat training should include recognizing reportable incidents: the unauthorized use of sensitive information, or the downloading, copying, or exfiltrating of classified information detected through monitoring, should be reported to the FSO. Next, training should teach how to gather the details of a reportable incident and how to get that information to the FSO.
The insider threat is one of the toughest to tackle. Employees should be trained to recognize and report authorized employees who use their access to conduct unauthorized activities. Employees should also be trained on their privileges and limitations, and on how to operate within their allowances. With this training in hand, the cleared defense contractor can do a better job with due diligence and the continuous evaluation process.