At the end of June 2023, the Secretary of Defense released a memo that, in essence, created a new entity to address insider risk within the DOD. The memo came about because of the security review of USAF Airman Jack Teixeira’s unauthorized and illegal exposure of classified information to members of a Discord community. As you read the memo, you may experience a fair bit of déjà vu, and you would not be wrong.

Déjà vu

The National Counterintelligence Security Center shares on their site how in “October 2011, the President issued Executive Order (E.O.) 13587 establishing the National Insider Threat Task Force (NITTF), under joint leadership of the Attorney General and the Director of National Intelligence. The President directed federal departments and agencies, with classified networks, to establish insider threat detection and prevention programs.” The impetus for the establishment of the NITTF was WikiLeaks’ publication of thousands of classified documents from across the government.

Then just three years later, in 2014, following a horrific shooting at the U.S. Navy Yard, the Department of Defense created the DOD Insider Threat Management and Analysis Center (DITMAC). With DITMAC, the DOD had formed an “enterprise insider threat hub.” The hub’s purpose was to “oversee mitigation, prepare risk assessment and recommendations, and to synchronize responses to potential and actual insider threats.”

Joint Management Office for Insider Threat and Cyber Capabilities

Now, seven years later, following another actualized insider risk, we again have another entity created: the Joint Management Office for Insider Threat and Cyber Capabilities. This new entity is to oversee “user activity monitoring (UAM) and improve threat monitoring across all DOD networks.” To these jaded eyes, this seems to fall short of what is needed and only addresses the obvious shortcomings of the culture present within the instance where Teixeira was operating.

ClearanceJobs spoke to members of industry about their thoughts and found that while the Secretary of Defense’s directive is a step forward, it is a baby step at best.

Stepping forward

“A joint insider threat office that oversees User Activity Monitoring (UAM) is another step forward in consolidating the insider threat function across the DoD. However, the real area of focus should be on updating the original requirements for UAM,” observed Rajan Koo, co-founder and CTO of DTEX Systems. He then explains, “The requirements for UAM were created over a decade ago and focus on user surveillance, where the data captured is only useful after a data leak has occurred. In other words, most UAM tools capture reactive data that can’t be actioned to stop leaks occurring in the first instance.”

“To assess insider threats and respond with accurate threat modeling capabilities, this office should make identity governance and administration (IGA) capabilities a priority for federal agencies. The proliferation of third-party contractors and suppliers widens the risk aperture. IGA allows organizations to understand what resources users can access, what they can do with that access, how they got that access, why they need it, and how long they should retain that access. Being able to answer those questions can help organizations move toward zero trust by provisioning the least privilege access and entitlements required to do their jobs,” opined Kevin Orr, president of RSA Federal.

Orr is spot-on with the philosophy and implementation of least-privileged access as table stakes in the world of data protection and access control. And Koo may have said it best, imploring the joint insider threat office to “modernize the requirements for UAM by prioritizing early warning indicators and behavioral analytics to proactively detect, deter, and disrupt insider risks before they turn into threats.”

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of