Hackers pose myriad threats to government organizations, but vulnerabilities aren’t all coming from the outside. Insider threats – both malicious and unintentional – may be even more dangerous.
Roughly half of Federal agencies suffered an insider threat in the past year and almost one in three lost data in a breach, according to a MeriTalk study that surveyed 150 Federal IT managers knowledgeable about their agencies’ cyber security programs.
The National Insider Threat Program was established in Executive Order 13587 four years ago to deter, detect and mitigate compromises of classified information by malicious insiders. The order requires Federal agencies to establish their own insider threat detection and prevention programs under guidance from the National Insider Threat Task Force (NITTF).
The NITTF was established in response to the Wikileaks scandal in which thousands of classified U.S. government documents were published online as a result of breaches by U.S. Army soldier Pvt. Bradley (now Chelsea) Manning and sent to the Wikileaks website run by Internet activist Julian Assange. In a subsequent breach, government independent contractor Edward Snowden released thousands of additional documents to media. Both Manning and Snowden downloaded documents without being detected, causing international reverberations once details of classified programs and communications became public. Manning has since been convicted of leaking an archive including 700,000 government files. Snowden remains in self-imposed exile in Russia, where he fled to escape arrest.
While Manning and Snowden are poster children for the insider threat, unintentional insider threats – risky cyber behavior by usually well-meaning employees – may be the greater problem. Such unintentional threats can unwittingly open doors to hackers who can exploit system vulnerabilities to access and acquire vast amounts of data. Such was the case with the massive data breaches this year at the Office of Personnel Management.
Some 51 percent of respondents to MeriTalk’s Insider Threat survey, underwritten by cyber security software and services supplier Symantec, said it was common for employees to fail to follow appropriate protocols. Another 40 percent of respondents said employees access off-limits government information at least once weekly.
Michael Theis is assistant director for insider threat research at the CERT Insider Threat Center at Carnegie-Mellon University (CMU). The Federally funded research and development center within CMU’s Software Engineering Institute has been tracking insider threat cases since 2001 and has compiled a database of more than 1,200 cases.
“There’s no one type of insider, there’s no one type of threat,” Theis told GovTechWorks. “We have insider threat for fraud. We have insider threat for IT sabotage, for espionage, for intellectual property theft. Recently, we’ve added unintentional insider threats.”
For each threat profile, the center develops models to better understand the causal circumstances and then tries to develop solutions to mitigate those threats. For example, research has shown that intellectual property theft usually occurs in the 30 days preceding an employee’s announced resignation. Knowing that, organizations can be attuned to employees downloading or emailing extensive amounts of data and look for patterns that will identify a potential problem before it blows up into an outright threat.
Steve McIntosh is the Insider Threat Program Coordinator with the Defense Intelligence Agency (DIA). “For DIA the program is set up to monitor the behavior of the workforce, to detect that behavior which could be of concern and to put that behavior into context to determine whether or not it poses a risk, threat, or vulnerability to the agency,” he said. A retired officer with the Air Force’s Office of Special Investigations, McIntosh said the idea is to monitor employee behavior, assess risk, and respond appropriately, which could mean anything from counseling an employee to suspending access.
“We’re dealing with human beings,” McIntosh said. “There will be lots of behavioral indicators that will tell us whether an individual is getting off-center and may need some help.”
DIA’s program is built around a threat mitigation cell where employee data is collected, examined and put into context. Sources include both electronic and non-electronic data from both inside and outside the agency. In addition, a user activity monitoring tool tracks employee activity, such as when the employee arrives and leaves work, what apps he or she accesses on the network and so on. When the system detects a change in usual patterns, that employee is flagged for additional examination.
“We monitor activity for behavior that is out of the norm, that could be considered to be of concern,” McIntosh said.
DIA’s monitoring tools track and learn employee behavior patterns. “The tool actually learns the employee,” McIntosh explained. “It knows when you come to work, it knows when you go home, it knows what you do online [at work]. And it ingests all this data and gets a profile of you, and tells us when something has changed.” DIA also has access to external data, he said. But its direct monitoring is limited to at-work activity.
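The baseline-and-deviation approach McIntosh describes, and the download-volume pattern Theis cites, reduce to a simple check: learn each user's usual login hour and daily outbound data volume from a training window, then flag later days that depart from it. The following is an added illustration, not DIA's or CERT's tooling; the record format, the `alice` records and the thresholds are all constructed for the example.

```python
"""Learn a per-user activity baseline and flag days that depart from it."""
from statistics import mean, pstdev

# Constructed sample: one record per user per working day.
# first_login_hour is 0-23; mb_out is data downloaded or emailed out that day.
SAMPLE_LOG = [
    {"user": "alice", "day": "2015-10-01", "first_login_hour": 8, "mb_out": 12},
    {"user": "alice", "day": "2015-10-02", "first_login_hour": 9, "mb_out": 15},
    {"user": "alice", "day": "2015-10-05", "first_login_hour": 8, "mb_out": 10},
    {"user": "alice", "day": "2015-10-06", "first_login_hour": 8, "mb_out": 14},
    {"user": "alice", "day": "2015-10-07", "first_login_hour": 9, "mb_out": 11},
    {"user": "alice", "day": "2015-10-08", "first_login_hour": 8, "mb_out": 13},
    {"user": "alice", "day": "2015-10-09", "first_login_hour": 8, "mb_out": 12},
    # Days after the training window, evaluated against the learned baseline.
    {"user": "alice", "day": "2015-10-12", "first_login_hour": 8, "mb_out": 14},
    {"user": "alice", "day": "2015-10-13", "first_login_hour": 22, "mb_out": 2300},
    {"user": "alice", "day": "2015-10-14", "first_login_hour": 8, "mb_out": 11},
]


def build_baseline(records, user, training_days=7):
    """Learn a user's usual first-login hours and daily outbound volume."""
    rows = [r for r in records if r["user"] == user][:training_days]
    hours = [r["first_login_hour"] for r in rows]
    vols = [r["mb_out"] for r in rows]
    return {
        "hour_min": min(hours), "hour_max": max(hours),
        "mb_mean": mean(vols), "mb_std": pstdev(vols),
        "training_days": len(rows),
    }


def flag_deviations(records, user, baseline, hour_slack=2, z=3.0):
    """Return (day, reasons) for post-training days that depart from the baseline."""
    rows = [r for r in records if r["user"] == user][baseline["training_days"]:]
    lo = baseline["hour_min"] - hour_slack
    hi = baseline["hour_max"] + hour_slack
    # Floor the spread at 1 MB so a perfectly regular baseline still gets a usable threshold.
    volume_threshold = baseline["mb_mean"] + z * max(baseline["mb_std"], 1.0)
    flagged = []
    for r in rows:
        reasons = []
        if not lo <= r["first_login_hour"] <= hi:
            reasons.append("unusual login hour")
        if r["mb_out"] > volume_threshold:
            reasons.append("outbound volume spike")
        if reasons:
            flagged.append((r["day"], reasons))
    return flagged
```

A flagged day is a prompt for the human review the article describes, not a verdict; the same volume check can be scoped to the weeks before an announced departure, the window in which CERT's research places most intellectual property theft.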
Privacy concerns are paramount in all such programs. CERT’s Theis said agencies need to work closely with their legal and human resources teams to ensure employees understand the monitoring to which they will be subjected – and that they agree to it through controls and acknowledgements when they log into government systems.
There is no one solution for combatting or stopping insider cyber risks. End-user education and training, improved security technology, and additional controls and guidance are all seen as effective parts of a program by Federal IT managers.
“Insider threats are people issues,” Theis said. Not all those issues will show up by monitoring the network. He said behavioral issues ranging from on-the-job performance to arguments with other employees can all be indicators of disgruntlement and potential risk.
All agencies with access to classified information are required to have their own insider threat programs. Other agencies may choose to implement one as well. Among the 150 Federal IT managers surveyed by MeriTalk in September, more than half said their agency had a formal insider threat program in place. Those that did were more likely to have annual in-person security training and a system of real-time alerts for inappropriate access and data loss.
Tobias Naegele is the editor in chief of GovTechWorks. He has covered defense, military, and technology issues as an editor and reporter for more than 25 years, most of that time as editor-in-chief at Defense News and Military Times.