How the Government is Bracing for the Insider Threat and Why It Will be Harder Than You Think
Updated: Aug 8, 2020
For years, the concept of cybersecurity centered on protecting computer networks from malicious outsiders bent on sneaking past or breaking through firewalls and gaining access to sensitive systems.
But recent events in government and the private sector have pointed to the specter of the insider threat, which can be as damaging as traditional threats and often remain secret. A recent Deloitte- and CSO magazine-sponsored survey found that, increasingly, the insider threat is viewed as the most costly to an organization.
Government-contracting firms that develop tech solutions for the government have taken notice — not only because of the expanding market for insider threat solutions, but also out of self-interest. These firms are themselves susceptible to malicious insiders.
Zal Azmi, senior vice president at government-contracting giant CACI, which recently held a cybersecurity forum specifically about the insider threat, told Defense News that virtual browsers, which can prevent the copying of files, could be the key to fending off insider threats.
However, while the corporate world has much to lose from insider threats, government has also learned its lesson the hard way, a lesson summed up in one word: WikiLeaks.
The dump of sensitive government information onto the so-called whistle-blower website and then onto the front pages of newspapers worldwide served as a powerful example of how protecting the government’s networks against the insider threat is complicated by efforts to promote information sharing.
Pfc. Bradley Manning, a U.S. Army soldier and intelligence analyst, is alleged to have downloaded classified information from SIPRNet — the Secret Internet Protocol Router Network, which is used by the Defense and State departments to share and transmit information, appearing to exploit the information-sharing apparatus put in place after 9/11.
SIPRNet was designed to provide soldiers in forward-operating bases with access to information that could impact their security. But, the ease with which Manning is accused of accessing information and downloading it onto a homemade Lady Gaga disc, of all things, has caused DoD to question how information sharing may make the insider’s nefarious work easier.
The Defense Advanced Research Projects Agency has been working on a project called CINDER — short for Cyber Insider — a threat-detection program that would establish patterns of suspicious behavior, a large-scale systemwide surveillance of Pentagon networks.
“The goal of CINDER will be to greatly increase the accuracy, rate and speed with which insider threats are detected and impede the ability of adversaries to operate undetected within government and military interest networks,” according to a request for solicitations from contractors in the fall when the agency first began rolling out the program.
But even with the sophisticated technology at DARPA’s fingertips, detecting the insider threat is difficult.
“What sets the insider threat apart from other adversaries is the use of normal tactics to accomplish abnormal and malicious missions,” DARPA officials said at the outset of the CINDER program.
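The DARPA quote captures why signature-style detection struggles here: each individual access by an insider looks like ordinary work, so the usable signal is a deviation in volume or pattern from that person's own history. As an added illustration (not code from the article, CACI, or the CINDER program), the script below builds a per-user daily baseline of distinct documents retrieved from a constructed access log and flags a day whose count falls far outside that baseline. The log format, user names, and thresholds are assumptions made for the example.

```python
"""Baseline-and-deviation check for bulk document retrieval.

Constructed example: the log records, user names and thresholds are made up
for illustration and do not come from any real system or program.
Each record is 'YYYY-MM-DD user doc_id' and represents one document view.
Every access on its own looks legitimate; the signal is a user's volume on
one day compared with that same user's earlier days.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_log():
    """Constructed log: 'alice' reads 4-5 reports a day and 'bob' reads 3 cables
    a day for a week; on 2020-08-08 alice retrieves 250 distinct cables."""
    lines = []
    for day in range(1, 8):
        date = f"2020-08-0{day}"
        for i in range(4 + day % 2):          # 4 or 5 documents on a normal day
            lines.append(f"{date} alice REPORT-{day}{i:02d}")
        for i in range(3):
            lines.append(f"{date} bob CABLE-{day}{i:02d}")
    lines += [f"2020-08-08 alice CABLE-{i:04d}" for i in range(250)]  # the spike
    lines += [f"2020-08-08 bob CABLE-{i:02d}" for i in range(3)]       # still normal
    return lines


def daily_counts(lines):
    """Map user -> date -> number of *distinct* documents touched that day.
    Counting distinct ids ignores someone re-opening the same file repeatedly."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed records, don't crash the detector
        date, user, doc = parts
        seen[user][date].add(doc)
    return {u: {d: len(s) for d, s in days.items()} for u, days in seen.items()}


def flag_anomalies(counts, min_history=5, z=3.0, floor=20):
    """Flag (user, date, count, baseline_mean) when a day's count exceeds the
    user's own baseline mean by more than z standard deviations.

    floor: absolute minimum count before a day can be flagged, so a user with
    a perfectly regular history (sigma == 0) is not flagged for one extra file.
    Flagged days are kept out of the baseline so one spike cannot mask the next."""
    alerts = []
    for user, by_day in counts.items():
        history = []
        for date in sorted(by_day):
            n = by_day[date]
            if len(history) >= min_history:
                mu, sigma = mean(history), pstdev(history)
                if n >= floor and n > mu + z * sigma:
                    alerts.append((user, date, n, round(mu, 1)))
                    continue
            history.append(n)
    return alerts


if __name__ == "__main__":
    for user, date, n, mu in flag_anomalies(daily_counts(build_sample_log())):
        print(f"ALERT {user} {date}: {n} distinct documents vs. baseline {mu}/day")
```

The design choice worth noting is that the baseline is per user, not fleet-wide: an analyst whose job involves hundreds of records a day should not trip the same threshold as one who normally reads five, which is exactly the "normal tactics" problem the quote describes. In a real deployment the thresholds would be tuned against observed false-positive rates, and an alert would be a prompt for review, not a verdict.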
So, if technology is not fail-safe, what else are federal policymakers doing to prevent leaks? Following the most recent disclosures, which featured frank and, at times, embarrassing correspondence from U.S. diplomatic posts around the world, the Office of Management and Budget jumped into the action.
Whereas DARPA’s solutions focused on the technology, OMB’s proposed solutions set its sights on evaluating employee behavior, to head off any potential Bradley Mannings before they even begin downloading.
NBC Investigative reporter Michael Isikoff reported in January the Office of Management and Budget had instituted a series of insider threat programs “to ferret out disgruntled employees who might be inclined to leak classified documents.”
OMB Director Jacob “Jack” Lew distributed an 11-page memo to all federal agencies, which among other directives, instructed agencies to use psychologists to evaluate employee behavior, with a close eye on “despondence” and “grumpiness.”
But, if technology is notoriously unpredictable at picking up the signals of the malicious insider, it’s likely psychological profiling may be equally unreliable. J.R. Reagan, a principal with Deloitte, told The New New Internet last fall the insider threat is one “which we wrestle with a lot.”
All of the proposed solutions boil down to one simple question: “How do you change the culture at an organization so that its employees feel they are part of the solution,” he said, “and not … an unwitting part of the problem?”
The Obama administration is also waging a robust legal offensive to counteract the insider threat, in the form of leakers of classified information.
Politico recently reported, in the span of a little more than two years, the Obama administration has filed criminal charges in five different cases surrounding the leaking of classified national security information.
Contrast that with the government’s previous record of dealing with leakers: only three such cases over a span of about 40 years. It’s clear, in a post-WikiLeaks world, the federal government is taking the insider threat seriously — whether it’s technological fixes, psychological profiling or a get-tough prosecutorial approach.
The insider threat’s multifarious nature requires a number of approaches to combat it. But what’s less clear is whether the current approaches — or any — will be enough.