Malicious and trusted insiders pose a range of challenges in terms of counterintelligence risks and physical threats, and experts say policy needs to catch up quickly to the new technologies available to help mitigate the problem.
“There’s a lack of willingness to share information, and that’s why I still believe we need to spend a lot more time on the policy side of this, of sharing, the cultural side, the comfort side, far more so than the tech, because the tech is already far ahead of where we are on policy,” Todd Rosenblum, former Acting Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs, told The Cipher Brief’s Annual Threat Conference in Sea Island, Georgia on Friday.
Rosenblum noted that following a comprehensive review at the Pentagon in the wake of the 2009 mass shooting at Fort Hood military post, when a U.S. Army major and psychiatrist killed 13 people, and the 2013 shooting at the Washington Navy Yard, when a Navy civilian contractor killed 12 people, the Department of Defense found there are laws, policies, and a culture that often prevent the sharing of information that would be helpful in potentially identifying and mitigating the threat.
The Pentagon also faces problems with a lack of sharing between the services and a reluctance of people to put concerns about fellow employees into evaluations, according to Rosenblum.
In the private sector, some companies “have much broader leeway in terms of looking at their employees” than the government in the context of privacy protections, Mark Kelton, the former CIA Deputy Director of the National Clandestine Service for Counterintelligence, said.
But whether it’s the Intelligence Community or a business, the “essential element of any good insider threat program is education,” Kelton told attendees.
It also requires that leadership “reaches out and says we are doing this not to spy on you, but to protect you, to protect this company, protect what this organization does,” he said. And training programs are “absolutely essential” to combating insider threat because they eliminate “a lot of the false positives you get in looking for anomalous activity,” Kelton added.
And those in the public and private sector should use training to specifically lay down what is expected of employees and inform them of the consequences of “willfully violating the rules, either because that’s their personality or they decide they have to cut corners in order to get something done,” Kelton said.
Putting into place effective training programs will help employers “remove the background noise so you can focus on people who are truly malicious actors,” Kelton said.
Many companies have difficulty recognizing that “their employees are their biggest threat,” Steven Bay, who was Edward Snowden’s boss when the National Security Agency leaker fled the United States, told conference attendees.
The majority of breaches come from trusted employees who fall victim to things like phishing scams, he said. Companies overlook simple solutions to push back against the insider threat problem, such as monthly training sessions and boosting basic cybersecurity understanding, Bay added.
“When I talk to customers, there’s a lot of focus on the fact that yes, your malicious insiders, the people you already have inside your organization who have malicious intent, they’ll inflict the greatest amount of damage, but they’re a little less likely,” he said. “Whereas your trusted employees have a much higher likelihood of the impact they may have.”
Kelton, who was Deputy Director of Counterintelligence at CIA when Snowden went missing, also addressed the challenges of contractors in connection with the insider threat problem. Post-Snowden and Harold Martin, the NSA contractor indicted in February for allegedly stealing massive amounts of classified information, government contractors need to start thinking in terms of how they are not “just providing bodies to the government,” he said. They need to have genuine insight into the people they are sending to work.
With contractors, the perception that it is a “tiered” workforce where a “percentage of our community is viewed as less than” also creates a “breeding ground in some ways for vulnerabilities,” Rosenblum noted.
“We would be stronger from an insider threat prevention standpoint if we just sized and built the workforce acknowledging that these were all the same staff people at the end of the day,” he said.
The IC treats contractors the same as staff employees in terms of the clearance process and the standards to which they are held, Kelton noted, but culturally there is a significant divide. A lack of organizational loyalty can be a vulnerability, as can the feeling amongst some of being “second-class citizens” within the organization, he said.
Overall, good insider threat programs “focus on deterrence, education, messaging, detection, and the last thing I’d add is learning or adaptability,” Kelton said.
“Programs that sit static become vulnerable,” he said. “That’s true particularly of the IC, but private industry as well.”
Mackenzie Weinger is a national security reporter at The Cipher Brief. Follow her on Twitter @mweinger.