Changing the “Gotcha” Approach to Insider Threats

May 12, 2017 | Michael Seage

With the help of big data analytics, the Department of Defense Insider Threat Management and Analysis Center — better known as the DITMAC — is looking to transform the DoD’s approach to the threats trusted insiders can pose to personnel and information.

Developed in the wake of the 2013 shooting at the Washington Navy Yard, when a Navy civilian contractor killed 12 people, the center serves as the Department’s central hub to quickly receive, examine, and prioritize the wealth of information that comes in related to insider threats. The DITMAC focuses on information sharing and analysis, collecting and coordinating data as it works across the 43 DoD components to promote best practices and innovative methods to deal with this significant challenge.

The center, which is still in its early days, is a key part of the Department’s effort to better detect and mitigate the insider threat — everything from leaking classified information to potential workplace violence. Michael Seage, DITMAC’s director, spoke with The Cipher Brief’s Mackenzie Weinger about shifting the insider threat paradigm, balancing civil liberties and privacy, and what’s next for the center.

The Cipher Brief: How can data analytics and artificial intelligence help stop insider threats? What technological approaches — beta programs or behavioral analytics or the like — are being implemented by the DITMAC to try to mitigate the insider threat?

Michael Seage: We’ve created — it’s a rather grandiose title — but we call it the DITMAC System of Systems (DSoS). This system is both a case manager and a workflow manager, and it allows data storage and internal communications to ensure the personal information that might come our way.

Within that workspace, we do have some AI tools that are being developed, and we also have some expert systems that we’re using. The capability itself is big data analytics. It allows us to look at text-based information, and we can also look at jpeg files, imagery-based gifs and things like that. And we’re working our way towards, but we haven’t yet started assimilating, biometrics. That’s primarily predicated on privacy concerns, so we’re still sort of working our way through the biometrics issue.

If somebody receives a report in one of those DoD components, and they believe it meets one of the 13 thresholds we’ve established — something like an attempt at espionage being committed or related to personal conduct or behavioral considerations, for instance — they will use the DSoS and then come up to us. We have analysts on staff, and when they receive it, they’ll triage it and make the determination as to whether it is a threshold reporting event or not. Then they’ll start doing data queries, and we use both commercial and government data sources.

They’ll aggregate that data and put together a holistic view of the individual. Then we have behavioral scientists, data scientists, LE and CI [law enforcement and counterintelligence] folks on staff who will try to provide context to make sure we don’t misrepresent what we’re seeing and what we’re hearing or what we’ve done. With that, we’ll send it back down to the DoD component and try to use best practices, either across industry or government, to make recommendations on mitigation measures.

TCB: You mentioned the privacy issue in dealing with insider threats. That’s one of the biggest concerns in both the public and private sector, especially when you’re starting to use data analytics and AI. There are worries some people who are potential whistleblowers or unwitting insiders, rather than true insider threats, could be picked up.

MS: You’re exactly right, and the protection against that starts with the security controls that you’ve got in place. We’re working internally within the DoD to develop security controls that are specific to insider threat.

They help us winnow out both the unwitting and the potential whistleblowers, because there are certain characteristics that go along with that. So that’s where we would start in trying to understand. And then, there are different sets of rules for whistleblowers both internal to the Intelligence Community and outside the IC, so we work with the DoD Inspector General and the service IGs. For each of the DoD components, it’s a requirement for them to coordinate and have the IG as part of their insider threat management team so that if something like that comes up, they’re cognizant of it, we can sort of fence that out and make sure we leave those activities alone.

The other thing that we’re trying to do is just ask questions. When we receive a report, one of the questions that we’ll ask is, “Is this person known to us in another way?” We don’t specifically say whistleblower, but are they known to us in some way or is there something else that management is working on with them? We try to make sure that our TTPs [tactics, techniques and procedures] are of such a nature that we recognize that A, there’s protections for whistleblowers, and B, there are certain things that have to be done to communicate we’re aware of it.

On the unwitting insider issue, when we receive the data, we frankly have to do a lot of analytics on this. And the AI aspect helps out a little bit. It’s not exactly as advanced as some people would like it to be — there are good systems out there, but the human-in-the-loop is critical, at least in terms of my experience. With the human-in-the-loop, we try to look for those indicators that help us understand from a behavioral perspective whether someone is witting or unwitting.

Those are the protections we have in the systems and processes right now. I’m sure there’s others we haven’t thought of. We’re always looking for best practices. We do interact with industry, we interact with the whole-of-government, and there’s a number of working groups that I sit on. Privacy and civil liberties are two of the key issues we talk about.

TCB: The DITMAC just achieved initial operational capability in October — what does that mean? What can we expect to see from the center going forward?

MS: Since our initial operating capability went into effect in October, we’ve been receiving reports from components. What it has meant for us is — well, we’re new. People don’t really understand what the DITMAC is. So first, we had to have a strategic communications plan, sort of let people know who we are, what we can do, what we can’t do. And that involves both stakeholders at the workforce as well as at the senior decision-making level. And, frankly, part of my job is to be both the voice and the town crier, if you will, about what insider threat is related to the Department of Defense. So I’ve got a lot of people to talk to.

We’ve created a toolkit that talks about themes, messages, and ways to communicate with the workforce. We try to break it down by recognizing that there are generational differences. The other thing we try to do is provide them ideas and methods about how to communicate. One size, unfortunately, does not fit all. We’re a relatively complex and diverse department, in addition to being big.

So that toolkit really can’t be, “Do it once, and everybody do it the same way.” We had to build it with flexibility and adaptability in mind. It’ll be out of legal review, I’m hoping soon, and then as soon as it’s done, we’ll release it within the Defense Department.

We’ve also had external interest from some of the Executive Branch folks, and that’s one of the ways we try to move from IOC [initial operational capability] to FOC [full operational capability]. When we go to full operational capability, it’s more than just the ability to technically do our jobs. It also has to be that we have buy-in, in as much as we can, from the workforce and our stakeholders.

We’re constantly trying to understand the environment, the ecosystem that we work in. We are engaged with a number of organizations trying to do behavioral science research projects to make sure that we’ve got the right way of looking at ourselves and understanding the threat. At the same time, we’re also just trying to find better gadgets and applications, so we work with a couple of different organizations who are doing research, as well as some commercial vendors, on helping us develop better tools and applications.

TCB: I wanted to get your thoughts on one of the things that’s often talked about in the context of insider threat — how to change the paradigm from a focus on monitoring above all else to possibly a prevention model? What does moving from just trying to catch insiders involve, and how can you get buy-in to this concept?

MS: I was a special agent for 37 years, and in that time frame, my job was to look for issues related to espionage — we thought of what we were doing as insider threat. Now the whole concept of insider threat has evolved. It’s not just spies or terrorism anymore. People are concerned about intellectual property and a whole host of other things. So insider threat as a definition has changed.

As I look at insider threat, it’s not, “We’re trying to catch spies and we’re trying to play a game of gotcha.” That’s not what we want to do. With that mindset, all we’re going to do is disenfranchise our workforce. When I talked about trying to change the paradigm from a catch ya, gotcha mentality to a prevent, intervene and protect mentality, that has to start from the top down and be accepted from the bottom up.

That strategic communications plan I was talking about before, it all starts with trying to communicate to the workforce that we really are trying to, heaven forbid use the phrase, we’re here to help you. In government, when someone hears that phrase, it’s not always perceived positively. But we are trying to make this a true cooperative effort between ourselves and the workforce.

The way we can assist and prevent is by having the right tools at hand, whether it’s a psychologist or a police officer. Somebody to intervene and protect either the workforce or the individual themselves. We also need to make sure we train management properly.

One of the things that jumps out at me is that many of our own problems are created because we have managers who create these issues, or we have an ecosystem or a culture that doesn’t look at things properly or doesn’t understand things properly. They make judgments that can lead to somebody who is disgruntled or being disenfranchised finding themselves with an opportunistic chance to leak something, send something out in a blog, or say something to a friend. We want to make sure that as we train the workforce, we also train the management, from the lowest possible level to the highest possible, so that they understand the paradigm shift. It’s not gotcha — it’s got to be how can we help you. 


Michael Seage is the director of the Defense Department's Insider Threat Management and Analysis Center, also known as DITMAC.
