Insider Threats in the Private Sector
When the document archive Wikileaks started posting secret and classified information about the U.S. government’s role in the Iraq and Afghanistan wars in 2010, the federal government scrambled to address the security of classified information. President Barack Obama signed an executive order that called for the establishment of minimum standards for executive branch insider threat programs in 2012. But the guidance failed to address the private sector. This was made painfully clear when defense contractor Edward Snowden leaked thousands of classified documents.
The U.S. federal government is now poised to make changes to the 2012 National Insider Threat Policy, which requires government agencies handling classified information to develop an insider threat program. And with 90 percent of the nation’s classified information originating within the industrial environment, government defense contractors by extension must adhere to the policy. That’s where the National Industrial Security Program (NISP) enters the picture, explains John Fitzpatrick, the director of the Information Security Oversight Office (ISOO).
Every defense contractor that works with classified information must adhere to the NISP Operating Manual (NISPOM), which prescribes requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information.
The idea of the NISP is to have a mechanism for safeguarding classified information that is appropriately tailored to the industry environment, because companies are different from government agencies, according to Fitzpatrick. “The level of protection, once tailored, needs to be the same. That’s what the NISP does,” he explains.
A mandated insider threat program for the private sector is critical, because the damages caused by fraud, theft of intellectual property, IT sabotage, and espionage are on the rise, averaging $15 million over the last 10 years, according to a white paper by the Intelligence and National Security Alliance. The 2013 survey, A Preliminary Examination of Insider Threat Programs in the U.S. Private Sector, found that just over half of the 13 organizations interviewed have a formal insider threat mitigation program, and those programs were mostly technology-focused, monitoring network traffic and people who display suspicious online behavior.
However, the study points out that the insider threat is a person, not a computer, and “organizations must identify psychosocial events—anomalous, suspicious, or concerning nontechnical behaviors.”
The paper also recommends that companies develop an insider threat mitigation program that spans the entire organization, implements technical and nontechnical employee monitoring, practices an effective training and awareness program, and conducts counterintelligence inquiries and investigations.
The NISP Policy Advisory Committee (NISPPAC) announced in March 2014 that the organization was coordinating with the U.S. Department of Defense (DoD) to release the industry interpretation of the National Insider Threat Policy, finally producing a mandated insider threat program that is similar to the national policy. This guidance, called Conforming Change Two, will be officially added to the NISPOM by the end of July, contractually requiring all defense contractors that interact with classified information to develop an insider threat policy.
Taking an executive order aimed at government agencies and turning it into a cost-effective, industry-applicable standard isn’t an easy task. The NISPPAC, which represents NISP in creating standards, includes 13 representatives from executive branch agencies as well as eight representatives from the private sector, and is currently led by Fitzpatrick. He explains that the group’s goal is to take the applicable parts of the National Insider Threat Policy and edit it to be more easily understood and implemented by defense contractors.
The industry-interpreted insider threat program will require contractors to gather, integrate, and report relevant information indicative of a potential or actual insider threat, according to a DoD official. All contractors will have to complete yearly training on insider threat awareness and the security risks involved in handling classified information. A senior official from each organization must personally accept responsibility for the security of classified information systems. Contractors must also report any indications of an insider threat by using counterintelligence, security, information assurance, and human resources records.
Another change is shifting the responsibility of incident management from the contractor to the government. Under the new guidance, an appointed counterintelligence representative at the organization will serve as the point of contact with federal investigators if that company’s insider threat program has prompted an inquiry.
The core concept of the program puts more responsibility on the contractors to collaborate and take an active role in collecting information on potential insider threats, explains Daniel McGarvey, director of security programs at Global Skills X-change and the chair of the ASIS International Defense and Intelligence Council. Security, legal, human resources, and IT personnel will have to collaborate to successfully implement the program.
The collaboration between IT and human resources also places a much-needed emphasis on the behavior of a potential malicious insider—or even someone prone to workplace violence, McGarvey points out.
“It is pushing us to actually relook at how we handle insider threats—not only the theft of assets, but violence,” he explains. “Traditionally we’ve separated the two, but in terms of behavioral characteristics, we’ve realized it really isn’t a separate event, it’s just how people handle issues. This is forcing us to think through it using current technologies.”
Fitzpatrick agrees. He says that being able to detect the change in a trusted person that would lead them to suddenly put classified information at risk should be built into the security environment. “What the insider threat emphasis through this national policy does is to remind organizations that they have more tools than simply locks on the doors, passwords on the computers, and periodic reinvestigations to assess that risk,” Fitzpatrick explains. “You need supervisors that notice that, ‘something’s wrong with that guy over the last couple months—what is that and why?’”
Fitzpatrick says the most important part of the NISPOM update is clarifying for contractors exactly what role they play in information-providing versus actively investigating an employee. Company liability concerns are a big issue, he says, and companies that currently investigate potential insider threats will have to give that responsibility to federal agencies instead.
“What is the line between what the government agencies will do in cooperation with the company, and what the government expects the company to do in response to a government requirement?” Fitzpatrick notes. “That’s the fine line that we have to make sure we make clear. We’re not asking companies to launch investigations, but we might ask them for information to support a government investigation.”
McGarvey has been working with the ASIS Defense and Intelligence Council, as well as members of the NISPPAC and the Defense Security Service, to preemptively address challenges before the conforming change is published—the DoD will require all cleared contractors to implement the changes within six months of publication.
One concern McGarvey raises involves the counterintelligence representative each organization is supposed to appoint—who should that individual be, and what training should they have? These questions aren’t outlined in the NISPOM change, McGarvey notes.
“There is no current counterintelligence training of any kind for security officers,” McGarvey says. “The only formal training is done by the government for federal counterintelligence officers. A security officer doesn’t need to know the full range of counterintelligence techniques and tradecraft, but there are selected areas they do need to know.”
To address this issue, McGarvey and the Defense and Intelligence Council have been analyzing aspects of the counterintelligence position and determining what critical skills are needed for the job. The council has put together a number of working groups—comprising both industry and government participants—to look at not only how the policy is written, but the impacts of implementation. Those groups will work to either develop an implementation approach or change the policy to make implementation feasible.
Another concern is the inevitable cost of implementation—one of NISP’s biggest roles is curbing the costs involved with implementing an executive order meant for government agencies. To tackle this, McGarvey says the council has created an insider threat certificate workshop that teaches cost-effective implementation tactics as well as how to use security metrics to increase the value of the conforming change.
“A lot of what we looked at was not adding anything, but repurposing some of the existing capabilities,” McGarvey explains. “We took what was mandatory and added to it to make it effective.”