Insider threats

Trust issues

It is no secret that the U.S. government is desperate to prevent another large-scale leak of classified information like the one carried out by Edward Snowden last year. And the role technology is playing in this pursuit could have long-term consequences for federal agencies' relationships with their employees.

Experts say developments such as more sophisticated employee key cards and the segmentation of login privileges for systems administrators could play important roles in safeguarding government information. The efforts do not involve whiz-bang technology but rather prioritizing and developing existing tools to cope with a basic government need: to communicate securely on internal networks.

As is the case for most policy challenges, there is no technological panacea for insider threats. If there were, reports of another government leaker of classified information would not have emerged in recent weeks. But as technologies mature and agencies learn which practices are most effective, the security equation is changing.

The National Security Agency has acknowledged that Snowden's disclosures altered its approach to insider threats. The agency recently accelerated pre-existing measures to counter insider threats, such as the use of centrally managed thin clients, and has imposed two-person controls on systems administrators, a position Snowden held.

John DeLong, NSA's director of compliance, said at a security conference in August that the policy and technology changes seek to "make sure people are set up for success, so that rules are consumable, trainable, testable; that machines can incorporate them directly into people's workflows; that we have spot checks, etc."

More from FCW

For the print version of this article, and the rest of the Sept. 15 issue of FCW magazine, please see our digital edition.

An NSA spokesman declined interview requests for this story. But one needn't divine what the spy agency is up to for a look into the future of insider-threat detection. The topic is so broad and the U.S. government has such a vast canvas of networks that efforts to thwart insider threats inevitably vary by agency and differ in classified and unclassified environments.

Insider threats speak to basic issues of trust and have been around far longer than the processing chip. "It's true at the NSA and it's true at McDonald's," security technologist Bruce Schneier said. "Organizations have to put people in positions of trust; otherwise, the organization doesn't function."

In other words, as long as federal agencies are staffed by humans and not machines, insider threats will remain a challenge.

Starting with physical access

Taken broadly, the term "insider threat" encompasses both digital and physical threats to government infrastructure and employees. The violent attacks by military personnel at Fort Hood in 2009 and 2014 and by a contractor at the Washington Navy Yard in 2013 have driven home the need to secure access to military facilities. And some of the potential solutions are digital.

18 steps to address insider threats

The CERT Division of Carnegie Mellon University's Software Engineering Institute has a list of best practices for combating insider threats. It includes IT-specific and smart management recommendations:

  1. Clearly document and consistently enforce policies and controls.
  2. Incorporate insider threat awareness into periodic security training for all employees.
  3. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
  4. Anticipate and manage negative issues in the work environment.
  5. Know your assets.
  6. Implement strict password and account management policies and practices.
  7. Enforce separation of duties and least privilege.
  8. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
  9. Institute stringent access controls and monitoring policies for privileged users.
  10. Institutionalize system change controls.
  11. Use a log correlation engine or security information and event management system to log, monitor and audit employee actions.
  12. Monitor and control remote access from all endpoints, including mobile devices.
  13. Develop a comprehensive employee termination procedure.
  14. Implement secure backup and recovery processes.
  15. Develop a formalized insider threat program.
  16. Establish a baseline of normal network device behavior.
  17. Be especially vigilant regarding social media.
  18. Close the doors to unauthorized data exfiltration.

For example, Ken Ammon, chief strategy officer at network security software company Xceedium, said there is more to the Defense Department's Common Access Card than meets the eye. A recent pilot project at a limited number of military bases triggered an instant background check when a CAC was swiped, which resulted in a number of convicted felons being prevented from entering the base, he said.

"That's an example of a simple use case that's available to today's IT systems that dramatically can reduce your risk [and] certainly begin the process of managing the risk of who you treat as an insider," he added.

Moving to CDM

Preventing convicted criminals from entering a facility is one thing, but detecting anomalous downloads and keystrokes from vetted employees and contractors is much more difficult. After all, Snowden had no criminal history when he stole an estimated 1.5 million documents, many of them classified, as an NSA contractor.

Moreover, the addition of technologies such as cloud computing and personal mobile devices has mostly erased any "clean line between insiders and outsiders," said Ammon, a former Air Force intelligence officer and liaison to NSA.

Government officials have responded to the additional security vulnerabilities by instituting a Continuous Diagnostics and Mitigation (CDM) program overseen by the Department of Homeland Security. In that risk-based approach to cybersecurity, sensors detect weaknesses on agency networks, prioritize them based on potential impact and alert administrators via a dashboard.

DHS has launched the next phase of CDM through an approach called critical application resilience. It tackles a layer of vulnerabilities inherent in software code and other add-ons to agency networks. That greater level of visibility into networks could help agencies spot insider threats more quickly.

Charles Hessifer, a federal sales engineer at continuous monitoring firm Tenable Network Security, said the use of CDM tools on federal networks has increased markedly in recent years. "As the industry is moving forward and progressing, so are the requirements of the federal government," he said. "They can no longer just sit there and potentially do one scan a month, one audit a month."

CDM is meant to offer a holistic view of network vulnerabilities that covers external and internal security threats. One way it can help with insider threats is through the ability to isolate who has access to specific information on a network.

The government has shown greater interest in gaining the ability to separate login privileges for various users since the Snowden disclosures, said Hessifer, whose clients include the Defense Information Systems Agency.

Preventing insider threats has "become more and more important and a greater focus to different organizations," Hessifer said, adding that improvements in insider-threat prevention are mostly due to maturing technology rather than something new.

Log correlation engines, for example, have been around for a few years, but agencies have shown greater interest in the technology since the Snowden leaks, he said. The engines store and analyze logins and other user activity on thousands of network devices.

Tracking administrators

Snowden used his position as a systems administrator to persuade as many as 25 people working for NSA to give him their login credentials, Reuters reported in November. Experts say compartmentalizing the information to which systems administrators have access should be a priority in addressing insider threats.
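The log correlation engines mentioned above, and the credential-sharing pattern described in the Reuters account, both come down to correlating authentication and activity records across many devices. As an added example (not code from FCW or from any vendor quoted in this article), here is a small Python sketch of two such correlations run over constructed sample events: one account logging in from several workstations within minutes, which is the footprint credential sharing leaves, and a privileged user's download volume departing sharply from that user's own earlier baseline. The log format, field names, hostnames and thresholds are all assumptions made for the example.

```python
"""Toy log correlation over constructed login/download events.

Added example, not FCW's or any vendor's code. Flags two insider-threat
indicators the article discusses: one credential used from several hosts
in a short window (credential sharing) and a privileged account whose
download volume departs from its own baseline. Field names are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events, one per line: "timestamp user src_host action bytes"
SAMPLE_LOG = """\
2014-09-01T08:00:00 alice ws-101 login 0
2014-09-01T08:05:00 alice ws-101 download 120000
2014-09-01T08:07:00 alice ws-244 login 0
2014-09-01T08:09:00 alice ws-312 login 0
2014-09-01T09:00:00 bob ws-118 login 0
2014-09-01T09:10:00 bob ws-118 download 90000
2014-09-02T09:10:00 bob ws-118 download 95000
2014-09-03T09:10:00 bob ws-118 download 88000
2014-09-04T09:10:00 bob ws-118 download 4800000
2014-09-02T10:00:00 carol ws-077 login 0
2014-09-02T18:00:00 carol ws-078 login 0
"""


def parse_events(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def shared_credential_alerts(events, window=timedelta(minutes=15), min_hosts=3):
    """Return {user: set_of_hosts} for accounts that logged in from at least
    `min_hosts` distinct hosts within any `window`-long span. A single person
    rarely sits at three workstations in fifteen minutes; a shared credential does."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            logins[e["user"]].append(e)
    alerts = {}
    for user, evs in logins.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = hosts
                break
    return alerts


def download_anomalies(events, zscore=3.0, min_samples=3):
    """Per user, flag a download whose byte count sits more than `zscore`
    standard deviations above that user's own earlier downloads. The baseline
    is built from history only, so the anomalous event cannot inflate it."""
    per_user = defaultdict(list)
    alerts = []
    for e in events:
        if e["action"] != "download":
            continue
        history = per_user[e["user"]]
        if len(history) >= min_samples:
            mu, sigma = mean(history), pstdev(history)
            if sigma > 0 and (e["bytes"] - mu) / sigma > zscore:
                alerts.append((e["user"], e["ts"], e["bytes"]))
        history.append(e["bytes"])
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, hosts in shared_credential_alerts(evs).items():
        print(f"possible shared credential: {user} from {sorted(hosts)}")
    for user, ts, nbytes in download_anomalies(evs):
        print(f"download spike: {user} at {ts.isoformat()} ({nbytes} bytes)")
```

On the constructed input, only alice trips the shared-credential rule (three hosts in nine minutes) and only bob's fourth download trips the baseline rule. The baseline uses a plain z-score over a handful of samples, which is adequate for illustration but brittle in practice; a production engine would use longer histories, robust statistics and per-role baselines, and would tie each privileged action to a named individual rather than a generic administrative login, which is the gap Ammon describes.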

"The fact that identity is treated as…a distributed responsibility [in some federal agencies makes it] very difficult to even know who the person was behind the role that you were giving them access to," Ammon said. "So [systems administrators] would have an enormous amount of authority either to download an entire database or jump from network to network, and you really couldn't trace it back to any single user."

The ability to track systems administrators at agencies might be improving, however. Ammon said his firm's product for monitoring privileged users in the cloud "provides a DVR-like recording, as if you're on the person's shoulder watching the screen for everything that these privileged users are doing." When system administrators change shifts, their mouse clicks and downloads are distinguishable rather than invisible under a generic administrative login.

Ammon said DHS, the Defense Department, intelligence agencies and other civilian agencies have each deployed at least 10,000 Xceedium platforms.

John Pirc, chief technology officer at NSS Labs and a former cybersecurity researcher for the CIA, echoed Ammon's advice of focusing on systems administrators to thwart insider threats. But he also pointed to technology's limitations.

"I think we need to move to a model where if there's a specific program, [then] whoever is a system admin is a system admin over that data, and everything is highly locked down on that individual's workstation or laptop," he said.

He added that the intelligence community's priorities for managing the information security factors of people, processes and operational workflow had been "extremely misaligned," but Snowden's leaks changed that. The disclosures have focused officials' minds on how improving people-to-people relationships can help the agency better safeguard information, Pirc said.

DISA's role in insider threats

In May, DISA Director Lt. Gen. Ronnie Hawkins cited Snowden's leaks and then-Pfc. Bradley Manning's disclosures to WikiLeaks in 2010 in a speech underscoring the need for defense and intelligence agencies to move to the Joint Information Environment, an ambitious effort to develop a single enterprise IT platform for all of DOD. The rationale behind such data consolidation is that Snowden and Manning were enabled by the intelligence community's widely dispersed network of data.

DOD is loath to give up the ability of its officials worldwide to access classified intelligence. So the government's success in safeguarding classified intelligence would seem to rest, in part, on its ability to implement JIE. Consolidating data would reduce the "attack surfaces" of DOD networks and allow security measures to be deployed simultaneously, according to DISA.

JIE's virtual cloud environment would also enable DOD and the intelligence agencies to ensure that even stolen data would be encrypted, then-NSA Director Gen. Keith Alexander said in July 2013. When fully implemented, JIE will connect DOD's consolidated data centers and networks on a secure cloud, and U.S. Cyber Command will have visibility into that cloud, then-DOD CIO Teri Takai told Foreign Policy magazine in August 2013.

Since becoming acting DOD CIO in May, Terry Halvorsen has on multiple occasions expressed his eagerness to see JIE in action while also emphasizing that it is more of a concept than a program. His office is set to unveil a series of cloud-based pilot projects for JIE to help identify DOD's acceptable level of risk for high-impact but unclassified data. The projects will help focus cloud efforts related to business systems and unclassified information. Halvorsen was unavailable for an interview for this story.

The intelligence community is also addressing insider threats holistically by developing a set of best practices for preventing them, with the help of the public/private Intelligence and National Security Alliance. The organization's Cyber Insider Threat Task Force is set to release its recommendations in the coming months.

Ammon said the result, although well intentioned, might be more academic or theoretical than practical. It is therefore the responsibility of the "vendor community to align our solutions around what is an academic approach and provide more of a road map in which [agencies] can stair-step their way" to better security, he said.

Vendors will want to stay involved in the intelligence community's response to insider threats. Given human nature, it seems there will always be a market for their services.