This interview is an excerpt from GovLoop's recent research brief, Combating Insider Threats.
Insider threats are constant and varied within government, which can lead many agencies to think they are an inevitable occurrence. In reality, there are a number of tactics that agencies can pursue to mitigate the risk of an internal breach.
To better understand how government can minimize insider threats, we spoke with Patricia Larsen of the National Insider Threat Task Force. Larsen began our discussion by stressing the need for every agency that holds classified information to create an insider threat program.
Customize Your Strategy
Larsen explained that most insider threat controls should be created and maintained by individual agencies. “Every different agency has a different mission, and they all know what’s normal for their agency; what authorities their individual system administrators are supposed to have. So the analysis is best done closest to the point of where the mission is being accomplished.”
This is especially important because indicators of potential threats must be customized to individual use cases. “There is no one single thing that you can point to and say that’s an indicator of an insider threat,” said Larsen. “You might see someone’s doing an awful lot of printing late at night. That seems odd until you discover they work in a watch center so that’s what their job is. You can’t simply leap to a conclusion based on one indicator.” However, this one indicator, coupled with previous incidents of questionable behavior, could be valuable in determining whether an individual is still clearance-worthy.
Indicators of insider threats can be anything inconsistent with an individual’s normal behavior. “It’s identifying what’s outside the norm for that individual or what kind of behavior that person is exhibiting that’s different,” said Larsen.
Identifying those inconsistencies requires understanding individual roles and users. It also requires a mechanism that alerts security staff to changes in behavior. Larsen said, “Agencies really need to have a system in place that will detect and flag if they see a massive exfiltration of information, for instance.”
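The detection approach Larsen describes, a per-person baseline of what is normal rather than a single global threshold, can be sketched in a few dozen lines. The script below is an added example written for this page, not code from GovLoop or the Task Force. It parses constructed print and upload log lines (the users, dates and volumes are invented), learns each user's own daily baseline from the days before a cutoff, and flags a day only when it departs sharply from that person's history or exceeds an assumed absolute daily upload ceiling. The watch-center worker who prints every night is not flagged because nightly printing is her norm; the analyst whose volume jumps on one day is.

```python
"""Per-user behavioral baselining over constructed print/upload logs (added example)."""
from collections import defaultdict
from datetime import date, datetime
import statistics

# Constructed sample log (not real agency data): user,timestamp,action,units
# units = pages for "print", bytes for "upload"
SAMPLE_LOG = """\
wcenter01,2024-03-01T01:10:00,print,190
wcenter01,2024-03-02T02:05:00,print,210
wcenter01,2024-03-03T01:40:00,print,200
wcenter01,2024-03-04T02:20:00,print,205
wcenter01,2024-03-05T01:55:00,print,215
analyst07,2024-03-01T10:10:00,print,12
analyst07,2024-03-02T11:00:00,print,8
analyst07,2024-03-03T09:30:00,print,10
analyst07,2024-03-04T14:15:00,print,11
analyst07,2024-03-05T23:40:00,print,400
analyst07,2024-03-01T10:20:00,upload,4000000
analyst07,2024-03-02T10:25:00,upload,5000000
analyst07,2024-03-03T10:30:00,upload,4500000
analyst07,2024-03-04T10:35:00,upload,5500000
analyst07,2024-03-05T23:50:00,upload,2000000000
"""

Z_THRESHOLD = 3.0               # standard deviations above the person's own mean
RATIO_THRESHOLD = 3.0           # fallback when the baseline has zero variance
EXFIL_BYTES_ABSOLUTE = 500_000_000  # hypothetical policy ceiling for one day of uploads
MIN_BASELINE_DAYS = 3           # refuse to judge a person with too little history


def parse_log(text):
    """Turn the CSV-style lines into (user, datetime, action, units) tuples."""
    events = []
    for line in text.strip().splitlines():
        user, ts, action, units = line.split(",")
        events.append((user, datetime.fromisoformat(ts), action, int(units)))
    return events


def daily_totals(events):
    """Sum units per (user, action) per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, ts, action, units in events:
        totals[(user, action)][ts.date()] += units
    return totals


def detect(events, cutoff):
    """Flag days on or after `cutoff`, judged against each user's own earlier days.

    Returns a list of dicts; every finding carries the reasons so a reviewer
    can see it is one indicator to be weighed, not a conclusion.
    """
    findings = []
    for (user, action), per_day in daily_totals(events).items():
        baseline = [v for d, v in per_day.items() if d < cutoff]
        if len(baseline) < MIN_BASELINE_DAYS:
            continue  # not enough history to say what "normal" is for this person
        mean = statistics.mean(baseline)
        sd = statistics.pstdev(baseline)
        for day, observed in sorted(per_day.items()):
            if day < cutoff:
                continue
            reasons = []
            if sd > 0 and (observed - mean) / sd > Z_THRESHOLD:
                reasons.append(f"{(observed - mean) / sd:.1f} sd above personal baseline")
            elif sd == 0 and observed > RATIO_THRESHOLD * mean:
                reasons.append(f"{observed / mean:.1f}x personal baseline")
            if action == "upload" and observed > EXFIL_BYTES_ABSOLUTE:
                reasons.append("exceeds absolute daily upload ceiling")
            if reasons:
                findings.append({"user": user, "day": day.isoformat(), "action": action,
                                 "observed": observed, "baseline_mean": round(mean, 1),
                                 "reasons": reasons})
    return findings


def run_sample():
    """Evaluate 2024-03-05 against the four preceding days in SAMPLE_LOG."""
    return detect(parse_log(SAMPLE_LOG), date(2024, 3, 5))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']} {f['day']} {f['action']}: {f['observed']} "
              f"(baseline {f['baseline_mean']}) -> {'; '.join(f['reasons'])}")
```

Run as a script it reports only analyst07, once for printing and once for the upload that trips both the personal-baseline and the absolute tests. The thresholds, the minimum history and the upload ceiling are assumptions to be set by the agency, which is exactly Larsen's point: the people who know what is normal for a role should own the numbers.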
Scrutinize User Privileges
Larsen recommended three action steps to safeguard against insider threats. First, each user’s privileges should be scrutinized. “We need to verify the access and privileges that each administrator has,” she said. “Make sure they’re commensurate with their job functions, their level of responsibility, and with their span of control that’s required to do their job.” Again, an agency-level understanding of user roles is crucial.
Among users, certain groups are more capable of committing large-scale insider threats. “Network administrators are a highly unique risk group,” said Larsen. “They have access to a significant amount of information. They’re often given the proverbial keys to the kingdom.”
However, Larsen also said, “That’s only if we let them… If we err on the side of convenience where we just grant more and more people network administrator access without thinking about who needs to do what, we’re setting ourselves up for failure.”
For this group, Larsen advises adding a second layer of control that limits what any single administrator can do alone. She suggested, “Enforce things like separation of duties so no one particular system administrator can do every possible function. And then you can require some sort of two-person control. So, if you have a sensitive location or network, you can require two people to be involved in protecting or servicing it.” This ensures that no administrator’s access goes unsupervised.
Finally, once privileges are diligently assigned to both administrators and less-privileged users, they should be periodically reviewed on an individual and agency-wide basis to ensure they remain appropriate. Adjustments should be made as users are promoted, demoted, or exit the organization.
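The three steps above (verify that privileges match job functions, enforce separation of duties and two-person control, and re-review as people move or leave) can be turned into a repeatable access review. The script below is an added example for this page, not code from GovLoop or the Task Force. The role matrix, the conflicting privilege pairs, the cap on top-level administrators, and the accounts and change records are all invented to illustrate the checks; a real agency would feed it from its directory, HR feed and change-management system.

```python
"""Static privilege review: least privilege, separation of duties, departed users,
admin sprawl, and two-person control over sensitive changes (added example)."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical agency role matrix: the privileges each job function actually needs.
ROLE_PRIVILEGES = {
    "analyst":      {"read_case_files", "print"},
    "helpdesk":     {"reset_user_password", "read_ticket_queue"},
    "sysadmin":     {"patch_servers", "manage_backups", "read_ticket_queue"},
    "security_ops": {"read_audit_logs", "manage_audit_config"},
    "domain_admin": {"domain_admin"},
}

# Hypothetical separation-of-duties policy: no one person holds both halves of a pair.
SOD_CONFLICTS = [
    ("manage_backups", "manage_audit_config"),      # could alter data and erase the trail
    ("patch_servers", "manage_audit_config"),
    ("reset_user_password", "manage_audit_config"),
]

KEYS_TO_KINGDOM = "domain_admin"  # the "keys to the kingdom" privilege
MAX_KINGDOM_HOLDERS = 2           # hypothetical cap on accounts allowed to hold it


@dataclass(frozen=True)
class Account:
    user: str
    roles: frozenset
    granted: frozenset
    active: bool = True  # False once HR records the person as departed


@dataclass(frozen=True)
class Change:
    """A service action on a two-person-controlled system; approver must be a second person."""
    system: str
    actor: str
    approver: Optional[str]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: tuple


def allowed_for(roles):
    """Union of the privileges the role matrix says these roles need."""
    allowed = set()
    for r in roles:
        allowed |= ROLE_PRIVILEGES[r]
    return allowed


def review(accounts, changes):
    """Run every check and return the findings a reviewer should act on."""
    findings = []
    for a in accounts:
        excess = a.granted - allowed_for(a.roles)          # more than the job needs
        if excess:
            findings.append(Finding(a.user, "excess_privilege", tuple(sorted(excess))))
        for p, q in SOD_CONFLICTS:                          # one person, both halves
            if p in a.granted and q in a.granted:
                findings.append(Finding(a.user, "separation_of_duties", (p, q)))
        if not a.active and a.granted:                      # left, but still has access
            findings.append(Finding(a.user, "departed_with_access", tuple(sorted(a.granted))))
    holders = tuple(sorted(a.user for a in accounts if KEYS_TO_KINGDOM in a.granted))
    if len(holders) > MAX_KINGDOM_HOLDERS:                  # convenience grants piling up
        findings.append(Finding("*", "admin_sprawl", holders))
    for c in changes:                                       # two-person control at change time
        if c.approver is None or c.approver == c.actor:
            findings.append(Finding(c.actor, "two_person_control_bypassed",
                                    (c.system, str(c.approver))))
    return findings


# Constructed accounts and change records (not real data).
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"analyst"}), frozenset({"read_case_files", "print"})),
    Account("bob", frozenset({"helpdesk"}),
            frozenset({"reset_user_password", "read_ticket_queue", "domain_admin"})),
    Account("carol", frozenset({"sysadmin", "security_ops"}),
            frozenset({"patch_servers", "manage_backups", "read_ticket_queue",
                       "read_audit_logs", "manage_audit_config"})),
    Account("dave", frozenset({"domain_admin"}), frozenset({"domain_admin"}), active=False),
    Account("erin", frozenset({"domain_admin"}), frozenset({"domain_admin"})),
    Account("frank", frozenset({"domain_admin"}), frozenset({"domain_admin"})),
]
SAMPLE_CHANGES = [
    Change("classified_fileserver", "erin", "frank"),   # properly witnessed
    Change("classified_fileserver", "frank", None),     # nobody else involved
    Change("classified_fileserver", "erin", "erin"),    # self-approved
]


def review_sample():
    return review(SAMPLE_ACCOUNTS, SAMPLE_CHANGES)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.kind:28s} {f.user:6s} {f.detail}")
```

Note that carol holds no privilege her roles do not grant, yet still appears in the output: stacking two legitimate roles on one person created the backup-plus-audit conflict, which is why the separation-of-duties check is run on the effective privilege set rather than on the role list. The cap on domain administrators counts departed dave as well, since until his grant is removed the account is still a way in.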
Communicate Your Strategy
Once an agency has created a program to monitor potential insider threats, it’s important to communicate the strategy to employees. Effective communication can both build buy-in for your program and strengthen your tactics’ effectiveness.
Larsen explained that many agencies don’t consider themselves part of the national security framework, and therefore don’t think insider threats are a paramount concern at their organization. “One of the challenges that we’ve been facing is that we’re asking for cultural change in some agencies that don’t have a traditional national security mission. Their primary mission is something else to support the American population, and so they don’t think about national security considerations first and foremost.”
To combat this misconception, Larsen’s team emphasizes how each agency serves a national security purpose and how their information could be compromised. “We give them examples of how adversaries have tried to target non-traditional information that their agencies hold. That gets their attention,” said Larsen. When employees understand why protocols are important to security, they are more likely to follow them.
Additionally, agencies must communicate the tactics they will use to safeguard against insider threats. “You’re not effective if you don’t have a transparent program,” said Larsen. “We have to set in general terms what is expected of employees.”
Larsen also recommends encouraging employees to come forward if they see troubling or suspicious behavior. This mechanism provides an extra layer of security on the ground in your agency. It also creates an outlet for employees to seek help before they feel forced into unsafe actions. And while some employees may be reluctant to voice concerns, Larsen said, “If you explain that you are here to help a person, not simply march them out the front door, then employees will be more supportive of the program. The goal is to protect the investment we have made in our people and our information.”
This communication is admittedly a fine line. Larsen said, “Obviously you can’t give a specific list of triggers and things that you’re going to be looking for. You can’t give away your playbook.” This lesson returns to the need for customization. Depending on the scenario, agency mission, and individual user, the appropriate level of transparency will change.
Ultimately, agencies must determine how their mission fits within broader national security concerns. Larsen concluded, “Each agency has access to incredibly important information, and your agencies are critically important to our entire national security mission, not just to what you do as an individual department.” Insider threat programs that are cognizant of that unique role are necessary to safeguard both employees and the information they handle.