This blog post is an excerpt from GovLoop’s Industry Perspective, “Humanizing the Way Government Tackles Insider Threats With Cognitive Computing.”
When you consider insider threats in government, you probably think of computers and networks. It’s important to remember, however, that the entire population of potential internal threat actors is made up of humans who are just that: human. Behind every insider threat is an individual who maliciously or inadvertently compromises government information or plans to do physical harm.
To detect these threats and better protect government information, agencies have turned to modernized digital systems and technologies to strengthen firewalls and monitor access. But traditional cybersecurity technologies and approaches have been heavily focused on detecting threat actors coming from the outside. Trusted insiders planning nefarious activities have no external firewall to break through – they already have access to facilities and data. As such, these threats are not readily detected by current methodologies. Yet the consequences from insider threats can be catastrophic, including dangerous compromises to national security and loss of human lives.
Insider threat strategies must look beyond current detection methods that only address access log data or authentication management. To better thwart attacks before irreparable damage is done, agencies need a holistic picture of the threat landscape and the people behind those threats.
That’s why government agencies are exploring cognitive computing technology to establish continuous monitoring programs while ensuring a trusted workforce. By analyzing electronic communications, social media and web activity, along with human resources records, cognitive computing can help agencies spot erratic behavior and prevent insider threats before they become a problem.
GovLoop sat down with the following experts from Digital Reasoning, a company that derives knowledge by merging computational logic with an understanding of context in order to build software that understands human communication:
- Marten Den Haring, Chief Product Officer
- Bill DiPietro, Vice President of Product Management
- Aaron Nelson, Director of Applied Analytics
Government Threat Landscape
Insider threats are some of the most pernicious risks to government. Whether malicious attacks, such as those executed by Edward Snowden and Chelsea Manning, or inadvertent misuse of information, they can do grave damage to national security interests and place human lives in danger.
An insider threat arises when a person with authorized access to U.S. government personnel, facilities, information, equipment, networks or systems uses that access to intentionally or unintentionally share government information with unauthorized sources or to plan physical attacks. Not only are insider threats increasing, but they are also especially difficult to address due to their complex nature. According to a recent study from Raytheon Cyber:
- 88 percent of industry and government sources believe insider threats will increase
- 69 percent find it hard to identify threats because security tools offer little context
- 56 percent complain that security tools produce too many false positives
Traditional threat-detection methods comprise identity access management technologies where password credentials and badges are used for authorized access, and where agencies monitor networks and physical systems to flag potential concerns. But those approaches provide minimal or no insight into a user’s intent and most often result in excessive false positives. More importantly, they typically only generate warnings after data has been compromised. Yet there are key indicators in human communications data that can provide vital clues into behaviors and intentions to dramatically reduce false positives and provide a more proactive defense.
For example, let’s say John Doe, a disgruntled employee at agency X, is experiencing financial difficulties. An external bad actor offers him money in exchange for confidential information. Key indicators that Doe could pose an insider threat can be found within his emails, social media posts and other unstructured data, including indicators concerning his attitude and personal finance problems. This information typically remains unobserved and underutilized with traditional detection methods, but it is clearly a rich source of insight and a clue to the individual’s future intentions.
That’s why, to more effectively mitigate the potential loss of data and lives, agencies need to marry structured indicators, such as atypical file access, work hours and other anomalous behaviors, with insights into behaviors and intentions that are buried within human communications.
The Need for Human-Like Computers
Cognitive computing is the simulation of human thought processes in a computerized model. It can help read and understand a variety of forms of electronic communications data, including emails, social media and open source news sources. Cognitive computing analyzes context and complex relationships with human-like acuity.
Cognitive computing involves self-learning systems, data mining, pattern recognition and natural language processing to mimic human behavior. It uses a process called machine learning, which helps computers learn from data to make more accurate predictions over time. By accumulating context and filling in knowledge gaps concerning human behavior, over time the system can then rely on statistical patterns and generalize from examples.
“Cognitive computing looks more into the way the human brain works,” Den Haring said. “It also applies aggregation, where you can remember and learn things through association or knowledge. Humans are good at complexity and ambiguity, and to train a computer to do that, you need a cognitive learning platform.”
Understanding behaviors and intent is key to detecting insider threats. Cognitive systems can resolve entities and relationships and understand complex, nuanced communications in context to identify anomalous behaviors and intentions that could indicate a new threat. Without the help of a cognitive system, these indicators might otherwise go unnoticed.
“A lot of the systems today are built on programmable rules that are rigid and deterministic,” DiPietro said. “Cognitive systems are designed to deal with complexity and probability. They can better handle unstructured sources by focusing more on entities and behaviors.”
With the behavior analytic capabilities of cognitive systems, anomalous activity that could indicate an insider threat can be spotted earlier. By establishing normal patterns of activity, outliers can be identified, including work schedules, file and facility access that are outside the norm, or new life events such as divorce or bankruptcy that could make an employee more vulnerable to bribes. Cognitive systems can also flag indicators of anti-American sentiments buried within communications that could be a precursor to espionage or terrorist activity. With cognitive computing, agencies can continuously monitor electronic communications or web and social activity and layer them with insights from legacy solutions to achieve holistic knowledge of threats, their source and their cause.
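As an added illustration of the baselining described above (and of the layering of structured indicators with other signals discussed earlier), here is a small detector written for this post; it is not Digital Reasoning’s code. It builds a per-user baseline of usual access hour and daily file-access volume from constructed log lines, flags the newest event when it falls outside that baseline, and adds weight when a constructed HR indicator is also present. The log format, the HR flag names and the thresholds are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines: user,ISO timestamp,files touched that day (not real data).
ACCESS_LOG = [
    "jdoe,2024-03-04T09:12:00,14", "jdoe,2024-03-05T09:40:00,11", "jdoe,2024-03-06T10:05:00,13",
    "jdoe,2024-03-07T08:55:00,12", "jdoe,2024-03-08T09:20:00,15", "jdoe,2024-03-09T02:30:00,140",
    "asmith,2024-03-04T08:30:00,40", "asmith,2024-03-05T08:45:00,38", "asmith,2024-03-06T09:00:00,42",
    "asmith,2024-03-07T08:50:00,41", "asmith,2024-03-08T08:40:00,39",
]

# Constructed structured HR indicators (the "new life events" the text mentions); assumed names.
HR_FLAGS = {"jdoe": {"recent_financial_stress_report": True}, "asmith": {}}

def parse_log(lines):
    """Group (timestamp, file_count) events by user, preserving log order."""
    by_user = defaultdict(list)
    for line in lines:
        user, ts, count = line.split(",")
        by_user[user].append((datetime.fromisoformat(ts), int(count)))
    return by_user

def baseline(events):
    """Median access hour plus median/MAD of daily file count, from all but the newest event."""
    hist = events[:-1]
    hours = [e[0].hour for e in hist]
    counts = [e[1] for e in hist]
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts) or 1.0  # avoid divide-by-zero
    return statistics.median(hours), med, mad

def score_user(user, events, hr_flags, hour_tolerance=3, mad_threshold=5.0):
    """Robust outlier check on the newest event, layered with structured HR indicators."""
    base_hour, med, mad = baseline(events)
    ts, count = events[-1]
    reasons = []
    if abs(ts.hour - base_hour) > hour_tolerance:
        reasons.append(f"access at {ts.hour:02d}:00 vs usual ~{int(base_hour):02d}:00")
    if (count - med) / mad > mad_threshold:
        reasons.append(f"{count} files vs baseline median {med}")
    # An HR indicator alone is not an alert; it only raises the priority of a behavioral outlier.
    if reasons and hr_flags.get(user):
        reasons.append("HR indicator present: " + ", ".join(hr_flags[user]))
    return len(reasons), reasons

def triage(lines, hr_flags):
    """Return {user: (score, reasons)} for analyst review; higher score means earlier attention."""
    return {u: score_user(u, ev, hr_flags) for u, ev in parse_log(lines).items()}
```

Running `triage(ACCESS_LOG, HR_FLAGS)` scores jdoe at 3 (off-hours access, a large file-count spike, and an HR indicator) and asmith at 0, so an analyst sees a ranked list rather than a raw stream of log lines.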
Insider threats are increasingly complex for government agencies to address, because humans are complex. While computers are able to rapidly crunch numbers and perform tasks in sophisticated ways that people never could, they lack the complexity, emotional intelligence and spontaneity that comes with being human. Cognitive computing provides the enhanced capability to analyze vast amounts of data and reveal insights into concealed risks and relationships, identifying erratic behaviors and intentions that could compromise a government entity. With cognitive computing, government agencies can better scrutinize larger volumes of data and respond to all types of threats with greater speed and accuracy, protecting national security interests and human lives.