The US Department of Defense (DoD) will create an insider threat office to monitor employees following a review into the leak of classified Pentagon intelligence on Discord.
A June 30 memo signed by the Secretary of Defense calls for the establishment of a Joint Management Office for Insider Threat and Cyber Capabilities to “oversee user activity monitoring (UAM).”
While any effort to stop insiders from leaking data is promising, there is a bigger issue at play that has everything to do with the UAM requirements, as defined by the Committee on National Security Systems Directive (CNSSD) 504 in 2014.
In brief, current UAM data requirements are insufficient for proactively stopping insider risks from becoming threats that turn into data-loss incidents (“proactively” being the key word).
Déjà Vu All Over Again
On hearing about the Joint Management Office for Insider Threat and Cyber Capabilities, many insider-risk practitioners likely experienced a good spell of déjà vu. And within reason.
Let’s recap history:
Indeed, there has been a lot of effort into consolidating the insider threat function across the whole of the DoD. But if the endgame is to protect classified intelligence in the interests of national security, then there are bigger issues to address.
The Real Issue: UAM Data Requirements Are Reactive
The biggest hindrance to proactive insider-risk mitigation within the DoD is that the required UAM data collection capabilities are reactive (at best).
According to CNSSD 504, every executive branch department and agency should have five minimum technical capabilities to collect user activity data. They are:
- Keystroke monitoring
- Full application content (e.g., email, chat, data import, data export)
- Screen capture
- File shadowing for all lawful purposes (i.e., the ability to track documents when the names and locations have changed)
- Attributing all collected UAM data to a specific user
As of 2019, 4.2 million individuals were eligible to access classified information. Many of the capabilities listed above rely on employee surveillance, which is a serious issue with respect to privacy and the trusted workforce philosophy. But to rely on surveillance as a primary mechanism for finding the needle in a haystack is just not feasible. Even on the off chance it does work, most insider risks will go unnoticed until exfiltration occurs and it’s too late. This reactive approach sets a low bar, especially in the context of national security.
When it comes to protecting national secrets, having the right data is the difference between proactive insider risk management versus reactive damage control.
Keystrokes and screen capture cannot be used to stop leaks from occurring; this data is only ever useful after the fact, and even then, its use is limited because the damage is already done.
There is a significant need to modernize the requirements for UAM by prioritizing data that can be used early to proactively mitigate insider risk. This is why early warning indicators are so powerful; they afford the opportunity of time to detect, deter, and disrupt insider risks well before data loss occurs.
Pentagon Leaks: How Early Warning Indicators Could Have Changed History
If the goal is to proactively mitigate insider risk, then having actionable data that precedes a potential exfiltration is everything. It is not enough to have a UAM solution capture data during or after a data loss event has occurred.
Early warning indicators afford analysts the privilege of time to proactively escalate, investigate, and remediate insider risk before data is lost.
In the case of the Pentagon leaks, there were several early warning indicators that could have been leveraged to provide the necessary context to proactively identify risk and prevent data loss.
Knowing what to look for and how to make sense of the right data is prudent. Insider risk cannot be determined in isolation. It should be a holistic, calculated effort based on the correlation and aggregation of data from human, organizational, cyber, and physical sensors over time.
Here are five potential early warning indicators from the Pentagon leaks:
- Volume and frequency: Accessing large volumes of data within unusual frequencies, especially when compared with an individual’s peer group
- Sensitivity: Searching, accessing, or aggregating highly sensitive data that may be unusual based on the individual’s job function
- Job function: Any other activity deemed to be beyond the scope or seniority of the individual’s job function and department
- HR notifications: Any notification of unauthorized or antisocial employee activity — no matter how small (“see something, say something“)
- Search: Searching or researching the corporate networks (in this case, the Joint Worldwide Intelligence Communication System) in unusual ways, times, and frequencies
These are just a handful of potential early warning behavioral-based indicators. While they might seem harmless in isolation, the individual’s risk profile is elevated when the indicators are aggregated and correlated, especially with other data including the accused’s controversial online presence.
Going forward, understanding early warning indicators and having a mechanism for capturing and acting upon them swiftly and responsibly will be critical in enabling the proactive detection and resolution of insider risks. Here’s hoping the Joint Management Office for Insider Threat and Cyber Capabilities considers this in its mission to protect national secrets.
