ArchiveOODA OriginalPremium AnalysisTechnology

US Government Agency Insider Threat Planning

Federal Cyber Security professionals have long considered the “insider threat” as the most insidious, hardest to protect against threat vector. This has always been the toughest form of threat, even before computers were created. Now that every employee in the entire organization must have access to IT the cyber version of this threat is just far more complex. Part of the complexity comes from the fact that the actions taken to find one malicious individual can have a negative impact on the productivity of all the good ones in an organization. This is also a challenge because a good person who is known and trusted may one day change their intent. How can you spot this one? There are very interesting human dynamics to this challenge.

Although federal cyber security professionals had long worked this issue, the summer 2010 arrest of Bradley Manning and discovery of the extent of his treason during subsequent investigations brought this matter to a head in the federal government. Working groups were established in multiple agencies to try to deal with the insider threat in a more coherent fashion, and eventually a formal cross-government mechanism was established to coordinate appropriate policy for reducing the insider threat. While this was underway, every firm in the nation that had any technology that could mitigate any part of this threat made a bee-line path to DC in the hopes of serving the mission and growing their firm. We were able to review many of these technologies and saw many with great promise of addressing key aspects of the challenge. But the biggest part of this challenge consists of non-technical factors: things like training and policy and design.

The conclusions of cross-agency study were captured in an executive order on structural reforms, and that order contains many common sense measures.  It is interesting to note, however, that in the opinion of our researchers, perhaps the most important step that could have been taken to mitigate this threat was not taken. We feel that the human dynamic is the most important dynamic in this field. In the case of Bradley Manning, reports are that he was being abused, threatened and even beaten by members of his unit. This type of attack must have directly contributed to his state of mind and cause him to seek to harm his country. When as person seeks to covertly harm his or her organization there is very little that can be done to stop that harm (although steps can be taken to smartly mitigate it). Therefore, a piece of any solution should be to make absolutely certain that no units exist anywhere in government that inappropriately haze, bully, beat or mistreat co-workers. That sort of behavior does not excuse a malicious actor, but it can certainly contribute to the rise of evil in an individual.

Although that conclusion seems to have been overlooked in the nation’s response, many other actions were coordinated. Any firm or outside individuals who seek to help the government serve in this domain should review the  Executive Order 13587 signed by the President on 07 October 2011.

That executive order directs many structural reforms, but it seeks to do so in a way that does not impede information sharing. Among the many reforms called for, every agency will implement an insider threat detection and prevention program. This program will carry out the guidance of a broader effort called the Insider Threat Task Force. So, at a national level, the task force coordinates action, then at an agency level, a program head executes the guidance.

Although actions are underway now at both the task force and agency level, a formal plan with standards is not due till one year after the signing of the executive order, which will be October 2012.

More on the task force and guidance for agencies is available at:

Bob Gourley

Bob Gourley

Bob Gourley is the co-founder and Chief Technology Officer (CTO) of OODA LLC, the technology research and advisory firm with a focus on artificial intelligence and cybersecurity which publishes Bob is the co-host of the popular podcast The OODAcast. Bob has been an advisor to dozens of successful high tech startups and has conducted enterprise cybersecurity assessments for businesses in multiple sectors of the economy. He was a career Naval Intelligence Officer and is the former CTO of the Defense Intelligence Agency.