Federal agencies need to get into second gear in their efforts to defend against insider threats, as outlined in the “Insider Threat Program Maturity Framework” released this month by the National Insider Threat Task Force (NITTF). Agencies must move past the minimum standards many have established and become more proactive in countering what the task force said is a dynamic threat that has moved beyond basic defenses, according to the framework.
The task force, a joint effort of the Federal Bureau of Investigation and the Director of National Intelligence, said the “[T]he threat landscape is continually evolving, technology is rapidly shifting, and organizations are changing in response to various pressures. Our collective efforts to address the insider threat require constant evaluation, fresh perspectives, and updated approaches to address current and future risk.”
The existence of insider threats has been persistent, and the effects can be significant. MeriTalk’s most recent Federal Insider Threat Report, from 2017, noted that while the rate of insider incidents had remained static from its previous report in 2015, the number of incidents was still significant, with 42 percent of respondents reporting incidents over the previous year, compared with 45 percent in 2015. Nearly a quarter of them said they had lost data in those incidents. What’s more, respondents said that insider threats hadn’t become any easier to detect and mitigate, pointing out that the continuing move to cloud computing had proved to be a complicating factor.
Agencies have made some progress since the Obama administration in 2011 first ordered them to create insider threat programs–including training, awareness education, and credentialing processes, among other steps–but progress has been slow, with just a half-dozen agencies meeting a December 2016 deadline to have their programs in full operation. And while MeriTalk’s threat report found that 86 percent of respondents had some form of formal insider threat program in place, the task force’s framework says it’s time to get to the next level.
The NITTF, created in the wake of former National Security Agency contractor Edward Snowden’s release of classified documents in 2013, was established to develop “a national insider threat program with supporting policy, standards, guidance, and training,” according to its mission fact sheet.
NITTF has been working with about 90 agencies to get their insider threat programs up to speed. The Maturity Framework outlines how agencies can improve on 19 specific elements of current minimum-standard areas. Those elements cover areas from leadership, program personnel, and employee training. It also covers access to information, monitoring user activity, information integration, analysis, and response.
Insider threat programs need to address a range of potential vulnerabilities, from high-profile, damaging breaches like Snowden’s to the more common inadvertent mistakes made by employees and leadership, which account for more than two-thirds of insider incidents. IBM’s X-Force Threat Intelligence Index 2018 also found that security incidents generated by inadvertent actors are on the rise, particularly those involving misconfigurations and phishing attacks.
Agencies also have been taking other steps to combat the insider threat. ODNI’s National Counterintelligence and Security Center–which oversees NITTF–is working with the Department of Defense to bolster the insider threat workforce. DoD last month also expanded its successful Hack the Pentagon program, which invites white hat hackers to find vulnerabilities in DoD networks, to include detection of insider threats.