Unlocking the Fortress: Unveiling 5 Crucial Early Warning Signs to Safeguard National Secrets

The US Department of Defense Establishes Insider Threat Office to Monitor Employees

Déjà Vu All Over Again

The US Department of Defense (DoD) has announced the creation of an insider threat office to monitor employees following a recent leak of classified Pentagon intelligence on Discord. This move comes after a review of the incident and a recognition that more proactive measures must be taken to prevent insider threats from turning into data-loss incidents.

This is not the first time the DoD has taken action in response to insider threats. In 2011, President Barack Obama issued Executive Order 13587, establishing the National Insider Threat Task Force (NITTF) in the wake of the WikiLeaks release of classified documents. And in 2014, the DoD established the DoD Insider Threat Management and Analysis Center (DITMAC) following the shooting at the Washington Navy Yard.

While these efforts to consolidate the insider threat function across the DoD are commendable, there are still larger issues that need to be addressed in order to effectively protect classified intelligence in the interests of national security.

The Real Issue: Insufficient UAM Data Requirements

The biggest hindrance to proactive insider-risk mitigation within the DoD is the reactive nature of the current User Activity Monitoring (UAM) data requirements. The Committee on National Security Systems Directive (CNSSD) 504, established in 2014, outlines the minimum technical capabilities that executive branch departments and agencies should have for collecting user activity data.

These capabilities include keystroke monitoring, full application content monitoring, screen capture, file shadowing for lawful purposes, and attributing all collected UAM data to a specific user. However, these requirements are insufficient for proactively stopping insider risks from escalating into threats and data-loss incidents.

With 4.2 million individuals eligible to access classified information as of 2019, relying solely on employee surveillance as a primary mechanism for finding insider risks is not feasible. Surveillance can only detect incidents after they have occurred, and by then it may be too late to prevent data loss.

To effectively protect national secrets, the UAM data collection requirements need to be modernized to prioritize data that can be used early to proactively mitigate insider risk. This requires the implementation of early warning indicators that provide analysts with actionable data before a potential exfiltration occurs.

Pentagon Leaks: The Power of Early Warning Indicators

To demonstrate the significance of early warning indicators, let’s consider how they could have changed the outcome of the recent Pentagon leaks. Several indicators could have provided crucial context to proactively identify and prevent the data loss.

These indicators include the volume and frequency of access to large amounts of data, the sensitivity of the information being searched for or accessed (highly classified material in particular), activity beyond an individual’s job function and department, HR notifications of unauthorized or antisocial behavior, and unusual patterns of searching or researching across the corporate networks.

While these indicators may seem harmless in isolation, their significance increases when correlated with other data and the accused’s online presence. The aggregation and correlation of data from human, organizational, cyber, and physical sensors over time is crucial for a holistic and calculated approach to insider risk mitigation.
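
The correlation described above, as an added example that is not from the article or from any DoD system: each indicator alone is ignored, and a user is queued for analyst review only when several distinct indicators from more than one sensor class fall inside one time window. The indicator names paraphrase the article's list; the sensor mapping, the 30-day window, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator names paraphrase the article's list; the sensor mapping, window
# and thresholds are assumptions chosen for illustration.
SENSOR = {
    "bulk_access": "cyber",
    "sensitive_access": "cyber",
    "unusual_search": "cyber",
    "out_of_role_activity": "organizational",
    "hr_notification": "human",
}
WINDOW = timedelta(days=30)
MIN_INDICATORS = 3   # distinct indicator types inside one window
MIN_SENSORS = 2      # distinct sensor classes inside one window

# Constructed sample events: (ISO timestamp, user id, indicator)
EVENTS = [
    ("2023-01-03T09:10", "u1001", "bulk_access"),
    ("2023-01-05T14:00", "u1002", "bulk_access"),
    ("2023-01-09T22:40", "u1001", "sensitive_access"),
    ("2023-01-20T11:05", "u1001", "hr_notification"),
    ("2023-01-21T08:30", "u1002", "bulk_access"),
    ("2023-03-15T10:00", "u1003", "unusual_search"),
    ("2023-05-02T10:00", "u1003", "out_of_role_activity"),
    ("2023-07-19T10:00", "u1003", "hr_notification"),
]

def correlate(events):
    """Return {user: sorted indicators} for users whose events, within any
    WINDOW-long span, cover enough distinct indicators and sensor classes."""
    by_user = defaultdict(list)
    for ts, user, indicator in events:
        by_user[user].append((datetime.fromisoformat(ts), indicator))
    flagged = {}
    for user, items in by_user.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = {ind for t, ind in items[i:] if t - start <= WINDOW}
            sensors = {SENSOR[ind] for ind in in_window}
            if len(in_window) >= MIN_INDICATORS and len(sensors) >= MIN_SENSORS:
                flagged[user] = sorted(in_window)
                break
    return flagged

if __name__ == "__main__":
    for user, indicators in correlate(EVENTS).items():
        print(user, "-> analyst review:", ", ".join(indicators))
```

In the sample data only u1001 is flagged: u1002 repeats a single indicator, and u1003 shows three indicators spread over months, so no 30-day window contains them together.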

Understanding and acting upon early warning indicators swiftly and responsibly is essential in enabling the proactive detection and resolution of insider risks.

Editorial: Balancing Security and Privacy

The establishment of an insider threat office to monitor employees raises important questions about the balance between security and privacy. Employee surveillance is a serious issue that should be approached with caution and respect for individual privacy rights.

While the protection of national security secrets is of utmost importance, it is equally crucial to safeguard the privacy and rights of employees. Any monitoring program must be implemented within a framework that respects privacy laws and regulations, and includes clear guidelines for data collection, storage, and usage.

Transparency and accountability are key. Employees should be informed about any monitoring activities taking place and understand the reasons behind them. Additionally, there should be mechanisms in place for employees to raise concerns or report any potential abuses of the monitoring system.

It is essential to strike a balance between the need for security and the preservation of privacy rights. Overreaching surveillance measures can erode trust between employees and employers, and could have unintended consequences such as stifling innovation and creativity.

Advice: Strengthening Insider Risk Mitigation

In order to strengthen insider risk mitigation efforts, the US Department of Defense should consider the following actions:

1. Modernize UAM Data Requirements: The DoD should prioritize the collection of data that can be used proactively to detect and mitigate insider risks. This may involve updating CNSSD 504 to include new capabilities and indicators that provide early warning signs.

2. Implement Early Warning Indicators: The DoD should develop a comprehensive set of early warning indicators that can be used to identify potential insider risks before data loss occurs. These indicators should be based on behavioral analysis and the correlation of data from various sources.

3. Ensure Transparency and Accountability: Any employee monitoring activities must be carried out transparently, with clear guidelines and policies in place. Employees should be informed about the purpose and extent of monitoring and have mechanisms to raise concerns or report potential abuses.

4. Balance Security and Privacy: It is crucial to strike a balance between security and privacy. Overreaching surveillance measures can have a detrimental impact on employee trust and may undermine the effectiveness of insider risk mitigation efforts. Privacy laws and regulations must be respected and privacy rights safeguarded.

5. Invest in Training and Education: The DoD should provide comprehensive training and education programs for employees to raise awareness about insider risks and promote a culture of security. This includes promoting responsible digital behavior, educating employees about the potential consequences of insider threats, and providing resources for reporting suspicious activities.

By taking these actions, the DoD can strengthen its insider risk mitigation efforts while respecting employee privacy rights and maintaining the trust of its workforce. It is crucial to adapt to the evolving threat landscape and leverage modern technologies and strategies to safeguard national security secrets.
