The insider threat is, by its very nature, a difficult threat
to face. As professionals operating in a National Industrial Security
Program Operating Manual (NISPOM) environment, we pay homage to these deviant but
trusted employees without really addressing the issue. Of course we conduct the
required insider threat program training, document it, and report the existence of our
insider threat programs as required. In other words, it is easy to recognize
that the potential for an insider threat exists. We can even assign an
impact level should an insider go to the dark side, but few of us can
go beyond recognition to implementing preventative measures.
If you can't identify a threat, do you still have a risk?
Insider threat programs and training requirements spend much
effort on convincing us that the insider threat is "real" and that, if activated,
an insider can cause a level of "damage" to national security that depends on the
classification level of the information exploited.
However, the mitigations are not well discussed. Many practitioners look for
some level of threat assessment before they will assign a risk rating. It's the
old formula so often used: Likelihood (or Feasibility) x Impact (or Severity) = Risk
(L x I = R, or F x S = R). The likelihood or feasibility term is typically derived
from a specifically identified threat. The danger is in not having a smoking gun
or specifically identified threat, which we usually don't. For example, if we have
no indication that employee X is going rogue, no threat report and no adverse
information on any employee, then the formula yields no threat and, as a result,
no countermeasures to implement. In this case, well-meaning
security managers may not see the need to apply countermeasures at all.
This is what the continuous evaluation process should
expose. However, that logic would have you remove the threat that the evaluation
process revealed. The truth may very well be that if you had a credible threat
report on one of your cleared employees, the mitigation would be to fire that
person or separate them from the classified work. You get rid of the risk and no
longer have a threat; the formula is back to zero, and so is the protection.
Let's propose another way to perform risk management.
What if there is no smoking gun? What if you have no threat report? What's the next step?
One solution is to assume a threat. Consider Manning and
Snowden. Both are poster children for the insider threat: trusted, cleared
employees, one military and one contractor. Both performed their missions
successfully and were probably rewarded for good work. Yet they
exfiltrated classified information without anyone's knowledge until the damage
was done. By then it was too late.
Many who perform risk assessments do capture the
impact an insider can have on the mission of the organization as well as on
national security. Even without an actual
threat report from a credible source, they are still able to assume that a
threat may exist from the inside and assign a risk level. We see this
application of a notional threat often in the loss prevention disciplines
of major corporations, banks, casinos, and retail stores. Even though most employees
are honest and hardworking, some may be rogue.
These risk managers are not
tasked with identifying which employees will go bad; they are only tasked with
making it harder for rogue employees to steal. They employ mitigations such as
audits, security cameras, anomaly searches and high-tech solutions to catch
thieves in the act.
How can this be applied by Security Managers?
Security managers can make it more difficult for an insider
to sabotage a program or steal classified
information by taking the following steps:
- Determine what high value items exist: classified information, personally identifiable information, technical data, proprietary data, etc.
- Determine where the high value items exist: security container(s), location in the building, on which computers, in the warehouse, etc.
- Identify who has access to the high value items, by name and location.
- Use technology or locking devices to prevent access by unauthorized persons: GSA-approved security containers, high security locks, password protection, segregated networks, segregated computers and hard drives.
- Control access to printers, faxes and computers. System administrators, ISSMs, ISSOs and others can use technology to limit downloads, print jobs, copying, etc. Technology can monitor and approve who conducts these tasks, at what time of day, and how much data is transferred.
- Require permission to access high value items: an employee's use of information technology should be treated as a privilege that is approved, monitored and audited by an authority, with violations reported.
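The steps above amount to an inventory (what, where, who) plus a set of monitored conditions (authorized user, time of day, amount of data, actions that need approval). The following is an added example, not code from the original post or from Red Bike Publishing, that applies those steps as an audit check over a handful of constructed log records. The item names, storage locations, user names, log format and thresholds are all assumptions chosen for illustration; a real deployment would take the inventory from the facility's own records and the records from its DLP, print server or SIEM.

```python
"""Audit high-value-item access records against an inventory of what exists,
where it lives and who may touch it (added example; all names are hypothetical)."""
from collections import defaultdict
from datetime import datetime

# Steps 1-3: what the high value items are, where they are, and who is authorized.
HIGH_VALUE_ITEMS = {
    "alpha-technical-data": {
        "location": "fileserver:/projects/alpha",  # hypothetical location
        "authorized": {"jdoe", "asmith"},          # access list by name
    },
    "employee-pii": {
        "location": "db:hr-prod",                   # hypothetical location
        "authorized": {"hrlead"},
    },
}

# Steps 5-6: the conditions an ISSM/ISSO would approve, monitor and audit.
BUSINESS_HOURS = (7, 18)            # access expected between 07:00 and 18:00 local
DAILY_BYTES_LIMIT = 100 * 1024**2   # per-user, per-day transfer budget (100 MiB)
REVIEW_ACTIONS = {"print", "copy_removable", "email_external"}  # always reviewed

# Constructed sample records (not real logs): "<iso-timestamp> key=value ..."
SAMPLE_LOG = [
    "2024-03-04T09:12:00 user=jdoe action=read item=alpha-technical-data bytes=204800",
    "2024-03-04T22:40:00 user=jdoe action=copy_removable item=alpha-technical-data bytes=52428800",
    "2024-03-04T23:05:00 user=jdoe action=copy_removable item=alpha-technical-data bytes=62914560",
    "2024-03-04T10:30:00 user=bwayne action=read item=employee-pii bytes=4096",
    "2024-03-04T11:00:00 user=hrlead action=print item=employee-pii bytes=8192",
]


def parse_record(line):
    """Turn one log line into a dict with a parsed timestamp and integer byte count."""
    timestamp, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["time"] = datetime.fromisoformat(timestamp)
    rec["bytes"] = int(rec.get("bytes", 0))
    return rec


def audit(lines, inventory=HIGH_VALUE_ITEMS):
    """Return (user, item, reason) findings for every record that breaks a rule.

    A record can raise more than one finding: an unauthorized, off-hours copy to
    removable media is three separate things a security manager wants to know."""
    findings = []
    daily_bytes = defaultdict(int)  # (user, date) -> bytes moved so far that day

    for line in lines:
        rec = parse_record(line)
        user, item, action = rec["user"], rec["item"], rec["action"]
        if item not in inventory:
            continue  # not a high value item; outside the scope of this check
        entry = inventory[item]

        # Step 3: is this person on the access list for this item?
        if user not in entry["authorized"]:
            findings.append((user, item, f"not on access list for {entry['location']}"))

        # Step 5: time of day the task was performed
        hour = rec["time"].hour
        if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
            findings.append((user, item, f"access at {rec['time'].isoformat()} outside business hours"))

        # Step 6: actions that require explicit permission
        if action in REVIEW_ACTIONS:
            findings.append((user, item, f"{action} requires approval/review"))

        # Step 5: amount of data transferred, accumulated per user per day
        key = (user, rec["time"].date())
        before = daily_bytes[key]
        daily_bytes[key] += rec["bytes"]
        if before <= DAILY_BYTES_LIMIT < daily_bytes[key]:
            findings.append((user, item, f"daily transfer budget exceeded ({daily_bytes[key]} bytes)"))

    return findings


if __name__ == "__main__":
    for user, item, reason in audit(SAMPLE_LOG):
        print(f"{user:8} {item:24} {reason}")
```

Note that the check never asks whether jdoe or bwayne is a bad actor; it assumes a threat and simply reports every deviation from what authorized employees are permitted to do, which is exactly the loss-prevention posture described above. The thresholds and the list of reviewed actions are the tunable part, and a facility would set them from its own baseline of normal activity.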
The traditional risk model depends on identifying a threat.
Many who use it find themselves inadequately protecting
high value information because there has been no history of adverse activity
and they have identified no adverse activity from trusted employees. A
good risk assessment instead assumes that a threat exists and works to ensure that authorized
employees operate only as permitted.
If you would like more information on insider threat training, just visit http://www.redbikepublishing.com/insiderthreat/
Jeffrey W. Bennett, ISP, is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books, including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".