Wayne Belk, co-director of the National Insider Threat Task Force, wants feds to know that insider threat programs are there to protect them, not to get them in trouble.
“The insider threat program is not a ‘gotcha’ program,” he said on Insider Threat Month. “It’s not meant to catch everything that goes wrong in the agency. It’s meant to advise and to inform the agency on the activities that are not normal across the employee workforce.”
He’s careful to explain what “normal” means in this context, though. Insider threat programs rely on a “see-something-say-something” dynamic with employees, but they’re not there to police behavior.
“You want to be very careful not to turn your workforce into an ‘every time something bothers me I call the insider threat people.’ That’s not what you want,” Belk told the Federal Drive with Tom Temin. “This is not a big brother program. We’re not trying to turn the workforce against each other. It’s exactly the opposite. But we all have that sense, that personal sense of the people we work with on a day-to-day basis.”
Instead, he said insider threat programs want to establish what he calls “baseline normal,” referring to professional activities and behavior rather than personal. So they’re not particularly interested if your normally quiet coworker suddenly becomes talkative this week. However, if your coworker never works weekends, but network logs register him logging in at 2 a.m. on a Saturday, that’s something insider threat programs would consider abnormal, and want to look deeper into.
But the primary focus of insider threat programs is to deter insider threat from ever happening. Belk said if a program is set up correctly, it should be proactive, focused toward stopping employees from doing something wrong, whether they intend to or not.
“Being witting or unwitting of the threat isn’t really a relevant point,” Belk said. “The problem with insider threat is that it is independent of the causality behind it. It doesn’t matter what the reason is per se; it’s about activity — abnormal activity and abnormal behavior. Whether a person intends to steal information — they plug a thumb drive in to download a lot of data to exfiltrate it; or whether they inadvertently click on a phishing link, the results can be the same.”
That’s one of the reasons the National Insider Threat Task Force focuses on training insider threat groups in each agency. This training is open to anyone within an agency who has anything to do with insider threat — cybersecurity, civil liberty and privacy, legal and even human resources employees can attend.
The only mandatory attendee is the agency’s senior official for insider threat, which minimum standards requires every agency to designate.
“We typically push for it to be as high as possible, and somebody who has either direct control over all of those functional areas, such as security, counter-intelligence, HR, those types of things. Or at least has direct influence over those who do control them. A chief of staff comes to mind, in a lot of these agencies,” Belk said.