Is the Defense Department getting serious about insider threats?
In the months following the arrest of Airman 1st Class Jack Teixeira, a member of the Massachusetts Air National Guard, for leaking national security secrets to his friends on Discord, the Defense Department has released new policies and procedures for how it handles classified information.
According to the reporting, most of the measures revolve around steps that should have been taken long ago.
These are items like:
Bringing the DoD’s Secret Compartmented Information Facilities (SCIFs) into line with the standards of other intelligence agencies.
Making sure that everyone touching sensitive information has a valid NDA on file.
Performing an accounting of who has clearance to access classified information.
With any luck, the DoD team will get on top of these basic-yet-tedious and necessary tasks, playing a bit of catch-up to get back to a respectable starting point. And they will probably have their hands very full.
After all, the government is a significant target for data breaches, with insiders making up 30% of the actors responsible for these incidents according to the Verizon Data Breach Investigations Report for 2023.
Beyond this initial banality, one part of the announcement stood out: the intention to open a new office within the DoD whose job is specifically to handle insider threats.
This new office will likely draw from the example of the National Insider Threat Task Force (NITTF) that works out of the Office of the Director of National Security. While the details are still sparse for this new DoD office, it raises the question of what took them so long to start this initiative — or perhaps more likely, what it is replacing?
Is it taking staff and budget from an existing counterintelligence department inside the DoD?
Leaky ships and loose lips
News of these new measures comes at an opportune time, as the Navy announced in August that it had arrested two sailors on charges of spying for China.
The two men are accused of passing along sensitive information to Chinese intelligence officers, including sensitive engineering manuals for Navy ships operating in the Pacific theater, blueprints for radar stations in Japan, as well as detailed updates about maritime exercises.
There may be more that was passed on that has not been made public, but suffice to say that these two sailors caused significant exposure for the U.S. Navy for China’s benefit.
Clearly troubling news, since as they say, loose lips sink ships.
Especially when there is some cash in the mix. At least one of the sailors is said to have received $5,000 for passing along the illicit materials and info to his handler. A small sum when considering the life-altering consequences of his actions.
It is possible that additional pressure was brought to bear on the men, as both likely still have family back in China that could have been used to encourage their willing participation in the espionage.
While fairly unsettling due to the sensitive nature of the data being shared, we should expect plenty more of these stories in the near future as competition between the U.S. and adversaries like China heats up in the next few years over questions like Taiwan and dominance in the Pacific theater.
The Chinese government has been running a successful campaign of cyber espionage attacks over the past decade, scooping up information on American personnel with the hack of the Office of Personnel Management (OPM), hotels, and healthcare, as well as more recent breaches via Microsoft Exchange servers for listening in on decision makers.
3 indications of a possible insider threat
So given the probable rise in the number of spies and oddball insiders, we need to know what to be on the lookout for moving forward.
Below are a number of indicators worth keeping in mind, followed by mitigations for stopping these insider threats before they can cause harm to your organization.
Accessing files unrelated to their work
Sensitive information should be segmented between departments and roles so that no one person has access to too many resources. It is hardly the most efficient way to work, but it adds a healthy dose of friction that can make an insider have to work harder to access more sensitive data.
If an employee makes regular, out-of-the-ordinary attempts to gain access to files that their role does not justify, then this may be an indicator of a higher-risk individual.
Be aware as well if employees in your organization try to escalate their access by asking colleagues for help. Edward Snowden infamously was able to steal such a wide range of assets because he got unknowing help from his colleagues.
Excessive downloading or file copying
In case after case, we see insiders downloading sensitive data from government systems. Not a file here or there, but copious amounts that end up splashing on the pages of Wikileaks.
Insiders are aware of the restrictions and protections against sending large amounts of data over email, so they often go old school with dead trees.
While the likes of Snowden and Chelsea Manning were able to download large quantities of data, putting it on disk-on-keys or CDs, Reality Winner found herself jailed for printing out a couple of pages that were then used to identify her.
Inappropriately taking work home
In the time since COVID hit in 2020, many government workers who never would have dreamed of working from home suddenly found themselves working from the kitchen table instead of the office.
This allowance has been a necessary yet tricky move as it opens up more opportunities for unsupervised work with sensitive information. While certain assets are likely to be restricted to SCIFs in keeping with regulations, not all data that is valuable to an adversary is necessarily labeled top secret.
Thinking about the case of the missing Navy manuals and plans for exercises that got passed on to the Chinese handler, it is possible that these two would have gotten caught earlier if their co-workers had noticed what kinds of materials they were walking out the door with.
3 steps for mitigating insider threats
With these challenges in mind, here are a few tips and tricks for catching insider threats before they act, and speeding up investigations when incidents do occur.
1. Monitor user behavior to detect suspicious activity
Looking back at most cases of insider threats, the signs were there if only co-workers and managers knew to look for them.
The patterns of an insider attack generally follow the same course when it comes to accessing data that is within and outside of their normal purview, and then finding ways to exfiltrate it.
Utilizing user behavior analytics tools to continuously monitor for anomalies to the expected, legitimate patterns can help defenders flag a potential insider before they are able to complete their illicit mission. They can also be a big help for investigating what else the suspected insider may have accessed or altered during the course of their operation.
2. Keep track of classified data
You cannot really protect what you do not know you have. The problem of overclassification in government agencies is well-worn territory, creating a situation where keeping track of all these documents can be challenging.
Use scriptable rules to discover classified files in your network and keep track of who is accessing them.
Monitor for suspicious behavior with your users’ access to these files, ensuring that you have eyes on controlled materials and can prioritize efforts where they matter most.
3. Monitor document printing
Hopefully you are already managing issues when it comes to locking down digital transfers of files to external devices like USB sticks or hard drives.
But what about dead trees? It is old school but effective.
Make sure that you know who is printing what and can quickly use this information in a forensic investigation if necessary.
You can even use your monitoring of classified files to set rules that will issue alerts if an individual starts to print out classified documents in a way that is incongruent with normal behaviors.
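The two rules described in steps 2 and 3, sketched as an added example that is not from the original article or any vendor's product: a marking rule that decides which documents count as controlled, and a per-user baseline that alerts when someone prints controlled pages out of line with their own history. The log layout, the marking pattern, the user names and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed discovery rule: a document is controlled if its first line
# starts with a banner marking. Real marking schemes vary by agency.
MARKING = re.compile(r"^\s*(TOP SECRET|SECRET|CONFIDENTIAL|CUI)\b")

def is_controlled(first_line):
    return bool(MARKING.match(first_line))

# Constructed print-log records: (day, user, pages, first line of document).
PRINT_LOG = [
    ("2024-03-01", "alice", 4, "SECRET//NOFORN"),
    ("2024-03-04", "alice", 6, "SECRET//NOFORN"),
    ("2024-03-05", "alice", 5, "CUI"),
    ("2024-03-06", "alice", 60, "SECRET//NOFORN"),
    ("2024-03-01", "carol", 30, "CONFIDENTIAL"),
    ("2024-03-04", "carol", 34, "CONFIDENTIAL"),
    ("2024-03-05", "carol", 32, "CONFIDENTIAL"),
    ("2024-03-06", "carol", 35, "CONFIDENTIAL"),
    ("2024-03-06", "bob", 200, "UNCLASSIFIED"),
    ("2024-03-06", "dave", 12, "TOP SECRET//SI"),
]

def daily_controlled_pages(log):
    """Sum pages of controlled documents per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, pages, first_line in log:
        if is_controlled(first_line):
            totals[user][day] += pages
    return totals

def print_alerts(log, today, z=3.0, floor=10):
    """Return (user, pages_today, threshold) for users above their own baseline.

    The baseline uses only earlier days on which the user printed controlled
    pages. With fewer than three such days, only the absolute floor applies.
    """
    alerts = []
    for user, days in daily_controlled_pages(log).items():
        history = [n for d, n in days.items() if d < today]  # ISO dates sort as text
        current = days.get(today, 0)
        if len(history) < 3:
            threshold = floor
        else:
            threshold = max(floor, mean(history) + z * pstdev(history))
        if current > threshold:
            alerts.append((user, current, round(threshold, 1)))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in print_alerts(PRINT_LOG, "2024-03-06"):
        print(alert)
```

On the constructed data, alice and dave are flagged, while carol's heavy but consistent printing and bob's unmarked 200-page job are not.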
The second oldest profession
Espionage and getting trusted government workers to betray their countries is one of the oldest games in the book.
All governments benefit from spying, and there are even some good arguments that a little bit of illicit information gathering can help to avert conflicts when it helps better understand an adversary’s intentions.
And intelligence officers are always going to find that one insider motivated enough to help them gather the information they are looking for, so do not expect this game to end anytime soon.
But that does not mean that we have to make it easy for them. With the right tools and practices, we can flag potential insiders early and put enough obstacles in their way to lead them to slip up sooner rather than later. Hopefully empty-handed.
Isaac Kohen is Chief Product Officer & Founder of Teramind.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.