As federal agencies and U.S. industry bolster their cybersecurity defenses, foreign intelligence agencies are likely to ramp up their targeting of trusted insiders, according to the director of the National Insider Threat Task Force.
Bob Rohrer, who has led the task force since January, said the successful implementation of zero trust architectures and other least-privilege principles could make it harder for foreign spies to pilfer U.S. secrets by exploiting gaps in network defenses. President Joe Biden has directed agencies to adopt zero trust architectures as part of his May cyber executive order.
“In the long run, from my experience, an intelligent adversarial threat that’s very capable of moving across those threat vectors, you harden the attack surface, it just means that if they still want your information, or they still want to go after your resources, then maybe they have to go after your humans a little bit harder,” Rohrer said in an interview with Federal News Network. “As we go forward, I think it’s just as important to keep the insider threat discussion as robust as the cyber threat discussion, because they go hand in hand.”
Rohrer said the task force is advocating for organizations to institute “active collaboration” across insider threat programs, personnel security offices, information security teams and other offices that could see different elements of an attack.
When a chief information security officer learns of an attempted cyber attack on a given program, for instance, it might mean managers also inform workers to be particularly careful about phishing attempts through email and social media.
“Largely, it’s a leadership decision, but it has to be kind of this orchestrated defensive effort as we go forward that gives you this enterprise threat mitigation practice,” he said.
It’s been a decade since an executive order from then-President Barack Obama directed agencies to set up insider threat programs to improve protection of classified information. The EO also established the task force to develop government-wide policies and guidance for mitigating insider threats.
Now, 100 departments and agencies have insider threat programs, which are essentially “a centralized capability to look at various different behaviors across the workforce, contextualize them, and do something about that,” Rohrer said.
An established community of insider threat professionals now exists as well. The Defense Counterintelligence and Security Agency houses the Center for the Development of Security Excellence, which puts out training materials. And there is a codified career path for insider threat within the intelligence community.
“We’ve created not just a concept and not just a program, we’ve created a mission space here that is, again, not just thriving within the federal government, but is really taking root in our public and private sector partners out there for the greater national security interest of protecting critical infrastructure and protecting our economic security,” Rohrer said.
The task force is among those counterintelligence entities warning that foreign intelligence agencies are targeting controlled unclassified information, which Rohrer said can include the “crown jewels,” such as large-scale thefts of personally identifiable information.
Rohrer said his office is partnered with the National Archives and Records Administration’s Information Security Oversight Office, which oversees the handling of controlled unclassified information. He also noted that implementing an insider threat program is considered a “control” under the National Institute of Standards and Technology risk management framework.
“We’re all kind of pushing from different directions to say, this is at least a best practice to have an insider threat program that is scoped to cover the whole of workforce, that can address the whole of threats that an organization might face,” he said.