Same obstacles plague small and large agencies in setting up insider threat programs

A handful of agencies met the December 2016 deadline to achieve final operating capability on an insider threat program. The Office of Personnel Management was the sixth agency to hit FOC and did so on Nov. 29, 2016, according to the agency’s inspector general, which recently evaluated OPM’s program.

But those six agencies have hit milestones that most departments haven’t. The National Insider Threat Task Force (NITTF) has been working with more than 90 agencies to help them build their own programs. And the story has been the same for the past two years: a combination of “organizational culture, legal questions and resource identification” are among the many obstacles preventing agencies from meeting the White House goal.

Task force leadership didn’t express outright frustration with the slow pace that agencies are moving. But smaller civilian agencies who say they can’t possibly meet the requirements of the program, aren’t so different from their counterparts at large agencies, the task force said.

“A lot of the problems that the smaller agencies have are very common to smaller agencies, but you’d be surprised how much of that is common to the larger agencies,” Wayne Belk, co-director of the National Counterintelligence and Security Center’s National Insider Threat Task Force, said during the Intelligence and National Security Alliance’s April 10 insider threat summit. “It’s not as different of a problem set between the bigger agencies and the smaller agencies.”

Advertisement

Cultural barriers are tough to climb, and many agencies have the wrong mindset in approaching insider threat, Belk said.

“A lot of times you don’t know what’s walking out your door until you have a program like this,” he said. “One of the biggest problems that some of the smaller organizations have is, that’s an [intelligence community] problem, that’s a DoD problem. We don’t have that issue. We don’t have that kind of problem. The next thing they know, they do have that kind of problem.”

Getting leadership on board with the program has been another challenge, Belk and other insider threat task experts said.

The key to getting agency leadership — and the organization’s human resources function — to buy in to the insider threat concept is to think of it as a two-way, collaborative street, said Sandy MacIsaac, a senior manager at Deloitte.

“Typically, there can be a tendency from insider threat to go in and just say, ‘You have great data. We’d like to bring in that data,’ and leave it at that,” he said. “You’re basically taking something and they’re not really getting anything in return. Offer them something in return. What you offer them is deep insight from a cultural perspective, possibly, that can improve performance management.”

Many agencies also are consistently scared off by legal, privacy and civil liberties questions as they attempt to achieve initial operating capability.

The lack of resources is another challenge — a perennial problem with unfunded mandates like the one the Obama administration handed to agencies in 2012.

“There are creative ways to address these issues,” Belk said. “If you look at the requirements for the insider threat program, whether it be the IT requirements for user activity monitoring or the training requirements, there are potential opportunities across the organization for coupling things that are already in your budget. There are ways that you can find opportunities to leverage. … [With] personnel, it’s the same thing.”

Most agencies don’t have dedicated professionals who focus on insider threat. The NITTF is developing a program now that would professionalize the insider threat function. It’s a long term effort, Belk said.

Though agencies might not have every piece in place, insider threat experts also balk at the idea that departments lack the technical solutions to implement these programs.

“It’s not a capability discussion,” Mike Seage, director of the Defense Insider Threat Management and Analysis Center (DITMAC) at the Defense Security Service, said. “We have the capability right now.”

Rather, Seage said agencies should focus on how they’re communicating their insider threat programs to their employees and contractors. His office is currently developing a communications strategy, designed to inform the workforce about DoD’s activities as it further develops a program.

Cleared members of industry and employees will receive tailored messages, Seage said, because different generations or professionals may have different reactions to the insider threat concept.

“How do you then take and craft your language and craft your strategy so that you’re talking not just to the specific person who’s sitting right in front of you or to the left and right of you, but your workforce and the context of the generational differences, the cultural difference, the cultural differences in terms of where they may or may not work?” he said. “I would also urge you to think about … your stakeholders.”

Ultimately, Seage said future administrations and Congress will have to examine the insider threat and provide deeper fixes. In the meantime, agencies will continue to cobble together the answers to these questions.

“Congress is going to have to sit down and give this a good thorough think,” he said. “They’re going to have to balance that tension between the civil liberties and the privacy and the effectiveness of a good insider threat program. We have to honestly … ask ourselves as a culture, how far do we want to go down that road? What are we willing to sacrifice for security? I don’t think it’s been given a good, deep review.”