Creating an Insider Threat Program NCMS June 2015
Agenda
Introduction
History 101
Recent Events
What is Insider Threat and Why We Need a Program?
The National Archives Program
NISPOM Requirements
What is a Program?
Sources of Data and the HUB
Scope and Assets
Baseline (What is Normal?)
Implementation
Case Studies (Data Use)
Q & A
Resources
Samuel Slater (June 9, 1768 to April 21, 1835). In the UK he was called "Slater the Traitor."
What about these?
Wen Chyu Liu, Kexue Huang, Yuan Li, Elliot Doxer, Sergey Aleynikov, Michael Mitchell, Shalin Jhaveri, Hanjuan Jin, Greg Chung, Chi Mak
Common threads: conspired with internal employees; foreign travel; foreign contacts (business and government); downloaded and copied megabytes of data, thousands of documents and files.
Recent Events: The documents leaked by Manning to WikiLeaks, and later by Snowden, have shown a new wave of threats from personnel whose access and training allow them to damage national security.
What is an Insider Threat and Why do We Need A Program?
What is an insider threat? It is a threat posed to U.S. national security by someone who has authorized access to classified information but who misuses or betrays that access to provide classified information to another entity not authorized to possess it. That entity could be another government, another individual, or even the media.
Why does the United States need an Insider Threat Program? The exposure of hundreds of thousands of classified and sensitive USG documents by the WikiLeaks internet site demonstrated to the government and the public that current sharing and safeguarding procedures for classified information were inadequate and put our nation's security at risk. In November 2012, after an interagency review of the work products of the National Insider Threat Task Force (NITTF), the President issued the National Insider Threat Policy and the Minimum Standards for Executive Branch Insider Threat Programs via a Presidential Memorandum.
National Archives and Records Administration
Why does the National Archives need an Insider Threat Program? NARA is responsible for the safety and protection of holdings which include information classified by every department and agency authorized to do so, as well as electronic systems used as part of our work with those holdings or to otherwise support NARA operations. Hundreds of NARA staff, other agencies' employees, and Federal government contractors have access to this information and these systems every day in the course of their work. It is our responsibility, as directed by the President, to prevent individuals with access to NARA's classified holdings and systems from giving classified information to individuals or organizations not authorized to possess it.
Background: NARA
600-plus employees and contractors have access to National Security Information.
We have the most mosaic collection of classified information in the US government: Presidential Libraries; Intelligence Community records; Department of Defense (Armed Services and Combatant Commands); Departments of State, Energy, Commerce, Treasury, and others.
We hold generations of media types (disks, tapes, textual records, maps, photos, etc.) of highly sensitive national security information.
The ITP is within the Chief Operating Officer's Office.
NARA ITP
Developed Policy (NARA 242)
Ongoing development of the Implementation Guide
Developed Training
Hired Staff (1 IT Security Specialist and 1 Program Analyst)
Currently baselining our Agency: gathering data, developing priorities, reviewing policies and processes
The Challenge
Educating leadership and staff on what the Program is and is not.
46 locations across the United States, plus affiliated Archives and Records Facilities.
We own the records but NOT the classified information, and the records are PERMANENT!
We do not classify records, and most of our classified electronic systems are standalones and LANs.
Plus we have hundreds of other Federal employees and contractors assisting in the review of classified information for declassification.
Economic Impact of the Insider Threat
"In the last fiscal year alone, economic espionage and theft of trade secrets cost the American economy more than $19 billion ... economic espionage and theft of trade secrets are increasingly linked to the insider threat." - Christopher Munsey, FBI Counterintelligence Division (2013)
"The average cost per Insider Threat incident is $412,000. Average loss per industry is $14 million/year. Multiple incidents have exceeded $1 billion." - Patrick Reidy, FBI CISO, Black Hat Conference (2013)
Source: Global Skills Exchange, Corp.
NISPOM Requirements
What is your Challenge!? Establish a program that:
Has a designated Senior Official and Insider Threat Official who will gather, integrate, and report potential or actual insider threats
Maintains records pertinent to insider threat for when they are requested, and renders assistance if necessary
Reports events that may indicate an employee poses an insider threat or that affect the proper safeguarding of classified information
Meets the training requirement
Requirements Senior Official Establish a Program Train Staff Maintain Necessary Records and Documentation Report
What is the Program?
Proactive Behavioral Risk Management
Overlaid onto Existing Programs
Integrates Data from MULTIPLE sources
Discreet
Sources of Information
Information flowing into the HUB can be passive or active. Active information is information requested when it is believed that a staff member is engaged in malicious behavior. Passive information feeds into the HUB through electronic feeds with no human action.
4/3/2015 DRAFT
Data Sources
Inputs to the Insider Threat Hub: UAM data, EAM data, financial disclosure, physical security, foreign contacts, foreign travel, Human Resources, behavioral assessments, personnel security, insider inquiries.
Processing: manual or automated, reviewed by an analyst.
Outputs: metrics, leads, reports.
Office Stakeholders
Office of Human Capital: Labor/Employee Relations and Benefits; Staffing and Recruitment
Business Support Services: Facilities and Property; Security Management
Information Services: IT Security
External owners of classified networks (may need an MOU)
Labor/Employee Relations and Benefits; Staffing and Recruitment: DATA
Name (first and last)
Organization code, office symbol, and description
Pay plan, occupational series, position title and grade
Supervisory status
Employee's supervisor
Location (physical)
Employment status
Start date
Other needed information: anniversary dates; termination date; performance ratings; transfers, promotions, and details to other offices that require different access; administrative leave or other disciplinary action; work hours (flex time, 4/10s, etc.); date in current position
Security Management
Information via forms:
Foreign travel and contacts (name and nationality), official or personal: dates, destination, and unusual changes in itinerary
Clearance level and access
Security infractions and violations
Statement of Personal History (SF 86)
Classified room access logs
Employee financial disclosure reports, as appropriate
Government official passport holders
Requests for access or keys to areas not within the staff member's scope of work
Staff needing a temporary pass
Notifications via e-mail:
Changes in relationship status (divorce, widowed, marriage) or cohabitation
Financial problems (bankruptcy, garnished wages, or liens)
Arrests (for any reason) or other involvement with the legal system
Psychological or substance abuse counseling (does not need reporting if sought on your own initiative)
Outside activities or employment that could create an apparent conflict of interest
Notification of pending termination, or of being placed under special watch by Security
Incidents while attempting to leave through baggage checks
IT Security
Websites visited, or repeated attempts to visit them
Downloads from websites
Access to e-mail after work hours? Weekends? Holidays?
Accessing shared drives after hours
Downloading off
Attempting to access unauthorized drives during or after hours
Attempts to bypass security protocols
Attempts to encrypt data on drives
Requests for new user accounts
Remotely accessing the system and performing tasks atypical of the individual's responsibilities
Elevating or assigning administrator roles to unauthorized users or accounts
Accessing another user's computer when left unattended
Failing to follow policies and controls
Accessing users' and administrators' accounts after termination of employment
Using computer resources to conduct a side business
Any staff member having been recently terminated, disciplined, demoted, or changed duties and roles
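Several of the indicators on this slide only become detectable when IT audit events are correlated with the Human Capital data the HUB receives (termination date, assigned workstation, who is authorized to hold administrator roles). The following is an added example, not NARA's code or anything from the presentation: it applies four of the slide's indicators (after-hours shared-drive access, account use after termination, administrator grants to or by unauthorized accounts, and use of another user's workstation) to a constructed audit log. The key=value log format, the roster fields, the core-hours window, and every user and host name are assumptions.

```python
"""Correlate IT audit events with HR data to raise insider-threat leads.

Added example for this deck; not NARA code. The log format, roster fields,
core hours and the rules themselves are all assumptions.
"""
import re
from datetime import date, datetime, time

# Constructed HR roster, standing in for the Human Capital feed into the HUB.
# "admin" marks accounts authorized to hold or grant administrator roles;
# "workstation" is the machine assigned to the person. Both are assumed fields.
ROSTER = {
    "jdoe":    {"status": "active",     "terminated": None,         "admin": False, "workstation": "WS-101"},
    "asmith":  {"status": "active",     "terminated": None,         "admin": True,  "workstation": "WS-102"},
    "bjones":  {"status": "terminated", "terminated": "2015-03-27", "admin": False, "workstation": "WS-103"},
    "ops_svc": {"status": "active",     "terminated": None,         "admin": True,  "workstation": None},
}

# Constructed audit log (key=value form is assumed). 2015-03-28 is a Saturday.
SAMPLE_LOG = """\
2015-03-30T09:12:04 user=jdoe action=read target=share:/declass/box12 host=WS-101
2015-03-28T23:41:10 user=jdoe action=read target=share:/declass/box12 host=WS-101
2015-03-29T02:05:33 user=bjones action=login target=vpn host=WS-103
2015-03-30T10:00:00 user=jdoe action=grant_admin target=jdoe host=WS-101
2015-03-30T10:05:00 user=asmith action=grant_admin target=ops_svc host=WS-102
2015-03-30T11:15:00 user=jdoe action=login target=console host=WS-102
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) host=(?P<host>\S+)"
)
CORE_HOURS = (time(6, 0), time(19, 0))   # assumed working window, Mon-Fri


def parse_log(text):
    """Parse key=value audit lines into dicts; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["raw"] = line
        events.append(ev)
    return events


def is_after_hours(ts):
    """True on weekends or outside CORE_HOURS."""
    return ts.weekday() >= 5 or not (CORE_HOURS[0] <= ts.time() <= CORE_HOURS[1])


def find_leads(log_text, roster):
    """Apply the slide's indicators to each event; return one lead per match, in log order."""
    owner_of = {p["workstation"]: name for name, p in roster.items() if p["workstation"]}
    leads = []

    def lead(indicator, ev, detail):
        leads.append({"indicator": indicator, "user": ev["user"],
                      "when": ev["ts"].isoformat(), "detail": detail, "evidence": ev["raw"]})

    for ev in parse_log(log_text):
        person = roster.get(ev["user"])
        if person is None:
            lead("unknown_account", ev, "account not in HR roster")
            continue

        # Accounts used on or after the termination date from HR.
        if person["status"] == "terminated" and ev["ts"].date() >= date.fromisoformat(person["terminated"]):
            lead("access_after_termination", ev, f"terminated {person['terminated']}")

        # Shared-drive access after hours or on weekends.
        if ev["action"] == "read" and ev["target"].startswith("share:") and is_after_hours(ev["ts"]):
            lead("after_hours_share_access", ev, ev["target"])

        # Administrator roles granted by a non-admin, or to an account not authorized to hold one.
        if ev["action"] == "grant_admin":
            grantee = roster.get(ev["target"], {})
            if not person["admin"] or not grantee.get("admin", False):
                lead("unauthorized_admin_grant", ev, f"grantee={ev['target']}")

        # Activity from a workstation assigned to someone else.
        if ev["host"] != person["workstation"] and ev["host"] in owner_of:
            lead("other_users_workstation", ev, f"assigned to {owner_of[ev['host']]}")

    return leads


if __name__ == "__main__":
    for l in find_leads(SAMPLE_LOG, ROSTER):
        print(f"{l['indicator']:<26} {l['user']:<8} {l['when']}  {l['detail']}")
```

On the constructed log this raises four leads: jdoe's Saturday-night read of the declassification share, bjones's VPN login two days after termination, jdoe granting himself an administrator role, and jdoe logging in at asmith's workstation; asmith's grant to the authorized service account raises nothing. Each lead carries the raw evidence line so the analyst at the HUB can trace it back, which matters more for an insider program than the rule itself: a lead is a reason to look, not a finding.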
SCOPE and Your Assets.
What is the scope of your Insider Threat Program?
Will you only monitor staff that have direct access to classified national security information?
Will you monitor trusted business partners?
Will you monitor all system administrators? Unclassified networks?
Where is your DATA? Who has access?
How soon do new hires get access?
HUB Priorities
All new employees and contractors
Moderate-risk offices and staff
High-risk offices or staff
Problem employees or watch list
Highly sensitive information offices and staff
Other agency staff and contractors
HUB IT program staff
Low-risk offices and staff
Special studies and audits
User Activity Monitoring (UAM) flow: USER -> Analyst Workbench -> Analytic HUB (Private Enclave) -> ANALYST
Baseline: What is your normal?
[Chart: foreign travel counts (0 to 16), baseline travel compared with 2014 and 2015]
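The chart's point is that a count such as foreign travel reports means nothing until it is compared with what is normal for that office or person. The following is an added example, not NARA's code or anything from the presentation: it builds a per-entity baseline from prior periods and flags the current period when the count exceeds a Poisson-style upper bound, with a floor so that a near-zero baseline is not tripped by a single report. The office names, the counts, and the threshold rule are assumptions.

```python
"""Per-entity baseline for a countable indicator, with deviation flags.

Added example for this deck; not NARA code. The offices, counts and the
threshold rule are all assumptions.
"""
import math

# Constructed foreign-travel report counts per office and year (hypothetical).
TRAVEL_REPORTS = {
    "Declassification Review": {"2013": 12, "2014": 14, "2015": 15},
    "IT Operations":           {"2013": 2,  "2014": 3,  "2015": 11},
    "Presidential Libraries":  {"2013": 0,  "2014": 0,  "2015": 3},
    "Facilities":              {"2013": 1,  "2014": 0,  "2015": 1},
}


def baseline(history, current_period):
    """Mean of all periods other than the one under review; 0.0 with no history."""
    prior = [n for period, n in history.items() if period != current_period]
    return sum(prior) / len(prior) if prior else 0.0


def upper_threshold(mean):
    """Poisson-style bound, mean + 2*sqrt(mean), floored at mean + 2 so that a
    near-zero baseline is not exceeded by one extra report."""
    return mean + max(2.0, 2.0 * math.sqrt(mean))


def flag_deviations(counts, current_period):
    """Return {entity: {baseline, current, threshold, flag}} for the period."""
    result = {}
    for entity, history in counts.items():
        mean = baseline(history, current_period)
        current = history.get(current_period, 0)
        bound = upper_threshold(mean)
        result[entity] = {"baseline": mean, "current": current,
                          "threshold": round(bound, 2), "flag": current > bound}
    return result


if __name__ == "__main__":
    for entity, r in flag_deviations(TRAVEL_REPORTS, "2015").items():
        mark = "FLAG" if r["flag"] else "ok"
        print(f"{entity:<26} baseline={r['baseline']:.1f} current={r['current']:<3} {mark}")
```

With these numbers, Declassification Review's 15 trips sit inside its own normal of 12 to 14 and raise nothing, while IT Operations' jump from 2 or 3 to 11 and Presidential Libraries' first-ever reports are flagged for an analyst to review. The same function works on per-person counts of after-hours logins or downloads; the caveat is that a baseline built from one entity's past cannot see a threat that has been present all along, so peer-group comparison is still needed alongside it.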
Implementation
Have a written Policy and Implementing Guide
Engage the C-Suite
Educate and inform: internal communication on the Program (ICN Web); be transparent
Train, train, and train staff
Set reasonable goals when beginning
Document and record your internal activities
Stay current with your organization
Turning on the Switch
Case Studies
Resources
FBI: http://www.fbi.gov/about-us/investigate/counterintelligence/the-insiderthreat
CERT: https://www.cert.org/insider-threat/
NCIX: www.ncix.gov/issues/ithreat/
DSS: http://www.dss.mil/documents/ci/insider-threats.pdf
My Contact Information
Neil C. Carmichael, Jr.
Program Manager, Insider Threat Program
National Archives and Records Administration
301-837-3169 (office), 301-502-3704 (bb)
neil.carmichael@nara.gov
Member, NCMS Chesapeake Bay Chapter