In today's heightened threat environment, the Department of Defense (along with affiliated agencies and military contractors) faces a growing threat from insider risks. If realized, these risks can expose classified data, endanger lives, and mar organizational reputations.
To effectively safeguard against insider exposure, the DoD and other organizations need holistic insider risk management (HIRM) programs. These programs identify insider risks across the enterprise; assess the impact of these risks to organizational operations and missions; mitigate those risks; and consistently scan the digital landscape for emerging dangers. Doing so helps organizations protect against:
- Violent or malicious activity
- Cybercrimes, including network intrusion and cyber espionage
- Personnel vulnerable to counterintelligence or counter-espionage efforts
The difference between risks and threats
What’s an insider risk? How does it compare to an insider threat?
The military often uses the phrase “left of boom” to describe a series of events occurring before a notable incident. (Originally, the incident was an explosion — hence the use of the word “boom.”) The further an event from a notable incident, the further “left of boom” that event is.
How does this concept apply to insider risks and threats?
Insider risk is inherent to every organization: It is simply the possibility that an employee or contractor will negatively affect the organization’s people, data, resources, or mission. Insider risks sit further to the left of boom than threats do. For the DoD, a threat is a risk of violence or malicious activity that has been validated and is much more likely to lead to a “boom” if left unaddressed.
Consider data leaks as an example. A service person excited about his career writes a social media post touting the value of military service. He inadvertently includes information about his job that could be considered sensitive or classified. This employee presents a risk for a data leak. If that same service member, who has no history of independent wealth, is later found to be planning the purchase of a $14.2 million, 5-bedroom mansion, he presents a leak threat. That money is coming in from somewhere — perhaps from the sale of confidential or damaging information.
Building a holistic insider risk management program
DoD officials may envision a future insider risk management state that quickly identifies, assesses, and mitigates risks. But there are many steps needed to reach that state. Babel Street suggests starting by writing a strong insider risk management policy and forming a multidisciplinary leadership team. The DoD can then educate employees and obtain their buy-in. Advanced technologies for open-source intelligence (OSINT) can be deployed for the deepest possible risk insight.
Let’s take a closer look at each component of a successful HIRM program.
The development of a cohesive policy for identifying, assessing, and mitigating risk is of paramount importance to an effective HIRM program. Right now, that’s a challenge for the DoD.
In 2011, President Barack Obama issued Executive Order 13587. The order establishes an Insider Threat Task Force and requires the development of minimum standards for a government-wide insider threat policy. For the DoD, this mandate accompanies Directive 5240.16, which prescribes new Department of Defense Insider Threat Management Analysis Center (DITMAC) procedures to “prevent, deter, detect, and mitigate the threat insiders may pose to DoD and U.S. Government installations, facilities, personnel, missions, or resources."
Unfortunately, according to panelists in a recent Babel Street webinar, this directive lacks teeth, although they noted that DITMAC is now devising a mandatory DoD instruction based on the directive. The instruction will list policies and procedures for insider risk management. Once issued, webinar panelists believe it will give the DoD a cohesive foundation for HIRM development at the base, installation, and command levels.
Strong holistic insider risk management leadership is vital both to securing the financing needed for program implementation and for generating employee buy-in. The DoD needs multidisciplinary leadership teams. They should consist of senior DoD officials, risk management specialists, lawyers, and human resources personnel. These leaders should implement and communicate HIRM procedures to personnel in alignment with DITMAC policy.
Increasingly, effective HIRM programs also require DoD communication, coordination, and liaison with organizations such as the Defense Counterintelligence and Security Agency, the Office of Special Investigations, the FBI, the Naval Criminal Investigative Service, and local law enforcement.
Proactive engagement, education, and training engender personnel’s trust in HIRM programs. This is important because personnel constitute the first line of defense against insider risk. They won’t actively participate in a program they don’t trust.
Proactive engagement starts by educating employees on the ways they and their colleagues may — intentionally or unintentionally — put the DoD at risk.
Data exhaust is one common example of how DoD employees unintentionally endanger the organization. “Data exhaust” is a term used to describe online activities that mistakenly reveal more information than the poster intends. A software engineer working for a military IT contractor posts on a networking site about how much he values attending a certain conference. If his profile is like most, it contains his job title and the name of the company he works for. Foreign entities now know that a full-stack developer working for a known military contractor will be attending a certain conference, on certain dates, in a certain city. If one of these entities is seeking a way to access DoD computer systems, it now has a way to start: by making contact with this coder at the conference.
Monitoring your own activities can be challenging. It’s even more challenging for some personnel to willingly monitor the behavior of their colleagues. But this type of monitoring is necessary for a successful holistic insider risk management program.
One best practice entails communicating the important role the bystander plays in insider risk management. DoD employees sit next to each other all day, every workday. They know about each other’s lives. They know that an Air Force Major is taking a family trip to Shanghai. She has top secret clearance, but never alerted her facility security officer to her travel plans. Could she surreptitiously be communicating with Chinese authorities? DoD employees know that an Army Sergeant’s home is at risk of foreclosure. Does this type of terrible financial pressure make him vulnerable to elicitation from foreign intelligence entities seeking access to classified information?
What’s in a name?
The road toward employee involvement starts with the name of your HIRM program. Though used throughout this post for the sake of clarity, phrases such as “insider risk” or “insider threat” have negative connotations for employees. Better to use positive descriptors such as “employee protection” and “insider trust” when discussing HIRM programs.
DoD personnel often find it difficult to acknowledge the risks coworkers present to the organization. HIRM leaders, therefore, must educate and reeducate the workforce on risk indicators and the importance of developing and maintaining a safe and secure environment — for each other, and for the nation. Employees must see themselves as part of the risk-management solution.
For this to happen, the DoD must overcome the too-prevalent view of insider risk management programs as punitive. DoD leadership must recast these programs as efforts to improve “employee safety” or “employee assistance.” This spin on HIRM programs is not dishonest. Consider the case of a Marine Master Sergeant who divulges sensitive information when he’s had too much to drink. And he often has too much to drink. Alerting the DoD to this problem not only secures sensitive information, it empowers the DoD to refer the Master Sergeant to employee assistance programs to help him curb his drinking.
Adoption of OSINT technologies
Existing procedures and technologies to help the DoD manage insider risk include background investigations (including Trusted Workforce 2.0), personnel security programs, physical security programs, and counterintelligence programs. The DoD has also deployed user activity monitoring (UAM) software to track computer keystrokes. This helps the DoD maintain security and detect the theft of sensitive information.
But the tracking capabilities of UAM and related technologies are insufficient for the digital age; they provide information only on the use of DoD-issued or authorized devices. They cannot track user activity on employee-owned devices. Supplementing the information obtained from UAM systems with AI-powered OSINT technology that actively scans publicly available information (PAI) and commercially available information (CAI) can close this security gap. OSINT technology enables the DoD and other organizations to examine personnel’s online behavior regardless of the device employed.
Think of it this way. UAM software can alert command if an Army Major who typically works from 0900–1700 Monday through Friday suddenly starts accessing military networks at 2200 on a Saturday. But searching PAI and CAI for insight into the Major’s online behavior — regardless of whether that behavior took place over military computers or personal devices — can tell the DoD much more.
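The UAM alert described above, a deviation from a user's established working pattern, can be expressed as a simple baseline check. The following is an added illustration, not code from the original post or from any Babel Street product; the log records are constructed, and the user names and one-hour slack are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample UAM access records (user, ISO timestamp); not real data.
BASELINE_LOG = [
    ("maj.doe", "2024-03-04T09:02:00"), ("maj.doe", "2024-03-04T16:40:00"),
    ("maj.doe", "2024-03-05T08:58:00"), ("maj.doe", "2024-03-06T12:15:00"),
    ("maj.doe", "2024-03-07T10:05:00"), ("maj.doe", "2024-03-08T15:30:00"),
]
NEW_EVENTS = [
    ("maj.doe", "2024-03-11T13:10:00"),  # Monday afternoon: within pattern
    ("maj.doe", "2024-03-16T22:00:00"),  # Saturday at 2200: outside pattern
    ("sgt.roe", "2024-03-12T11:00:00"),  # user with no baseline yet
]


def build_baseline(records):
    """Per user: the set of weekdays seen and the (min_hour, max_hour) window."""
    hours = defaultdict(list)
    days = defaultdict(set)
    for user, ts in records:
        t = datetime.fromisoformat(ts)
        hours[user].append(t.hour)
        days[user].add(t.weekday())  # Monday == 0 ... Sunday == 6
    return {u: {"days": days[u], "window": (min(hours[u]), max(hours[u]))}
            for u in hours}


def flag_off_pattern(events, baseline, slack_hours=1):
    """Return (user, ts, reason) for events outside the user's baseline.
    A user with no baseline is flagged so an analyst can establish one."""
    alerts = []
    for user, ts in events:
        t = datetime.fromisoformat(ts)
        b = baseline.get(user)
        if b is None:
            alerts.append((user, ts, "no baseline"))
            continue
        lo, hi = b["window"]
        reasons = []
        if t.weekday() not in b["days"]:
            reasons.append("unusual weekday")
        if not (lo - slack_hours <= t.hour <= hi + slack_hours):
            reasons.append("outside hour window")
        if reasons:
            alerts.append((user, ts, "; ".join(reasons)))
    return alerts
```

As the post notes, this only sees activity on monitored devices; an alert here is a prompt for review, not a finding by itself.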
Identity intelligence culled from OSINT is a key component of any effective HIRM program. OSINT platforms can help the DoD compile all available PAI for a comprehensive view of a user’s online behavior. This view can illuminate pertinent risk indicators associated with a specific individual — either as an enhancement to an existing investigation or as an advanced warning system for potential insider threat activities. Babel Street believes that the DoD should pay particular attention to the online activity of personnel afforded access to critical assets who also have a history of disciplinary issues, life stressors, or other situations that may give them a foreign nexus, make them more likely to commit data exfiltration, or render them a threat to physical or network security.
A matter of privacy
Any time an OSINT platform is deployed to search employees’ online activities, questions of privacy arise. Almost certainly, the insider threat instruction now being developed by DITMAC will strive to balance DoD risk management policies with personnel’s right to privacy. However, it is important to note that, in the interest of national security, DoD personnel enjoying any type of clearance have already consented to a certain level of scrutiny of their personal lives.
At Babel Street, we understand the critical importance of the DoD protecting itself from the risk of insider threats. We believe that HIRM programs can help bolster security within the DoD. Deploying OSINT platforms such as Babel Street Insights can enhance existing risk management technologies, giving the DoD a more comprehensive view of those who would threaten the organization and the nation.
1. The White House, “Executive Order 13587 — Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information,” October 2011, https://obamawhitehouse.archives.gov/the-press-office/2011/10/07/executive-order-13587-structural-reforms-improve-security-classified-net
2. United States Department of Defense, “Directive Number 5240.16,” August 2012, https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/524026p.pdf
All names, companies, and incidents portrayed in this document are fictitious. No identification with actual persons (living or deceased), places, companies, and products are intended or should be inferred.