As the fiscal 2018 National Defense Authorization Act (NDAA) winds its way through Congress, it is worth noting how differently the House and Senate are treating matters related to reducing threats from insiders.
In the FY17 NDAA, the final bill had an entire section (951) devoted to “enhanced security programs,” which included requirements on insider threat detection capabilities. This year’s House version contains no Section 951 — and very little language about insider threats throughout the version that passed in July.
The House emphasizes only two areas of insider concern: 1) ‘green-on-blue’ attacks by military partners overseas; and 2) operations by nations such as China and Russia aimed at espionage and exploitation of technologies and institutions. These are indeed important provisions. However, there is nothing in the House version that addresses insider threats as the term has come to be known today: threats from insiders who have knowledge and access to proprietary systems that allow them to bypass security measures through legitimate means.
The Senate bill, however, focuses directly on insider threats — what it sees as the inability of the U.S. Department of Defense to “orchestrate the creation of an integrated, automated, enterprise-wide insider threat detection and analysis capability.” It goes on to say that it is concerned that “the Department’s leadership has not realized the level of resource commitment and time that will be involved in creating digital access and analysis capabilities to the data collected and held by all the different functional organizations — counterintelligence, personnel security, human resources, physical security, combatant commands…”
This language goes to the heart of a serious challenge at DoD — namely, the inability of the department to access and integrate data to effectively and efficiently prevent malicious and accidental insider incidents. However, Senate authorizers did not address several other areas of critical importance:
- Data quality: Much of the data provided to security and insider threat programs is woefully incomplete or filled with ‘false positive’ alerts. A strategy should be considered to improve the DoD’s access to the right data to help make decisions.
- Non-network behavior: The Department continues to invest heavily in cybersecurity tools to detect anomalous behavior on the network. But as any insider threat analyst will tell you, detection of network incidents is only part of the solution. Insiders intent on stealing material or damaging the department in some other way generally exhibit behaviors of concern best detected in the personnel-security and human-resources realms. Yet the CIOs who are responsible for network security are often given the job of overseeing the creation of insider threat detection programs. Insider threat money flows to CIO shops, not to personnel security, HR or other appropriate units.
- Risk-based approaches: Related to the above challenge is the need to coordinate the many ongoing research projects that seek to determine key insider risk indicators and other insider threat causes and effects, on the assumption that understanding where risk lies will improve resource allocation. Some agencies, such as the Defense Security Service (which runs the Defense Insider Threat Management and Analysis Center), are doing great work in this area, but it is striking that neither NDAA version talks about risk-based approaches to insider threat reduction.
What’s needed is a holistic risk-based approach to insider-threat mitigation. Technology exists today built around a ‘whole person’ probabilistic model that analyzes individual trustworthiness using a wide array of information — not just narrow data on network or device activity. The model can reason like a team of experts and ‘connect the dots’ like a team of analysts without ever needing sleep, food or vacations.
It’s hard to know yet what the final NDAA will look like when it heads to the President’s desk later this year. At this stage, however, we cannot ignore the odd lack of real emphasis on insider threat program improvements, especially when comparing the FY18 draft language to the FY17 NDAA. We have no reason to believe that insider threats will become less of a problem in the future. Quite the reverse, in fact. The final NDAA ought to address this important issue with specific language.
Tom Read is Vice President for Security Analytics at Haystax Technology.