Insider Threat Program Lecture Review
Insider Threat Program Fundamentals and Policies
- Executive Order 13587 (EO 13587): Mandates the establishment of an Insider Threat Program by government agencies with classified information. These programs are created with the guidance of the National Insider Threat Task Force (NITTF).
- DoD Directive (DoDD) 5205.16: A crucial insider threat policy document that mandates all insider threat information and program activities must adhere to all applicable laws and DoD policy issuances, ensuring legal and regulatory compliance.
- DoD Instruction (DODI) 5205.83: Establishes the policy, assigns responsibilities, and prescribes procedures for the Defense Insider Threat Management and Analysis Center (DITMAC), which serves as the DoD's enterprise-level capability for insider threat information integration and management.
- DoD Directive (DoDD) 5400.11: Delegates specific authorities and responsibilities for the effective administration of the DoD Privacy Program.
- DoD Instruction (DODI) 7050.01: Establishes the policy and assigns responsibilities for the DoD Hotline Program. This program offers a confidential and reliable channel for individuals to report fraud, waste, abuse, violations of law, rule or regulation, mismanagement, and classified information leaks within the DoD.
- DoD Instruction (DODI) 2000.26: Reissues previous DoD Instructions to establish policy, assign responsibilities, and provide procedures for implementing eGuardian as the DoD Law Enforcement (LE) suspicious activity report (SAR) system.
- DoD Manual (DODM) 5200.01: Provides comprehensive guidance and procedures for the protection of classified information within the DoD.
- DoD 5220.22-M (NISPOM): The National Industrial Security Program Operating Manual; prescribes the requirements, restrictions, and safeguards essential for preventing the unauthorized disclosure of classified information in industrial facilities.
- Executive Order 12333 (EO 12333): Charges the Intelligence Community (IC) with the responsibility of providing the President and National Security Council with essential information needed for decision-making. It also prescribes a uniform system for the classification, safeguarding, and declassification of national security information across the U.S. government.
- Security Executive Agent Directive (SEAD) 5: Addresses specific guidelines for the collection and use of publicly available social media information in security contexts.
Key Organizations and Responsibilities
- National Insider Threat Task Force (NITTF):
  - Co-chaired by the Attorney General (AG) and the Director of National Intelligence (DNI).
  - Responsible for establishing national insider threat policy and minimum standards for all government insider threat programs.
  - Lays out best practices for Insider Threat Programs, notably in documents such as the "2017 Insider Threat Guide."
- Defense Insider Threat Management and Analysis Center (DITMAC):
  - Serves as the DoD's enterprise-level capability for insider threat information integration and management.
  - Responsible for developing enterprise-level risk criteria and thresholds within the DoD Counter Insider Threat Program.
  - Authorized to share adverse personnel security information with DoD Components that have an official interest and with the Consolidated Adjudications Facility (CAF).
- Under Secretary of Defense for Intelligence and Security (USD(I&S)): Serves as the Senior Official for the DoD Insider Threat Program and is responsible for monitoring its overall effectiveness and implementation.
- Consolidated Adjudications Facility (CAF): Receives adverse personnel security information from DITMAC.
- Defense Counterintelligence and Security Agency (DCSA): The DoD organization responsible for conducting background investigations, adjudicating security clearances, and providing oversight for DoD insider threat programs and mitigation efforts.
- Attorney General (AG): Executive Branch agencies are required to report to the AG if they suspect an employee or officer of that agency has committed a federal criminal law violation.
- Office of Inspector General (OIG): Fraud, waste, and abuse referrals are typically directed to the OIG, which is responsible for investigating such allegations within government agencies.
Structured Analytic Techniques (SATs)
- Structured Analytic Techniques are systematically employed to mitigate cognitive biases, ensuring more objective and rigorous analysis by forcing analysts to consider alternative hypotheses, challenge assumptions, and explore different perspectives.
- Imaginative Techniques: Designed to encourage new perspectives, generate fresh insights, and explore alternative scenarios.
  - Brainstorming: Commonly used at the initial stages of a project to generate a broad range of hypotheses, ideas, or potential scenarios related to an issue.
  - Red Team Analysis: Models the behavior of an individual or group by attempting to replicate how an adversary would perceive and think about a particular issue.
  - Alternative Futures Analysis.
  - Outside-in Thinking: Identifies and analyzes the full range of external, basic forces, factors, and trends that might indirectly shape or influence an issue, preventing an internal, myopic view.
- Diagnostic Techniques: Aim to make assumptions and logical arguments transparent, allowing a clearer understanding of the analytical process and its foundations.
  - Key Assumptions Check: Requires analysts to explicitly list and critically review the fundamental working assumptions underlying their judgments and analyses.
  - Quality of Information Check.
  - Indicators or Signposts of Change: Periodically reviews a set of observable events or trends in order to monitor targets, identify emerging trends, and provide early warning of unanticipated change. Employed especially when an analyst needs to track an issue longitudinally, monitoring and evaluating changes over an extended period.
  - Analysis of Competing Hypotheses (ACH): Particularly useful when dealing with large amounts of data, as it systematically evaluates multiple hypotheses against all available evidence to identify the explanation that is most consistent with it.
- Contrarian Techniques: Challenge existing assumptions, perspectives, or conventional wisdom.
  - Devil's Advocacy.
  - Team A/Team B.
  - What If Analysis.
  - High Impact/Low Probability Analysis.
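The ACH mechanism is easy to misread as "pick the hypothesis with the most supporting evidence." The method actually ranks hypotheses by how much evidence is inconsistent with each one and keeps the one that survives best. The following added example (not from the lecture or any government tool) implements that matrix scoring; the hypotheses, evidence items, weights and ratings are a constructed scenario about an unexplained after-hours file-share access:

```python
"""Analysis of Competing Hypotheses (ACH) scoring matrix.

Added worked example, not part of the original lecture notes. Every
evidence item is rated against every hypothesis, and hypotheses are
ranked by the weight of evidence INCONSISTENT with them: the hypothesis
with the least inconsistency survives. Consistent evidence is not
counted, because one item can be consistent with several hypotheses.
"""
from __future__ import annotations

from dataclasses import dataclass

# Conventional ACH rating scale.
CONSISTENT = "C"
INCONSISTENT = "I"
NOT_APPLICABLE = "N"


@dataclass
class Evidence:
    description: str
    weight: float              # credibility/relevance, constructed 1-3 scale
    ratings: dict[str, str]    # hypothesis id -> C / I / N


# Constructed scenario: after-hours access to a file share by one user.
HYPOTHESES = {
    "H1": "Legitimate work against a project deadline",
    "H2": "Credential misuse by a third party",
    "H3": "Deliberate collection by the account owner",
}

EVIDENCE = [
    Evidence("Manager confirms a project deadline that week", 2,
             {"H1": CONSISTENT, "H2": NOT_APPLICABLE, "H3": CONSISTENT}),
    Evidence("Badge records show the user physically on site", 2,
             {"H1": CONSISTENT, "H2": INCONSISTENT, "H3": CONSISTENT}),
    Evidence("Files copied were outside the user's own project", 1,
             {"H1": INCONSISTENT, "H2": CONSISTENT, "H3": CONSISTENT}),
    Evidence("No removable media, upload, or print of the files observed", 3,
             {"H1": CONSISTENT, "H2": CONSISTENT, "H3": INCONSISTENT}),
    Evidence("Account holds a current clearance and need-to-know", 1,
             {"H1": CONSISTENT, "H2": CONSISTENT, "H3": CONSISTENT}),
]


def inconsistency_scores(hypotheses, evidence):
    """Sum the weights of evidence rated inconsistent with each hypothesis."""
    scores = {h: 0.0 for h in hypotheses}
    for item in evidence:
        for h in hypotheses:
            if item.ratings.get(h, NOT_APPLICABLE) == INCONSISTENT:
                scores[h] += item.weight
    return scores


def rank_hypotheses(hypotheses, evidence):
    """Lowest inconsistency first; that hypothesis is the one that survives."""
    scores = inconsistency_scores(hypotheses, evidence)
    return sorted(scores.items(), key=lambda kv: kv[1])


def diagnostic_evidence(hypotheses, evidence):
    """Items rated differently across hypotheses. An item consistent with
    every hypothesis discriminates between none of them and carries no
    diagnostic value, however reassuring it looks."""
    return [item.description for item in evidence
            if len({item.ratings.get(h, NOT_APPLICABLE) for h in hypotheses}) > 1]


if __name__ == "__main__":
    for hyp, score in rank_hypotheses(HYPOTHESES, EVIDENCE):
        print(f"{hyp} inconsistency={score:.1f}  {HYPOTHESES[hyp]}")
    print("Diagnostic evidence:", diagnostic_evidence(HYPOTHESES, EVIDENCE))
```

With these constructed ratings the "legitimate deadline work" hypothesis survives with the least inconsistent evidence, and the clearance/need-to-know item drops out of the diagnostic set because it fits every hypothesis equally. In practice the weights and ratings come from the analyst's review of source quality, and the matrix is revisited as new evidence arrives.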
Legal Frameworks and Civil Liberties
- U.S. Bill of Rights: Considered the primary vehicle for the protection of civil liberties in the United States, outlining fundamental individual freedoms and protections from government overreach.
- First Amendment: Highly applicable to the counter insider threat field, protecting freedoms of speech, religion, assembly, press, and petition, particularly when considering reporting mechanisms and protected disclosures.
- Fourth Amendment: Source of the "fruit of the poisonous tree" doctrine, which holds that evidence obtained illegally cannot be used in court, nor can any evidence derived from it.
- Privacy Act of 1974: Establishes a comprehensive code of fair information practices, governing the collection, maintenance, use, and dissemination of personally identifiable information held in systems of records by federal agencies, ensuring individual privacy rights.
- Freedom of Information Act (FOIA) Exemptions: The most common exemptions from FOIA include personnel records, law enforcement sensitive information, and classified national security information, protecting sensitive data from public disclosure.
DoD Personnel Security and Counter Insider Threat
- National Adjudicative Guidelines: The DoD Personnel Security Program utilizes these guidelines to make security clearance determinations, assessing an individual's trustworthiness and reliability.
- User Activity Monitoring (UAM):
  - UAM requirements include file shadowing and keyboard collection but typically do not include video surveillance.
  - UAM is specifically required on Top Secret networks to enhance security and detect potential insider threats.
Espionage, Stressors, and Predisposition
- Components of an Espionage Relationship: Motivation, communication, travel, and collection of intelligence or sensitive information.
- Types of Stressors: Insider threat cases frequently involve three primary types of stressors that can act as motivators for malicious insider activity: personal, professional, and financial.
- Personal Predisposition: Refers to an individual's inherent susceptibility or inclination to engage in certain behaviors or actions, a factor considered in insider threat assessments alongside stressors.
Cognitive Biases
- Mirror Imaging: A cognitive bias characterized by the inclination to assume that foreign leaders or adversaries would behave, think, and react in a similar manner to one's own leaders or cultural norms under comparable circumstances.
- Anchoring: The tendency to rely too heavily on an initial piece of information (the "anchor") when making decisions.
- Confirmation Bias: The tendency to search for or interpret information in ways that confirm preconceived notions, preferences, and assumptions.
Pillars of Insider Threat Programs
- The "Insider Threat Mitigation Responses Student Guide" outlines the foundational pillars of effective insider threat programs:
  - Law Enforcement: Reports of court records should be referred to this pillar.
  - Security.
  - Counterintelligence: Deals with aspects such as contact with foreign nationals, foreign visits, and foreign travel, assessing potential foreign influence or exploitation.
  - Cybersecurity: Encompasses numerous technical monitoring and data analysis activities: managing enterprise audit monitoring tool logs, user authentication, User Activity Monitoring (UAM) data analysis, developing UAM triggers (e.g., for indicators of suicide risk, workplace theft, or violence), and analyzing profile data, printer log data, privileged user activity, trusted agent actions, and download history.
  - Mental Health/Behavioral Science.
  - Human Resources (HR): Issues pertaining to basic employment, disciplinary actions, and performance reviews are typically referred to HR as part of an insider threat program's response framework.
  - Legal.
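The UAM section above and the Cybersecurity pillar both refer to UAM triggers applied to audit, printer, download and privileged-user logs. The following added example (not from the lecture, the student guide, or any DoD tool) shows what trigger evaluation over such records looks like in code. The log format, field names, thresholds, work-hours window and the list of sensitive privileged commands are all constructed for illustration; a real program takes these from its enterprise audit tools and its approved trigger list, and the file shadowing and keyboard collection mentioned earlier are collection-side capabilities this example does not reproduce.

```python
"""Evaluate constructed User Activity Monitoring (UAM) triggers over
sample audit records.

Added example, not part of the lecture notes or any DoD program. Each
record is an ISO-8601 timestamp followed by key=value fields (a
constructed format). Triggers fire on bulk downloads, bulk printing and
sensitive privileged commands; after-hours activity raises severity so
the hub can prioritise which alerts to review first.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed audit records; user names and hosts are fictitious.
SAMPLE_LOG = """\
2024-03-04T09:12:00Z user=asmith event=download bytes=1048576 src=projectshare
2024-03-04T02:13:00Z user=jdoe event=download bytes=734003200 src=projectshare
2024-03-04T02:20:00Z user=jdoe event=print pages=412 printer=floor3
2024-03-04T10:05:00Z user=rlee event=privileged cmd=add_user target=rlee2
2024-03-04T10:06:00Z user=rlee event=privileged cmd=disable_audit target=host17
2024-03-04T11:30:00Z user=asmith event=print pages=12 printer=floor3
"""

# Constructed thresholds; a real trigger list is set by the program.
WORK_HOURS = range(7, 19)                     # 07:00-18:59 UTC
DOWNLOAD_BYTES_LIMIT = 500 * 1024 * 1024      # 500 MiB in one event
PRINT_PAGES_LIMIT = 300                       # pages in one job
SENSITIVE_PRIVILEGED = {"add_user", "disable_audit"}  # always reviewed


class Alert(NamedTuple):
    user: str
    trigger: str
    detail: str
    after_hours: bool
    severity: str


def parse_line(line: str) -> dict:
    """Turn one record into a dict; 'ts' becomes an aware UTC datetime."""
    ts, *pairs = line.split()
    record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
              .replace(tzinfo=timezone.utc)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def evaluate_triggers(log_text: str) -> list[Alert]:
    """Run every trigger over every record and collect the alerts."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        r = parse_line(line)
        after_hours = r["ts"].hour not in WORK_HOURS
        event = r.get("event")
        fired = None
        if event == "download" and int(r["bytes"]) > DOWNLOAD_BYTES_LIMIT:
            fired = ("bulk_download", f"{r['bytes']} bytes from {r['src']}")
        elif event == "print" and int(r["pages"]) > PRINT_PAGES_LIMIT:
            fired = ("bulk_print", f"{r['pages']} pages on {r['printer']}")
        elif event == "privileged" and r.get("cmd") in SENSITIVE_PRIVILEGED:
            fired = ("sensitive_privileged", f"{r['cmd']} -> {r['target']}")
        if fired:
            trigger, detail = fired
            # Sensitive privileged actions and after-hours activity are
            # escalated; everything else waits in the normal review queue.
            severity = "high" if after_hours or trigger == "sensitive_privileged" else "medium"
            alerts.append(Alert(r["user"], trigger, detail, after_hours, severity))
    return alerts


def alerts_per_user(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts by user so that clustered activity stands out."""
    return dict(Counter(a.user for a in alerts))


if __name__ == "__main__":
    found = evaluate_triggers(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.user}: {a.trigger} ({a.detail})"
              f"{' after hours' if a.after_hours else ''}")
    print("Alerts per user:", alerts_per_user(found))
```

Two alerts for the same user within minutes (a large download followed by a large print job, both after hours) is the kind of clustering the per-user count is meant to surface; a single medium alert from a user working normal hours typically stays in the routine review queue. Whatever fires is a lead for the hub to refer to the appropriate pillar, not a finding on its own.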
Record Keeping and Data Handling
- Record Retention: Records related to insider threat activities and mitigation results are required to be maintained for a period of 25 years.
- Insider Threat Hubs: Mandated to maintain comprehensive records, including initial reports and documentation of the results of all mitigated insider threat activities, ensuring accountability and historical tracking.