The US Department of Defense (DoD) has announced plans to establish an insider threat office in response to a recent leak of classified intelligence on the messaging platform Discord. The initiative, outlined in a memo signed by the Secretary of Defense, aims to enhance monitoring of employees and prevent future security breaches.
The new Joint Management Office for Insider Threat and Cyber Capabilities will oversee user activity monitoring (UAM) across the DoD. While the move is welcome, it also draws attention to a broader question: whether the current UAM data requirements are actually effective.
The current UAM data collection capabilities are primarily reactive, which limits their ability to proactively identify and prevent insider threats. The Committee on National Security Systems Directive (CNSSD) 504, issued in 2014, outlines the minimum technical capabilities that should be implemented by government departments and agencies for collecting user activity data. These capabilities include keystroke monitoring, full application content capture, screen capture, file shadowing, and user attribution.
These requirements are necessary, but they are not sufficient for actively mitigating insider risk. The DoD has millions of employees who are eligible to access classified information, so blanket surveillance of all of them raises significant privacy concerns and sits uneasily with the idea of a trusted workforce. Relying on surveillance as the primary detection mechanism is also impractical, because it typically surfaces an insider only after exfiltration has already happened.
To effectively protect national secrets, a more proactive approach is required. The focus should be on collecting and analyzing actionable data that can identify potential insider risks before they escalate. Early warning indicators play a crucial role in this regard, providing analysts with valuable insights to preemptively address insider threats.
In the case of the recent Pentagon leaks, several early warning indicators could have been leveraged to prevent the data loss: unusual volumes and frequencies of data access, access to sensitive information outside an individual's job function, activity beyond the scope of their role, HR notifications of unauthorized or antisocial behavior, and unusual search behavior on the organization's networks.
By correlating and aggregating data from human, organizational, cyber, and physical sensors, it becomes possible to develop a holistic understanding of insider risks. These early warning indicators, when combined with other relevant data, including an individual’s online presence, can significantly enhance the proactive detection of insider threats.
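To make that correlation concrete, the following is an added example (not code from the article, the DoD, or any UAM product) that computes three of the indicators listed above over a constructed access log and combines them with constructed HR and badge signals into a single per-user risk score. The role scope table, log lines, weights, threshold and target day are all hypothetical; the point it demonstrates is that a user who trips only one weak indicator stays below the alert threshold, while a user who trips several at once is surfaced before anything has left the network.

```python
"""Correlate early-warning indicators across cyber, HR and physical sensors.

Added example for illustration only. Every input below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev

# Hypothetical role -> permitted compartments (would come from the
# access-control system in a real deployment).
ROLE_SCOPE = {
    "it_support": {"NETWORK_DIAGRAMS"},
    "intel_analyst": {"INTEL_REPORTS", "NETWORK_DIAGRAMS"},
}

# Constructed non-cyber signals: HR notifications and badge-reader events.
HR_SIGNALS = {"jdoe": ["2023-03-20 supervisor reported hostile remarks"]}
BADGE_SIGNALS = {"jdoe": ["2023-04-04 02:10 SCIF entry outside shift"]}

# Indicator weights and alert threshold (hypothetical tuning values).
WEIGHTS = {"volume_spike": 3, "out_of_scope_access": 4,
           "out_of_scope_search": 2, "hr_signal": 2, "physical_signal": 2}
ALERT_THRESHOLD = 5
TARGET_DAY = date(2023, 4, 4)


def expand(spec):
    """Expand (day, user, role, compartment, action, count) into log lines."""
    return [f"{d},{u},{r},{c},{a}" for d, u, r, c, a, n in spec for _ in range(n)]


# Constructed log: jdoe (IT support) normally views a few network diagrams a
# day, then on 04-04 searches and bulk-views intelligence reports. asmith is an
# analyst whose intel access is routine.
SAMPLE_LOG = expand([
    ("2023-04-01", "jdoe", "it_support", "NETWORK_DIAGRAMS", "view", 2),
    ("2023-04-02", "jdoe", "it_support", "NETWORK_DIAGRAMS", "view", 3),
    ("2023-04-03", "jdoe", "it_support", "NETWORK_DIAGRAMS", "view", 2),
    ("2023-04-04", "jdoe", "it_support", "INTEL_REPORTS", "search", 4),
    ("2023-04-04", "jdoe", "it_support", "INTEL_REPORTS", "view", 12),
    ("2023-04-01", "asmith", "intel_analyst", "INTEL_REPORTS", "view", 6),
    ("2023-04-02", "asmith", "intel_analyst", "INTEL_REPORTS", "view", 5),
    ("2023-04-03", "asmith", "intel_analyst", "INTEL_REPORTS", "search", 2),
    ("2023-04-03", "asmith", "intel_analyst", "INTEL_REPORTS", "view", 7),
    ("2023-04-04", "asmith", "intel_analyst", "INTEL_REPORTS", "view", 6),
])


@dataclass(frozen=True)
class Event:
    day: date
    user: str
    role: str
    compartment: str
    action: str  # "view" or "search"


def parse_log(lines):
    """Parse 'day,user,role,compartment,action' lines into Event objects."""
    events = []
    for line in lines:
        d, user, role, comp, action = line.strip().split(",")
        events.append(Event(date.fromisoformat(d), user, role, comp, action))
    return events


def volume_spike(events, user, target_day, min_history=2):
    """True when the user's view count on target_day is far above their own
    baseline: more than mean + 3 sigma of earlier days AND more than 3x mean,
    so a flat baseline (sigma == 0) does not fire on a small increase."""
    daily = Counter(e.day for e in events if e.user == user and e.action == "view")
    history = [n for d, n in daily.items() if d < target_day]
    if len(history) < min_history:
        return False  # not enough baseline to judge
    today = daily.get(target_day, 0)
    mu, sigma = mean(history), pstdev(history)
    return today > max(mu + 3 * sigma, 3 * mu)


def score_user(events, user, target_day):
    """Combine cyber indicators with HR/physical signals into one score."""
    mine = [e for e in events if e.user == user]
    scope = ROLE_SCOPE.get(mine[0].role, set())
    today = [e for e in mine if e.day == target_day]
    findings = {}
    if volume_spike(events, user, target_day):
        findings["volume_spike"] = len([e for e in today if e.action == "view"])
    views = sorted({e.compartment for e in today
                    if e.action == "view" and e.compartment not in scope})
    if views:
        findings["out_of_scope_access"] = views
    searches = sorted({e.compartment for e in today
                       if e.action == "search" and e.compartment not in scope})
    if searches:
        findings["out_of_scope_search"] = searches
    if user in HR_SIGNALS:
        findings["hr_signal"] = HR_SIGNALS[user]
    if user in BADGE_SIGNALS:
        findings["physical_signal"] = BADGE_SIGNALS[user]
    return sum(WEIGHTS[k] for k in findings), findings


def triage(lines, target_day, threshold=ALERT_THRESHOLD):
    """Return {user: (score, findings)} for users at or above the threshold."""
    events = parse_log(lines)
    scored = {u: score_user(events, u, target_day) for u in sorted({e.user for e in events})}
    return {u: r for u, r in scored.items() if r[0] >= threshold}


def run_example():
    return triage(SAMPLE_LOG, TARGET_DAY)


if __name__ == "__main__":
    for user, (score, findings) in run_example().items():
        print(f"{user}: score={score}")
        for name, detail in findings.items():
            print(f"  {name}: {detail}")
```

With these inputs only jdoe crosses the threshold, and it does so because five independent signals agree, not because any one of them was decisive; the HR note on its own scores 2 and would never have generated a case. The baseline test deliberately requires both a 3-sigma and a 3x excess so that a user with a perfectly regular history is not flagged for one extra file. In a real deployment the weights would be tuned against historical cases, and an alert would open a review rather than an automatic action.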
Moving forward, the Joint Management Office for Insider Threat and Cyber Capabilities should prioritize identifying and acting on early warning indicators. That is how the DoD can detect and resolve insider risks before they turn into incidents of data loss. Putting mechanisms in place for swift and responsible action on those indicators will be critical to the office's mission of safeguarding national secrets.
In conclusion, while the establishment of an insider threat office within the DoD shows a commitment to addressing security concerns, it is essential to address the limitations of current UAM data requirements. By focusing on early warning indicators and proactive risk mitigation, the DoD can significantly improve its ability to protect classified information and national security.
