It has been over ten years since the President signed Executive Order 13587 (The White House, 2011) and set into motion a series of government policies and practices to counter “insider threat.” In the last decade, nearly 100 executive branch departments and agencies have established insider threat programs for the protection of classified information, and the more mature programs are addressing the full scope of the insider threat to include manifestations ranging from compromise of sensitive information to acts of violence committed by cleared and uncleared personnel. More significantly, we have seen the insider threat narrative evolve from a basic observe-respond model to robust discussions on the role of organizational justice and citizenship, inclusion, and workplace culture. Despite this progress, addressing the threat requires continued evolution in risk mitigation practices supported by social and behavioral science research in these areas.
The National Insider Threat Task Force (NITTF) has a decade of experience working extensively with departments and agencies across the executive branch as well as conducting outreach to the public and private sectors. Research over the last decade has also progressed. We have moved well beyond individual-focused behavioral theories. Through a community of social and behavioral scientists, we now look deeper at the negative and positive organizational roles in the counter-insider threat mission. As we know from communities’ experiences, engagement of the workforce to counter insider threat demands not only the evaluation of the individual, but also the implementation of security practices that are inclusive and not intimidating.
Most often, the focus of insider threat programs is preventing the individual from turning on himself or others. Building upon applied research in the security and human capital world, the concept of protecting the workforce and the organization by promoting practices that improve job satisfaction and organizational citizenship is now foundational to the insider threat community. However, traditional personnel security efforts remain focused on identifying behaviors that meet the 13 adjudicative criteria (Office of the Director of National Intelligence, 2017). While workforce reporting of those criteria is important, the breadth of potential information that the workforce has access to is far greater. Security efforts in general are less focused on leveraging the workforce as a “crowd source” to identify adversarial behavior, both internal and external to the organization. Because of this, the workforce remains the greatest untapped resource for organizational risk mitigation.
Modern clearance reform (“Trusted Workforce 2.0”) acknowledges that the vast majority of the cleared population can and will be trustworthy. Accordingly, we recognize that the extensive resources spent doing in-depth periodic reinvestigations most often identify no new information relevant to an individual’s suitability to access sensitive information. That said, the movement towards the “trusted workforce” model is largely an economic decision, not a systematic change of thought in personnel security.
Coopting the workforce and creating an environment where the employee identifies as part of the security mission is a challenge for even the best programs, and this is not unique to the insider threat community. Expanding upon the lessons learned by the insider threat community, we can better defend against all threats across the enterprise by including the workforce in the solution. In any organization, the workforce is its greatest asset. Strategic direction, mission performance, and intellectual capital are all built upon human capital. Arguably, the workforce is often the least cultivated security partner. Across the public and private sectors outside the cleared world, the general workforce is not well versed in the threats posed by competent adversaries. Cybersecurity programs may promote anti-phishing campaigns or internet security training, but many organizations fall short of ensuring their workforce is aware that they are as much of a target as, if not more than, the networks they work on. Further, outside the cleared world the workforce is rarely viewed as a source of threat information.
Ironically, the cybersecurity world has adopted the term “zero trust” to describe a system security practice of locking down all objects and ensuring only trusted and authorized subjects access them. In contrast, from operating system errors and firewall alerts to endpoint detection, the systems are designed to report anomalies. In general, cybersecurity professionals can trust the system to report, and the system has no apprehension or concern in reporting.
This level of trust does not translate to the interpersonal world. The relationships between individuals, the people they work with and for, and the organizations they report to are not binary (report? Yes/no). However, leveraging the “trusted workforce” is key to reducing organizational risk. Security professionals must take this term literally. The workforce should be trusted and included as part of enterprise security, especially the federal workforce, who largely came to civil service with a sense of national loyalty and duty.
How do we build a system of human information into all our security and counterintelligence practices? How do we create a workplace where employees trust their organizations and reach out when they see a coworker in need? How do we crowdsource the workforce to get a better picture of adversarial tactics, techniques, and practices in social media, at trade events, or other areas in which humans interact (virtually or in the real world)?
These hard problems are just a few of a massive volume of questions and challenges the insider threat community must address. The good news is that the community has matured to allow these conversations to happen, and the social and behavioral science world is actively engaged in solving them.