Welcome to the first edition of Counter-Insider Threat Research Practice, a publication designed for researchers, operators, and policymakers who are interested in the insider threat domain.
Now, admittedly, “counter-insider threat” is not a global term (yet). So, it would be fair to ask, “What is counter-insider threat?” As the person who coined the phrase almost seven years ago for the Department of Defense (DoD), I would like to explain the genesis of the term and what it evokes about the evolution of the insider threat program (a.k.a., the scope of this journal).
Although the genesis of the problem and approach began in a DoD environment, the observations in this article apply broadly across government and commercial/industrial sectors.
To truly grasp the meaning of counter-insider threat, it is important to understand the starting point for the DoD, and for the United States Government (USG) as a whole: the “Insider Threat” program, codified in an Executive Order (E.O.) and national policy in November 2012. Both directives mandated the establishment of programs throughout the Executive Branch and set the requirements for all USG insider threat programs. In response to this initial guidance and direction, the USG Departments and Agencies have steadfastly pushed to meet Full Operational Capability (FOC) requirements. But this merely represents the start of a long evolution.
Understanding the Program Requirements
While DoD’s efforts to meet FOC standards continue in earnest, program leaders and staff realized early on that there were some important points to note about the prescribed requirements and the field of “insider threat.” First, although the November 2012 national policy set the requirements for all insider threat programs, they were issued as minimum standards, implying that additional requirements (or enhancements) would be needed in the future. The National Insider Threat Task Force (NITTF), stood up by the E.O./national policy at ODNI/NCSC, has promoted additional elements under the “Maturity Model Framework” to address the evolution in implementation and the risk environment. However, since these elements are issued as best practices rather than requirements, implementation across the USG has been uneven at best. Second, the requirements were more of a “checklist” than a performance measure for operational efficiency or effectiveness. (Note: The quest to define a “better, faster, stronger” endpoint, and how to measure success, has been the subject of many panel discussions, articles, and opinions.) Third, the topic of “insider threat” received significant interest and focus due to the Wikileaks/Manning situation, and the requirements were consequently designed to counter the loss (and disclosure) of classified information by a cleared insider. Beyond this, Departments and Agencies were left to determine the breadth and depth of their own programs with respect to the covered population (cleared; uncleared; visitors), defining what was to be protected (people, facilities, networks, equipment, financial assets), and enumerating the threat vectors (unauthorized disclosure, theft, kinetic violence, espionage, sabotage, etc.) based on Senior Leader input and legal authorities. Individual agencies were also left to determine how early the organization would engage the risk prior to a threatening act.
Lastly, it soon became clear that this new pursuit would have to compete vigorously for policy and funding support with DoD’s full set of missions.
To understand any new model or framework, one must understand the context (or environment) in which it operates.
Evolution of the Landscape
With the above background in mind, the following are the considerations regarding the threat and the mission that the Department, based on lessons learned over time, has had to take into account, and that have led it to evolve the insider threat program.
The threat has evolved over time. Although the original purpose of the program was geared toward the threat of a spy for a foreign state, the threat now includes a wide variety of damaging actions (threat vectors), including unauthorized disclosure and kinetic violence.
The risk (or threat equation) includes the human, the threat vector, and the treasure being protected. It is up to the organization to balance the variables within this equation. However, at its core, insider threat is a human-centric problem, not a problem of the various threat vectors (e.g., cyber, violence, etc.) used by the human, or of the treasure being attacked by the human (i.e., information, facilities, financial data, personnel).
The insider threat is a challenge for almost all organizations, regardless of their location. This threat is not confined to the United States, the USG, or even the DoD. The Defense Industrial Base, academic institutions, and commercial organizations (airlines, Wall Street, banks, etc.) all face and must deal with the potential threat from insiders.
The consequences of an insider threat event have increased due to technology and process efficiencies that have empowered individuals and removed or hindered checks and controls—creating a “strategic corporal” effect where one person, regardless of rank or position in the organization, can do a lot of damage. In addition to direct damage, these same efficiencies (and interdependencies) have significantly increased second- and third-order consequences.
Each Department and Agency ultimately owns its own risk. However, for organizations to make effective risk management decisions they must be well informed. Thus, senior leadership must ensure that they understand the full scope of the threat and individual component vulnerabilities when determining the most effective implementation of counter-insider threat programs. In most cases, implementation of minimum standards alone will not provide adequate risk mitigation strategies.
Most insiders do not join an organization to harm it. Rather, they evolve into a threat to the organization.
Most after-action reviews of insider threat incidents indicate that early behaviors of concern were recognized by those around the threat, but were ignored and no action was taken.
Behaviors of concern (and the risk from an insider) are not completely observed, owned, or contained within a single organization. Individuals often have and use multiple affiliations across society and, in the context of the USG, across Departments and Agencies. These overlapping affiliations inform the “whole person” picture as it relates to behavior and risk.
The critical path taken by insiders is often susceptible to multiple events and influences. Some, such as organizational policies, processes, training, and culture, not only affect the critical path but also affect insider risk across the enterprise (e.g., our policy, processes, and training for detecting and mitigating toxic leaders affect insider risk). Similarly, the support and programs offered to help employees resolve personal issues/problems, handle stress, and make good life decisions have positive effects on combat readiness and manpower availability.
Given the importance of the human factor, the Department has recognized the need to evolve the approach, both in name and capability.
Evolution of the model – Key Principles to Counter-Insider Threat
With all of this as background and the additional reliance placed upon the insider threat operational program from other missions (e.g., Continuous Vetting), the Department realized a new approach was needed. This has led to a philosophical shift from insider threat to counter-insider threat. And with this shift, four key principles took root.
Get ahead of crises by understanding the entire human. According to E.O. 13587, the goal of the program is to prevent, deter, detect, and mitigate the threat posed by an insider. Prevention requires action well before an insider threat event – early enough that the focus can be on providing assistance to the individual facing certain stressors that may turn into motivators for concerning behavior. Prevention efforts also require an understanding of the person at risk (using social and behavioral science research) and engagement with the person using proper management and mitigation approaches. Thus, for counter-insider threat staff to understand individuals as a potential threat, they must understand the totality of that person—the whole person. And, by engaging early, the individual can get the training, help, and/or assistance they need early in the critical path (when the best chance for a win-win outcome exists).
Understand the Organizational-Human interaction and reduce Insider Risk at scale. Maximizing early detection and mitigation (moving “left of crisis”) requires understanding the intersection of the human and the organization. Furthermore, it requires identifying “nodes” within an organization that can minimize or increase the risk of an insider threat, such as a poor command climate, toxic leadership, training deficiencies, poorly written workforce behavior policies, poor hiring decisions and/or procedures, or ineffective employee awareness/training/assistance programs. By understanding and addressing these organizational factors, prevention and mitigation of “insider risk” can be done across the organization and “at scale.”
Move from a program mindset to a mission mindset. Like other enduring and evolutionary challenges faced by organizations, success in the insider threat arena requires a suite of efficient and effective capabilities layered together. This suite of capabilities must be leveraged across the organization and permeate all layers of management and organizational culture, as well as engagement with other partners (USG and international), the Defense Industrial Base, and perhaps the commercial sector. In other words, things like employee assistance programs, behavioral prevention programs (domestic violence), and threat management units must all be working off the same “playbook,” with solid processes and the same goal. Thus, the mindset to counter the insider threat must shift from the narrow context of a singular program to mitigate a single event to a broader organizational context: an eco-system made up of stakeholders (across positions and “stovepipes”) who are focused on minimizing risk from an insider. This joint approach will create a network of responsibility, policies, awareness, information sharing, and training for the eco-system that will prevent and mitigate insider risk.
Promote and embrace our integrated partnerships across the DoD Enterprise, while addressing the threats or risks associated with non-organic support elements. DoD is the country’s largest employer, encompassing several components and communities. DoD components engage daily with and depend on multiple community members operating in their own organizational spheres, including contract labor and equipment from Defense Industrial Base companies; DoD schools; international allies and partners; and reservists in the civilian labor force. Mindful that our safety is only as strong as its weakest link, DoD will elevate its leadership and partnership role to collaborate with and assist all affected stakeholders to mitigate and counter threats posed by insiders.
Counter-insider threat is one perspective, and just a point of departure…but a good umbrella for this journal.
For the Department of Defense, moving beyond the NITTF standards meant moving beyond the term “insider threat.” And, while many fora across society have held discussions about the best name for an “insider threat” program, the term “counter-insider threat” fit with the characteristics of the approach and the culture of the Department. In the end, counter-insider threat is a framework, a goalpost to reach, a “north star” under which to align organizational policies/capabilities, and a mission that needs executing to mitigate risk across the organization. All that said, there are many risk frameworks, models, or concepts for insider threat, and “where you sit is where you stand.” In other words, some organizational approaches will be different—perhaps narrower in design and application—because of their mission, resources, priorities for what is protected, and/or the threat vectors of concern. Thus, the DoD’s concept will not be the best solution for all, but we believe it’s the best for the Department at this time. It is where we have evolved and it is a solid concept. But, I have no doubt that the Department’s approach will evolve further, with additional maturation of thought in the field, understanding of the organizational eco-system of insider risk, evolving threats at the individual level, and developed capabilities. Yet, the benefit of this approach (especially for this journal) is that the scope of the mission and its research needs are very broad. This in turn opens up the journal for diverse research across the full spectrum of social and behavioral science fields (both applied and early research) for the full range of customer missions – policy, operations, and training.