Continuous evaluation, social media remain sticking points for insider threat policy

Harnessing the power of predictive analytics will help agencies develop their insider threat initiatives from programs that react to an incident, to ones that prevent them.

Programs within the intelligence community are more mature, while others like the Defense Department are knee-deep in implementing their programs. Many are still determining how certain data sets — like those collected from social media or continuous evaluation — will inform their insider threat plans. Others, though, have a longer way to go, said Patricia Larsen, co-director of the National Insider Threat Task Force.

“We have some civilian agencies that don’t view national security as their priority or their number one mission set,” Larsen told Federal News Radio. “So for them it’s more of a culture change, and that’s just a little slower to make progress in. We have a lot of buy-in across government that this is important.”

Free e-book on the latest federal government cybersecurity initiatives. Download now.

Larsen said the next steps for those agencies is answering some of the technical and legal questions about specific parts of their respective programs.

Advertisement

Insider threat and security clearance reform is listed as one of the 15 cross-agency priority goals for 2016-2017, according to the Office of Management and Budget. It’s been a CAP goal since President Obama released his fiscal 2015 budget proposal.

Another next step for the task force as a whole is to finish implementing continuous evaluation, which lets agencies run automated checks on an employee’s financial, travel and criminal history records.

Continuous evaluation will eventually be a part of the insider threat program, Larsen said Oct. 13 during a panel discussion at the Predictive Analytics Conference in Washington .

The concept isn’t a new one, but Larsen said the technology is just beginning to show the results they need.

“We’re at the point where we can list names and run them through about seven different data sources that give different dimensions of you as a person: your finances, your criminal history, your travel, etc.,” Larsen said. “Run those automated records checks on a fairly frequent basis and then you get more information about the person. That information then is put into your insider threat program so you have more data about the individual than you did before.”

Steve McIntosh, insider threat program coordinator for the Defense Intelligence Agency, said his agency can ingest information from all data sources, but it still needs to build the right algorithms for automatically processing that information.

Tracking social media opens up other questions for the Insider Threat Task Force and individual agencies.

Larsen said the task force is grappling with the right social media policies and it has started different test pilots to look into those challenges. Agencies need to make sure they’re looking at the right people online and understand that the context behind an employee’s online posts might be ambiguous, she said.

‘What we need to do in the near-term is develop more pilots to determine what is the value of using the information compared with the costs of obtaining it, [to] see if we learn things that we didn’t get from any other means, because this is a bit more intrusive,” Larsen said. “It’s somebody’s online behavior that they’re doing on their own time. So we have to understand if that’s really the bang for the buck.”

McIntosh said DIA is one of those agencies that’s “testing the waters” in social media monitoring.

“We don’t have unlimited pockets, so we have to look at what that return is on investment,” he said during the panel.

Adding the HR, human behavior pieces

Combating the insider threat is as much of a data issue as it as a human resources issue, said Jeff Maille, deputy insider threat program manager at the National Geospatial Intelligence Agency’s Security and Installations Directorate.

When a new director came on board at his agency, Maille said he gave his supervisor a full progress report on insider threat projects. Having buy-in from the agency’s top leadership is key, because as Maille reminded his director, “it’s your program.”

McIntosh suggested agencies gather the data they already have from their human resources offices, analyze it and present it to top leadership as a way to justify more work on the insider threat program.

At DIA, a human psychologist helps McIntosh’s agency analyze the data he collects.

“There is no one tool that does it all,” he said. “It’s a suite of tools and a suite of different skills.”

Studying human behavior is critical, Larsen said, because “the insider is still a person.”

“How do I test loyalty?  What are the outward signs that I can quantify, and measure, and merge it with other factors, like financial, criminal records,”  she said. “It’s really hard.”