The executive order set up an Insider Threat Task Force led by the FBI and Office of the Director of National Intelligence. The goal of the task force and policy is to ensure that a WikiLeaks-style release of classified information doesn’t happen again. But the mandate also was not meant to set back the government’s progress to “connect the dots” in the post-9/11 intelligence world.
John Swift, who works for the task force and ODNI, said the draft is one piece of a bigger effort that will take time to implement.
“The National Policy on Insider Threat is in draft and will probably move its way to the White House National Security Staff in the next month or two, which is pretty fast in the federal scheme of things,” said Swift during a panel discussion on the insider threat at the FOSE trade show in Washington Wednesday. “However, in order to actually implement a program, you will want to have standards. Those standards are being developed now by the task force, and all the interagency members that are working on it. Those standards have to be issued by October of this year.”
He said the standards are not necessarily part of the draft strategy. The executive order called for the standards one year after the President signed the mandate, but there is no hard deadline for the insider threat strategy.
Swift said nearly every agency has some sort of initiative or program to identify troubled employees who could be threats to the agency, and reduce the risk of insider threats.
But the standards will help set a minimum baseline for all.
Standards to focus on several areas
Swift said while it’s still too early to say where the standards effort will focus, he could see standards around training and awareness, the integration of information and insider indicators, which are mechanisms to see a problem and decide how risky an employee is.
The task force also is looking across the government for best practices that already exist and to decide what can be scaled to all agencies.
In the meantime, while the task force and White House finalize the policy, agencies could turn to the secure identity cards under Homeland Security Presidential Directive-12 to help limit insider threats. Rob Carey, the Defense Department deputy chief information officer, said during another session at FOSE that the card can also prevent unauthorized access to data and promote information sharing at the same time along with improving the cybersecurity of an agency’s network.
“We have a database. We have an authoritative source of our identities, called the DEERS database so I have a root definition of who I am. I have an enterprise identity number that describes me and only me,” he said. “From there, I can get into the networks. I can get into the applications and I can get into websites and do what I need to do. That’s the key to the future being able to understand where Rob is allowed to go based upon privileges and roles and where more importantly where he is not allowed to go.”
Carey said DoD is rolling out public key infrastructure to the secret or classified network, which will not only add another layer of security but also let officials know who is on the network, when they were on the network and what they were doing there.
The Defense Information Systems Agency is putting in place the technology and data to create this authentication and access-based control. DISA officials said enterprise email gives them the parts to create the roles and responsibilities for all users.
DoD moving to data-centric security
In all, using the Common Access Card to define what an employee can see or which database they can access is one step in how DoD is moving toward data-centric security and away from machine-centric security, meaning they want to secure the data and not necessarily the computer.
Additionally, Carey said DISA and NSA are testing how to do PKI-based authentication without a secure ID card. He didn’t offer too many details except to say it’s a token on the device itself.
The insider threat panelists said HSPD-12 is one of many tools to help address the problem.
Diana Braun, who is a member of the Insider Threat Task Force and works for the FBI, said identity management is one of five near-term ways to strengthen systems against insider threats.
But the panel also said the fight against insider threat is more than just a technical solution. It has to incorporate people, indicators and analysis. “I don’t think there really is a purely secure system,” said Gordon Snow, the FBI’s assistant director of the Cyber Division. “Our systems that run on different protocols in the classified area, where the executive order talks about, obviously rides on the Internet, communicates on the Internet, but doesn’t really touch the Internet in a direct fashion. There are protocols in place that makes it a closed network itself. PKI is a great thing, but it has to be a layered defense.”
Snow said agencies need to understand the anomalies in the system and can analyze logs, but the key is getting into the mind of the person who could be an insider threat.
Under the executive order, agencies must report annually on how they are reducing their risk and setting up programs to identify potential insider threats.
The Insider Threat Task Force developed a baseline of where agencies are in preventing these threats in the December-January timeframe.
“What it demonstrated to us is there is a lot of moving parts and there is a really serious need to align resource requirements with what agencies have,” Braun said. “What this led to is a more concerted effort to work closely with OMB to develop budgets for several next fiscal years to align them with meeting the requirements of the executive order. But essentially, basic general conclusions are we are moving in the right direction.”
Agencies have until Oct. 7 to submit to the White House their first annual report on how they are meeting the requirements of the executive order.