Since a contract employee shot and killed 12 colleagues at the Washington Navy Yard two years ago, the government has inched cautiously toward fulfilling a key recommendation: establish insider threat programs. Some companies that do business with the government are far ahead and waiting for agencies to catch up.
Defense officials now consider aerospace giant Lockheed Martin’s program as a model.
“What was most impressive to me was the fact that they’ve somehow tackled what I see as the biggest challenge in this transition to continuous evaluation and insider threat, which is the cultural aspect,” said Carrie Wibben, the director for security and policy oversight within the office of the undersecretary of Defense for intelligence, the day after she visited Lockheed’s Bethesda, Maryland offices in September. “How do you change the culture of the workforce so they don’t see this increased vetting as ‘big brother’?”
Lockheed launched its continuous evaluation program at roughly the same time as the Navy Yard task force issued its recommendations, although the motivation was not exactly the same. Lockheed’s program was concerned about workplace violence and an increase in attempts by nation-states to steal trade secrets from U.S. companies. To date, the company’s program has led to 13 employees being fired, said Doug Thomas, Lockheed’s director of counterintelligence.
“Quite frankly, I don’t understand how a company or government agency can afford not to have a program like this, because the threat is so pervasive,” he said.
But Thomas, who worked for defense and intelligence agencies before coming to Lockheed, said many organizations do not have a 24/7 program. They look at a prospective employee’s background when making a job offer. Workers with security clearances are scrutinized every few years when their clearances must be renewed. But the only continuous monitoring at many agencies and companies is electronic, he said. They employ technology that looks for the odd network behavior, such as watching porn or downloading sensitive company information.
“That’s half of the pie,” Thomas said. “You also have to understand the human behavior aspects if you’re going to have an insider threat program.”
But he said he understands why organizations are reluctant to embrace a tool that monitors employees’ behavior both on- and offline. Lockheed’s corporate leaders were more than willing to support a counterintelligence program that would spot and mitigate external threats to the company, he said. But some balked at an internal program.
“I received some pushback along the lines of, ‘Is this in line with our corporate values?’” he said.
Like Defense officials today, Lockheed leaders worried that such a program would infringe on employees’ privacy. In response, Thomas’ team drafted a “concept of operations” that included system checks. Leaders in the company’s legal, ethics, human resources, corporate information security and security divisions formed a steering committee that met quarterly. The program would submit to annual audits. Internal and external lawyers combed over the details before declaring them sound.
That was the easy part. Thomas’ office spent nearly two years convincing employees that an insider threat program was in their best interest before it launched.
“We made sure people understood that they’re threatened and the company is threatened,” Thomas said. “It has national security implications. It has job implications. And it has revenue implications if something bad along these lines were to happen.”
He found the slightest tweak of language mattered. Employees in a focus group rejected a message that urged them to “report” odd behavior.
They said something “along the lines of ‘you don’t want to create a culture of snitches,’ which is exactly what we did not want to do,” Thomas said. “So we changed the word ‘report’ to ‘engage.’ We want all employees to be engaged in this effort, if you will.”
Thomas’ team focused on winning over frontline supervisors in particular, on the theory that they were most likely to notice strange behavior in colleagues. Thomas reassured them that they did not have to understand the motivations behind that behavior. A tip to his office was enough.
Today, the program covers all 112,000 of Lockheed’s employees. When they notice something amiss with an employee, Thomas’ team launches an investigation that combines shoe-leather detective work with analysis of information security, personnel and security data. They may do it when they learn that an employee is about to be fired. More often, they rely on employees to provide information.
Most of the time, there’s nothing to worry about, Thomas said. But he believes the program is successful.
“We can see how many leads go out and we can see how many of those turn into righteous counterintelligence investigations,” he said. “We can see how many policy violations are done, which also have to be investigated. And we can see results relative to how many files we stopped leaving the company.”
He won’t share details about the 13 people who have been fired as a result of their investigations, except to say that some of them downloaded information that the company did not want to get out. All of them left Lockheed before any damage was done to the company. To date it has not suffered any insider threat of which Thomas says he’s aware.
That’s precisely the point of the program.
“The tool identifies people much earlier in the game,” he said. “The longer someone is doing badness within the company or agency, the more harm they can do to a company or agency.”