Whether an employee intends to steal information to use against their employer or accidentally clicks a phishing link in an email, the risk of insider threat in the United States is a real problem.

The Insider Threat Task Force — created in 2011 through an executive order by the Obama administration after the Edward Snowden leaks — is made up of rotating members and representatives from all departments and agencies within the executive branch. About 30 members are on the force at any given time, sometimes including contracted personnel, as well as appointed government employees.

But what exactly were they created to do?

Wayne Belk, co-director of the task force at the Office of the Director of National Intelligence, joined Federal Drive with Tom Temin to discuss the program’s role in helping to thwart off the threat of employees leaking classified information from within the agencies. Belk said it is their job to ensure federal employees are educated enough to know exactly what to look for in terms of somebody who may cause cybersecurity vulnerabilities within an agency. He said the reason behind the leaking of information is irrelevant.

Advertisement

“Being witting or unwitting of the threat isn’t really a relevant point,” he said. “The problem with insider threat is that it is kind of independent of the causality behind it. It doesn’t matter what the reason is … it’s about activity and abnormal behavior.”

Each piece of information received by the task force is often nothing on the surface. The insider threat program software that is or will be integrated into the agencies should be able to pick up small discrepancies and unusual behavior — such as an employee downloading large amounts of data to a thumb drive or using a badge to access the office at an unusual time of day.

Belk said the task force shouldn’t be called for every little thing.

“This is not a big brother program. We are not trying to turn the workforce against each other. It’s exactly the opposite,” he said. “We all have that personal sense of the people that we work with on a day-to-day basis … you will have a sense if something doesn’t feel right, look right or sound right.”

Insider Threat Month - June 21, 2017 https://federalnewsradio.com/wp-content/uploads/2017/06/Belk-Federal-Insights-Insider-Threat-061317.mp3

The task force itself is not an operational entity. Instead, its mission is to give the executive branch departments and agencies a helping hand in terms of implementing the 26 minimum requirements published within the executive order.

Some of the responsibilities of the task force include:

Monitoring user activity on classified government networks.

Evaluating personnel information for each agency and department.

Training employees to be aware of the risk of insider threat, and what the task force does and doesn’t do.

Providing assistance, analysis, reports and response.

Individual offices of the executive branch such as human resources, security or counterintelligence all have legitimate purposes, but each have a single functional area to focus on. Belk said the insider threat program is the opposite of that and has the mission of working to create and help develop mitigation programs under those standards that are more proactive than in the past.

The force is meant to advise and inform the agencies of activities that are not normal across the employee workforce, and keep employees and leaders aware of possible problems.

“You want your workforce to know the program is there. You want them to understand generally what its function is and how it operates,” he said. “You want them to accept it as something that is there to protect them. [It] is not a ‘gotcha’ program.”

Though required by the president, Belk reassured that this order did not give the government the right to spy on private conversations — even the ones made at work.

“Phone calls and monitoring of telephone conversations are not part of the minimum standards under the executive order and the national policy. So the insider threat program has no element in it within those requirements that deals with telephone conversations,” he said.

“We always want to educate the workforce that if they do see, feel, hear [or] think something is just not right, [not] to try to figure it out,” he said. “Call the insider threat program and let them figure it out.”

Classified and unclassified channels are both at risk for insider tampering. However, the classified channels provide more information because employees must consent to have their private information shared on the databases.

And something being a little out of the ordinary is not cause for worry. Belk said it is up to the individuals at agencies to set the threshold for when to contact the task force.

It is then the task force’s job to take the information shared, dig a little deeper and find the context.

The force is equally there to “protect the individuals in the workplace as much as it is the information on the networks,” he added.