Creating an Insider Threat Program - PAE...NCMS June 2015 Agenda •Introduction •History 101...


Creating an Insider Threat Program

NCMS June 2015


Agenda

• Introduction

• History 101

• Recent Events

• What is Insider Threat and Why We Need A Program?

• The National Archives Program

• NISPOM Requirements

• What is a Program?

• Sources of Data and the HUB

• Scope and Assets

• Base Line (What is Normal?)

• Implementation

• Case Studies (Data Use)

• Q & A

• Resources…


Samuel Slater (June 9, 1768 – April 21, 1835)

In the UK he was called "Slater the Traitor"


What about these?

• Wen Chyu Liu

• Kexue Huang

• Yuan Li

• Elliot Doxer

• Sergey Aleynikov

• Michael Mitchell

• Shalin Jhaveri

• Hanjuan Jin

• Greg Chung

• Chi Mak

• Conspired with internal employees

• Foreign Travel

• Foreign Contacts

  • Business

  • Government

• Downloaded and copied

  • MBs of data

  • Thousands of documents and files


Recent Events…..

• Many of the documents leaked by Manning to WikiLeaks and by Snowden have shown us a new wave of threats from personnel whose access and training allow them to damage national security.


What is an Insider Threat and Why do We Need A Program?


What is an insider threat?

• It is a threat posed to U.S. national security by someone who has authorized access to classified information but who misuses or betrays that access to provide classified information to another entity not authorized to possess it. That entity could be another government, another individual, or even the media.


Why does the United States need Insider Threat Programs?

• The exposure of hundreds of thousands of classified and sensitive USG documents by the WikiLeaks internet site demonstrated to the government and the public that current sharing and safeguarding procedures for classified information were inadequate and put our nation’s security at risk.

• In November 2012, after an interagency review of the NITTF’s work products, the President issued the National Insider Threat Policy and the Minimum Standards for Executive Branch Insider Threat Programs via a Presidential Memorandum.


National Archives and Records Administration


Why does the National Archives need an Insider Threat Program?

• NARA is responsible for the safety and protection of holdings which include information classified by every department and agency authorized to do so, as well as electronic systems used as part of our work with those holdings or to otherwise support NARA operations. Hundreds of NARA staff, other agencies' employees, and Federal government contractors have access to this information and these systems every day in the course of their work. It is our responsibility, as directed by the President, to prevent individuals with access to NARA's classified holdings and systems from giving classified information to individuals or organizations not authorized to possess it.


Background: NARA

• We have 600-plus employees and contractors with access to National Security Information

• We have the most mosaic collection of classified information in the US government:

  • Presidential Libraries

  • Intelligence Community Records

  • Department of Defense (Armed Services and Combatant Commands)

  • Departments of State, Energy, Commerce, Treasury, etc.

• We have generational media types, disks, tapes, textual, maps, photos, etc, of highly sensitive national security information.


ITP is within the Chief Operating Officer's Office


NARA ITP

• Developed Policy NARA 242

  • Ongoing development of Implementation Guide

• Developed Training

• Hired Staff (1 IT Security Specialist and 1 Program Analyst)

• Currently baselining our Agency

• Gather Data

• Developing Priorities

• Reviewing Policies and Process


The Challenge

• Educating Leadership and Staff on what the Program is and is not…

• 46 Locations across the United States plus affiliated Archives and Records Facilities.

• We own the records but NOT the classified information, and the records are PERMANENT!

• We do not classify records and most of our classified electronic systems are standalones and LANs.

• Plus we have 100’s of other Federal Employees and Contractors assisting in the review of classified information for declassification.


Economic Impact of the Insider Threat…

“In the last fiscal year alone, economic espionage and theft of trade secrets cost the American economy more than $19 billion…economic espionage and theft of trade secrets are increasingly linked to the insider threat…”

-Christopher Munsey, FBI Counterintelligence Division (2013)

“The average cost per Insider Threat incident is $412,000. Average loss per industry is $14 million/year. Multiple incidents have exceeded $1 billion.”

-Patrick Reidy, FBI CISO, Black Hat Conference (2013)

Source: Global Skills Exchange, Corp.


NISPOM Requirements


What is your Challenge!?

• Establish a program that:

  • Has a designated Senior Official and Insider Threat Official who will

• Gather, integrate, and report potential or actual insider threat

• Maintain records pertinent to insider threat for when requested, and render assistance if necessary

• Report events that may indicate the employee poses an insider threat or affect proper safeguarding of classified information

• Training Requirement


Requirements

• Senior Official

• Establish a Program

• Train Staff

• Maintain Necessary Records and Documentation

• Report


What is the Program?

• Proactive

• Behavioral

• Risk Management

• Overlaid onto Existing Programs

• Integrates Data from MULTIPLE sources

• Discrete


Sources of Information

• Information flowing into the HUB can be passive or active. Active information is information requested when it is believed that a staff member is engaged in malicious behavior. Passive information feeds into the HUB through electronic feeds with no human action.


[Diagram: Insider Threat Hub]

Data Sources:

• Financial Disclosure

• Physical Security

• Foreign Contacts

• Foreign Travel

• EAM Data

• Human Resources

• Personnel Security

• Behavioral Assessments

• UAM Data

Other diagram labels: Manual or Automated Processing; Insider Threat Hub; ANALYST; Insider Inquiries; Metrics; Leads; Reports


Office Stakeholders

• Office of Human Capital

  • Labor/Employee Relations and Benefits

  • Staffing and Recruitment

• Business Support Services

  • Facilities and Property

  • Security Management

• Information Services

  • IT Security

• External Owners of Classified Networks

  • May need an MOU


Labor/Employee Relations and Benefits; Staffing and Recruitment: DATA

• Name (First and Last)

• Organization Code, Office Symbol, and Description

• Pay Plan, Occupational Series, Position Title and Grade

• Supervisory Status

• Employee's Supervisor

• Location (Physical)

• Employment Status

• Start Date

Other needed Information

• Anniversary Dates

• Termination Date

• Performance Ratings

• Transfers, Promotions, and Details to other Offices that require different access

• Administrative Leave or other Disciplinary Action

• Work Hours, Flex Time, 4/10s etc

• Date in Current Position


Security Management

Information Via Forms

• Foreign Travel, Contacts (name and nationality), official or personal.

• Dates, Destination, and Unusual changes in itinerary

• Clearance Level and Access

• Security Infractions and Violations

• Statement of Personal History SF 86

• Classified Room Access Logs

• Employee financial disclosure reports as appropriate

• Government Official Passport holders

• Requests for Access or Keys to Areas not within Staff Scope of Work

• Staff needing temporary pass

Notifications via E-mail

• Changes in relationship status (divorced, widow, marriage) or cohabitation

• Financial Problems (bankruptcy, garnished wages, or liens)

• Arrests (for any reason), or other involvement with the legal system

• Psychological or Substance abuse counseling does not need reporting if sought on your own initiative.

• Outside Activities or Employment that could create an apparent conflict of interest

• Notification of pending termination or under special watch by Security

• Incident while attempting to leave through baggage checks


IT Security

• Websites visited or repeated attempts

• Downloads from websites or

• Access to E-mail after work areas? Weekend? Holidays?

• Accessing shared drives after hours.

• Downloading off

• Attempting to access unauthorized drives during or after hours

• Attempts to bypass security protocols

• Attempts to encrypt data on drives

• Requests for new user accounts

• Remotely accessing the system and performing tasks atypical of the individual's responsibilities

• Elevating or assigning administrator roles to unauthorized users or accounts

• Accessing another user's computer when left unattended

• Failing to follow policies and controls

• Accessing user and administrator accounts after termination of employment.

• Using computer resources to conduct a side business

• Any staff member having been recently terminated, disciplined, demoted or changed duties and roles.
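
An added example, not part of the presentation: a small sketch of the passive correlation the slides describe, joining HR fields (termination date, work hours) with activity events to surface after-hours, weekend and post-termination access as leads for the analyst. The log format, account names, flag names and function names are assumptions constructed for illustration.

```python
from datetime import datetime, date, time

# Constructed HR feed keyed by account; fields mirror the HR data slide
# (termination date, work hours). All accounts and values are made up.
HR = {
    "asmith": {"terminated": None, "start": time(7, 0), "end": time(17, 30)},
    "bjones": {"terminated": date(2015, 3, 20), "start": time(8, 0), "end": time(16, 30)},
}

# Constructed activity events: ISO timestamp, account, action, resource.
EVENTS = """\
2015-03-18T10:12:00 asmith file_read //share/projects/plan.doc
2015-03-18T23:41:00 asmith file_read //share/projects/plan.doc
2015-03-21T09:05:00 bjones logon ws-114
2015-03-22T14:30:00 asmith email_access mailbox
2015-03-23T09:00:00 cdoe logon ws-020
"""

def flags_for(ts, rec):
    """Return the indicator flags one event raises against its HR record."""
    if rec is None:
        return ["NO_HR_RECORD"]          # account unknown to HR, cannot be baselined
    flags = []
    if rec["terminated"] and ts.date() > rec["terminated"]:
        flags.append("POST_TERMINATION")
    if ts.weekday() >= 5:                # Saturday or Sunday
        flags.append("WEEKEND")
    elif not (rec["start"] <= ts.time() <= rec["end"]):
        flags.append("AFTER_HOURS")
    return flags

def build_leads(log_text, hr):
    """Parse the event log; return (leads, unparsed_lines)."""
    leads, unparsed = [], []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            user, action, resource = parts[1], parts[2], parts[3]
        except (IndexError, ValueError):
            if line.strip():
                unparsed.append(line)    # keep bad lines visible, never drop silently
            continue
        flags = flags_for(ts, hr.get(user))
        if flags:
            leads.append({"user": user, "when": ts.isoformat(), "action": action,
                          "resource": resource, "flags": flags})
    return leads, unparsed

if __name__ == "__main__":
    leads, unparsed = build_leads(EVENTS, HR)
    for lead in leads:
        print(lead["when"], lead["user"], lead["action"], ",".join(lead["flags"]))
    print("unparsed lines:", len(unparsed))
```

A flag here is only a lead for review against the individual's baseline; a staff member on a flex schedule will raise AFTER_HOURS until the HR work-hours field reflects it.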


SCOPE and Your Assets….


What is the scope of your Insider Threat Program?

• Will you only monitor staff that have direct access to classified national security information?

• Will you monitor “trusted business partners”?

• Will you monitor all system administrators? Unclassified networks?

• Where is your DATA?

• Who has access?

• How soon do new hires get access?


[Diagram: HUB Priorities]

• Highly Sensitive Information Offices and Staff

• Other Agency Staff and Contractors

• Low Risk Offices and Staff

• All New Employees and Contractors

• Special Studies and Audits

• Moderate Risk Offices and Staff

• High Risk Offices or Staff

• Problem Employees or Watch List

• HUB IT Program Staff


[Diagram labels: USER; User Activity Monitoring (UAM); Analyst Workbench; Analytic HUB (Private Enclave); ANALYST]


Baseline

• What is your “normal”?

[Chart: Foreign Travel. Legend: Base Travel 2014 2015]


Implementation

• Have a written Policy

  • And Implementing Guide

• Engage the C Suite

  • Educate and Inform

• Internal Communication on the Program

• ICN

• Web

• Be Transparent

• Train, Train, and Train staff

• Set Reasonable Goals when beginning

• Document and Record your internal activities

• Stay Current with your organization


Turning on the Switch……


Case Studies


Resources

• FBI

  • http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat

• CERT

  • https://www.cert.org/insider-threat/

• NCIX

  • www.ncix.gov/issues/ithreat/

• DSS

  • http://www.dss.mil/documents/ci/Insider-Threats.pdf


My Contact Information

Neil C. Carmichael, Jr.

Program Manager

Insider Threat Program

National Archives and Records Administration

301-837 3169 (office)

301-502-3704 (bb)


Member NCMS Chesapeake Bay Chapter