Security Experts:

White House Issues National Insider Threat Policy


White House Releases National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs

The White House recently released a national insider threat policy and standards to guide federal agencies on how to prevent data leaks. However, there were still some things missing from the directive, security experts said.

While the White House announced the guidelines in a Nov. 21 memo to the heads of federal agencies and departments, the actual National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs has not been publicly released. The new insider threat policy is designed to prevent information leaks, espionage, and "violent acts against the Government or the Nation," according to the memo.

The national policy comes more than two years after U.S. Army Pfc Bradley Manning was arrested for copying hundreds of thousands of classified government documents and leaking them to whistleblower site WikiLeaks. In October 2011, Pres. Barack Obama outlined "structural reforms" in an executive order to protect classified information and networks.

The standards are intended "to provide direction and guidance to promote the development of effective insider threat programs within departments and agencies to deter, detect, and mitigate actions by employees who may represent a threat to national security," according to the memo.

The Minimum Standards for the programs set forth baseline requirements for agencies to follow when implementing insider threat programs, such as an ability to analyze and respond to threat-related information and monitor employee use of classified networks.

The directive is a "step in the right direction" and consistent with what Imperva has identified as best practices for mitigating insider threats, Rob Rachwald, director of security strategy at Imperva, told SecurityWeek.

According to the memo, the minimum standards outlined in the policy provide departments and agencies with minimum elements necessary to establish effective insider threat programs, including the capability to gather, integrate, and centrally analyze and respond to key threat-related information.

The insider threat policy won't just help prevent insider threats, but would also stop external attacks. Since agencies would improve their ability to monitor and detect threat-related information, including attempts to access classified data, they will also get better at detecting external incidents where stolen employee credentials are used to access classified data, Jaime Blasco, AlienVault Labs Manager, told SecurityWeek.

"It won't only help to detect insider threats but also external actors that are able to compromise government systems," Blasco said.

The memo doesn't say how the agencies are supposed to obtain the "key threat-related information" in the first place, Darien Kindlund, senior staff scientist at FireEye, told SecurityWeek. Organizations get attacked by many forms of malware on a daily basis, giving them many opportunities to learn about the threat and a large pool of samples to study. That isn't the case with insider threats, as the effects aren't always immediately apparent, and the number of incidents to learn from is smaller than the amount of malware, Kindlund said.

There would be problems implementing the program if the policy doesn't consider how to police instances when authorized insiders abuse their access, Francis Cianfrocca, CEO of Bayshore Networks, told SecurityWeek. The policy also has to take into account that malicious insiders aren't always rogue employees, but could be external attackers who have already breached the network and already have access to internal systems.

"Determined abusers have many ways to make their activities look normal," Cianfrocca said.

Considering how frequently foreign actors compromise insiders in their attempts to attack U.S. networks, an insider threat mitigation program must address the issue, Rachwald said.

There was no reference to deploying technology systems that can identify "aberrant behavior" when it comes to intellectual property and classified material, Rachwald said. Manning copied over 280,000 classified files without triggering any alerts. If such a system had been in place, the abnormal activity would have been flagged.

Government employees should know they are being watched when handling sensitive or classified information. Humans tend to behave differently when they know they are under observation, and that alone can "substantially mitigate" insider threats, Rachwald said.

The memo does specifically call out offering federal employees insider threat awareness training, which Cianfrocca called a "critical need." Affected agencies may also treat the memo as a "green light" to allocate more funding to internal counter-intelligence operations, of which insider threat detection is a big portion, Kindlund said.


Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.