Countering insider threats: Part One of a series

Since July 2010, the WikiLeaks website has disclosed hundreds of thousands of secret U.S. government documents and files on the wars in Iraq and Afghanistan, as well as classified State Department cables and reports. Most of these secrets are said to have been disclosed by U.S. Army PFC Bradley Manning, a low-level intelligence analyst deployed to Iraq.

Manning has now been charged with 22 criminal counts, including “aiding the enemy,” and his court-martial is now underway. Manning's alleged actions put his case in the same company as other notorious espionage cases involving U.S. government employees, including Ronald Pelton, Aldrich Ames, Robert Hanssen, Ana Montes and, unfortunately, many others. His alleged disclosures are said to have caused significant harm to national security and diplomatic relations.

Meanwhile, the U.S. National Counterintelligence Executive, in a report released in February, cites examples of billions of dollars' worth of losses as part of a widespread and sophisticated economic and industrial espionage campaign being carried out by the People's Republic of China and other countries and actors against the U.S. government and American private sector companies.

While not all of these losses involve classified information or traditional espionage, they are no less damaging to national security. “It's the greatest transfer of wealth in history,” General Keith Alexander, director of the National Security Agency, said in January at a security conference.

Many of these illicit transfers of information – whether of sensitive diplomatic cables, classified military secrets or invaluable corporate intellectual property – have been carried out by trusted insiders willing to betray their nation and/or their company for greed, ideology or other reasons. They used their access to computer networks to exploit weak or non-existent security features to read, copy, transfer and remove massive amounts of data.

The WikiLeaks disclosures clearly served as a wake-up call for some in government and as a catalyst for new policies and direction to federal departments and agencies to implement effective insider threat detection and mitigation solutions. For example:

  • In October 2011, President Barack Obama issued Executive Order 13587 that created two new interagency oversight bodies, and called for a series of measures to strengthen U.S. government and defense industry capabilities to protect classified information on computer networks.
  • Senior Department of Defense (DoD) and intelligence community officials have issued numerous technical and programmatic directives and instructions aimed at ensuring that federal departments and agencies, as well as U.S. defense industrial base companies, adopt appropriate standards and capabilities for monitoring government and private sector computer networks and reporting on suspicious and anomalous behavior.
  • Congress passed legislation requiring the Secretary of Defense and the Director of National Intelligence to establish counter-insider threat programs across their respective organizations, and to achieve initial operating capability no later than Oct. 1, 2012, and full operating capability no later than Oct. 1, 2013.

These belated actions may reflect a serious commitment to countering insider threats, but it remains to be seen whether the president will insist on full compliance and hold department and agency heads accountable for complying with the new guidance and direction, and whether adequate funding will be provided to launch and sustain effective insider threat detection and mitigation programs. Likewise, it is unclear whether the government will follow best practices and adopt already proven and accredited tools and solutions, or whether it will instead waste time and scarce resources on a host of new, unproven technologies and approaches.

It is important to note that there is no silver bullet for deterring, detecting or defeating insider threats. However, thanks to the foresight and actions of a few prescient government officials more than a decade ago, proven and sophisticated technological solutions do exist and must be implemented. But technology alone will not solve the problem. The government also needs to bolster counterintelligence and counter-espionage resources and capabilities; the DoD and IC must be more rigorous in applying “need to know” policies and principles, even as they promote information-sharing within and across communities; and stronger personnel security practices also are important in this regard.

The Office of the National Counterintelligence Executive (NCIX) reports, “Today more information can be carried out the door on removable media in a matter of minutes than the sum total of what was given to our enemies in hard copy throughout U.S. history. Consequently, the damage caused by malicious insiders will likely continue to increase unless we have effective insider threat programs that can proactively identify and mitigate the threats before they fully mature.”

Evidence of the real and growing threat posed by trusted insiders is overwhelming. As Gen. Alexander's comment makes clear, the losses to date are truly staggering. It's time for the U.S. government and the private sector to work together to halt this massive, illegal transfer of American know-how and secrets.

Christopher Williams has held senior positions in the Department of Defense and the U.S. Congress. This is part one of a series on insider threat; part two follows.