According to SECNAV Instruction 5510.37, dated 2013, an Insider Threat is "a person with authorized access who uses that access, wittingly or unwittingly, to harm national security interests or national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in loss or degradation of resources or capabilities." Simply put, Insider Threat means the unauthorized disclosure of classified information that damages national security, or violence that results in injury, loss of life and/or damage to Navy operational resources.
Although the Navy has experienced a number of destructive and debilitating insider incidents over the years (the Walker-Whitworth espionage case of the 1980s, for example), a recent spate of information disclosures and workplace violence has compelled a more focused institutional examination of the threat.
The tragic events of the shooting at Fort Hood in 2009, the damage to USS Miami (SSN-755) in 2012, the Washington Navy Yard in September 2013, and massive classified information disclosures by U.S. Army Private First Class Bradley Manning in 2010 and National Security Agency contractor Edward Snowden in 2013, all clearly fall within the definition of insider threat. In each case, the actions of these perpetrators could likely have been prevented had their colleagues been alert and attentive to their behaviors and, most importantly, reported it.
Why is Insider Threat Important?
With the most powerful military and the largest economy in the world, the United States is an attractive target not only to our adversaries, but to insiders who seek to harm us or weaken us through compromised information. Insiders are particularly dangerous because, through our confidence and trust, they have been granted access to systems, capabilities, or people they otherwise would not have. For example, insider threats to cybersecurity may target specific sensitive information on programs or operations and reveal what an insider may perceive to be unjust policy or intelligence. As a consequence, adversaries may then gain knowledge of methodologies and procedures which they can later use for denial of information purposes, negatively impacting vital streams of intelligence essential for protecting U.S. lives and property.
As the recent high-profile cases have demonstrated, system administrators with privileged user status, the ubiquity of our information systems, our workforce's broad access to sensitive systems, and the comparative ease with which data can be transferred all greatly compound this problem.
What Motivates Someone to Consider Acting in This Way?
A feeling of injustice, a loss of something valuable, the need to feel important, or an antithetical moral obsession could transform an otherwise trustworthy service member or employee into a disgruntled insider or potential target for an adversary to exploit.
Equally threatening are those who may be stressed by circumstances beyond their control, and who may choose to sell information to alleviate their problems or resort to violence in retaliation for some perceived wrongdoing. Criminal behaviors that may manifest as a consequence of these motivations include theft, espionage, unauthorized disclosure of sensitive information, sabotage against the United States, and workplace violence.
The Navy Insider Threat Program
To combat insider threats, the Secretary of the Navy signed SECNAV Instruction 5510.37 on 08 August 2013, implementing the Department of the Navy (DON) Insider Threat Program (InTP). According to the instruction, the DON shall:
• Ensure existing and emerging insider threat training and awareness programs are developed, updated, and implemented.
• Enhance technical capabilities to monitor user activity on all systems in support of a continuous evaluation program.
• Leverage Antiterrorism/Force Protection (AT/FP), Counterintelligence (CI), Human Resources (HR), Information Assurance (IA), Law Enforcement (LE), Security and other authorities to improve existing insider threat detection and mitigation efforts.
• Detect, mitigate, and respond to insider threats through standardized processes and procedures.
• Ensure legal, civil, and privacy rights are safeguarded.
• Promote awareness and use of employee assistance programs (EAP) to enhance interventions for employees in need. (This link provides additional information, resources, and guidance for Employee Assistance Programs http://www.militaryonesource.mil.)
In support of SECNAV's policy and to increase awareness throughout the entire workforce, the Chief of Naval Operations published OPNAV Instruction 5510.165 on 01 October 2015, established a Navy Insider Threat Board of Governance and organized an Insider Threat Working Group under the Director of the Navy Staff to address Insider Threats.
CNO's Insider Threat Program (InTP) working group focuses on measures aimed at preventing future workplace violence as well as the unauthorized disclosure of classified information. In close coordination with stakeholders from across the OPNAV staff and the Navy, this team issues directives and recommends policy changes that reinforce the safety and security of both our people and our information. A core member of the team, OPNAV N2/N6 focuses on the significant cybersecurity aspects of Insider Threat.
To address this responsibility, the Deputy Chief of Naval Operations for Information Dominance, N2N6, established the Insider Threat to Cybersecurity (ITCS) Office in 2013. The ITCS Office was created to lead the focus on the intelligence, counterintelligence (CI), information assurance (IA), User activity Monitoring (UAM), and continuous evaluation (CE) elements of Navy Insider Threat.
The ITCS Office is charged with overseeing Insider Threat activities within these specific areas, and coordinating with related efforts across the antiterrorism/force protection (AT/FP), human resources (HR), law enforcement (LE), security and other mission areas within the operational Navy. The ITCS Office is also charged with improving information sharing on insider threat deterrence, detection, and mitigation efforts.
Major elements of ITCS
Mission
To deter, detect, mitigate, exploit, and deny the activities of insider threats operating against DON programs, information, and operations, while fostering a workforce environment in which employee issues are identified and addressed prior to the advent of inappropriate behavior.
Vision
To implement and execute the full scope of ITCS, consisting of the development of policies and procedures, a governance structure, employee assistance activities, enhanced continuous evaluation, centralized user activity monitoring, an analytic and response capability, and a random polygraph program for privileged users that provides a timely response to potential threat information derived from AT/FP, CI, IA, HR, LE, security, and other sources, as necessary.
Guiding Principles
To effectively and efficiently develop and execute the U.S. Navy ITCS Program, ITCS will align with National, Department of Defense, SECNAV, and the larger U.S. Intelligence Community Insider Threat activities and initiatives; partnering wherever possible, to maximize effective insider threat prevention and mitigation.
The Effort
• Deterrence and sustained vigilance. Take immediate actions to enhance safeguards and decrease the likelihood of insider activity, focusing on the compromise or loss of sensitive or classified information. These actions include:
-- Enhanced continuous evaluation of those in trusted positions;
-- Security review and update;
-- Network upgrades and network hardening efforts;
-- Deploying Two-Person Integrity in case of sensitive networks and critical infrastructure;
-- Mandatory random polygraphs for privileged users and system administrators;
-- Continuous validation of privileged user accounts;
-- Training the workforce; and
-- Creating an environment of trust.
• Compliance: An All Hands Issue. Sailors, civilians, and contractors have been entrusted with unique access to sensitive information and information systems, most of which are directly or indirectly related to our national security. Consequently, those personnel must adhere to appropriate security policies and procedures designed to safeguard personnel, facilities, information, and systems. Compliance with governing law, policies, and procedures is a command responsibility and commanders must ensure appropriate implementation of security policies, processes, and procedures.
Insider Threats Are Real
All threats, no matter how subtle, are real. The highly publicized aforementioned Insider Threat incidents represent extreme cases where lives were lost and classified information was leaked on an unprecedented scale. A successful Insider Threat incident, however, doesn't have to be as dramatic or explosive as those to cause serious or grave damage to the national security.
The threat can be much more subtle, and still have crippling consequences. The fact that SECNAV and CNO have instituted Insider Threat programs for the Department and the Navy reinforces the concern. We must be cognizant of the motivations that could lead a Sailor or employee to become a malicious insider. We must be aware of the behaviors and indicators exhibited by potential malicious insiders. And we must be resolute in our individual responsibility to report questionable activity.
Insider Threat Behavioral Indicators – Know the Signs – When to report or show concern:
Information Collection:
• Keeping classified materials in an unauthorized location
• Attempting to access sensitive information without authorization
• Obtaining access to sensitive information inconsistent with present duty requirements
Information Transmittal:
• Using an unclassified medium to transmit classified materials
• Discussing classified materials on a non-secure telephone
• Removing classification markings from documents
Additional Suspicious Behaviors:
• Repeated or unrequired work outside of normal duty hours
• Sudden reversal of financial situation or a sudden repayment of large debts or loans
• Attempting to conceal foreign travel
• Repeated attempts to introduce Personal Portable Electronic Devices into SCIFs
The above list of behaviors is just a small set of examples. You should report any additional observed behaviors that may parallel or exceed the concerns listed in this article.
Know Your Responsibility – Report Suspicious Behavior
Navy personnel need to be especially observant. Follow standard OPSEC procedures and be alert if someone asks about information for which they do not have a need to know. Be cautious of anyone showing unusual or unnecessary interest in your job, or who may inquire about deployment plans, mission, readiness, timetables, technology, organizational morale, or personally identifiable information.
Follow the common sense rules that protect access to your Navy accounts. Be particularly mindful of information you post on social media sites and do not broadcast your financial concerns or personal challenges. Instead, seek support through the numerous resources the Navy, Marine Corps, and federal government have to offer. The information you make available can add up to a bigger picture, one that may make you a potential target for exploitation. Remember, you do not have to be the most valuable target, just the most available one.
Espionage, workplace violence and other national security crimes leave a long line of victims. Recognize the indicators. Prevent harm. If you see something – Report it!
Report Insider Threat Concerns to:
• Chain of Command
• Security Manager
• Special Security Office
• NCIS:
-- www.ncis.navy.mil
-- Text “NCIS” + tip info to CRIMES (274637)
-- “Tip Submit” Android and iPhone App (select NCIS as agency)
-- 1.800.543.NAVY(6289)