Agency Insider Threat Planning

Federal Cyber Security professionals have long considered the “insider threat” as the most insidious, hardest to protect against threat vector. This has always been the toughest form of threat, even before computers were created. Now that every employee in the entire organization must have access to IT the cyber version of this threat is just far more complex.  Part of the complexity comes from the fact that the actions taken to find one malicious individual can have a negative impact on the productivity of all the good ones in an organization. This is also a challenge because a good person who is known and trusted may one day change their intent. How can you spot this one? There are very interesting human dynamics to this challenge.

Although cyber security professionals had long worked this issue, the summer 2010 arrest of Bradley Manning and discovery of the extent of his treason during subsequent investigations brought this matter to a head in the federal government. Working groups were established in multiple agencies to try to deal with the insider threat in a more coherent fashion, and eventually a formal cross-government mechanism was established to coordinate appropriate policy for reducing the insider threat.

It is interesting to note that in the opinion of our researchers, perhaps the most important step that could have been taken to mitigate this threat was not taken. We feel that the human dynamic is the most important dynamic in this field. In the case of Bradley Manning, reports are that he was being abused, threatened and even beaten by members of his unit. This type of attack must have directly contributed to his state of mind and cause him to seek to harm his country. When as person seeks to covertly harm his or her organization there is very little that can be done to stop that harm (although steps can be taken to smartly mitigate it). Therefore, a piece of any solution should be to make absolutely certain that no units exist anywhere in government that inappropriately haze, bully, beat or mistreat co-workers. That sort of behavior does not excuse a malicious actor, but it can certainly contribute to the rise of evil in an individual.

Although that conclusion seems to have been overlooked in the nation’s response, many other actions were coordinated. Most were captured in the Executive Order 13587 signed by the President on 07 October 2011.

That executive order directs many structural reforms, but it seeks to do so in a way that does not impede information sharing. Among the many reforms called for, every agency will implement an insider threat detection and prevention program. This program will carry out the guidance of a broader effort called the Insider Threat Task Force.  So, at a national level, the task force coordinates action, then at an agency level, a program head executes the guidance.

Although actions are underway now at both the task force and agency level, a formal plan with standards is not due till one year after the signing of the executive order, which will be October 2012.

More on the task force and guidance for agencies is available at:

Also see