Oftentimes more frustrating to the U.S. government than the threat of an emboldened Russia or Chinese economic espionage is the trusted insider.
Insider threats have disclosed and improperly removed troves of sensitive information from government networks that compromise secrets and highly secretive security programs. While various technical and cyber-enabled monitoring tools have been applied to prevent such actions, the intelligence community's top counterintelligence officer believes understanding the human element is the most important component.
"The mind of the insider threat: That is what I believe to be the critical component of stopping, if we can," the individual that wants to be nefarious and do malicious behavior, said William Evanina, the national counterintelligence executive within the Office of the Director of National Intelligence.
Speaking during a Monday event hosted by the Intelligence and National Security Alliance in Arlington, Virginia, he said monitoring these insider threats is "almost impossible" because the intelligence community, government or private sector are not going to create a draconian environment where they search people on their way in and out.
The question, then, does not become one of technological solutions — some of which use analytics to monitor certain cyber activity — but rather how to get "left of an event" by identifying the individual and providing a venue to act out. These venues, he said, could be as simple as an employee assistance program, an interview with someone in the security department or a peer consultation.
There are highly capable tools to track keyboard strokes and data, but they will not identify an individual who was passed up for a promotion or the individual going through a divorce or financial difficulties, Evanina said. "There is no technological monitoring that can detect that."
He said there are three categories that are key to understanding and identifying the insider threat: narcissism; Machiavellianism (the ability or a want to manipulate others); and a callous, cold personality.
The key to success for curbing insider threats will be to marry these three categories by understanding the individual’s mindset and having robust monitoring on the individual's systems and data, Evanina said.
The Department of Defense has previously examined and applied certain technological and behavioral analytics to monitor threats.
INSA released a white paper outlining behavioral models that can improve the monitoring of insider threats. "Both goals — improving early warning of vulnerability and understanding individual complexity — entail not only defining psychological models but also seeking methodologies and tools that can assist in swift, continuous identification and assessment," the white paper reads. "Most efforts to date have focused on characterizing individuals at a specific point in time — during an initial or periodic investigation — but employers now recognize the importance of leveraging innovative technology and data sources to monitor and evaluate individuals on a continuous basis."
With the boom in social media, the report notes that leveraging certain tools can help identify certain individuals and personalities at risk for insider threats. These include personality mapping (psycholinguistics), life-event detection (text analytics) and emotion detection (sentiment analysis).
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.