What is "Insider Threat?"
By Deputy Chief of Naval Operations for Information Warfare (OPNAV N2N6) - October-December 2016
According to SECNAV Instruction 5510.37, dated 8 August 2013, an insider threat is "a person with authorized access who uses that access, wittingly or unwittingly, to harm national security interests or national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in loss or degradation of resources or capabilities."

Simply put, insider threat means the unauthorized or unlawful disclosure of classified information that damages national security; or violence that results in injury, loss of life and/or damage to Navy resources.

Although the Navy has experienced a number of destructive and debilitating insider incidents over the years (the Walker-Whitworth espionage case of the 1980s, for example), a continuous spate of information disclosures and workplace violence has compelled a more focused institutional examination of the threat.

The tragic events of the shooting at Fort Hood in 2009, the damage to USS Miami (SSN-755) in 2012, the Washington Navy Yard shooting in September 2013, the disclosures by National Security Agency contractor Edward Snowden in 2013 and U.S. Army Private First Class Bradley Manning’s massive classified information disclosures in 2010, as well as the recent revelations that the FBI apprehended an NSA insider who had been stealing classified information for years, all clearly fall within the definition of insider threat.

In each case, the actions of these perpetrators could likely have been prevented had their colleagues been alert and attentive to their behaviors and, most importantly, reported them.

Why is Insider Threat Important?

With the most powerful military and the largest economy in the world, the United States is an attractive target not only to our adversaries, but to insiders who seek to harm us or weaken us through compromised information. Insiders are particularly dangerous because, through our confidence and trust, they have been granted access to systems, capabilities, or people they otherwise would not have the opportunity to access. For example, an insider threat to our cybersecurity may target specific sensitive information, classified programs or operations and, through witting collusion, may compromise that information to the detriment of our national security.

As a consequence, through the assistance of the insider, adversaries may then gain knowledge of methodologies and procedures which they can later use for operational purposes, negatively impacting vital streams of intelligence or operational details essential for protecting U.S. lives and property.

As the recent high profile cases have demonstrated, system administrators with privileged user status, the ubiquity and speed of our information systems, our workforce's broad access to sensitive systems, and the comparative ease with which data can be transferred all greatly compound this issue. As a result, the Navy has moved aggressively to deter, detect and mitigate threats from both witting and unwitting insiders.

What Motivates Someone to Consider Acting in This Way?

A feeling of injustice, a loss of something valuable, disregard of a system of protections, the need to feel important, or an antithetical moral obsession could transform an otherwise trustworthy service member or employee into a disgruntled insider or an unwitting potential target for an adversary to exploit. Equally threatening are those who may be stressed by circumstances beyond their control, and who may choose to sell information to alleviate their problems or resort to violence in retaliation for some perceived wrongdoing.

Criminal behaviors that may manifest as a consequence of these motivations include theft, espionage, unauthorized disclosure of sensitive information, sabotage against the United States, and workplace violence. Although our primary focus is on those that would bring harm upon the Navy or its resources, we must also be wary of the well-intended insider that wears a Fitbit or carries a smartphone into a Sensitive Compartmented Information Facility (SCIF). This can result in just as dangerous a compromise of national security information as malicious intent.

The Navy Insider Threat Program

To combat these insider threats, the Secretary of the Navy signed SECNAV Instruction 5510.37 on August 8, 2013, implementing the Department of the Navy (DON) Insider Threat Program (InTP). According to the instruction, the DON shall:
• Ensure existing and emerging insider threat training and awareness programs are developed, updated and implemented.
• Enhance technical capabilities to monitor user activity on all systems in support of a continuous evaluation program.
• Leverage Antiterrorism/Force Protection (AT/FP), Counterintelligence (CI), Human Resources (HR), Information Assurance (IA), Law Enforcement (LE), Security and other authorities to improve existing insider threat detection and mitigation efforts.
• Detect, mitigate and respond to insider threats through standardized processes and procedures.
• Ensure legal, civil and privacy rights are safeguarded.
• Promote awareness and use of employee assistance programs (EAP) to enhance interventions for employees in need. (This link provides additional information, resources, and guidance for Employee Assistance Programs:

In support of SECNAV's policy and to increase awareness throughout the entire workforce, the Chief of Naval Operations published OPNAV Instruction 5510.165A in October 2015, designating the Director of the Navy Staff (DNS) as the Navy’s Senior Official for Insider Threat, establishing a Navy Insider Threat Board of Governance (NITBOG) to address the problem across the entire OPNAV Staff, and organizing a cross-functional Insider Threat Working Group under the DNS to address Navy Insider Threat programs and policies.

CNO's Insider Threat Program (InTP) NITBOG and working group focus on measures aimed at preventing future workplace violence as well as the unauthorized disclosure of classified information. In close coordination with stakeholders from across the OPNAV Staff and the Navy, this team issues directives and recommends policy changes that reinforce the safety and security of both our people and our information. A core member of the team, OPNAV N2N6, focuses on the significant cybersecurity aspects of insider threat.

To address this responsibility, the Deputy Chief of Naval Operations for Information Warfare, N2N6, established the Insider Threat to Cybersecurity (ITCS) Office in 2013. The ITCS Office was created to lead the focus on the intelligence, counterintelligence (CI), information assurance (IA), analytical hub operations, User Activity Monitoring (UAM), and continuous evaluation (CE) elements of Navy Insider Threat.

The ITCS Office is charged with overseeing insider threat activities within these specific areas, and coordinating with related efforts across the antiterrorism/force protection (AT/FP), human resources (HR), law enforcement (LE), security and other mission areas within the operational Navy.

The ITCS Office is also charged with improving information sharing on insider threat deterrence, detection and mitigation efforts. The ITCS office has been working diligently since 2013 to envision, pilot, research, program for and implement an effective and efficient Navy insider threat program. This office is complementary with the non-cyber aspects of insider threat and serves to identify potential insiders before they have the opportunity to significantly compromise national security.

Major elements of ITCS

To deter, detect, mitigate, exploit and deny the activities of insider threats operating against DON programs, information, and operations, while fostering a workforce environment in which employee issues are identified and addressed prior to the advent of inappropriate behavior harmful to National Security.

To implement and execute the full scope of the Insider Threat to Cybersecurity Office, consisting of the development of policies and procedures, a governance structure, employee assistance activities, enhanced continuous evaluation, centralized user activity monitoring, an analytic hub and response capability, and a random polygraph program for privileged users that provides a timely response to potential threat information derived from AT/FP, CI, IA, HR, LE, security, and other sources, as necessary.

Guiding Principles
To effectively and efficiently develop and execute the U.S. Navy ITCS Program, ITCS will align with National, Department of Defense, SECNAV, and the larger U.S. Intelligence Community Insider Threat activities and initiatives; partnering wherever possible, to maximize effective insider threat prevention and mitigation.

The Effort

• Deterrence and sustained vigilance. Take immediate actions to enhance safeguards and decrease the likelihood of insider activity, focusing on the compromise or loss of sensitive or classified information. These actions include:
-- Enhanced continuous evaluation of those in trusted positions;
-- Security review and update;
-- Network upgrades and network hardening efforts;
-- Deploying Two-Person Integrity in cases of sensitive networks and critical infrastructure;
-- Mandatory random polygraphs for privileged users and system administrators;
-- Continuous validation and monitoring of privileged user accounts;
-- Implementation of User Activity Monitoring across all Navy networks;
-- Training the workforce;
-- Creating an environment of trust; and
-- Monitoring the cleared workforce through an analytical hub.

• Compliance: An All Hands Issue. Sailors, civilians and contractors have been entrusted with unique access to sensitive information and information systems, most of which are directly or indirectly related to our national security. Consequently, Navy personnel must adhere to appropriate security policies and procedures designed to safeguard personnel, facilities, information and systems. Compliance with governing law, policies and procedures is a command responsibility and commanders must ensure appropriate implementation of security policies, processes and procedures.

Insider Threats Are Real

All threats, no matter how subtle, are real. The highly publicized aforementioned insider threat incidents represent extreme cases where lives were lost and classified information was leaked on an unprecedented scale. A successful insider threat incident, however, doesn't have to be as dramatic or explosive as those to cause serious or grave damage to the national security. The threat can be much more subtle, and still have crippling consequences.

The fact that the President, Secretary of Defense, SECNAV and CNO have all instituted insider threat programs for the nation, the Defense Department and the Navy reinforces this concern. We must be cognizant of the motivations that could lead a Sailor or employee to become a malicious insider. We must be aware of the behaviors and indicators exhibited by potential malicious insiders. And we must be resolute in our individual responsibility to report questionable activity.

Insider Threat Behavioral Indicators – Know the Signs – When to Report or Show Concern:

Information Collection:
• Keeping classified materials in an unauthorized location.
• Attempting to access sensitive information without authorization.
• Obtaining access to sensitive information inconsistent with present duty requirements.
• Maintaining inappropriate or unauthorized information systems.

Information Transmittal:
• Using an unclassified medium to transmit classified materials.
• Discussing classified materials on a non-secure telephone or email.
• Removing classification markings from documents.

Additional Suspicious Behaviors:
• Repeated or unauthorized work outside of normal duty hours.
• Sudden reversal of financial situation or a sudden repayment of large debts or loans.
• Attempting to conceal foreign travel; not declaring personal foreign travel.
• Repeated attempts to introduce personal portable electronic devices into SCIFs.

The above list of behaviors is just a small set of examples. You should report any observed suspicious behaviors that may parallel or exceed the concerns listed in this article.

What is the Navy Doing?

N2N6 is in the process of implementing several activities across the Navy in support of the Navy’s insider threat program. One of the Navy’s first steps was to begin monitoring cleared personnel activities on our classified networks and systems. Other steps have included implementing a Random Polygraph Program focused on Navy IT Privileged Users in January 2016 (NAVADMIN 15/16); requesting, justifying, and successfully defending a $56.4 million issue over the Fiscal Year 2018-2022 Program Objective Memorandum (POM); receiving funding to begin Insider Threat Analytical Hub operations in FY17 in advance of the FY18 POM; and instituting meaningful insider threat training programs across the Navy.

Further, the Navy supported Fleet Cyber Command directives to harden and better secure Navy networks and systems. In short, the Navy has undertaken a significant effort to deter, detect and mitigate malicious insiders and will continue to meet national and department guidance in this area in order to protect our personnel, resources and national security information.

Know Your Responsibility – Report Suspicious Behavior

Navy personnel need to be especially observant. Follow standard OPSEC procedures and be alert if someone asks about information for which they do not have a need to know. Be cautious of anyone showing unusual or unnecessary interest in your job, or who may inquire about deployment plans, mission, readiness, timetables, technology, organizational morale, or personally identifiable information.

Follow the common sense rules that protect access to your Navy accounts. Be particularly mindful of information you post on social media sites and do not broadcast your financial concerns or personal challenges. Instead, seek support through the numerous resources the Navy, Marine Corps and federal government have to offer. The information you make available can add up to a bigger picture, one that may make you a potential target for exploitation. Remember, you do not have to be the most valuable target, just the most available one.

Espionage, workplace violence and other national security crimes leave a long line of victims. Recognize the indicators. Prevent harm. If you see something — report it!

Report Insider Threat Concerns to:
• Chain of Command
• Security Manager
• Special Security Office
-- Text “NCIS” + tip info to CRIMES (274637)
-- “Tip Submit” Android and iPhone App (select NCIS as agency)

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988