According to SECNAV Instruction 5510.37 dated 8 August 2013, an Insider Threat is "a person with authorized access who uses that access, wittingly or unwittingly, to harm national security interests or national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in loss or degradation of resources or capabilities."
Simply put, Insider Threat means the unauthorized or unlawful disclosure of classified information that damages national security; or violence that results in injury, loss of life and/or damage to Navy resources.
Although the Navy has experienced a number of destructive and debilitating insider threat-related incidents over the years (like the Walker-Whitworth espionage case of the 1980s, for example), a recent continuous spate of information disclosures across DoD and instances of workplace violence have compelled a more focused inter-agency examination of the threat that resulted in several Executive Orders and associated national-level policy guidance documents regarding Insider Threat.
The tragic events of the shooting at Fort Hood in 2009, the sale of Navy classified information by Petty Officer Bryan Minkyu Martin in 2011, the damage to USS Miami (SSN-755) in 2012, the Washington Navy Yard shooting by Aaron Alexis in September 2013, the significant list of personnel caught up in the Glenn-Marine/Fat Leonard scandal starting in 2013 (and continuing through today), U.S. Army’s Private First Class Bradley Manning’s massive classified information disclosures in 2010, the National Security Agency contractor Edward Snowden’s extensive theft of classified information in 2013, and the case of Lt. Cmdr. Edward Lin who was charged with espionage and accepted a plea agreement for six year’s incarceration in 2016 — all indicate that the Department of Defense and the Navy have a significant Insider Threat problem. And there are many more instances!
In each case, the actions of these perpetrators could likely have been prevented had appropriate monitoring capabilities been implemented or had their colleagues been alert and attentive to their behaviors and, most importantly, reported it.
Why is Insider Threat Important?
With the most powerful military and the largest economy in the world, the United States is an attractive target not only to our adversaries, but to insiders who seek to harm us, illicitly benefit, or weaken us through compromised information. Insiders are particularly dangerous because, through our confidence and trust, they have been granted access to systems, capabilities or people they otherwise would not have the opportunity to access. For example, an insider threat to our cybersecurity may target specific sensitive information, classified programs or operations; and through witting collusion for private gain, may compromise that information to the detriment of our national security by either destroying or selling that information to a potential adversary.
As a consequence, through the assistance of an insider, adversaries may then gain knowledge of methods and procedures which they can later use for operational purposes, negatively impacting vital streams of intelligence or operational details essential for protecting U.S. lives and property or by gaining “leap ahead” technology that the Navy has spent years and significant resources to obtain. The witting insider with malicious intent is a true detriment to our goal of Dominance across the maritime domain and represents a clear and present danger to the security of our Nation.
As the recent high profile cases above have demonstrated, system administrators with privileged user status, the ubiquity and speed of our information systems, our workforce's broad access to sensitive systems and locations, and the comparative ease with which data can be transferred all greatly compound this issue. As a result, the Navy has moved aggressively to prevent, deter, detect and mitigate threats from both witting and unwitting insiders.
What is an Insider’s Motivation?
A feeling of injustice, a loss of something valuable, disregard of a system of protections, the need to feel important, just the thought that the rules don’t apply, or an antithetical moral obsession could transform an otherwise trustworthy service member or employee into a disgruntled insider or an unwitting potential target for an adversary to exploit. Equally threatening are those who may be stressed by circumstances beyond their control, and who may choose to sell information to alleviate their problems or resort to violence in retaliation for some perceived wrongdoing. All the above have been witnessed by every agency of the government.
Criminal behaviors that may manifest as a consequence of these motivations include theft, espionage, unauthorized disclosure of sensitive information, sabotage against the United States, and workplace violence. Although our primary focus is on those that would bring harm upon the Navy or its resources, we must also be wary of the well-intended insider that wears a Fitbit or carries a smartphone into a Sensitive Compartmented Information Facility (SCIF). This can result in a dangerous compromise of national security information as well.
The Navy Insider Threat Program
To combat these insider threats, the Secretary of the Navy signed SECNAV Instruction 5510.37 on August 8, 2013, implementing the Department of the Navy (DON) Insider Threat Program (InTP). According to the instruction, the DON shall:
- Ensure existing and emerging insider threat training and awareness programs are developed, updated and implemented.
- Enhance technical capabilities to monitor user activity on all systems in support of a continuous evaluation program.
- Leverage Antiterrorism/Force Protection (AT/FP), Counterintelligence (CI), Human Resources (HR), Information Assurance (IA), Law Enforcement (LE), Security and other authorities to improve existing insider threat detection and mitigation efforts.
- Detect, mitigate and respond to insider threats through standardized processes and procedures.
- Ensure legal, civil and privacy rights are safeguarded.
- Promote awareness and use of employee assistance programs (EAP) to enhance interventions for employees in need. (This link provides additional information, resources, and guidance for Employee Assistance Programs: http://www.militaryonesource.mil.)
In support of SECNAV's policy and to increase awareness throughout the entire workforce, the Chief of Naval Operations published OPNAV Instruction 5510.165A in October 2015, designating the Director of the Navy Staff (DNS) as the Navy’s Senior Official for Insider Threat, establishing a Navy Insider Threat Board of Governance (NITBOG) to address the problem across the entire OPNAV Staff and throughout the Fleet, and organizing a cross-functional Insider Threat Working Group under the DNS to address Navy Insider Threat programs and policies.
CNO's Insider Threat Program (InTP) NITBOG and its subordinate working group focus on measures aimed at preventing unauthorized disclosure of classified information as well as deterring future workplace violence. In close coordination with stakeholders from across the OPNAV staff and the Navy, this team issues directives and recommends policy changes that reinforce the safety and security of both our people and our information. A core member of the team, OPNAV N2N6, focuses on the significant cybersecurity and counterintelligence aspects of Insider Threat.
To address this responsibility, the Deputy Chief of Naval Operations for Information Warfare, N2N6, established the Insider Threat to Cybersecurity (ITCS) Office in 2014. The ITCS Office was created to lead the focus on the intelligence, counterintelligence (CI), information assurance (IA), analytical hub operations, user activity monitoring (UAM), and continuous evaluation (CE) elements of Navy Insider Threat.
The ITCS Office is charged with planning, implementing and overseeing Insider Threat activities within these specific areas, and coordinating with related efforts across the AT/FP, HR, LE, security and other mission areas within the operational Navy. The ITCS Office is also charged with improving information sharing on insider threat prevention, deterrence, detection and mitigation efforts. Accordingly, the ITCS Office maintains a close association with the recently established Defense Insider Threat Management and Analysis Center (DITMAC).
The ITCS office has also been working diligently since 2013 to envision, pilot, research, program for and implement an effective and efficient Navy Insider Threat program. This office is complementary with the non-cyber aspects of Insider Threat and serves to identify potential insiders before they have the opportunity to significantly compromise national security. Within the last year, the ITCS office has adopted an acquisition approach to Insider Threat with the goal of establishing a Program of Record for the Navy’s Insider Threat Program. That goal was achieved in October 2017 and the ITCS office has successfully secured a $56.4 million-dollar program to address Insider Threat capabilities beginning in FY18. As envisioned, it is likely that Insider Threat will be a Navy Program of Record for possibly the next 200 years!
Major elements of ITCS
The mission of the ITCS office is to develop a Navy program that seeks to prevent, deter, detect, mitigate and deny the activities of insider threats operating against DON and Navy programs, information and operations, while fostering a workforce environment in which employee issues are identified and addressed prior to the advent of inappropriate behavior harmful to national security.
The organization vision is to develop a program in coordination with other key Navy stakeholders that implements and executes the full scope of ITCS, consisting of the development of policies and procedures, a governance structure, employee assistance activities, enhanced continuous evaluation, centralized user activity monitoring, an analytic hub and response capability, and a random polygraph program for privileged users that provides a timely response to potential threat information derived from AT/FP, CI, IA, HR, LE, security, and other sources, as necessary.
Our guiding principles are in order to effectively and efficiently develop and execute the U.S. Navy ITCS Program, ITCS will align with National, Department of Defense, SECNAV, and the larger U.S. Intelligence Community Insider Threat activities and initiatives; partnering wherever possible, to maximize effective insider threat prevention and mitigation while minimizing resource requirements and cost.
• Deterrence and sustained vigilance. In implementing an effective Insider Threat program, the Navy has taken immediate actions to enhance safeguards and decrease the likelihood of insider activity, focusing on the compromise or loss of sensitive or classified information. These actions included or will include:
- Enhanced continuous evaluation of Navy personnel;
- Enhanced security review and update of networks and systems;
- Network upgrades and network hardening efforts;
- Deploying Two-Person Integrity in case of sensitive networks and critical infrastructure;
- Mandatory random polygraphs for privileged users and system administrators;
- Continuous validation and monitoring of privileged user accounts;
- Implementation of User Activity Monitoring across all Navy classified networks;
- Training the workforce on Insider Threat principles and activities;
- Creating an environment of trust; and
- Monitoring the cleared workforce through an Analytical Hub operation.
• Compliance: An All Hands Issue. Sailors, civilians and contractors have been entrusted with unique access to sensitive information and information systems, most of which are directly or indirectly related to our national security. Consequently, Navy personnel must adhere to appropriate security policies and procedures designed to safeguard personnel, facilities, information and systems. Compliance with governing law, policies and procedures is a command responsibility and commanders must ensure appropriate implementation of security policies, processes and procedures.
Insider Threats Are Real
All threats, no matter how subtle, are real. The highly publicized, aforementioned Insider Threat incidents represent extreme cases where lives were lost and classified information was leaked on an unprecedented scale. A successful Insider Threat incident, however, doesn't have to be as dramatic or explosive as those to cause serious or grave damage to the national security. The threat can be much more subtle, and still have crippling consequences. The fact that the President, Secretary of Defense, Secretary of the Navy and the Chief of Naval Operations have all instituted Insider Threat programs for the Nation, the Defense Department and the Navy reinforces this concern.
We must be cognizant of the motivations that could lead a Sailor or employee to become a malicious insider. We must be aware of the behaviors and indicators exhibited by potential malicious insiders. And we must be resolute in our individual responsibility to report questionable activity. Although automation is one of the many tools that the Navy is implementing to watch for malicious insiders, the Insider Threat problem is not a cybersecurity problem, it is a personnel problem. The advent of high speed automation combined with massive storage ability is not the problem; the problem is the insider, intent on malicious activity with ready access to that high speed automation. In the end, an effective Insider Threat program must prevent and deter such activity to be effective.
Insider Threat Behavioral Indicators — Know the Signs — When to report or show concern:
- Keeping classified materials in an unauthorized location.
- Attempting to access sensitive information without authorization.
- Obtaining access to sensitive information inconsistent with present duty requirements.
- Maintaining inappropriate or unauthorized information systems.
- Using an unclassified medium to transmit classified materials.
- Discussing classified materials on a non-secure location, telephone or email.
- Removing classification markings from documents.
- Removing classified information from an authorized facility without authorization.
Additional Suspicious Behaviors:
- Repeated or unauthorized work outside of normal duty hours.
- Sudden reversal of financial situation or a sudden repayment of large debts or loans.
- Attempting to conceal foreign travel; not declaring personal foreign travel or associations.
- Repeated attempts to introduce personal portable electronic devices into SCIFs.
The above list of behaviors is just a small set of examples. You should report any additional observed behaviors that may parallel or exceed the concerns listed here. Naval Criminal Investigative Service (NCIS) has published a list of reportable behaviors that the concerned individual can use as a guide.
What is the Navy Doing?
N2N6 is in the process of implementing several activities across the Navy in support of the Navy’s Insider Threat program. One of Navy’s first steps was to begin monitoring cleared personnel activities on our classified networks and systems; implementing a Random Polygraph Program focused on Navy IT Privileged Users in January 2016 (See NAVADMIN 15/16); establishing a $56.4 million issue over the Fiscal Year 2018-2022 Program Objective Memorandum (POM); receiving funding to begin Insider Threat Analytical Hub operations in FY17 in advance of the FY18 POM; and instituted meaningful Insider Threat training programs across the Navy. Further, Navy supported Fleet Cyber Command directives to harden and better secure Navy networks and systems. In short, the Navy has undertaken a significant effort to prevent, deter, detect and mitigate malicious insiders and will continue to meet national and department guidance in this area in order to protect our personnel, resources, and national security information.
Know Your Responsibility — Report Suspicious Behavior
Navy personnel need to be especially observant. Follow standard OPSEC procedures and be alert if someone asks about information for which they do not have a need to know. Be cautious of anyone showing unusual or unnecessary interest in your job, or who may inquire about deployment plans, mission, readiness, timetables, technology, organizational morale, or personally identifiable information. You, as an insider, may be a target as well!
Follow the common sense rules that protect access to your Navy accounts. Be particularly mindful of information you post on social media sites, and do not broadcast your financial concerns or personal challenges. Instead, seek support through the numerous resources the Navy, Marine Corps, and federal government have to offer. The information you make available can add up to a bigger picture, one that may make you a potential target for exploitation. Remember, you do not have to be the most valuable target, just the most available one.
Espionage, workplace violence and other national security crimes leave a long line of victims. Recognize the indicators. Prevent harm. If you see something — report it!
Report Insider Threat Concerns to:
- Chain of Command
- Security Manager
- Special Security Office
- Text “NCIS” + tip info to CRIMES (274637)
- “Tip Submit” Android and iPhone App (select NCIS as agency)
Insider Threat is every employee’s concern! Through implementation of a proactive and effective Insider Threat program, the Navy can minimize, or eventually, eliminate the unauthorized compromise or theft of National Security Information or head off the next destructive act that would target Navy personnel. A fully operational and effective Navy is critical to meet our National Security needs as we move into the future. Stopping the malicious insider, both witting and unwitting, will go a long way to ensuring the future effectiveness of the United States Navy.