The Navy Approach to Insider Threat
Since the days of the Chelsea Manning and Edward Snowden massive leaks of national security information, the Navy has made significant investment to address the toughest challenges posed by the potential threat from malicious insiders. After the insider threat gained national attention with several damaging breaches that attacked the very fibers of our national security, the President signed an Executive Order mandating that the agencies of the government, including the Navy, develop and implement effective Insider Threat Programs (InTP). As a result, various directives were put in place from the Office of the Director of National Intelligence and the Department of Defense (DoD) to the individual Service’s policies.
Today, the DoD-directed definition of Insider Threat is: “A person with authorized access, who uses that access wittingly or unwittingly, to harm national security interests or national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in loss or degradation of information, resources, or capabilities. The term kinetic can include, but is not limited to, the threat of harm from sabotage or workplace violence.” (SECNAVINST 5510.37)
The Navy has a clearly stated responsibility to establish and maintain an Insider Threat program designed to protect National Security Information on our classified systems and networks, with an associated requirement to identify potential malicious actors before they take action that may damage or harm Navy resources or personnel.
A Measured Acquisition Approach to Insider Threat
Since the first Presidential InTP mandate in 2011, the Navy has identified approximately 135 separate, mandated requirements needed to establish and maintain a program that detects, deters, prevents and mitigates threats to national security from malicious or unwitting insiders. The Navy has adopted a decentralized approach to Insider Threat with Senior Staff Officials leading elements of Insider Threat that best fit within their portfolios as coordinated by the Director of the Navy Staff (DNS), who serves as the Designated Senior Official for Insider Threat for the Navy.
As prevention of compromise of classified information is one of the primary responsibilities of an Insider Threat Program, the Deputy Chief of Naval Operations for Information Warfare (N2N6) has a significant role in the development, management and implementation of the total Navy Insider Threat Program. N2N6 serves as the Navy’s lead for the cyber and counter-intelligence related aspects of Insider Threat. Further, N2N6 serves as the DNS’s Executive Agent to manage Insider Threat across the OPNAV N-Codes and the Fleet. To address these aspects of Insider Threat, N2N6 established a Directorate focused on Insider Threat and developed key activities designed to implement a meaningful and successful Insider Threat program for the Navy.
Since 2013, the Navy has decided to take a measured acquisition approach to develop a Counter-Insider Threat capability that ensures continuity of effort and sufficient resources to implement, manage and operate the program over an extended period of time. Use of an acquisition model program ensures sustainment and appropriate funding of a program that will continue as a Navy program of record for the foreseeable future. N2N6 has established a program of record, made up of several program elements, that provides for three basic InTP capabilities. Those capabilities are:
- Random Polygraph Program for Privileged Users (PUs): Navy network PUs (personnel with enhanced IT system accesses) are now subject to a random counterintelligence polygraph examination. This program provides a counterintelligence scope polygraph to Navy privileged users that have significant access to Navy’s most sensitive and classified systems.
- Analytical Hub (Hub): Development, establishment and maintenance of a separate and discrete operational center for analysis designed to collect appropriate data on all Navy personnel (uniformed, civilian and contractors) and analyze that data to identify potential malicious insiders before they act.
- User Activity Monitoring (UAM): Development and implementation of a capability to monitor, analyze, and report on the activities of all Navy personnel who use Navy classified information networks or systems. This capability baselines and monitors the activity of every Navy individual using Navy networks and systems and reports anomalous and potentially malicious behavior to the Analytical Hub.
Navy Implements Random Polygraphs to Enhance Security
Past failures in safeguarding classified information stored electronically have raised Navy concerns over the protection of critical information and resources. The risk presented by Privileged Users who administer information networks compelled the Vice Chief of Naval Operations to direct N2N6 to establish a random polygraph program for PUs in 2013. The Navy is now using random polygraphs to deter, detect, and mitigate the potential insider threat posed by malicious PUs. PUs are individuals who have been granted access to system controls, monitoring, or administration functions of Navy networks and information systems and typically perform administrator maintenance and routine upkeep activity on those systems.
PUs could use their authorized access to do harm to the security of the United States and can possibly present a significant risk to national security. The Navy’s goal is to randomly select and polygraph approximately 20 percent of our PUs annually. Navy allocates $3.5 million per year for this program. N2N6 works closely with the General Counsel of the Navy to ensure the program complies with applicable statutes, regulations, policy and directives.
The N2N6 Insider Threat branch oversees and coordinates the activities of the Random Counterintelligence Polygraph Program with Naval Criminal Investigative Service (NCIS) to include selection, notification, scheduling, and reporting of results to the appropriate authorities. In coordination with NCIS, N2N6 manages the Random Polygraph Program for PUs while NCIS, as the executive agent for Navy polygraphs, executes the polygraphs. NCIS administers the polygraph examinations in accordance with the DoD directive on administration of polygraph exams. N2N6 provides the policy and oversight functions of the program. To date, Navy has executed 3,144 polygraphs where only 46 of those polygraphs were unsuccessful or required retesting. That represents an anomaly rate of about 3.61 percent, about right for a program that focuses on those that have already been given high level security clearances. However, it does indicate that there are potential problems out there in our cleared workforce.
Establishment of the DON Insider Threat Analytic Hub
The Navy’s Insider Threat Analytic Hub will serve as DON’s insider threat analytic and response center that gathers, integrates, reviews, assesses, reports, and responds to key information derived from continuous evaluation, mission partners, user activity monitoring, polygraph programs, law enforcement and other sources. The DON Hub will be the center of coordination designed to identify, prevent, detect, deter, and mitigate the insider threat with the primary mission of reporting potential malicious insiders to the appropriate authority before a malicious act can take place.
Navy has allocated $56.4 million and 22 personnel over the FY18-23 program (with annual sustainment) to accomplish both the UAM and Analytical Hub goals. Recently, the Under Secretary of the Navy directed that the U.S. Navy, the U.S. Marine Corps and the DON Secretariat collaborate and establish a consolidated DON Insider Threat Analytical Hub. This will be accomplished with Navy building out an analytical hub in accordance with the requirements outlined in our Insider Threat Program of Record; the Marine Corps and Secretariat will fall in on the single hub location. N2N6 will lead the development of the infrastructure within the hub and will receive funding support from the other two entities, as appropriate.
The analysis conducted in the Hub determines if inappropriate behaviors or indicators of a potential insider threat exist. If insider threat activities are validated, the Hub engages with the appropriate authority to ensure proper action is taken to mitigate risk. In addition, enhanced monitoring capabilities promote early discovery of anomalous behaviors. The Hub seeks to identify individuals that may be in crisis and enable commands to intervene to ultimately prevent malicious insider activities before they occur. The DON Hub will also have the operational capability to synchronize effectively with the Defense Insider Threat Management and Analysis Center (DITMAC) for the purpose of mandated reporting, thereby enabling further coordination.
As the Hub continues to mature, additional data sources will be integrated into the Hub capability to increase the Navy’s foothold on vetting insider risk. Information is aggregated within the Hub and will be evaluated using a counter-insider threat automated tool capability. Over the next year, the Navy will continue to work with the Naval Facilities Engineering Command (NAVFAC) to transition all hub operations to a newly designed permanent location in the Washington National Capital Region and continue to work with the program office to move the Hub from initial operating capability to a robust Hub with full operational capability in the near future.
User Activity Monitoring Expansion Across All Navy Networks
UAM is a software tool deployed to each Navy computer to detect anomalous behaviors and potential insider threat activity. A Presidential Memo dated Nov. 21, 2012, requires the deployment of UAM on all classified systems, agency-wide, in order to detect activity indicative of an insider threat. An agency is defined as an agency or department of the government that operates classified systems and manages classified information. Accordingly, every Service of the Department of Defense is an agency for Insider Threat purposes. N2N6 currently manages a UAM fusion cell that analyzes and responds to relevant insider threat information discovered by this purpose-designed software tool. The UAM fusion cell coordinates with the Hub to communicate any behaviors of interest for response and mitigation.
For any DoD element, UAM is a very expensive undertaking with a scope that can exceed tens of thousands of user terminals. Because of the scope of the issue, Navy has also taken a measured approach to UAM, piloting the activity on our most sensitive systems while expanding in a slow and measured approach as resources and authorization allow.
The gravest risk to the Navy may come from insiders on our afloat or undersea assets. For this reason, the Navy will continue to focus on efforts to provide tools that can identify deployed malicious insiders, to include UAM, on classified networks afloat. To that end, the Navy successfully completed an operational test of UAM capabilities during exercise Trident Warrior 2018, an annual at-sea field experiment designed to test new operational concepts afloat. The Trident Warrior experiment offered a chance for the Navy to test new or forthcoming warfare and information technology in an afloat environment. Testing occurred on the operational afloat platforms USS Carl Vinson, USS Halsey and USS Sterett. The test clearly indicated that deployment of insider threat capabilities afloat is a viable and cost-effective method of protecting sailors and Navy resources in an operational environment.
To date, the Navy’s insider threat program is successfully monitoring anomalous behavior in critical areas of the Navy and is moving forward with expansion of the program to encompass the entire Navy population. Currently, Navy is conducting UAM on a significant number of our most sensitive workstations and we have found many instances where law enforcement or command intervention was required. Navy will continue to expand UAM and other Insider Threat capabilities to meet the National, DoD and SECNAV requirements as time goes on, sticking to our measured approach to insider threat capability development.
A Call to Action: What Can You Do?
Insider threat is an all hands effort. The Navy continues to develop its strategic communication plan to coordinate with commands across the Navy. Effective communication is imperative to successfully mitigating potential insider threat activities.
Navy personnel need to be especially observant. It is equally important to remain on the offensive in addition to all the defensive strategies the Navy is implementing. Follow standard OPSEC procedures and be alert if someone asks about information for which they do not have a need to know. Be cautious of anyone showing unusual or unnecessary interest in your job, or who may inquire about deployment plans, mission, readiness, timetables, technology, organizational morale, or personally identifiable information. You, as an insider, may be a target as well! In addition, be on the alert for questionable or inappropriate behavior by your fellow office mates. In many of the Navy’s most notorious cases, like the Walker-Whitworth Ring, insiders simply carried massive amounts of classified information off the ship or out of their offices. This is entirely preventable with appropriate training and monitoring.
Follow the common sense rules that protect access to your Navy accounts. Be particularly mindful of information you post on social media sites, and do not broadcast your financial concerns or personal challenges. Instead, seek support through the numerous resources the Navy, Marine Corps, and federal government have to offer. The information you make available can add up to a bigger picture, one that may make you a potential target for exploitation. Remember, you do not have to be the most valuable target, just the most available one.
Espionage, workplace violence and other national security crimes leave a long line of victims. Recognize the indicators. Prevent harm. If you see something – report it!
How to Report Insider Threat Activity
Insider Threat is every employee’s concern! Through implementation of a proactive and effective Insider Threat program, the Navy can minimize, or eventually eliminate, the unauthorized compromise or theft of National Security Information or head off the next destructive act that would target Navy personnel. A fully operational and effective Navy is critical to meet our National Security needs as we move into the future. Stopping the malicious insider, both witting and unwitting, will go a long way to ensuring the future effectiveness of the United States Navy.
Report Insider Threat Concerns to:
- Chain of Command
- Security Manager
- Special Security Office
- Text “NCIS” + tip info to CRIMES (274637)
- “Tip Submit” Android and iPhone App (select NCIS as agency)