Watchdog Says Pentagon Needs to Crank Up ‘Insider Threat’ Monitoring
Only half of military components GAO reviewed have logged system and user behaviors to develop "a baseline of normal activity patterns."
Work to rein in some post-Sept. 11 domestic surveillance practices ended with passage of a bill that limits the National Security Agency’s collection of U.S. call records. But regular Joes inside the Pentagon -- or at least those with access to sensitive or classified information -- should expect even greater scrutiny on their workplace digital activities.
Just before the Senate cleared the USA Freedom Act, the Government Accountability Office released a report recommending the Defense Department take new steps to set up so-called “insider threat” programs, which aim to stop information leaks by disgruntled employees.
The unclassified version of the report found only half of military components GAO reviewed have logged system and user behaviors to develop "a baseline of normal activity patterns." The purpose of tracing the activities of Pentagon personnel is to zero in on network "anomalies," computer usage that might be indicative of a leaker, the watchdogs said. NSA is part of the Defense Department.
The employee insider threat program was borne out of various laws and White House policies issued since 2010 that require all departments to do a better job of fortressing classified information. That year, former soldier Chelsea Manning shared top secret files with the WikiLeaks website. The ability of ex-NSA contractor Edward Snowden to reveal classified intelligence in 2013 suggests anti-leak programs need more muscle, Patricia Larsen, co-director of the governmentwide National Insider Threat Task Force, said last December.
This week, GAO agreed. A key element of the Pentagon’s program has not consistently been incorporated Defensewide, the auditors said, noting "three of the six components [evaluated] have developed a baseline of normal activity" on Defense networks. They did not identify the organizations by name.
"Anomalous activities are network activities that are inconsistent with the expected norms, the watchdogs added. "These activities, such as network activity outside of normal work hours or changes in typical data download patterns, could indicate the exploitation of cyber vulnerabilities, among other things."
To detect anomalies, three of the components GAO examined plan to buy or upgrade analytic tools that allow them to monitor user behavior suggesting insider-threat activities. One entity that already has such technology said the enhanced model it expects to obtain will be able to watch a user's behavior across unclassified, secret and top-secret networks.
A handful of policies published between 2000 and 2012 call for establishing a normal activity baseline. Auditors also pointed to a post-Snowden, nonpublic February 2014 directive on protecting national security systems from insider threats.
The U.S. military's 2000 Final Report of the Insider Threat Integrated Process Team instructs organizations to come up with a specific list of employee behaviors that should be tracked online, because otherwise managers will suffer information overload.
It will be impossible to baseline normal activity patterns "with the sheer volume of user characteristics data" unless supervisors establish an "inventory of behavior attributes and patterns grounded in counterintelligence experience and stored to allow for rapid automatic analysis and monitoring," the authors of that Defense report wrote.
Once a Pentagon organization has selected which employee and system activities to keep tabs on, those attributes should be studied for more than a couple of days. A December 2012 Carnegie Mellon Software Engineering Institute manual, Common Sense Guide to Mitigating Insider Threats, states "the longer the organization monitors the chosen data points, the more reliable the baseline will be."
Recommended data points to observe include:
- Communications between devices: the devices a workstation communicates with and the devices a server communicates with;
- Bandwidth consumed, especially noting the differences between bandwidth use during and after business hours;.
- Virtual private network users: times of access, bandwidth consumed, geolocation information;
- Ports and protocols;
- Normal firewall and IDS alerts—Normal alerts may occur when business processes change (e.g., there is increased website traffic).
The Carnegie Mellon researchers note, “Organizations may find it challenging to maintain employee privacy while collecting data to establish a baseline."
(Image via Andrea Danti/ Shutterstock.com)