What if the threat comes from within? Federal agencies must address the risk

What if the threat comes from within? Federal agencies must address the risk
© iStock

When the Colonial Pipeline was brought down by DarkSide hackers as part of a growing ransomware as a service threat, the experience was eye-opening for our country, which was ill-prepared to address the potential for expanding attacks by hackers seeking only profit. Now, as the Department of Homeland Security (DHS) scrambles to regulate cybersecurity in the pipeline industry after the fact, all federal agencies need to turn their attention inward to fortify themselves against similar external threats and insider threats.

The ransomware hack on the pipeline forced our nation to its knees; on the East Coast, gas stations closed, vehicles sat idle, and business suffered. If the hack had come from inside a federal agency, perpetrated by knowledgeable U.S. government employees instead of an external hacker from Eastern Europe, imagine how much worse it could have been. For many government agencies, there is no need to imagine; they already have had to deal with being breached.  

Insider threats long have been a concern for government agencies. The federal government’s main insider threat organization, the National Insider Threat Task Force, was established under the umbrella of the Office of the Director of National Intelligence (ODNI) in 2011. 

ADVERTISEMENT

The same order that convened the task force, Executive Order 13587, also set up guidelines for federal agencies working with classified information to build out their own insider threat programs. Throughout the past decade, the task force, ODNI and Department of Defense intermittently have released resources and updated guidelines to keep these programs current and interconnected. 

But according to the Government Accountability Office (GAO), although the regulations exist, they aren’t being uniformly implemented by every agency — or for all cleared employees at all levels, clearance or access, as evidenced by the weakness of the Transportation Security Administration’s (TSA) screening protocols for airport workers. TSA isn’t the only agency underperforming on insider threat requirements: an inspector general’s report found that the Postal Service, a critical element of our nation’s infrastructure, has yet to fully implement a program to not only keep their information secure, but also provide a safe work environment. 

Each organization has different risk surfaces, but they are universally spending significant time and money on preventing attacks from the outside and potentially missing insider threats from those already on the team. One of the barriers to fully deploying an insider threat capability is the need to address privacy and compliance, which are critical to building trust. This unbalanced approach to risk, with more weight placed on hardening external access points than internal ones, opens gaps that today are being exploited. 

There is a high probability the next attack on our government will come from a vetted, trusted insider — someone who doesn’t need to find the key to unlock our defenses because they are already inside. In this all-too-real scenario, the problem is clear: It’s not the system that is vulnerable, it’s the people operating it or exploiting it, whether the motivation is external coercion or internal greed. If there is any chance of preventing that eventuality, we need to continually evaluate and strengthen our insider threat programs and challenge our current assumptions and processes. 

Federal agencies must continue to enhance strong background checks on government employees and contractors. All federal workers dealing with classified information are required to fill out the Standard Form 86 (SF 86) and go through the security clearance screening process — but it is shortsighted to minimize this critical step for those employees who may not have a security clearance but still have access to the organization. 

ADVERTISEMENT

Conducting these background checks provides a solid foundation for risk analysis and a basis to begin the real work of an insider threat program, but it’s not enough to do one check and consider the problem nullified. Agencies must continuously monitor to ensure that threats don’t appear and escalate. The Defense Counterintelligence and Security Agency (DCSA) is the lead for developing and expanding ongoing, continuous vetting and evaluation capability. But every agency and organization must have their own capability to deter, detect and mitigate the risk of an insider threat. 

Insider threats can come in many forms, and federal agencies should double down on continuous monitoring for early detection of individuals under pressure or stress, as well as misconduct, high-risk behaviors, and digital anomalies. As technology advances, so too will the capabilities of those who threaten our values and freedoms. Maintaining an effective insider threat program requires staying ahead of new threats and keeping each agency not only compliant but actively validating and enhancing their capability to ensure that there are no weak links — human or technological — that can be exploited to gain access to government databases without detection.

Once these programs are off the ground, it’s imperative that Congress and federal agencies continue to fund and provide oversight to keep American citizens’ personal information secure and protect our national interest. It’s not enough to simply put the programs in place to meet a guideline or regulation. Insider threat is a constantly evolving problem, and federal agencies at all levels will need to update and attend to their systems regularly to stay ahead of potential attacks. 

The ramifications of poorly implemented or out-of-date insider threat programs are too dangerous to disregard. What happened to Colonial Pipeline was a timely reminder. There is a significant focus on organizations with high numbers of security clearances, but any agency can be the target. Consider if the next target were the vast stockpiles of information held in the National Archives, or the personal details for millions of Americans maintained by the Postal Service. Imagine the pressure on our economy that could follow an attack on the Federal Trade Commission. What if our skies become the target and the Federal Aviation Administration (FAA) is next? 

These scenarios are nowhere near farfetched, which is why the federal government must be invulnerable to attacks of this nature to properly protect the American people and our national interest. An evolving insider threat program is the key to securing that protection. There is no way to predict when or where the next attack will occur, but we must act today to ensure the federal government is prepared to face it, whenever and wherever it happens.

Col. Michael Hudson (USMC Ret.) is senior director of government solutions at ClearForce, a risk management organization. He served in the Marine Corps for 30 years, including commanding a helicopter squadron, a Marine Expeditionary Unit, and, in his last active duty billet, as the Marine Corps’s Sexual Assault Prevention and Response lead.