DOD coming up short on insider threat safeguards, GAO says

A report released by the Government Accountability Office notes significant flaws in the department’s program to prevent breaches from inside.

While certain components of DOD’s insider-threat implementation program have been incorporated, other major standards have been neglected, according to a Government Accountability Office report. Specifically, the department has not analyzed gaps or incorporated risk assessments into the program.      

As far back as 2000, DOD issued an integrated process team report on guarding against insider threats to information systems. The issue came to a head in 2010 following massive disclosures of classified information by then-Army soldier Bradley (now Chelsea) Manning. (The report refers to leaks by Manning and Edward Snowden, though not by name.)

Congress in 2011 called for DOD to establish an insider threat program while the White House issued an executive order establishing an interagency task force, known as the National Insider Threat Task Force. A 2012 presidential memorandum directed agencies to create insider threat programs by May 2013 and identified six minimum standards for the programs: (1) designation of senior official(s); (2) information integration, analysis, and response; (3) insider-threat program personnel; (4) access to information; (5) monitoring user activity on networks; and (6) employee training and awareness. 

GAO stated that while DOD and the six selected DOD components it reviewed have begun incorporating the minimum standards, they have not done so consistently.

GAO’s report, which was originally issued in a classified setting in April, notes that around that same time, DOD made a particular point to highlight the need to mitigate insider threats in its newly updated Cyber Strategy, which said DOD was pursuing security against insider threats “through continuous network monitoring, improved cybersecurity training for the workforce, and improved methods for identifying, reporting, and tracking suspicious behavior.” 

The report continued: “Mitigating the insider threat requires good leadership and accountability throughout the workforce. Beyond implementing policies and protocols, leaders will strive to create a culture of awareness to anticipate, detect, and respond to insider threats before they have an impact.”   

Although DOD is required to complete a continuing analysis of gaps in security measures, DOD officials reported in 2014 that this survey had been suspended due to financial and personnel limitations. “This survey would have allowed DOD to define existing insider-threat program capabilities; identify gaps in security measures; and advocate for the technology, policies, and processes necessary to increase capabilities in the future,” GAO wrote. Without that information, “the department will not know whether their capabilities for insider-threat detection and analysis are adequate and fully address the statutory requirements.”          

GAO starkly pointed out that it found DOD had not incorporated risk assessments into insider threat programs. Risk assessments, GAO noted, “provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies. Risk assessments generally include the tasks of identifying threats and vulnerabilities, and determining consequences.”

Despite the fact that some DOD officials said insider threats are included in other risk assessments, these assessments are “technical in nature and focus on the vulnerabilities of individual systems” and “do not provide insider-threat program officials with complete information to make informed risk and resource decisions about how to align cybersecurity protections.” Further compounding this issue, GAO continued, is that officials in the Office of the Undersecretary of Defense for Intelligence do not view the results of the National Security Agency assessments or Command Cyber Readiness Inspection reports, meaning a “senior-level official does not know which specific types of risk the department is incurring.”     

Aside from the two major flaws mentioned at the outset, GAO also picked up on a lack of guidance from the top level of DOD. “DOD officials stated that they would need supplemental planning guidance that helps them identify actions, such as the key elements, beyond the minimum standards that they should take to enhance their insider-threat programs,” according to the report. “The current DOD directive does not contain additional guidance for implementing key elements of an insider-threat program beyond the minimum standards.”

A draft implementation plan provides guidance on minimum standards but not recommended elements. DOD was expected to release supplemental guidance in January 2015.