What if the threat came from within? Federal agencies must manage risk


When the Colonial Pipeline was taken down by DarkSide hackers amid a growing ransomware-as-a-service threat, the experience was eye-opening for our country, which was ill-prepared to deal with the potential for growing attacks by profit-seeking hackers. Now, as the Department of Homeland Security (DHS) strives to regulate cybersecurity in the pipeline industry as an afterthought, all federal agencies must turn their attention inward to fortify themselves against external threats and similar internal threats.

The pipeline ransomware hack has brought our nation to its knees; on the East Coast, gas stations closed, vehicles sat idle and business suffered. If the hack had come from inside a federal agency, perpetrated by knowledgeable US government employees instead of an external Eastern European hacker, imagine how much worse it could have been. For many government agencies, it is not necessary to imagine; they have already had to deal with a violation.

Insider threats have long been a concern of government agencies. The federal government’s primary insider threat organization, the National Insider Threat Task Force, was established under the Office of the Director of National Intelligence (ODNI) in 2011.

The same order that convened the task force, Executive Order 13587, also established guidelines for federal agencies working with classified information to develop their own insider threat programs. Over the past decade, the task force, ODNI, and the Department of Defense have intermittently released resources and updated guidance to keep these programs current and interconnected.

But according to the Government Accountability Office (GAO), while regulations exist, they are not applied uniformly by all agencies – or for all authorized employees at all levels, permissions or access, as evidenced by the weakness of the Transportation Security Administration. (TSA) screening protocols for airport workers. The TSA isn’t the only agency underperforming on insider threat requirements: An inspector general’s report found that the Postal Service, a critical part of our nation’s infrastructure, has failed. not yet fully implemented a program to not only protect their information, but also provide a safe working environment.

Every organization has different risk surfaces, but they universally spend a lot of time and money preventing attacks from the outside and potential insider threats from those already on the team. One of the barriers to fully deploying an insider threat capability is the need to address privacy and compliance, which are key to building trust. This unbalanced approach to risk, which gives more importance to the hardening of external access points than internal access points, opens up loopholes that are now being exploited.

There’s a high probability that the next attack on our government will come from a controlled, trusted insider – someone who doesn’t need to find the key to unlock our defenses because they’re already inside. . In this all-too-real scenario, the problem is clear: it’s not the system that’s vulnerable, it’s the people who operate it or exploit it, whether the motivation is external coercion or internal greed. If there is a chance of preventing this eventuality, we must continually assess and strengthen our insider threat programs and challenge our current assumptions and processes.

Federal agencies should continue to strengthen rigorous background checks on government employees and contractors. All federal workers handling classified information are required to complete Standard Form 86 (SF 86) and go through the security clearance check process – but it is shortsighted to minimize this critical step for employees who may not have security clearance but still have access to the organization.

Completing these background checks provides a solid foundation for risk analysis and a basis to begin the real work of an insider threat program, but it is not enough to do a single check and call the problem off. Agencies need to constantly monitor to ensure that threats do not emerge and escalate. The Defense Security and Counterintelligence Agency (DCSA) is the leader in the development and expansion of continuous and ongoing audit and assessment capabilities. But each agency and organization must have its own ability to deter, detect, and mitigate the risk of an insider threat.

Insider threats can take many forms, and federal agencies should double down on their ongoing monitoring to quickly detect people under pressure or stress, as well as misconduct, high-risk behavior and digital anomalies. As technology advances, the capabilities of those who threaten our values ​​and freedoms will also evolve. Maintaining an effective insider threat program requires staying ahead of emerging threats and keeping each agency not only compliant, but also actively validating and improving its capability to ensure that it there are no weak links – human or technological – that can be exploited to gain access to government databases without detection.

Once these programs begin, it is imperative that Congress and federal agencies continue to fund and oversee the security of US citizens’ personal information and protect our national interest. It is not enough to simply put programs in place to comply with a guideline or a regulation. The insider threat is an ever-evolving problem, and federal agencies at all levels will need to regularly update and monitor their systems to stay ahead of potential attacks.

The ramifications of poorly implemented or outdated insider threat programs are too dangerous to ignore. What happened to Colonial Pipeline was a timely reminder. The focus is on organizations with a high number of security clearances, but any agency can be the target. Consider whether the next target was the vast stores of information held in the National Archives or the personal details of millions of Americans held by the Postal Service. Imagine the strain on our economy that could follow an attack on the Federal Trade Commission. What if our skies become the target and the Federal Aviation Administration (FAA) is next?

These scenarios are far from far-fetched, which is why the federal government must be invulnerable to attacks of this nature to properly protect the American people and our national interest. An ever-evolving insider threat program is key to ensuring this protection. There is no way to predict when or where the next attack will occur, but we must act today to ensure the federal government is ready to meet it, when and where it happens.

Col. Michael Hudson (USMC Ret.) is senior director of government solutions at ClearForce, a risk management organization. He served in the Marine Corps for 30 years, including commanding a helicopter squadron, a Marine expeditionary unit and, in his last active duty cantonment, as a sexual assault prevention and response officer. of the Marine Corps.


Comments are closed.