The term “insider threat” is thrown around a great deal in the security world without much clarity. It’s a great marketing buzzword, but what exactly is an “insider threat” security program and how does it affect the Department of Defense? To start with, the National Counterintelligence and Security Center defines an insider threat as occurring when a person with authorized access to U.S. Government resources – including personnel, facilities, information, networks, and systems – uses that access to harm the security of the United States. Over the past century, insider threats have become more and more common, and have been responsible for some of the most damaging attacks on our country’s networks.

To counteract insider threats, the U.S. Government has taken steps to help safeguard agency networks from these inside attacks. On October 7, 2011, the president put into effect Executive Order (EO) 13587 – Structural Reform to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. EO 13587 stressed the importance of managing the people who have access to classified information and included strategies to keep an eye on what these people are doing with said classified information, be it physical or electronic.

EO 13587 also created the National Insider Threat Task Force (NITTF), an interagency task force responsible for preventing, deterring and detecting inside attacks on classified information. The NITTF also assists government agencies, including the DOD, in developing their own insider threat detection and prevention program.

The NITTF established baseline requirements that guide government entities in how they should handle classified information, which can be broken down into three basic parts:

  1. Human Intelligence (HUMINT)
  2. Training
  3. Monitoring

The first part of the equation is human intelligence (HUMINT). The central focus of this is to make sure that only authorized individuals have access to classified information. Part of this is ensuring that people with access to classified information are not compromised or vulnerable to becoming compromised due to issues in their personal lives or outside factors.

The second part of the mandate is straightforward training. People who handle classified documents should be properly trained in what to do and not to do with classified information. This training teaches personnel security guidelines for viewing, transporting or sharing classified information. Clearly outlining the rules and regulations for classified information is very important to protecting against insider threat incidents.

The last part of the equation is the monitoring of user activity on U.S. Government networks. This refers to audit data collection strategies for insider threat detection: hardware and/or software with triggers deployed on classified networks that detect, monitor, and analyze anomalous user behavior for indicators of misuse.
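As an added illustration of the monitoring pillar (not code from the original post, Cisco StealthWatch or the NITTF), here is a minimal user-activity trigger in Python: it derives each user’s daily count of distinct classified documents from constructed audit events and raises an alert when a day exceeds either a hard ceiling or the user’s own baseline. The audit record format, user names and thresholds are assumptions.

```python
"""Baseline-deviation trigger over constructed classified-document audit records.

Added illustration (not Cisco's or NITTF's code): a per-user "distinct documents
read per day" metric with two triggers, a hard ceiling and a deviation from the
user's own baseline. Audit format, names and thresholds are hypothetical.
"""
import statistics
from collections import defaultdict

# Constructed sample audit events: (day, user, document). Not real data.
AUDIT_EVENTS = (
    [(f"2024-03-0{d}", "alice", f"doc-{n}") for d, n in [(4, 1), (4, 2), (5, 3), (6, 4), (6, 5)]]
    + [("2024-03-07", "alice", f"doc-{n}") for n in range(6, 16)]  # burst: 10 docs in one day
    + [(f"2024-03-0{d}", "bob", f"doc-{n}") for d, n in [(4, 20), (5, 21), (6, 22), (7, 23)]]
)


def daily_distinct_docs(events):
    """Map user -> {day: number of distinct documents touched that day}."""
    seen = defaultdict(set)
    for day, user, doc in events:
        seen[(user, day)].add(doc)
    per_user = defaultdict(dict)
    for (user, day), docs in seen.items():
        per_user[user][day] = len(docs)
    return per_user


def find_anomalies(events, min_baseline_days=3, sigma=2.0, hard_ceiling=8):
    """Return (user, day, count, reason) for days that exceed the hard ceiling or
    the user's own baseline (mean + sigma*stdev of that user's other days).
    A stdev floor of 1.0 stops a perfectly flat baseline from flagging +1 noise."""
    alerts = []
    for user, days in daily_distinct_docs(events).items():
        for day in sorted(days):
            count, others = days[day], [c for d, c in days.items() if d != day]
            reasons = []
            if count > hard_ceiling:
                reasons.append(f"above hard ceiling {hard_ceiling}")
            if len(others) >= min_baseline_days:
                mean, sd = statistics.mean(others), statistics.pstdev(others)
                if count > mean + sigma * max(sd, 1.0):
                    reasons.append(f"baseline {mean:.1f} (sd {sd:.1f})")
            if reasons:
                alerts.append((user, day, count, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for user, day, count, reason in find_anomalies(AUDIT_EVENTS):
        print(f"ALERT {user} {day}: {count} distinct documents; {reason}")
```

In a real program the same metric would be computed from the network or host audit feed, and the thresholds tuned per role so that routine high-volume users do not drown the queue.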

By putting these three parts of the equation together, the DOD and other government agencies can help better protect their networks against insider threats. This is especially important for the DOD because of the nature of the data on its networks. If any of its classified military information was compromised, it could result in a serious breach in our national security. And in such a large organization with so many employees, it is imperative that the DOD have a strong insider threat program to keep its data – and our country – safe.


Michael Reed

Security Engineering Manager

Cisco StealthWatch - Federal