Why Defense Contractors Should Embrace Insider Threat Requirements

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology and government. He is currently the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys

October is national Cybersecurity Awareness Month, and I think it’s interesting it shares the same calendar space with Halloween. For many people working in government, the prospect of a security breach or hack is at least as scary as the season’s ghosts and goblins are for kids.

But while ghosts are arguably nonexistent and goblins are certainly confined to the realm of Tolkien fantasies, the danger of a cyber threat is all too real, with government becoming a favorite target of attackers in recent years.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Government has recently been motivated to improve its cybersecurity posture in a sort of trial by fire. The WikiLeaks and Edward Snowden incidents were a one-two punch in the gut in terms of worst-case scenarios. Then, the breach at the Office of Personnel Management that resulted in the theft of more than 21 million personal records brought the threat closer to home for millions of government workers.

None of those incidents happened very long ago, yet the government has done an admirable job ramping up its cybersecurity defenses with efforts like upgrading its traffic monitoring system to Einstein 3 Accelerated.

Had cybersecurity not been so woefully overlooked and underfunded, recent efforts might seem more like a strategic defensive upgrade instead of a mad scramble, but at least progress is being made. Nothing motivates people to run faster like a fire creeping up from behind.

Yet, as the government has upgraded its defenses, one fairly large hole remained: the millions of contractors working with government agencies. Although often thought of as just a different type of government employee, they are often subject to slightly different rules and codes of conduct compared to federal personnel.

That is why the recent change to the National Industrial Security Program Operating Manual recently approved by the Defense Department is so important. NISPOM is the key component of the National Industrial Security Program, which provides rules for contractors handling classified government information. It’s taken very seriously, almost like a bible, by many contractors. And just like the Bible, it does not change very often, and never without years of talks and discussion beforehand. The last time the document was modified was when Conforming Change 1 was approved in March 2013.

Change No. 2 to NISPOM is a big one. Along with some new reporting and self-inspection requirements is the stipulation that all government contractors that fall under NISPOM guidelines immediately create a full insider threat program at their companies.

That program must be led by an insider threat program senior official who has the full support and funding needed to create a corporationwide program. The ITPSO, who must be a U.S. citizen, along with all personal working with him or her, must also undergo counterintelligence and security fundamentals training.

Creating an insider threat program from the ground up where none existed before is certainly going to be a challenge for many companies—especially when you consider not every insider threat is actually going to stem from a malicious employee. You can’t just give everyone a lie detector or find out who is deep in gambling debts to spotlight potential turncoats.

Recent studies have shown most of the breaches that result from insider threats are simply accidents stemming from an employee who didn’t understand the rules, guidelines and best practices for handling classified information. So there needs to be heavy training coupled with investigative tactics that can help well-meaning but ignorant employees while also ferreting out the actual malicious ones.

Thankfully, insider threat detection is an emerging field, and many tools are available to examine them from various angles. I recently conducted a deep dive review of several of the top programs in that field, and found them to be highly intuitive and accurate.

The heavy burden on contractors Change 2 imposes is one of the reasons why it took so long to approve. But it’s a necessary and even critical step in these troubling times. Contractors who work with the government hold a very important position where the handling of classified information needs to be treated as an almost sacred duty. Change 2 ensures it’s also the law, and one small step to ensuring the danger posed by today’s cybersecurity threats could soon be no more frightening than the little candy-demanding ghosts that will be visiting our homes later this month