The relatively new discipline blends together the roles of counterintelligence analyst, human resources professional and information security professional.
A New Year’s goal of the federal office responsible for averting employee leaks is to make a career out of catching so-called insider threats.
It is a delicate task to simultaneously guard hard-working federal personnel and expose the bad apples. And it takes different talents than those one would find in a counterintelligence analyst, human resources professional or information security professional. The insider threat discipline melds all those disciplines.
"It’s a privilege to work in that program. And the only reason that you are there is to help protect your colleagues, not to out them. So, we’ve got to professionalize that workforce of people who do this for a living," said Patricia Larsen, co-director of the National Insider Threat Task Force. "They have to view themselves as part of a community."
Larsen was speaking at a forum hosted by Nextgov earlier this month.
Background investigators these people are not. Although, that profession now has somewhat of a reputation problem, too.
The Office of Personnel Management on Thursday began notifying more than 48,000 employees their personal information may have been exposed following a possible cyber intrusion at KeyPoint Government Solutions, which conducts background checks on personnel applying for security clearances. Over the summer, USIS, once the government’s largest provider of employee investigator, disclosed a data breach, potentially compromising information on 25,000 workers.
The Obama administration created Larsen’s office after former soldier Chelsea Manning spilled U.S. secrets to Wikileaks. The more recent actions by ex-contractor Edward Snowden that revealed National Security Agency intelligence indicate the task force needs to pick up the pace, she said.
But there is no occupational series and pay scale for the insider threat profession. The task force is exploring whether a new occupational code might be warranted, Larsen told Nextgov. In the meantime, agencies are using several existing job classifications to recruit staff.
Personnel with insider threat-related tasks can easily earn six-figure salaries in government or industry. Currently, there is an opening at OPM for a “Supervisory Intelligence Operations Specialist” with a salary between $106,263 and $138,136, whose responsibilities include insider threat awareness training, according to USAJobs.gov.
Talent search firm Hudson is recruiting an “IT Risk Evaluation Manager” for an unnamed financial institution who, similarly, would be paid between $100,000 and $130,000 to have an “in-depth understanding” of insider threat analysis to keep the company’s proprietary computer code secure.
Today, internal threat specialists serving within roughly 70 different agencies come from the fields of counterintelligence, information security and civil liberties, as well as law enforcement.
Some agencies have hired intelligence analysts from the "0132" job series defined by OPM. Others have focused more on the investigative capabilities within the 1800 series, or 0080 security specialists.
"They bring their own experiences with them but now we’re asking them to do a unique skillset, a unique discipline -- to be an insider threat professional," Larsen said.
Every federal agency that has access to classified information is required to set up an insider threat program. Many have robust initiatives in place, while others are still in the early stages and are still filling positions. The size of the insider threat workforce for each department will vary based on the agency's size, mission and access to secrets, Larsen said.
These professionals must learn how to synthesize intelligence from myriad sources that analysts traditionally don’t use all at once. It requires some technical expertise to perform the “big data analysis” and to refine algorithms that ingest the data to flag potential rogue behavior, Larsen said.
The specialists must undergo awareness training on privacy protections, intelligence oversight and investigative procedures, should suspicions bear out.
"In the event detected activity necessitates referral to law enforcement," it is crucial that the insider threat personnel do not interfere with potential prosecutions or psychological treatment, Larsen said. "It is also critical to remember the human element, and the expertise of clinical psychologists is crucial to inform insider threat analysis.”