Insider threat is seen as the primary attack vector for intellectual property theft and was reportedly on the rise last year.
State Department officials describing the elements of an effective insider threat program said it mostly comes down to doing the same things someone would do if they’re just trying to be a nice person.
“I’m often asked what is the number one thing we can do to eliminate insider threat. It’s a question: ‘How are you?’” said Jacqueline Atiles, who directs State’s insider threat program.
Following a 2011 executive order, all departments and agencies are required to have implemented such programs meant to “deter, detect and mitigate” insider threats.
Atiles shared details about the department’s program along with State Department policy adviser Gregory Collins on Tuesday at the RSA cybersecurity conference in San Francisco.
A few doors away that day, Bill Evanina, director of the National Counterintelligence and Security Center at the Office of the Director of National Intelligence, described insider threat as “the most insidious” threat in the context of efforts to combat intellectual property theft by the Chinese government.
Evanina was joined in a panel discussion on the issue by John Demers, assistant attorney general for national security and leader of the Justice Department’s China initiative.
The Trump administration officials acknowledged the benefits of a 2014 agreement between Presidents Obama and Xi wherein the two leaders agreed hacking tools shouldn’t be used for industrial espionage to steal private companies’ intellectual property.
“It’s good to have norms,” Evanina said. But Evanina and Demers both suggested that an increase in what Evanina has said is the “number one threat facing our nation” may be attributable to ambiguity the presidents’ agreement left around the more prominent use of individuals with permissioned access to exfiltrate data.
“We’ve seen more insider threat since the Obama-Xi agreement,” Evanina said.
Demers added: “Insider threat wasn’t strictly part of the [Obama-Xi] agreement.”
In 2019, a Cybersecurity Insiders survey saw 70% of organizations confirm insider attacks are becoming more frequent.
The State Department officials described ways to vet and monitor employees through technical means. This can include reviewing their external associations, such as whether they are a Cub Scouts or Boy Scouts leader, and other open source information, in addition to criminal and financial reports. It also includes scanning workers’ communications for “keywords” such as “secret” and tracking whether they are accessing the department’s network remotely or are working without authorization at unusual times.
Atiles noted any program an entity establishes must meet the approval of its general counsel. “This is not ‘Minority Report,’ we don’t get anywhere near that,” she said, referring to the dystopian film about state surveillance that predicts when its citizens will commit crimes.
The State Department officials emphasized the human element and “support” as essential parts of the department’s program for detecting and mitigating malicious, rather than accidental, insider threats.
“Take advantage of support systems,” Collins said. “If you have someone that is going through a tough time and needs to talk to a counselor, or they are having a tough time with their daycare with their kids, figure out ways you can work with them and help them get through that issue.”
Evanina was on the same page.
“An unhappy employee is not just a matter for [human resources],” he said. “It’s a security problem.”