When National Security Agency (NSA) contractor Edward Snowden told his supervisor that he needed time off to deal with his epilepsy and boarded a flight bound for Hong Kong with an NSA-estimated 1.7 million classified documents, the agency had no indication of what was about to unfold. Although an extreme example, Snowden’s successful evasion of security protocols is enough to keep counterintelligence professionals up at night.
At the United States Geospatial Intelligence Foundation’s (USGIF’s) GEOINT 2013* Symposium, Jason O’Connor, Lockheed Martin’s Vice President of Analysis and Mission Solutions, updated Defense Media Network on the capabilities of one of these products: LM Wisdom ITI™ (Insider Threat Identification). While cautioning that LM Wisdom ITI™ was not developed in response to Snowden, O’Connor does see increased interest due to Snowden’s actions. “When it comes to LM Wisdom ITI™, I want to be real clear that was not a system or development in response to Snowden. It’s a capability that’s been in development for years at Lockheed Martin. There is certainly more talk, more press, about those types of capabilities,” said O’Connor.
“It’s fair to say that while the Snowden events have increased talk about insider threat, the National Insider Threat Policy has been a driver and will continue to be a driver for those dialogues.”
“LM Wisdom ITI™ is a more longstanding capability that has been with us for awhile,” emphasized O’Connor. O’Connor credits another, lesser reported event as spurring the development of insider threat technology. “It’s fair to say that while the Snowden events have increased talk about insider threat, the National Insider Threat Policy has been a driver and will continue to be a driver for those dialogues,” said O’Connor.
O’Connor was referring to Executive Order 13587, signed by President Barack Obama on Oct. 7, 2011, which sought to standardize the protection of classified data among government agencies without shutting down the sharing of that data. Executive Order 13587 itself came out of a breach in classified data; the WikiLeaks reports. According to the memorandum Obama issued to heads of executive departments and agencies, the National Insider Threat Policy was designed “to promote the development of effective insider threat programs within departments and agencies to deter, detect, and mitigate actions by employees who may represent a threat to national security.”
While Edward Snowden may be the most glaring example of an insider threat detection failure, other factors such as the National Insider Threat Policy have been drivers of the development of insider threat detection technology. The WikiLeaks Channel photo
Instead of relying solely on cyber-related data sources, that while valuable don’t deliver the whole picture, LM Wisdom ITI™ uses a wide range of data sources and models. Those data sources can be integrated to model behavior indicators of a potential insider threat, giving counterintelligence analysts a full picture of the potential insider threat risk profile of a user’s company or government agency. Employees who exhibit high-risk characteristics can then be flagged as a possible insider threat. LM Wisdom ITI™ is used in-house to monitor employee behavior.
A May 2013 study from Carnegie Mellon University’s Software Engineering Institute (SEI) CERT Division on 29 cases of the insider theft of intellectual property for foreign benefit, found examples of victim corporations losing more than $1,000,000 in sales revenues, the loss of more than $40,000,000 in documents, and a decrease in sales in an unnamed foreign country after a competitor in that country created a rival product.
Insider threats are a growing problem, not only for the U.S. government, but also for private industry. A recent FBI study found that 59 percent of employees cop to taking proprietary information upon being terminated. Insider threats also cost money. Lots of it. Losses due to insider threats are estimated to total more $13 billion annually. A May 2013 study from Carnegie Mellon University’s Software Engineering Institute (SEI) CERT Division on 29 cases of the insider theft of intellectual property for foreign benefit, found examples of victim corporations losing more than $1,000,000 in sales revenues, the loss of more than $40,000,000 in documents, and a decrease in sales in an unnamed foreign country after a competitor in that country created a rival product.
The desire to identify insider threats before they manifest themselves isn’t limited to government. Private companies have also increasingly been victims of insider theft. Lockheed Martin photo
LM Wisdom ITI™ is just one potential tool that counterintelligence professionals can use to evaluate the behavior patterns of employees. The FBI identifies activities such as interest in subject matter outside the scope of their work duties, unnecessary copying of material, remotely accessing the computer network at odd times, disregard for company computer policies, and short trips to foreign countries as being red flag behavioral indicators of a potential insider threat risk. Insider threats can be hard to detect. The SEI CERT Division study found that 70 percent of cases involved theft only during working hours.
While Snowden may get the headlines, it’s directives such as the National Insider Threat Policy and the increasing theft of intellectual property from companies that are driving the development of insider threat detection products like LM Wisdom ITI™.
While Snowden may get the headlines, it’s directives such as the National Insider Threat Policy and the increasing theft of intellectual property from companies that are driving the development of insider threat detection products like LM Wisdom ITI™. As companies and government try to ensure that the theft of data and proprietary information don’t become the cost of doing business, predictive analytics and preemptive security are likely to become the coin of the realm.