In the aftermath of the embarrassing leak of hundreds of thousands of sensitive government and military documents to the whistleblower website WikiLeaks, the Obama administration formed an interagency task force to refine the government's defences against insider threats.
That effort, which could inform private-sector security practices and will have a significant impact on security-cleared defence contractors, is set to wrap up this year, with an initial report expected to be issued to the White House and senior national security authorities in the next month or two, and a final set of standards and guidance for implementation likely to roll out to the departments and agencies in October, federal officials said Wednesday here at the FOSE government IT conference.
"If you were going to put it in one word, it's focusing on the threat posed by malicious insiders," said John Swift, senior policy advisor to the Insider Threat Task Force for the office of the director of national intelligence.
President Obama issued the executive order establishing the task force in October in response to the alleged exfiltration of huge stores of classified documents by Bradley Manning, and their subsequent publication in various global media outlets.
The executive order directs all agency heads who deal with classified information to designate a senior official to oversee the organisation's activities surrounding the sharing and protecting of sensitive files, and to implement a program to detect insider threats once the task force issues its final guidelines. Those agencies will also be charged with conducting self-assessments of their compliance with the new standards and policies, and required to submit those reports to a new steering committee that the executive order established. Affected agencies will also be expected to dispatch staff, as needed, to the task force and a new Classified Information Sharing and Safeguarding Office.
That will mean a variety of new mandates for cash-strapped agencies -- always a source of concern in the government -- though the president's executive order allows that implementation of the directive is subject to the availability of funding.
Officials formulating the guidelines for deterring insider threats sought to downplay the impact their work would have on agency operations, and noted that they are seeking input from all corners of government to ensure they arrive at a practical implementation strategy that will prevent another WikiLeaks-like episode without establishing an onerous compliance burden or trampling on government employees' privacy or civil rights.
"On a macro level almost you can't be looking at one aspect of this directive. You have to be looking at systems and people," said the FBI's Diana Braun. "In other words, nobody's sitting in an ivory tower and coming up with policies that aren't possible to implement in the field."
Braun explained that the task force is not approaching the issue of insider threats with a "one-size-fits-all" mentality, but will provide agencies with some flexibility to implement the standards in accordance with the nuances of their organisation.
What's more, members of the task force are urging agency heads to continue to evaluate and strengthen their existing procedures for detecting insider threats ahead of the final directive, noting that any government arm that handles or accesses classified data should already be acting in concert with a set of best practices. Even though the final standards and guidelines from the task force aren't due out until October, the administration has already tasked agencies with firming up their stance on other factors often involved in a data breach, such as the policies governing removable media, online identity management, access control and enterprise auditing.
"No agency is starting from scratch. That's the good news," Swift said. "It's going to take a while before agencies have a hard set of written standards to follow."
The precise impact that the forthcoming insider threat standards will have on the private sector is unclear, but it will likely be limited. While defence contractors with access to classified military networks will almost certainly have to hew to the forthcoming guidelines for insider threat detection, Swift explained that the president's executive order explicitly does not extend to private companies en masse. At the same time, the guidelines the government develops could inform or serve as a template for the best practices that businesses put in place, just as the task force is doing its work in consultation with the private sector.
"The executive order applies to federal agencies and departments. It doesn't apply to the private sector as a separate entity. Now, the insider threat standards that will be developed will be of use to individual companies and corporations. There's no reason why they wouldn't be of use," he said. "Having said that, the task force itself and others are reaching out to bring in the expertise of private-sector corporations so those standards are not developed in the blind."