How to Detect Insider Threats: Stopping Leaks in the Digital Age

The arrest and arraignment of Airman 1st Class Jack Teixeira, 21, of the Massachusetts Air National Guard exposes the fragility of intelligence and security in the digital age. Teixeira, a cyber transport systems journeyman with the 102nd Intelligence Wing, was accused by the FBI of leaking a trove of secret and sensitive information in court proceedings April 14.

Threats from trusted, cleared professionals pose the greatest risks and deepest challenges, because insiders like Teixeira already have security clearances and are therefore inherently trusted. The National Insider Threat Center at Carnegie Mellon’s Software Engineering Institute, a federally funded research and development center, was created to study and combat such threats.

“If there were a perfect solution for this, I’d be out of a job,” said SEI’s Daniel Costa, technical manager of enterprise threat and vulnerability management, in an April 14 interview with Air & Space Forces Magazine. 

In what Pentagon Press Secretary Air Force Brig. Gen. Pat Ryder described as “a deliberate criminal act,” Teixeira allegedly released a trove of classified details on Russia’s invasion of Ukraine, along with sensitive briefing materials and analysis on the Indo-Pacific and Middle East theaters, on Discord, an online platform popular with video gamers. As in past incidents, such as those of Chelsea Manning, a soldier, and Edward Snowden, a technology contractor, both of whom used their clearances to gain access to classified documents, this case involves a trusted individual who allegedly ignored the inherent promise attached to a security clearance.

“Each of us signs a nondisclosure agreement—anybody that has a security clearance,” Ryder said April 13. “And so all indications are, again, this was a criminal act, a willful violation of those, and again, another reason why we’re continuing to investigate and support [the Department of Justice’s] investigation.”

In the wake of the Snowden and Manning leaks, President Barack Obama’s Executive Order 13587, signed in 2011, required government agencies with access to classified computer networks to implement formal insider threat detection and prevention programs. But no program is 100 percent airtight.

“There’s an inherent risk that comes along with doing business,” said Costa. “What we’re talking about is human nature, and thinking about insider threats as an inherent risk to organizations requires real careful planning and organization-wide participation to reduce that risk to acceptable levels.”

The Insider Threat Detection Center at SEI maintains a database of more than 3,000 incidents where individuals with authorized access to an organization’s documents or other assets used trusted access to either maliciously or unintentionally affect the organization in a serious, negative way. Reducing risk within an organization starts with identifying the most critical assets, which is a challenge in institutions as large as the Department of Defense, Costa said. Once those assets are identified, the organization must strategize to protect and limit access to those crown jewels.

“One of the unique things about insider threat programs is that the threat actors that we’re talking about are our colleagues, our co-workers, our contractors and other trusted business partners,” Costa explained. “The challenges lie within the fact that this is not a risk that you can buy down to zero, by the nature of that trust relationship you entered into by bringing an individual into your organization.”

For security professionals, the key to protecting those trusted relationships while at the same time reducing risk is monitoring that can help identify warning signs and enable leaders to intervene before individuals actually violate access rules, he said. Malicious insiders may use access for personal gain, such as financial fraud, intellectual property theft, cyber sabotage, espionage, or even notoriety. Unintentional insider incidents are also possible, where individuals become victims of phishing or other social engineering attacks, or where simple mistakes lead to substantial losses of data, funds, equipment, or information.

Monitoring for warning signs is the central function of an insider threat program, with indicators ranging from repeated policy violations to disruptive behavior, personal financial difficulty, changes in working patterns (such as when and where individuals access files), and job performance problems, according to SEI research. Unintentional incidents are best prevented through training. Securing against insiders takes a “whole-of-enterprise” approach to be effective, Costa said.
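The working-pattern indicators described above (when and where someone accesses files) are the kind of signal an insider threat program's monitoring turns into alerts for a human to review. As an added example that is not from the article, SEI, or any program it describes, this Python sketch learns each user's usual access hours and workstations from a baseline period of constructed log lines and flags later accesses that deviate; the log format, usernames, hostnames and paths are all made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed file-access log (not real data): timestamp, user, workstation, path.
ACCESS_LOG = """\
2024-03-04T09:12:00 jdoe WS-OPS-01 /shared/ops/schedule.xlsx
2024-03-05T10:40:00 jdoe WS-OPS-01 /shared/ops/roster.docx
2024-03-06T14:05:00 jdoe WS-OPS-01 /shared/ops/schedule.xlsx
2024-03-07T11:30:00 jdoe WS-OPS-01 /shared/ops/notes.txt
2024-03-04T08:50:00 asmith WS-HR-02 /shared/hr/handbook.pdf
2024-03-06T13:20:00 asmith WS-HR-02 /shared/hr/handbook.pdf
2024-03-12T02:15:00 jdoe WS-OPS-01 /shared/ops/schedule.xlsx
2024-03-13T10:05:00 jdoe WS-LIB-07 /shared/ops/roster.docx
2024-03-13T13:06:00 asmith WS-HR-02 /shared/hr/handbook.pdf
"""

BASELINE_END = datetime(2024, 3, 10)  # events before this date train the baseline

def parse(log):
    """Split each log line into (datetime, user, workstation, path)."""
    events = []
    for line in log.strip().splitlines():
        ts, user, host, path = line.split()
        events.append((datetime.fromisoformat(ts), user, host, path))
    return events

def build_baseline(events):
    """Per user: hours of day and workstations observed during the baseline period."""
    hours, hosts = defaultdict(set), defaultdict(set)
    for ts, user, host, _ in events:
        if ts < BASELINE_END:
            hours[user].add(ts.hour)
            hosts[user].add(host)
    return hours, hosts

def flag_deviations(events, tolerance=1):
    """Return (timestamp, user, path, reasons) for post-baseline events outside the
    user's usual hours (beyond +/- tolerance, wrapping at midnight) or from an
    unseen workstation. Users with no baseline are skipped here; a real program
    would route them to a separate review queue."""
    hours, hosts = build_baseline(events)
    flagged = []
    for ts, user, host, path in events:
        if ts < BASELINE_END or user not in hours:
            continue
        reasons = []
        if not any(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) <= tolerance
                   for h in hours[user]):
            reasons.append("off-hours access")
        if host not in hosts[user]:
            reasons.append(f"new workstation {host}")
        if reasons:
            flagged.append((ts.isoformat(), user, path, reasons))
    return flagged
```

Such flags are indicators for review alongside the HR and management signals the article lists, not proof of intent; tuning the baseline window and tolerance against real traffic decides how noisy the output is.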

“This is not a technology problem, it’s a people problem,” he said. “We use technology to help us manage those risks, but at the end of the day—especially in terms of making the organization less mistake-prone—that largely comes down to management-related and HR-related activities.”

About one in three insider incidents involve malicious intent, Costa said. What exactly Teixeira’s intent may have been remains unclear. Reporting by the Washington Post and others indicates he seemed to crave attention and recognition for knowing national secrets. Rep. Seth Moulton (D-Mass.) told Politico, “This really is an issue that sort of seems to be a Gen Z issue where you get some of our youngest members of the military who feel particularly self important and entitled and therefore the rules don’t apply to them.”

The military and the intelligence community routinely trust young people with significant responsibilities, Ryder said, and they are often capable of handling it.

“Think about a young combat platoon sergeant and the responsibility and trust that we put into those individuals to lead troops into combat,” he said. “That’s just one example across the board. So you receive training and you will receive an understanding of the rules and requirements that come along with those responsibilities, and you’re expected to abide by those rules, regulations and responsibility.”

Security clearances require background checks and include some level of continuous monitoring, but that process is limited and does not unearth every possible motive or notion buried in individuals’ subconscious. As with other crimes, relative inexperience can often be a factor in insider threats. In a 2012 study on fraud, SEI found crimes involving personally identifiable information “tend to be committed by younger, less experienced, non-managers.”

On the other side of the coin, crimes involving non-personally identifying information tended to be committed by older employees, and can be far more harmful to organizations, SEI wrote.

Malicious insiders may join organizations with malintent; such individuals tend to act early in their tenure, Costa said. Older employees may feel more comfortable with those policies and procedures, but personal, professional or financial stressors might motivate them to carry out an attack.

SEI recommends organizations “right-size” who has access to valuable or sensitive assets and when, as a means to reduce the opportunity and temptation, Costa said. Those with greater access may fall under greater scrutiny. But simply establishing rules is not enough; they must be enforced to be effective.

“Some of the challenges we see with really large organizations, is just maintaining complete situational awareness of their current risk posture,” Costa said. “It’s easy to say that these are the rules that govern what authorized access looks like. But to ensure a complete coverage across, you know, really complex organizations with lots of different moving parts and independent security operations can be a real challenge.”

Independent security operations might include smaller organizations within the larger enterprise, just like a multinational corporation may have operations within individual countries equipped with their own information technology and information security departments. The military, with its large number of commands and bases, has plenty of such operations.

“It’s a challenging problem for organizations at DoD scale to have the granularity that is needed to effectively right-size permissions,” Costa said. “In really large organizations, all it takes is one slip-up. One blind spot with too much access, and those soft spots are the things that insiders inevitably take advantage of.”

Like aviation safety, sexual assault and harassment prevention, and suicide prevention, insider threats are another thorny problem the Air Force and the military writ large are dealing with that is not easily solved but which may be reduced with greater analysis. SEI publishes its best practices to help those in both the government and the private sector reduce the risk of insider threats.