Mark Nehmer doesn’t trust people so much anymore. At last week’s Nextgov Cybersecurity Series event, the Associate Deputy Director for cybersecurity and counterintelligence for the Defense Security Service admitted that recent events (i.e., Manning and Snowden’s thefts of classified information) have made him more cynical and convinced him the department needs a more holistic strategy to prevent insider threat. Specifically, DoD needs an all-in, data-centric approach that allows for the correlation of individual data points that collectively indicate a potential threat. To complement and facilitate this big data approach, Nehmer made four specific recommendations:
1. Establish a two-person integrity (TPI) system. To ensure appropriate physical and logical control of classified information for privileged users, Nehmer encourages expanding the TPI system recently implemented by the NSA that prevents any one individual from copying such information alone. TPI requires that an individual’s request to copy data from a secure network be approved and executed by another person.
2. Amplify concern for data spillage. Nehmer supports the growing movement within DoD to increase cyber hygiene training and elevate concern for data spillage at all levels. Part of the solution is changing the vernacular; a data spillage incident should be considered a “negligent discharge of classified information” not unlike negligent discharge of a firearm, a chargeable offense.
3. Prioritize development of the joint information environment (JIE). Using cloud platforms, DISA has already made progress building a single enterprise architecture for DoD IT systems. Nehmer considers the further development of this architecture integral for insider threat prevention because it promises to facilitate big data analysis by integrating information silos. Furthermore, the efficiencies that come with an enterprise architecture should free up manpower to focus on insider threat detection.
4. Require Security Technical Implementation Guide (STIG) and patch compliance for all programs of record and weapons systems. Software and hardware used by DoD must be patched whenever vulnerabilities are discovered, but STIGs are updated more slowly than vendors release patches, so a commercial patch is not always certified against the current STIG by the time it is available. During that gap a system is left either unpatched against a known vulnerability or running an uncertified patch. Nehmer believes DoD must have a single, integrated methodology for mitigating such vulnerabilities.
These four recommendations constitute an across-the-board approach to mitigating insider threat that acknowledges the need for technical, policy, and cultural reforms. For Nehmer, stopping the next Snowden is not enough. DoD must prepare for all potential insider threat vectors and, as he put it, “get left of boom.”