The insider threat has come of age. Last week, The National Insider Threat Task Force (NITTF), operating under the joint leadership of the Attorney General and the Director of National Intelligence, announced the release of the “Insider Threat Program Maturity Framework.” The release occurred during the NITTF’s semiannual Insider Threat Community Forum held at FBI headquarters in Washington, D.C.
Exactly what is the Framework? According to the NITTF:
The Framework, as it is known, is designed to help executive branch departments and agencies’ insider threat programs advance beyond the Minimum Standards to become more proactive, comprehensive, and better postured to deter, detect, and mitigate insider threat risk. The Framework identifies key elements within the existing minimum standards construct that, when enhanced, enable departments and agencies to increase program functionality and garner greater benefits from insider threat program resources, procedures, and processes. Each element within the Framework has been identified as a capability or attribute exhibited by an advanced insider threat program.
Covering the news was Christopher Burgess, a career security industry veteran, writer and former CIA official. In ClearanceJobs.com, Burgess shed further light on what the Framework means and pointed out leading causes of the insider threat. According to Burgess:
Lack of attention to detail enables seemingly weekly declarations of one entity or another not having configured their databases, applications, or web properties correctly, and exposing sensitive information to unauthorized individuals.
Similarly, the onslaught of phishing emails, SMS messages and video messages — all designed to socially engineer the recipient into taking an action which would compromise their device — is a constant.
To further make sense of the news, Burgess spoke with Dtex VP of Federal David Wilcox. Wrote Burgess:
According to Dave Wilcox, Vice President of Federal for DTEX Systems, this framework, created in support of E.O. 13587 of October 2018, has been a long time coming. The framework predominantly focuses on ensuring the counterespionage/insider threat cyber capabilities within government can be measured and improved.
“There are huge efficiencies which are realized with the implementation of technology,” Wilcox notes. “The government must be prepared to align policies and initiatives to encourage innovative, cost effective solutions.”
Read Burgess’ full story: Insider Threat Program Maturity Framework Released
Read the press release: National Insider Threat Task Force Releases Insider Threat Program Maturity Framework
Access the Framework: INSIDER THREAT PROGRAM MATURITY FRAMEWORK
Insider Threat, Alive and Well
The release of the Framework was certainly good news to the federal and security industry in general. There is still plenty of news showing that progress needs to be made. Even as we approach the US midterms, with all security eyes focused on election hacking and misinformation campaigns, the insider threat can’t be ignored. These are just a few stories about malicious and negligent insider threats that were published last week:
Chicago Sun Times: Ex-CPS worker accused of stealing info on 80,000 people in latest data breach
ZDNet: US charges two Chinese intelligence officers ‘and their team of hackers’
SiliconANGLE: Visiting 9,000+ porn sites, employee infects U.S. Geological Survey with malware
Dark Reading: Ex-Employees Allegedly Steal Micron Trade Secrets Valued At Over $400 Million
More on Privacy
As a leader in privacy-by-design technology and values, Dtex is always paying attention to the latest privacy developments. Last week, the industry saw the whole concept turned on its ear. One of the biggest and most influential voices in privacy regulation, Sen. Ron Wyden (D-Ore.), introduced legislation that may be one of the strictest and harshest bills proposed to date. According to Gizmodo:
The tentatively named “Consumer Data Protection Act” would force sweeping changes at companies such as Google and Facebook, granting consumers the ability to opt-out entirely from having their data sold off for marketing purposes, while dramatically increasing the Federal Trade Commission’s (FTC) authority to pursue privacy violators.
To start, Wyden’s privacy bill sets forth a requirement that companies whose revenue exceeds $1 billion per year—or those who store data on more than 50 million consumers or consumer devices—submit to the government “annual data protection reports” outlining the measures taken to ensure the security of all collected personal information. Inspired by the Sarbanes-Oxley Act, which requires executive officers to certify and approve company financial reports, Wyden’s bill would require data protection reports to be certified by top executives, including chief executive officers, who would face not only stiff fines but jail time if they were to fail to comply.
The bill’s current language outlines up to 20-year prison sentences and fines not to exceed $5 million for executives who knowingly mislead the FTC, which at present has no authority to punish first-time corporate offenders. Companies that violate the standards established by the FTC under the law’s authority would also face steep fines, up to 4 percent of their annual revenue. For perspective, a company such as Google could face up to a $5 billion fine for a serious infraction.
Read the Gizmodo story: Wyden Unveils Plan to Protect Private Data, Restore ‘Do Not Track,’ and Jail Reckless CEOs