UNCLASSIFIED Information Warfare Industry Day 10 May 2018


Background

D&A Insider Threat Program (InTP) mandate through Executive Orders, Presidential Memos and various DoD and Service policies.

DoD/Navy Insider Threat Definition
– A person with authorized access, who uses that access wittingly or unwittingly, to harm national security interests or national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in loss or degradation of information, resources or capabilities. The term kinetic can include, but is not limited to, the threat of harm from sabotage or workplace violence (SECNAVINST 5510.37)
– FY17 NDAA: Will likely expand eligible population

Navy Approach
– DUSN-P – DoN Senior Official; Director Navy Staff – Navy Senior Official
– Federated approach across OPNAV N-codes; NITBOG
– N2N6 responsible for Counter Intelligence and Cyber aspects of Navy InTP

Long-term Materiel solution required


Army Specialist Ivan Lopez, 2014 – Killed 3 people and injured 16 at Fort Hood, TX, during a shooting spree that ends in Ivan killing himself.

Army Maj. Nidal Malik Hasan, 2009 – Killed 13 people and injured 32 at Fort Hood, TX, during a shooting spree. He was convicted and sentenced to death.

Contractor, Edward Snowden, 2013 – Charged with “unauthorized communication of national defense information” and “willful communication of classified communications intelligence information to an unauthorized person”. 2014 – Receives asylum in Russia where he remains today.

Army PFC Bradley Manning, 2009 – Downloaded classified information and released it to the website WikiLeaks. 2010–2011 – Charged with 22 violations, including “aiding the enemy”. 2013 – Sentenced to 35 years in prison. 2017 – Commuted by President Obama.


Insider Threat: A Government-wide Problem

Petty Officer Second Class Bryan Minkyu Martin, 2011 – Sold classified naval operations and intelligence information to who he believed was an agent of China. Charged with attempted espionage – sentenced to 34 years in prison.

Aaron Alexis, 2014 – Killed 13 people and injured eight at the Washington Navy Yard in Washington, DC, during a shooting spree that ends in Aaron being killed by police.

Petty Officer First Class Robert Patrick Hoffman II, 2012 – Attempted to spy for Russia, revealing to them methods to track US submarines. Charged with attempted espionage – sentenced to 30 years in prison.

CDR Michael Misiewicz, 2013 (Glenn Marine) – Passed confidential information on Naval ship routes. Charged with accepting paid travel, the services of prostitutes and Lady Gaga tickets. Also charged was NCIS Special Agent John Bertrand Beliveau II.

LCDR Edward Lin, 2016 – Charged with espionage, attempted espionage and falsifying official documents. Accepted plea arrangement. Pled guilty to communicating defense information, passing classified information to a foreign national and an undercover FBI agent.

Walker Spy Ring, 1967–1985 – Sold classified naval operations and intelligence information to USSR.


Counter Insider Threat Capability

Establishing an InT acquisition program:
– Provides in-service engineering, maintenance, training, and logistics
– Supports installation on operational platforms
– Focus is on developing a 200 year program

Accelerated Drafting of Operational Requirements Document
– Information System – Capability Development Document (IS-CDD)

$56.4M funded across the FYDP in FY2018; $22M sustainment
– Ramp up to approx. $22M annually, funds all aspects + material solution

Organization:
– Resource Sponsor – N2N6
– Program Manager – PMW130
– Technical Authority – SPAWAR 5.0
– Milestone Decision Authority – Likely PEO C4I

Anticipate ACAT level IV program

Acquisition Decision Memorandum – Summer 2018


Counter Insider Threat Capability

The materiel solution provides the two main InTP requirements:

User Activity Monitoring (UAM)
– Definition: The technical capability to observe and record the activities of an employee, on any device, accessing U.S. Government information in order to detect and mitigate potential insider threats
– Status: UAM is conducted on a portion of Navy JWICS (~30%)
– Goal: UAM is conducted on JWICS, SIPR…and NIPR

Analytic Hub
– Definition: An insider threat analytic and response capability to manually and/or electronically gather, integrate, review, assess, and respond to information derived from CI, Security, IA, HR, LE, UAM and other sources as necessary and appropriate
– Status: Virtual Hub established Feb 2018; Seeking physical location
– Goal: Automated, fully integrated and manned analytic platform in an appropriate location


Operational Overview

Analytic Hub Concept (diagram)

Data Sources: Foreign Travel; Education and Reporting; Local Records Check; Financial Disclosure; Foreign Contact; Peer Referrals; Polygraphs; Security Records; Supervisor Referrals; Human Resource Data; Medical Referrals; Inspector General Reporting; Command Leadership; Counterintelligence; Personnel Security; Law Enforcement; Inspector General; DITMAC; Other DoD Hubs; Navy Leadership; Other

Analytic Hub (Physical Location): Data Integration & Analytic Tools; Risk Assessments; Information Sharing and Feedback; Reporting and Coordination

Monitoring inputs: Enterprise Audit; User Activity Monitoring


UAM Functional Overview

Functional Requirements – A system that provides: *
– Key stroke monitoring
– Full application content (e.g. email, chat, data import/export)
– Obtain screen captures
– Perform file shadowing for lawful purposes
– Authentication failure anomaly
– Baseline anomaly (non-compliant passwords, unauthorized scripts)
– Evidence tampering
– Exfiltration
– Privilege violation (attempting to access or modify prohibited information)
– Network Traffic anomaly (unauthorized scans)
– User behavior anomaly
– Attributable to a specific user
– Trigger Management

* Reference – CNSSD 504, 09/2016
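The following is an added example, not code from the briefing and not the Navy's or PMW 130's UAM system. It sketches how four of the trigger requirements above (authentication failure anomaly, exfiltration to removable media, privilege violation, network traffic anomaly) can be evaluated over endpoint events, with every alert attributed to a specific user. The event tuple format, the field names, the thresholds, and the sample events themselves are all constructed assumptions for illustration.

```python
"""Added example: toy UAM trigger logic over constructed endpoint events.
Not the Navy's UAM system; event format, field names and thresholds are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed trigger thresholds (in a real deployment these are tuned per enclave).
AUTH_FAIL_THRESHOLD = 5                    # failures per user within the window
AUTH_FAIL_WINDOW = timedelta(seconds=60)
REMOVABLE_MB_THRESHOLD = 1000              # MB copied to removable media in one event
SCAN_PORT_THRESHOLD = 10                   # distinct ports to one host within the window
SCAN_WINDOW = timedelta(seconds=60)

# Constructed sample events: (timestamp, user, host, event_type, detail).
EVENTS = [
    ("2018-05-10T08:00:01", "jdoe", "ws-17", "auth_fail", ""),
    ("2018-05-10T08:00:05", "jdoe", "ws-17", "auth_fail", ""),
    ("2018-05-10T08:00:09", "jdoe", "ws-17", "auth_fail", ""),
    ("2018-05-10T08:00:12", "jdoe", "ws-17", "auth_fail", ""),
    ("2018-05-10T08:00:15", "jdoe", "ws-17", "auth_fail", ""),
    ("2018-05-10T08:00:20", "jdoe", "ws-17", "auth_ok", ""),
    ("2018-05-10T09:10:00", "asmith", "ws-03", "file_copy", "removable:4500MB"),
    ("2018-05-10T09:11:00", "asmith", "ws-03", "file_copy", "removable:12MB"),
    ("2018-05-10T09:12:00", "asmith", "ws-03", "access_denied", "/proj/restricted/plan.docx"),
]
# Twelve connections from one user to twelve different ports on one host within 12 seconds.
EVENTS += [("2018-05-10T10:00:%02d" % i, "bkim", "ws-22", "net_connect", "10.0.0.5:%d" % (20 + i))
           for i in range(12)]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def make_alert(trigger, user, host, evidence):
    # Every alert carries the user it is attributable to, as the requirement demands.
    return {"trigger": trigger, "user": user, "host": host, "evidence": evidence}


def evaluate(events):
    """Run the trigger rules over events in time order and return the alerts raised."""
    alerts = []
    auth_windows = defaultdict(deque)   # user -> timestamps of recent auth failures
    scan_windows = defaultdict(deque)   # (user, dest ip) -> recent (timestamp, port)
    for ts_s, user, host, etype, detail in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_s)
        if etype == "auth_fail":
            w = auth_windows[user]
            w.append(ts)
            while ts - w[0] > AUTH_FAIL_WINDOW:      # drop failures outside the window
                w.popleft()
            if len(w) == AUTH_FAIL_THRESHOLD:         # fire once, when the threshold is reached
                alerts.append(make_alert("authentication_failure_anomaly", user, host,
                                         "%d failures within %ds" % (len(w), AUTH_FAIL_WINDOW.seconds)))
        elif etype == "file_copy" and detail.startswith("removable:"):
            mb = int(detail.split(":", 1)[1].rstrip("MB"))
            if mb > REMOVABLE_MB_THRESHOLD:
                alerts.append(make_alert("exfiltration", user, host, "%d MB to removable media" % mb))
        elif etype == "access_denied":
            alerts.append(make_alert("privilege_violation", user, host, "denied access to " + detail))
        elif etype == "net_connect":
            dest, port = detail.rsplit(":", 1)
            w = scan_windows[(user, dest)]
            w.append((ts, int(port)))
            while ts - w[0][0] > SCAN_WINDOW:
                w.popleft()
            distinct = {p for _, p in w}
            if len(distinct) == SCAN_PORT_THRESHOLD:
                alerts.append(make_alert("network_traffic_anomaly", user, host,
                                         "%d distinct ports on %s within %ds"
                                         % (len(distinct), dest, SCAN_WINDOW.seconds)))
    return alerts


def alerts_by_user(alerts):
    """Group trigger names by user so an analyst sees one attributable record per person."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["user"]].append(a["trigger"])
    return dict(grouped)


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print("%-32s %-8s %-6s %s" % (a["trigger"], a["user"], a["host"], a["evidence"]))
```

Each rule fires exactly once when its threshold is first reached inside the sliding window, which is the "trigger management" concern in miniature: without that guard a single burst of failures would raise an alert per event and bury the analyst. The 12 MB copy does not fire, showing that volume thresholds, not the mere use of removable media, drive the exfiltration trigger here.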


Hub Functional Overview

Functional Requirements – A system that provides: *
– Aggregate and analyze multiple information streams (CI, Security, IA, HR, LE, UAM, Polygraph)
– Integrate the collected data into a common view (dashboard)
– Assess the data for anomalies indicating malicious behavior
– Analyst response with reports to appropriate stakeholders
– Maintain records of concerning activity by individual

Scope is on materiel items such as:
– Hardware: servers, storage
– Software: database, desktop interface, dashboard
– Engineering: integrating data streams; hardware/software suites of tools
– Integrate into existing processes (e.g. DITMAC System of Systems)

* References – SECNAVINST 5510.37; OPNAVINST 5510.165A
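As an added example (not from the briefing, and not the Navy hub, DITMAC or any fielded product), the following Python shows the hub's five functional requirements in miniature: several source streams are aggregated into one per-individual record (the common view), assessed with a simple corroboration rule, and rendered as a record of concerning activity an analyst could attach to a report. The stream names follow the slide; the record fields, indicator names, weights, thresholds and all sample records are constructed assumptions.

```python
"""Added example: toy analytic-hub aggregation over constructed feeds.
Not the Navy hub or DITMAC; record fields, weights and thresholds are assumed."""
from collections import defaultdict

# Constructed sample feeds, keyed by source stream; one record per reportable item.
STREAMS = {
    "UAM": [
        {"person": "P-1001", "date": "2018-03-02", "indicator": "exfiltration"},
        {"person": "P-1002", "date": "2018-03-04", "indicator": "policy_violation"},
    ],
    "HR": [
        {"person": "P-1001", "date": "2018-02-20", "indicator": "adverse_action"},
    ],
    "Security": [
        {"person": "P-1001", "date": "2018-01-15", "indicator": "unreported_foreign_contact"},
        {"person": "P-1003", "date": "2018-02-01", "indicator": "late_foreign_travel_report"},
    ],
    "CI": [],
    "IA": [],
    "LE": [
        {"person": "P-1003", "date": "2018-02-10", "indicator": "arrest"},
    ],
    "Polygraph": [],
}

# Assumed indicator weights: a crude stand-in for an analyst-tuned scoring model.
WEIGHTS = {
    "exfiltration": 5,
    "unreported_foreign_contact": 3,
    "arrest": 3,
    "adverse_action": 2,
    "policy_violation": 1,
    "late_foreign_travel_report": 1,
}


def build_common_view(streams):
    """Integrate every stream into one per-individual record (the 'dashboard' view)."""
    view = defaultdict(lambda: {"events": [], "sources": set(), "score": 0})
    for source, records in streams.items():
        for r in records:
            entry = view[r["person"]]
            entry["events"].append({"date": r["date"], "source": source, "indicator": r["indicator"]})
            entry["sources"].add(source)
            entry["score"] += WEIGHTS.get(r["indicator"], 1)   # unknown indicators count 1
    for entry in view.values():
        entry["events"].sort(key=lambda e: e["date"])          # chronological record per person
    return dict(view)


def assess(view, min_score=4, min_sources=2):
    """Flag individuals whose indicators cross the score threshold AND are corroborated
    by at least two independent streams; highest score first."""
    flagged = [pid for pid, e in view.items()
               if e["score"] >= min_score and len(e["sources"]) >= min_sources]
    return sorted(flagged, key=lambda pid: view[pid]["score"], reverse=True)


def record_of_concern(view, person):
    """Render the per-individual record an analyst would attach to a stakeholder report."""
    e = view[person]
    lines = ["Record of concern for %s: score %d, sources %s"
             % (person, e["score"], ", ".join(sorted(e["sources"])))]
    for ev in e["events"]:
        lines.append("  %s  %-9s %s" % (ev["date"], ev["source"], ev["indicator"]))
    return "\n".join(lines)


if __name__ == "__main__":
    view = build_common_view(STREAMS)
    for pid in assess(view):
        print(record_of_concern(view, pid))
```

The two-source requirement in `assess` is the design point worth noticing: a single noisy UAM indicator (P-1002) does not reach an analyst, while a lower-scoring individual whose Security and LE records corroborate each other (P-1003) does. Tuning those two thresholds is an analyst decision, not something the tooling should fix.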


How Can Industry Help?

PMW 130
CDR Matt O'Neal
PMW 130, PEO C4I
Counter-Insider Threat APM
matthew.o'[email protected]
(619) 524-7641

OPNAV
Mark H. Lokay
Branch Chief, Navy Insider Threat to Cybersecurity Program
OPNAV N2N6I/NIA SI2
[email protected]
(703) 604-5735

Questions?


BACK-UP


NDAA 2017 Insider Threat Definition

Per NDAA 17:

The term “insider threat” means, with respect to the DoD, a threat presented by a person who—
(A) has, or once had, authorized access to information, a facility, a network, a person, or a resource of the Department; and
(B) wittingly, or unwittingly, commits –
(i) an act in contravention of law or policy that resulted in, or might result in, harm through the loss or degradation of government or company information, resources, or capabilities; or
(ii) a destructive act, which may include physical harm to another in the workplace.


Strategic Guidance

– EO 13587 (OCT 2011) – Directs establishment of a program to responsibly share and safeguard classified information.
– Presidential Memo, National Insider Threat Policy (NOV 2012) – Establishes policy to promote the development of effective insider threat programs to deter, detect and mitigate insider threats.
– 2012 NDAA, Sec 922 – Directs DoD to establish a program for information sharing protection and insider threat mitigation to detect unauthorized access to, use of, or transmission of classified or sensitive unclassified information.
– Intelligence Community Standard (ICS) 500-27 (JUN 2011) – Provides for the collection and sharing of audit data to support counterintelligence (CI), information assurance (IA), business analytics, personnel security, and other community audit needs related to IC information resources.
– Intelligence Community Standard (ICS) 700-2 (JUN 2011) – Provides for the use of audit data to support counterintelligence (CI), information assurance (IA), business analytics, personnel security, and other community audit needs related to IC information resources.
– DoDD 5205.16 (SEP 2014) – Establishes policy and assigns responsibilities within DoD to develop and maintain an insider threat program to prevent, deter, detect, and mitigate actions by malicious insiders who represent a threat to national security.
– SECNAVINST 5510.37 (AUG 2013) – Establishes the DoN Insider Threat Program (InTP), promulgates policy, assigns responsibilities and institutes a governance framework.
– OPNAVINST 5510.165A (OCT 2015) – Establishes the Navy Insider Threat Program, promulgates policy, assigns responsibilities, and institutes the Navy Insider Threat Board of Governance (NITBOG).


CNSS 504 Direction

Establishes the minimum insider threat protective capabilities required for all Federal Government D/A with NSS to protect computer networks and information residing on them.

UAM: “Each D/A must have the following minimum capabilities to collect user activity data: key stroke monitoring and full application content (e.g., email, chat, data import/data export), obtain screen captures and perform file shadowing for all lawful purposes. UAM data must be attributable to a specific user.”

Identifies 5 required capabilities for Insider Threat Programs:
– Prevent the use of unauthorized applications
– Implement standardized access control methodologies (Multifactor authentication, Role Based Access Control, restrict Administrator accounts)
– Control and log use of Removable Media
– Implement Data Loss and Spillage prevention capabilities
– Implement Trusted Network Connections restrictions.

US Navy Insider Threat Analytic Hub (diagram): Detect – Deter – Mitigate

Leadership: DUSN(P) – DoN
Oversight: Inspector General (IG)
Enterprise Awareness: Random Polygraph; Anonymous Report/Hotline; Continuous Evaluation; Cyber/Enterprise Audit (EA); Personnel Security; Human Resources; Mirador/IMESA/DBIDS
Data Input: UAM JWICS; UAM SIPR; UAM NIPR; Peer/Supervisor Referrals; Foreign Contact Reporting; Command Security; Foreign Travel Reporting; DITMAC; Legal
Triage: Data Aggregation; Analysis; Analytic Finding
Response: NCIS-CI/LE; NCIS/FBI; Personnel Security; Physical Sec. Force Protection; Information Assurance (IA); Other Federal Agencies; ODNI/NITTF/FBI