Information Warfare Industry Day - AFCEA.org
TRANSCRIPT
UNCLASSIFIED
Background
D/A Insider Threat Program (InTP) mandate through Executive Orders, Presidential Memos and various DoD and Service policies.
DoD/Navy Insider Threat Definition
– A person with authorized access, who uses that access, wittingly or unwittingly, to harm national security interests or national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in loss or degradation of information, resources or capabilities. The term kinetic can include, but is not limited to, the threat of harm from sabotage or workplace violence (SECNAVINST 5510.37).
– FY17 NDAA: Will likely expand the eligible population
Navy Approach
– DUSN-P – DoN Senior Official; Director Navy Staff – Navy Senior Official
– Federated approach across OPNAV N-codes; NITBOG
– N2N6 responsible for the Counterintelligence and Cyber aspects of the Navy InTP
Long-term materiel solution required
Army Specialist Ivan Lopez (2014): Killed 3 people and injured 16 at Fort Hood, TX, during a shooting spree that ended with Ivan killing himself.
Army Maj. Nidal Malik Hasan (2009): Killed 13 people and injured 32 at Fort Hood, TX, during a shooting spree. He was convicted and sentenced to death.
Contractor Edward Snowden (2013): Charged with “unauthorized communication of national defense information” and “willful communication of classified communications intelligence information to an unauthorized person”. 2014: Receives asylum in Russia, where he remains today.
Army PFC Bradley Manning (2009): Downloaded classified information and released it to the website WikiLeaks. 2010–2011: Charged with 22 violations, including “aiding the enemy”. 2013: Sentenced to 35 years in prison. 2017: Sentence commuted by President Obama.
Insider Threat: A Government-wide Problem
Petty Officer Second Class Bryan Minkyu Martin (2011): Sold classified naval operations and intelligence information to someone he believed was an agent of China. Charged with attempted espionage; sentenced to 34 years in prison.
Aaron Alexis (2014): Killed 13 people and injured eight at the Washington Navy Yard in Washington, DC, during a shooting spree that ended with Aaron being killed by police.
Petty Officer First Class Robert Patrick Hoffman II (2012): Attempted to spy for Russia, revealing to them methods to track US submarines. Charged with attempted espionage; sentenced to 30 years in prison.
CDR Michael Misiewicz (2013, Glenn Marine): Passed confidential information on naval ship routes. Charged with accepting paid travel, the services of prostitutes and Lady Gaga tickets. Also charged was NCIS Special Agent John Bertrand Beliveau II.
LCDR Edward Lin (2016): Charged with espionage, attempted espionage and falsifying official documents. Accepted a plea arrangement; pled guilty to communicating defense information and passing classified information to a foreign national and an undercover FBI agent.
Walker Spy Ring (1967–1985): Sold classified naval operations and intelligence information to the USSR.
Counter Insider Threat Capability
Establishing an InT acquisition program:
– Provides in-service engineering, maintenance, training, and logistics
– Supports installation on operational platforms
– Focus is on developing a 200 year program
Accelerated drafting of the Operational Requirements Document
– Information System – Capability Development Document (IS-CDD)
$56.4M funded across the FYDP in FY2018; $22M sustainment
– Ramp up to approx. $22M annually, funding all aspects plus the materiel solution
Organization:
– Resource Sponsor – N2N6
– Program Manager – PMW130
– Technical Authority – SPAWAR 5.0
– Milestone Decision Authority – likely PEO C4I
Anticipate an ACAT level IV program
Acquisition Decision Memorandum – Summer 2018
Counter Insider Threat Capability
The materiel solution provides the two main InTP requirements:
User Activity Monitoring (UAM)
– Definition: The technical capability to observe and record the activities of an employee, on any device, accessing U.S. Government information in order to detect and mitigate potential insider threats
– Status: UAM is conducted on a portion (~30%) of Navy JWICS
– Goal: UAM is conducted on JWICS, SIPR… and NIPR
Analytic Hub
– Definition: An insider threat analytic and response capability to manually and/or electronically gather, integrate, review, assess, and respond to information derived from CI, Security, IA, HR, LE, UAM and other sources as necessary and appropriate
– Status: Virtual Hub established Feb 2018; seeking a physical location
– Goal: Automated, fully integrated and manned analytic platform in an appropriate location
[Diagram: Analytic Hub Concept]
Data Sources: Foreign Travel; Education and Reporting; Local Records Check; Financial Disclosure; Foreign Contact; Peer Referrals; Polygraphs; Security Records; Supervisor Referrals; Human Resource Data; Medical Referrals; Inspector General Reporting; Enterprise Audit; User Activity Monitoring
Analytic Hub (Physical Location): Data Integration & Analytic Tools; Risk Assessments; Information Sharing and Feedback
Reporting and Coordination: Command Leadership; Counterintelligence; Personnel Security; Law Enforcement; Inspector General; DITMAC; Other DoD Hubs; Navy Leadership; Other
UAM Functional Overview
Functional Requirements – A system that provides:*
– Key stroke monitoring
– Full application content (e.g. email, chat, data import/export)
– Obtain screen captures
– Perform file shadowing for lawful purposes
– Authentication failure anomaly
– Baseline anomaly (non-compliant passwords, unauthorized scripts)
– Evidence tampering
– Exfiltration
– Privilege violation (attempting to access or modify prohibited information)
– Network traffic anomaly (unauthorized scans)
– User behavior anomaly
– Attributable to a specific user
– Trigger management
* Reference – CNSSD 504, 09/2016
Hub Functional Overview
Functional Requirements – A system that provides:*
– Aggregate and analyze multiple information streams (CI, Security, IA, HR, LE, UAM, Polygraph)
– Integrate the collected data into a common view (dashboard)
– Assess the data for anomalies indicating malicious behavior
– Analyst response with reports to appropriate stakeholders
– Maintain records of concerning activity by individual
Scope is on materiel items such as:
– Hardware: servers, storage
– Software: database, desktop interface, dashboard
– Engineering: integrating data streams; hardware/software suites of tools
– Integrate into existing processes (e.g. DITMAC System of Systems)
* References – SECNAVINST 5510.37; OPNAVINST 5510.165A
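As an added example (not code from the briefing or the PMW 130 program), a small Python sketch of the UAM and Hub requirements listed above: UAM trigger management that turns constructed audit lines into triggers attributable to a specific user (authentication failure anomaly, privilege violation, exfiltration to removable media), and a hub step that aggregates those triggers with other streams into a per-individual record of concerning activity. The log format, event names, thresholds and the concern score are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed UAM audit lines in a hypothetical "<time> <user> <host> <event> <detail>" format.
UAM_LOG = """\
2018-03-01T08:00:05 jdoe WS01 LOGON_FAIL badpw
2018-03-01T08:00:09 jdoe WS01 LOGON_FAIL badpw
2018-03-01T08:00:14 jdoe WS01 LOGON_FAIL badpw
2018-03-01T08:00:20 jdoe WS01 LOGON_FAIL badpw
2018-03-01T08:00:27 jdoe WS01 LOGON_FAIL badpw
2018-03-01T08:05:00 jdoe WS01 FILE_COPY dst=USB size=734003200
2018-03-01T09:10:00 asmith WS07 ACCESS_DENIED res=/projects/restricted
2018-03-01T09:11:00 asmith WS07 ACCESS_DENIED res=/hr/records
2018-03-01T09:30:00 asmith WS07 LOGON_FAIL badpw
"""
# Constructed records from the hub's other streams: (source, user, note).
OTHER_STREAMS = [("Security", "jdoe", "foreign travel report overdue"),
                 ("HR", "asmith", "pending adverse action")]

def uam_triggers(log, fail_n=5, window_s=60, usb_bytes=500 * 2**20):
    """Trigger management: turn raw UAM lines into triggers attributable to one user."""
    recent_fails = defaultdict(list)
    triggers = []
    for line in log.splitlines():
        ts, user, host, event, detail = line.split(" ", 4)
        t = datetime.fromisoformat(ts)
        if event == "LOGON_FAIL":
            # Authentication failure anomaly: fail_n failures within window_s seconds.
            fails = [f for f in recent_fails[user] if t - f <= timedelta(seconds=window_s)] + [t]
            if len(fails) >= fail_n:
                triggers.append((user, "auth_failure_anomaly", f"{fail_n} failures in {window_s}s on {host}"))
                fails = []  # one trigger per burst
            recent_fails[user] = fails
        elif event == "ACCESS_DENIED":  # privilege violation: prohibited information
            triggers.append((user, "privilege_violation", detail))
        elif event == "FILE_COPY" and "dst=USB" in detail:  # exfiltration to removable media
            size = int(re.search(r"size=(\d+)", detail).group(1))
            if size >= usb_bytes:
                triggers.append((user, "exfiltration", f"{size} bytes to removable media on {host}"))
    return triggers

def hub_view(triggers, other_streams):
    """Hub: aggregate UAM triggers with other streams into a per-individual record."""
    records = defaultdict(lambda: {"uam": [], "other": []})
    for user, kind, why in triggers:
        records[user]["uam"].append(f"{kind}: {why}")
    for source, user, note in other_streams:
        records[user]["other"].append(f"{source}: {note}")
    # Assumed concern score: item count; a real hub would weight by analyst policy.
    return {u: dict(r, score=len(r["uam"]) + len(r["other"])) for u, r in records.items()}
```

Running `hub_view(uam_triggers(UAM_LOG), OTHER_STREAMS)` yields one record per individual, with the UAM triggers and the Security/HR notes side by side, which is the "common view" the Hub requirement describes.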
How Can Industry Help?
PMW 130
CDR Matt O'Neal
PMW 130, PEO C4I
Counter-Insider Threat APM
matthew.o'[email protected]
(619) 524-7641
OPNAV
Mark H. Lokay
Branch Chief, Navy Insider Threat to Cybersecurity Program
OPNAV N2N6I/NIA SI2
(703) 604-5735
Questions?
NDAA 2017 Insider Threat Definition
Per NDAA 17:
The term “insider threat” means, with respect to the DoD, a threat
presented by a person who—
(A) has, or once had, authorized access to information, a facility, a
network, a person, or a resource of the Department; and
(B) wittingly, or unwittingly, commits –
(i) an act in contravention of law or policy that resulted in, or
might result in, harm through the loss or degradation of
government or company information, resources, or
capabilities; or
(ii) a destructive act, which may include physical harm to another
in the workplace.
Strategic Guidance
– EO 13587 (OCT 2011) – Directs establishment of a program to responsibly share and safeguard
classified information.
– Presidential Memo, National Insider Threat Policy (NOV 2012) – Establishes policy to promote
the development of effective insider threat programs to deter, detect and mitigate insider threats.
– 2012 NDAA, Sec 922 – Directs DoD to establish a program for information sharing protection and
insider threat mitigation to detect unauthorized access to, use of, or transmission of classified or
sensitive unclassified information.
– Intelligence Community Standard (ICS) 500-27 (JUN 2011) – Provides for the collection and
sharing of audit data to support counterintelligence (CI), information assurance (IA), business
analytics, personnel security, and other community audit needs related to IC information resources.
– Intelligence Community Standard (ICS) 700-2 (JUN 2011) – Provides for the use of audit data to
support counterintelligence (CI), information assurance (IA), business analytics, personnel security,
and other community audit needs related to IC information resources.
– DoDD 5205.16 (SEP 2014) – Establishes policy and assigns responsibilities within DoD to develop
and maintain an insider threat program to prevent, deter, detect, and mitigate actions by malicious
insiders who represent a threat to national security.
– SECNAVINST 5510.37 (AUG 2013) – Establishes the DoN Insider Threat Program (InTP),
promulgates policy, assigns responsibilities and institutes a governance framework.
– OPNAVINST 5510.165A (OCT 2015) – Establishes the Navy Insider Threat Program, promulgates
policy, assigns responsibilities, and institutes the Navy Insider Threat Board of Governance
(NITBOG).
CNSS 504 Direction
Establishes the minimum Insider Threat protective capabilities required for all Federal Government D/A with NSS to protect computer networks and the information residing on them.
UAM: “Each D/A must have the following minimum capabilities to collect user activity data: key stroke monitoring and full application content (e.g., email, chat, data import/export), obtain screen captures and perform file shadowing for all lawful purposes. UAM data must be attributable to a specific user.”
Identifies 5 required capabilities for Insider Threat Programs:
– Prevent the use of unauthorized applications
– Implement standardized access control methodologies (multifactor authentication, Role Based Access Control, restrict Administrator accounts)
– Control and log use of removable media
– Implement Data Loss and Spillage prevention capabilities
– Implement Trusted Network Connections restrictions
[Diagram: US Navy Insider Threat Analytic Hub – Detect – Deter – Mitigate]
Leadership: DUSN(P) – DoN
Oversight: Inspector General (IG)
Enterprise Awareness: Random Polygraph; Anonymous Report/Hotline; Continuous Evaluation; Cyber/Enterprise Audit (EA); Personnel Security; Human Resources; Mirador/IMESA/DBIDS
Data Input: UAM JWICS; UAM SIPR; UAM NIPR; Peer/Supervisor Referrals; Foreign Contact Reporting; Command Security; Foreign Travel Reporting; DITMAC; Legal
Hub process: Triage – Data Aggregation – Analysis – Analytic Finding
Response: NCIS-CI/LE; NCIS/FBI; Personnel Security; Physical Sec./Force Protection; Information Assurance (IA); Other Federal Agencies; ODNI/NITTF/FBI