Insider threat. The words conjure up images of a secretive employee loitering at a business after closing time, hoping to catch the right moment to get a peek at confidential information.
Insiders have legitimate and authorized access to an organization’s resources and often tend to have knowledge of the organization’s vulnerabilities as well. Those individuals become an insider threat when they use their legitimate access to do harm to the organization.
The need for an insider threat program in higher education
For higher education institutions that collect data ranging from personal information to highly sensitive research information, an insider threat can cause irreparable harm. While higher ed insider threat programs are not widespread, some colleges and universities have existing insider threat programs that are motivated by a mandate to protect national security.
Over 12,000 facilities, including laboratories and universities, are approved for access to classified information under the National Industrial Security Program. Universities cleared for access to such information hold a Facility Security Clearance (FCL). An FCL is granted when it is determined that a contractor (in this case a higher education institution) needs access to classified information in connection with a governmental contract. Colleges and universities may hold an FCL if they are conducting Department of Defense sponsored research that requires faculty members or researchers to have access to classified data.
The academic community is a top target for foreign intelligence services who seek classified information about U.S. technologies for military or economic advantage. Colleges, universities, and academics are targets for some of the same reasons that the academy is revered: scientific discovery and the collaborative nature of the academic community; education’s openness to hosting foreign scholars; and the openness of many academic information technology networks.
Foreign intelligence services can target U.S. higher education institutions using mechanisms that are commonplace and seemingly legitimate: requests to present research findings at conferences, foreign students and postdoctoral researchers seeking research positions or assistantships, requests seeking thesis assistance, reviews of draft scientific publications, access to U.S. research papers, and requests for assistance with research projects. “An insider threat program helps higher education institutions distinguish the legitimate contacts from the ones that may be suspicious,” says Kathie Sidner, Director of Defense & Military Partnerships at The University of North Carolina System Office.
Uncovering the insider threat
Insider threat incidents fall into a number of different categories, ranging from national security espionage to theft of intellectual property to privacy violations. The insider threat is hard to detect, especially in higher education.
“Often, because of the open, publication-driven culture, people within the academic community may not fully grasp or appreciate the real threat of ‘insiders’ at universities. The idea of foreign intelligence services targeting university faculty and students just feels so abstract or far-removed from the campus setting. Especially when most of the case studies center around a disgruntled or blackmailed government or private contractor employee,” says Kathie Sidner. “But, just like government and industry, there are individuals in higher education with access to sensitive information (whether classified or not) who are vulnerable to coercion or may intentionally or unintentionally expose information that can negatively impact national security,” Sidner says.
Some possible indicators of insider threat that colleges and universities might look for in their insider threat programs include:
- Unreported or frequent foreign travel; attempts to conceal foreign travel
- Sudden unexplained wealth, sudden repayment of large debt or loan
- Repeated security violations, such as unauthorized downloads or copying of files, keeping classified assets at home or any other unauthorized place, or discussing classified research or related information in public
- Exhibiting disgruntled or agitated behavior
- Making anti-U.S. comments or expressing anti-U.S. ideology
Insider threats aren’t always intentionally malicious. The 2018 Cost of Insider Threats: Global report found that well over half (64%) of insider threat incidents are committed by a careless or negligent employee or contractor.
Insider threat program elements
Cleared contractors, like colleges and universities with an FCL, are required to establish insider threat programs to help identify situations where an insider may put the security of the U.S. at risk by unwittingly creating vulnerabilities for others to exploit, or by being a willing or coerced participant in espionage. The requirements for these insider threat programs are specified in the National Industrial Security Program Operating Manual (NISPOM). The NISPOM requires institutions to:
- Designate an insider threat program senior official to oversee the institution’s insider threat program;
- Establish an insider threat program and identify insider threat program personnel to run the program;
- Provide insider threat training for insider threat program personnel and for cleared employees;
- Detect and mitigate the impact of insiders who pose a risk to classified information;
- Monitor classified network activity; and
- Conduct self-inspections of the institution’s insider threat program.
Failure to implement an insider threat program as mandated can lead to loss of an institution’s FCL, being barred from bidding on federal contracts, and fines or lawsuits.
Building an insider threat program
Insider threat programs can extend beyond protecting classified information. Higher ed institutions can build them to protect sensitive campus data, like research data or personally identifiable data, from compromise by an insider threat. To get started with building an insider threat program, higher education institutions can turn to the NISPOM for high level guidance on the most important program elements:
- Identifying a campus official or officials to run the program
- Creating processes and procedures to help detect and mitigate the impact of insiders who pose a risk to institutional data and resources
- Providing training to campus employees to help them identify and report suspected insider threats
Institutions wanting to establish an insider threat program should start by forming an institutional working group. The group’s institutional members should have positions that give them the necessary expertise to help inform the design of the program, facilitate access to needed information during insider threat investigations, and provide ongoing guidance for program activities. These same leaders can also help the institution ensure that any administrative, legal, privacy, civil rights, and civil liberties issues are appropriately identified and addressed within the institution’s insider threat program.
While external threats often grab the headlines, insider threats can be just as harmful to an institution’s resources and reputation. Campus programs are a strong step toward identifying and mitigating the higher education insider threat.
This post was authored by Senior Consultant Joanna Lyn Grama, JD, CISSP, who advises clients on information security policy, compliance, governance and data privacy issues. Portions of the content in this blog were first published in EdScoop on July 29, 2019.