Insider threat protection is essential for government institutions, and especially for national defense organizations. Because these organizations handle highly classified and sensitive information related to national security, military operations, and intelligence, they are prime targets both for external cyberattacks and for misuse of access from within.
In this article, we reveal the main insider threats in the defense sector and how to spot them. We also give guidelines on building an effective military insider threat program.
The importance of cybersecurity in the military
Defense organizations have complex systems and networks containing lots of sensitive data including state secrets and personal data of employees and service members.
These organizations must continuously enhance their cybersecurity to protect:
- Government secrets
- Communications and information systems
- The personal information of employees and service members.
“Malicious cyber activity targeting the Department of Defense’s (DoD) Defense Industrial Base (DIB) can result in the unauthorized access and release of sensitive US Government data, proprietary information, and intellectual property, as well as the destruction of data, inability to conduct business, denial of services, and physical damage to property.”
Defense Industrial Base Cybersecurity Strategy 2024.
The military sector is vulnerable to both external attacks and internal attacks. However, threats that come from within are more difficult to detect and contain. For this reason, they may cause serious damage, compromising the personal information of citizens, government and military secrets, and more.
To protect sensitive data, organizations should be aware of the main types of insider threats in the defense sector.
Types of insider threats in military cybersecurity
Just like in any other industry, threats in the military often come from people within the organization, including former employees, service members, contractors, or anyone else with access to sensitive data.
There are five distinct types of insider threats in the military sector:
- Sabotage is the act of deliberately destroying, damaging, or obstructing the processes and systems of a defense organization. An insider may decide to engage in sabotage due to a negative work experience, to get revenge, or in response to a work-related conflict.
- Theft in military cybersecurity usually involves stealing intellectual property (software, programs, tools) and sensitive data (government and military secrets, personal information of enlisted individuals and civilian personnel, etc.), typically with the intent to resell information to third parties or demand a ransom.
- Fraud is the act of exploiting sensitive information for one’s own benefit. The two most common motives behind fraud are financial gain and intellectual property theft. Fraudulent activities in the military sector can have serious consequences, including financial losses and compromised national security.
- Espionage refers to a number of practices that malicious actors use to obtain classified information. Foreign powers may engage in cyber spying to gain a strategic advantage by stealing military technology, revealing vulnerabilities, or intercepting strategic plans.
- Negligent insiders are individuals who inadvertently cause serious damage to an organization’s cybersecurity. For example, employees may fall victim to phishing emails or messages, leading to the compromise of sensitive information. In addition, when negligent insiders use weak or easily guessable passwords, attackers can exploit this vulnerability to gain unauthorized systems access.
Insider threats within defense organizations can come in various forms, and all of them pose significant risks to sensitive information and operational integrity. Identifying signs of potential insider threats is crucial for detecting malicious activities.
Signs of potential insider threats
To detect potential insider threats, it’s essential to pay close attention to employee behavior since a combination of personal and workplace issues may provoke a person to perform a malicious action. Here are a few examples of warning signs in employee behavior:
- Working irregular hours
- Changing political or religious views
- Showing interest in information beyond the scope of their duties
- Copying data not related to work
- Becoming more aggressive in communication with colleagues
- Taking trips for unexplained reasons
- Showing signs of disgruntlement
- Extravagant spending
- Breaking or trying to circumvent rules.
The reasons behind this behavior vary. The US Army Cyber Command (ARCYBER), in its factsheet on insider threats, highlights the key factors that motivate employees to perform malicious actions:
- Greed or financial need
- Anger, revenge, or disgruntlement
- Lack of recognition
- Dissatisfaction with the job
- Disagreements within the team
- Pending layoff
- Ideology or identification
- Divided loyalty
- Adventure or thrill
- Drug or alcohol abuse
- Inflated ego
- A desire to win the approval of someone who can benefit from insider information.
The United States Department of Defense (DoD) asks its employees to remain vigilant and pay attention to changes in their colleagues’ behavior. When an employee notices someone struggling, it’s essential to notify the appropriate security or insider threat program staff. These interventions not only prevent severe security incidents but also benefit the personal and professional lives of employees.
Data breaches in the military: examples and consequences
Although military organizations maintain dedicated cybersecurity departments responsible for continuously improving their security, data breaches still happen.
Below, we take a look at some examples of the most significant data security breaches in the US Military.
The Edward Snowden case — Edward Snowden, a contractor working at the National Security Agency (NSA), is responsible for one of the most significant leaks in US history. The motives behind this insider incident remain disputed: Snowden says he leaked the information to expose the true scale of state surveillance, while some sources still suspect him of espionage.
In 2013, Snowden leaked highly classified NSA information, revealing the existence of the PRISM program, previously unknown details of the global surveillance apparatus run by the NSA, the US intelligence community’s top-secret “black budget,” and the existence of the MonsterMind program.
The Reality Winner case — Former Air Force linguist and intelligence contractor Reality Winner was arrested in 2017 on suspicion of providing the news website The Intercept with classified information. Winner had leaked a classified intelligence report about Russian interference in the 2016 US elections.
According to United States Attorney Bobby L. Christine, the leaked report contained sources and methods of intelligence gathering, and its disclosure “caused exceptionally grave damage to US national security.” In 2018, Winner was sentenced to five years and three months in prison as part of a plea deal.
The AutoClerk database leak — In 2019, 179 gigabytes of data were left publicly accessible in an unsecured cloud-hosted database belonging to AutoClerk, a hotel reservations management system. Along with information about civilians’ trips, the travel details of large numbers of US government and military personnel were exposed.
The AutoClerk database leak is an example of how third-party contractors can become insider threats to defense organizations. The exposed data included sensitive personal information including names, birthdays, addresses, phone numbers, and travel details.
Cloud email leak — In February 2023, sensitive US military emails were inadvertently exposed on the Internet. Thousands of messages sent by the Defense Intelligence Agency (DIA) spilled online because a US government email server hosted on Microsoft’s government cloud platform was misconfigured. The misconfiguration allowed anyone who found the server to read the emails without a password.
The spill affected US Special Operations Command (USSOCOM) and other DoD customers of the service. The exposed messages included completed SF-86 security clearance questionnaires, which contain highly sensitive personal information about the applicant and their contacts. The root cause was human error: a misconfiguration left the mailbox server reachable from the Internet with no password protection at all.
Discord leaks — Jack Teixeira, a member of the Massachusetts Air National Guard, was indicted on six counts related to exposing government secrets on Discord. The documents he posted exposed a wide range of US government secrets, including assessments of the war in Ukraine, intelligence collection on US allies, material that caused diplomatic fallout for the White House, and the state of Taiwan’s air defenses. Teixeira pleaded guilty in 2024 and was sentenced to 15 years in prison.
The Teixeira case stands out because he posted highly classified intelligence documents only a short time after the information had been briefed to senior military leaders. He shared them in a small private Discord group; in early 2023, other users reposted the documents outside that group, and by April 2023 they had spread publicly across social media.
The internal investigation found that a “lack of supervision” and a “culture of complacency” enabled Jack Teixeira to expose US military secrets. The Air Force disciplined 15 people for failing to restrict Jack Teixeira’s access to classified systems and facilities.
Each of these data breaches revealed weak points in defense cybersecurity that must be eliminated. A comprehensive insider threat program is essential for identifying, mitigating, and addressing these vulnerabilities effectively. Let’s examine the key DoD insider threat program features.
A look at the DoD insider threat program
According to Army Directive 2013-18 (Army Insider Threat Program), an insider threat program is an integrated departmental effort to manage the risk posed by employees or service members who may represent a threat to national security.
The DoD insider threat program aims to secure critical resources and sensitive data, including the personal information of service members and their families, civilians, and military contractors. The main goals of the program are:
- Ensuring the safety and security of military computer networks
- Facilitating information sharing to recognize and counter insider threats
- Evaluating employees’ security information
- Educating personnel about insider threats and their reporting responsibilities
- Gathering information to establish centralized analysis, reporting, and response capabilities.
Military organizations should put the details of their insider threat protection program in writing so that all employees can read it and understand which actions are allowed and which are not. The information security policies within the program should include best practices that show how to detect, respond to, prevent, and mitigate security incidents.
To ensure your insider threat program is effective, it’s essential to revise it regularly. It should always be updated after security incidents, modifications to your IT infrastructure, or the introduction of new policies.
The National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs require programs to “deter cleared employees from becoming insider threats; detect insiders who pose a risk to classified information; and mitigate the risks through administrative, investigative or other response actions”. The document also sets out minimum standards that an insider threat program must meet, including the following five:
- Gather, integrate, centrally analyze, and respond to critical threat-related information
- Assign personnel to the insider threat program
- Manage personnel access to classified information
- Monitor employees’ use of networks
- Provide personnel with insider threat awareness training
Now let’s take a look at the key steps for developing an insider threat protection program for the military.
1. Plan and research
Before creating a program, organizations need to carry out thorough research and planning.
First, military organizations have to map the laws and requirements they need to comply with, explore recommended programs, and conduct independent research and reviews of cybersecurity in the defense sector. It’s also vital to explore various documents related to insider threats within government and military organizations.
Here are a few essential documents to review during the planning and research stage:
- Federal Information Security Management Act
- Cybersecurity Readiness Review [PDF] prepared at the request of the Secretary of the Navy
- Cybersecurity of NATO’s Space-based Strategic Assets [PDF] by Chatham House
- Assessment of the Military Services’ Insider Threat Programs [PDF] by the Department of Defense
- SECNAV Instruction 5510.37 [PDF] by the Secretary of the Navy
- Framework for Improving Critical Infrastructure Cybersecurity [PDF] by NIST. In March 2024, the DoD released the DIB cybersecurity strategy which strongly recommends following NIST guidelines.
The next step is to analyze cybersecurity incidents caused by insider threats and explore how similar situations could be avoided in the future.
2. Identify potential attack vectors
Although each organization must develop an insider threat protection program tailored to its specific needs, all insider threat programs have some things in common. For instance, every military security program should identify the categories of personnel most likely to pose a threat to the organization’s cybersecurity.
An insider attack is more likely to come from:
- Former employees
- Current employees with a history of violating rules
- Contractors and other third-party vendors that have access to systems and networks
- Privileged users
- New hires and other negligent insiders who lack knowledge about cybersecurity rules.
3. Establish rules to cover key threats
After identifying potential threats, military organizations should establish the relevant measures and procedures to minimize the risk of insider threats:
- Conduct a thorough background check for each employee and contractor
- Manage privileged user accounts
- Block all access for departing employees
- Remove all access for contractors on the last day of collaboration
- Make sure new employees know and understand all cybersecurity rules before providing them with access to critical assets.
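The offboarding rules above (disable departing employees, remove contractor access on the last day) are only as good as the check that verifies they were actually carried out. The following Python script is an added example, not Syteca code and not taken from any DoD document: it reconciles a constructed HR/contract roster against a constructed directory export and reports accounts that remain enabled after the person's end date, logins that happened after that date, and accounts with no roster owner at all. The roster fields, the account list and the dates are assumptions made for illustration.

```python
"""Reconcile an HR/contract roster against active directory accounts to
find access that should already have been removed.

Added example (not Syteca code, not DoD guidance): the roster, the account
export and the field names below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    user_id: str
    kind: str                 # "employee" or "contractor"
    end_date: Optional[date]  # separation or contract end; None = still active


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    last_login: Optional[date]
    privileged: bool


# Constructed sample data: one row per person in the HR/contracts roster.
ROSTER = [
    Person("a.jones", "employee", None),
    Person("b.smith", "employee", date(2024, 5, 31)),     # separated
    Person("c.vendor", "contractor", date(2024, 6, 14)),  # contract ended
    Person("d.lee", "contractor", date(2024, 12, 31)),    # still under contract
]

# Constructed sample data: one row per account in the directory export.
ACCOUNTS = [
    Account("a.jones", True, date(2024, 6, 17), False),
    Account("b.smith", True, date(2024, 6, 3), True),     # enabled and used after separation
    Account("c.vendor", True, None, False),               # enabled, never cleaned up
    Account("d.lee", True, date(2024, 6, 16), False),
    Account("svc-backup", True, date(2023, 1, 2), True),  # no roster entry at all
]


def find_violations(roster: List[Person], accounts: List[Account],
                    today: date) -> List[Tuple[str, str]]:
    """Return (user_id, reason) findings sorted by user_id.

    An account is a finding when it is still enabled after its owner's end
    date (the end date itself is the last day, so it is not yet a finding),
    or when no roster entry exists for it (nobody owns it).
    """
    by_id = {p.user_id: p for p in roster}
    findings = []
    for acct in accounts:
        person = by_id.get(acct.user_id)
        if person is None:
            findings.append((acct.user_id, "no roster entry (orphaned account)"))
            continue
        if not acct.enabled or person.end_date is None or person.end_date >= today:
            continue
        reason = (f"{person.kind} ended {person.end_date.isoformat()} "
                  f"but account still enabled")
        if acct.privileged:
            reason += " (privileged)"
        if acct.last_login and acct.last_login > person.end_date:
            reason += f"; login after end date on {acct.last_login.isoformat()}"
        findings.append((acct.user_id, reason))
    return sorted(findings)


if __name__ == "__main__":
    for user_id, reason in find_violations(ROSTER, ACCOUNTS, date(2024, 6, 18)):
        print(f"{user_id}: {reason}")
```

Run against real data, the roster would come from the HR system of record and the account list from the directory or identity provider; the point of the check is that the two sources are reconciled on a schedule, so an offboarding step that was skipped shows up as a finding rather than as a dormant privileged account discovered during an investigation.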
The DoD calls for additional security measures to be taken in the CIO Memo Compliance Confirmation [PDF]. According to the document, DoD CIOs need to:
- Implement the principle of least privilege. System owners of data repositories must restrict access to classified data based on the need-to-know principle. System owners must also minimize the privileges for software products to execute.
- Provide optimized audit capabilities. System owners must ensure auditing capabilities are activated on systems processing, storing, or transmitting classified information.
- Ensure optimized user activity monitoring (UAM) capabilities. System owners must deploy UAM capabilities, triggers, and analysis on classified endpoints.
Moreover, the DoD Zero Trust Strategy sets a fiscal year 2027 deadline for reaching target-level zero trust across the department.
To comply with these measures, cybersecurity departments will need to deploy effective insider threat management software.
4. Implement cybersecurity software
Monitoring and logging information about user access and actions is one of the best insider threat detection and prevention techniques. Insider threat detection software can provide security officers with the details of who accessed critical assets in the event of a security incident.
Navigating the abundance of military and government cybersecurity solutions available on the market can be overwhelming. The most important features to look for in cybersecurity software for the military are:
- Monitoring and logging functionality to oversee user activity with sensitive assets
- Robust authentication and authorization systems to secure critical data from unauthorized access
- Access management capabilities to grant elevated privileges to sensitive resources only to employees who need them to perform their duties
- Incident response capabilities to instantly notify security officers about security threats
- Third-party monitoring functionality to track how vendors and contractors handle data.
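To make these requirements concrete (the need-to-know restriction and user activity monitoring called for in the CIO memo above, and the monitoring and logging features listed here), the following Python script is an added example; it is not Syteca's detection logic and not a DoD specification. It runs three checks over constructed access-log lines: access to a project outside the user's need-to-know scope, activity outside core hours, and bulk copying within a sliding one-hour window. The log line format, the authorization table, the core hours and the volume threshold are all assumptions made for illustration.

```python
"""Run need-to-know and user-activity checks over access-log lines.

Added example (not Syteca's detection logic, not a DoD specification):
the log format, the authorization table and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed access-log line format: timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) bytes=(?P<bytes>\d+)$"
)

# Assumed need-to-know table: user -> projects the user is cleared to touch.
AUTHORIZED = {
    "a.jones": {"falcon"},
    "b.smith": {"falcon", "raven"},
    "c.vendor": {"raven"},
}

WORK_HOURS = range(7, 19)        # assumed core hours (UTC); outside = "off_hours"
BULK_BYTES = 50 * 1024 * 1024    # assumed: more than 50 MiB copied within the window
BULK_WINDOW = timedelta(hours=1)

# Constructed sample log lines (deliberately not in time order).
SAMPLE_LOG = """\
2024-06-17T09:12:01Z user=a.jones action=read object=/proj/falcon/plan.docx bytes=20480
2024-06-17T09:40:33Z user=b.smith action=read object=/proj/raven/budget.xlsx bytes=40960
2024-06-17T22:41:05Z user=a.jones action=read object=/proj/falcon/plan.docx bytes=20480
2024-06-17T10:05:00Z user=c.vendor action=read object=/proj/falcon/targets.pdf bytes=8192
2024-06-17T13:00:00Z user=b.smith action=copy object=/proj/raven/archive1.zip bytes=31457280
2024-06-17T13:20:00Z user=b.smith action=copy object=/proj/raven/archive2.zip bytes=31457280
2024-06-17T11:00:00Z user=x.ghost action=read object=/proj/raven/notes.txt bytes=100
"""


def parse_line(line: str) -> dict:
    """Parse one log line into a dict; raise on anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
    d["bytes"] = int(d["bytes"])
    return d


def project_of(obj: str) -> Optional[str]:
    """Extract the project name from an object path like /proj/<name>/..."""
    parts = obj.strip("/").split("/")
    return parts[1] if len(parts) > 1 and parts[0] == "proj" else None


def analyze(log_text: str) -> List[Tuple[str, str, str]]:
    """Return sorted (user, rule, detail) findings for the given log text."""
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    findings = set()
    copies = defaultdict(list)  # user -> [(ts, bytes)] of copy/export actions

    for e in events:
        user, ts, proj = e["user"], e["ts"], project_of(e["obj"])
        if user not in AUTHORIZED:
            # An account with no need-to-know entry should never touch project data.
            findings.add((user, "unknown_user", e["obj"]))
            continue
        if proj not in AUTHORIZED[user]:
            findings.add((user, "out_of_scope", e["obj"]))
        if ts.hour not in WORK_HOURS:
            findings.add((user, "off_hours", ts.isoformat()))
        if e["action"] in ("copy", "export"):
            window = copies[user]
            window.append((ts, e["bytes"]))
            # Keep only copies inside the sliding window ending at this event.
            window[:] = [(t, b) for t, b in window if ts - t <= BULK_WINDOW]
            total = sum(b for _, b in window)
            if total > BULK_BYTES:
                findings.add((user, "bulk_copy", f"{total} bytes in {BULK_WINDOW}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, rule, detail in analyze(SAMPLE_LOG):
        print(f"{user:10} {rule:14} {detail}")
```

In practice the thresholds would be derived from each user's or role's own baseline rather than fixed constants, and a rule such as off-hours access is an indicator (compare the behavioral warning signs listed earlier), not proof of wrongdoing: the output is meant to be reviewed by insider threat program staff, with the original log lines retained as the audit trail for any investigation.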
5. Educate employees
Insider threat awareness among employees is crucial.
The Cybersecurity 2023 Legislation calls on government agencies to:
- Implement cybersecurity training
- Set up and follow formal security policies, standards, and practices
- Have incident response plans in place
- Report security incidents.
The more effort goes into educating employees about cybersecurity rules, the lower the chance of unintentional data leaks. Moreover, trained employees are more attentive when handling data and are better able to spot rule violations by their colleagues.
Educating employees usually consists of the following steps:
- Ensuring that every employee is familiar with the policies within the insider threat protection program
- Giving employees the opportunity to ask questions about anything that is unclear
- Providing regular training for employees to inform them about new security measures and procedures
- Testing employee knowledge through formal exams or practical challenges (for example, sending mock phishing emails and seeing how many employees click on them).
Take note that employee training and awareness is listed by the DoD as one of the 10 best practices for a resilient cybersecurity program.
How can Syteca protect the military from insider threats?
Syteca is a comprehensive insider risk management platform that can help military organizations detect suspicious user behavior, prevent unauthorized access, and respond to potential threats coming from within.
User activity monitoring
- Real-time and recorded user sessions give you a clear view of user actions within your critical IT infrastructure. Sessions are recorded in screen capture format accompanied by informative metadata.
- Search for the information you need by setting various parameters within the current session and across all recorded sessions. Export a fragment or an entire monitored user session in a protected forensic format for in-depth investigation.
- Implement third-party vendor monitoring to oversee how contractors, partners, and other remote users with access to your critical endpoints handle sensitive data.
Privileged access management
- Implement the principle of least privilege by granting users granular access to your critical endpoints. Limit the time for which access is granted and manually approve access requests.
- Add an additional layer of protection by verifying user identities with two-factor authentication. Identify users of shared accounts with secondary authentication.
Alerts and incident response
- Receive pre-defined alerts on abnormal user activity or configure custom alert rules to cover other potential insider threat scenarios.
- Use Syteca’s incident response functionality to prevent security incidents by sending warning messages, killing suspicious processes, or instantly blocking users.
- Prevent theft of sensitive information by blocking unapproved USB devices.
Auditing and reporting
- Gain insights into user activity with more than 20 types of reports.
- Investigate security incidents and identify patterns of malicious behavior to prevent further damage to your organization.
- Provide a detailed audit trail of user activity to demonstrate compliance with certain cybersecurity requirements.
Conclusion
Creating and enhancing an insider threat protection program for military organizations is a complex task that requires thorough research, planning, analysis of security incidents, and education for personnel. In addition, organizations need to form the foundation of such a program by deploying dedicated insider threat protection software.
As an effective insider risk management platform, Syteca offers a wide range of features to help military organizations secure sensitive information and mitigate insider threats. By leveraging Syteca’s capabilities, military and defense organizations can enhance their cybersecurity posture, safeguard national security interests, and maintain the integrity of critical operations.