Insider Threat Task Force focuses on disinformation, remote work
Martin Matishak September 7, 2022

A U.S. intelligence community task force is highlighting the range of digital dangers that can expose federal agencies to insider threats due to the ongoing COVID-19 pandemic and quickly multiplying online risks.

Last week the National Insider Threat Task Force (NITTF) kicked off its latest annual, month-long program meant to emphasize, and hopefully negate, potential paths that could lead an employee to act against their organization, either through espionage and intellectual property theft or workplace violence and extremism.

The government group was created by a 2011 executive order to sharpen the hunt for security risks among federal employees and contractors after Chelsea Manning’s mass leaking of military and diplomatic secrets.

Yet federal agencies still struggle with the issue, especially in the cybersecurity realm. Most famously, Edward Snowden released troves of the National Security Agency’s most sensitive secrets. And just months ago, Joshua Schulte, a former Central Intelligence Agency software engineer, was convicted by a federal jury for causing the largest theft of classified information in the agency’s history.

Digital security was picked to be this year’s focus thanks to a “confluence of a lot of things,” including the pandemic that drove much of the vast workforce online, according to Rebecca Morgan, deputy director of the NITTF, which is housed within the National Counterintelligence and Security Center.

“There’s always been remote work. But it wasn’t on a scale that it was [before], and it was actually engaged in by more digital natives” that worked from home, she told The Record during a phone interview on Tuesday.

Another trend that drove the team’s decision was the rise in recent years of misinformation, disinformation and foreign malign influence campaigns, “which have come from a variety of adversaries and really increase the inherent vulnerability for insiders,” said Morgan.

Employees “without realizing it, can make decisions based on faulty information… They can see their work environment becomes filled with distrust and divisiveness,” according to Morgan, noting Russia, China and North Korea are the top nation-state perpetrators of such falsehoods.

For instance, task force officials witnessed an “increase” in phony social media profiles created by Pyongyang’s operatives to target research and academia to either undermine, or outright steal, emerging critical technologies, said Morgan.

She added that domestic hackers, commercial competitors and other foreign powers also spread unfounded claims. That’s why a major thrust of the latest effort is to build media and digital literacy so that people understand the source of the information and can challenge their own biases.

On the positive side, she said, the government has undergone “a real improvement in our cyber defenses,” including movement toward the implementation of zero-trust architecture within entities.

Morgan conceded many of the online campaigns deployed to compromise individuals — such as phishing attacks and social engineering — are “not exactly new” but argued a spotlight should be put on them because “sometimes we pivot a little bit too frequently and we assume that other people are squared away on understanding the threat and what to do about it.”

She noted that at the federal level, all agencies required by the 2011 executive order to create an insider threat program have done so. Of those, 95 percent have achieved full operational capability and most have moved beyond minimum requirements and are now entering into maturity models.

“For me, successful programs are those that really take that proactive, preventative strategy and mitigate risk,” Morgan told The Record. “What do they say? An ounce of prevention is a pound of cure.”

Martin is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.