Insider Threat Research and Development
Presentation to: Insider Threat SOAR Workshop
Dr. Paul B. Losiewicz, Senior Scientific Advisor, Cyber Security and Information Systems Information Analysis Center (CSIAC)
15 August 2013
Overview
• Technology Increases Risk from Insider Threat
• Recent high-level R&D topics
• Recent R&D initiatives
• Implications and Policy Responses
Technology Increases Risk from Insider Threat
• Computing capacity continues to increase while embedded systems proliferate.
• Operational systems gain efficiency and capability through more sensors and distributed controls, which are in turn linked to other systems.
• Infrastructure is capital intensive and expensive to operate, so efficient, cost-minimizing approaches receive great emphasis. SCADA systems have evolved to meet this need.
• The combination of greater computing power and the reach afforded by linked information systems gives a single actor a greater span of influence; asymmetric threats increase accordingly.
• Greater span of control allows fewer personnel to monitor a wider range of control systems at lower personnel cost, and personnel costs are typically an organization's largest operating expense. The same economics that make one operator more productive make one malicious or careless operator more damaging.
• A similar dynamic holds for intellectual property and knowledge management systems: inexpensive cloud storage lets small and mid-size businesses expose more information to more collaborative processes, widening the population of trusted insiders with access.
Recent High-Level R&D Topics
• Critical Infrastructure Security and Resilience (CISR)
• CSIAC input to the Department of Homeland Security (DHS) EO 13636/PPD-21 R&D Working Group:
• Problems of complex system interdependencies must be adequately researched at the basic research level.
• Cross-domain interfaces and influences must be thoroughly understood, represented and modeled at the applied research level.
• Well-defined metrics must be appropriated from, and shared across, multiple domains and critical infrastructure sectors, to include Human Systems Interactions.
• 8 Aug 2013: NSA plans to eliminate 90% of its system administrators using "smart" (automated) networks.
• "Using technology to automate much of the work now done by employees and contractors would make the NSA's networks 'more defensible and more secure,' as well as faster."
• "These efforts pre-date Snowden's leaks, the agency has said, but have since been accelerated."
• Note the trade-off: fewer privileged humans shrinks the insider population, but concentrates trust in the automation and in the smaller set of people who administer it.
Recent R&D Initiatives
• Insider Threat Identification (Network Anomaly Detection)
• Chief Information Officer/Defense Information Systems Agency (CIO/DISA) BAA CIO_DISA-13-BAA-RIF-0001: demonstrate the ability to analyze trends, patterns and other relevant data to identify insider threats that exist on DoD networks.
• SBIR N132-132: Cognitive Modeling for Cyber Defense: develop and validate a computational model of the cognitive processes, from cues to actions, of attackers, defenders, and users, to create a synthetic experimentation capability to examine, explore, and assess the effectiveness of cyber operations.
• But this has NOT yet been extended to insider threat profiles.
Implications and Policy Responses?
• Technologically riskier environments require new solutions.
• New system monitoring, data mining, and anomaly detection methods are being pursued.
• Risk to privacy from big-data mining and cognitive modeling?
• Congressional and public opinion are divided post-Snowden, regardless of the Administration's recent defense of bulk data collection under Section 215 of the USA PATRIOT Act.
• Balancing greater transparency against improved threat detection is a challenge.
• Cognitive (smart) network development has been accelerated:
• it will require corresponding advances in secure hardware and protocols;
• it may require advances in distributed high-performance computing and in modeling and simulation for test and evaluation before fielding.
• New anomaly detection and cognitive approaches to personnel reliability need investigation.
• E.g., "Are steganography and steganalysis useful as a deterrent?"
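The "analyze trends and patterns to identify insider threats" capability named in the CIO/DISA BAA, and the anomaly-detection methods the last slide says are being pursued, in their simplest working form: each user is compared against their own historical baseline rather than against a content signature. This is an added example, not code from the presentation, from CSIAC, or from any CIO/DISA or SBIR effort. The log format (one "timestamp user action bytes" event per line), the sample lines, the cutoff date, the z-score threshold and the working-hours window are all constructed assumptions.

```python
"""Baseline-and-deviation anomaly detection over per-user activity logs.

Added example, not part of the original slides. Assumed log format:
one event per line, "ISO-timestamp user action bytes". Sample data below
is constructed: five days of normal activity for two users, then a sixth
day on which "bob" pulls far more than usual, at 02:00 local time.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2013-08-05T09:12:00 alice download 120000
2013-08-05T14:30:00 alice download 95000
2013-08-05T10:05:00 bob download 40000
2013-08-06T09:40:00 alice download 110000
2013-08-06T15:10:00 alice download 90000
2013-08-06T11:25:00 bob download 45000
2013-08-07T09:05:00 alice download 130000
2013-08-07T13:45:00 alice download 100000
2013-08-07T10:50:00 bob download 38000
2013-08-08T09:30:00 alice download 115000
2013-08-08T16:00:00 alice download 98000
2013-08-08T11:00:00 bob download 42000
2013-08-09T09:15:00 alice download 125000
2013-08-09T14:05:00 alice download 92000
2013-08-09T10:20:00 bob download 41000
2013-08-10T02:15:00 bob download 2500000
2013-08-10T02:40:00 bob download 1800000
2013-08-10T09:20:00 alice download 118000
"""


def parse_log(text):
    """Parse the assumed 'timestamp user action bytes' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(nbytes)))
    return events


def daily_volume(events):
    """Sum bytes per user per calendar day: {user: {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, _action, nbytes in events:
        totals[user][ts.date().isoformat()] += nbytes
    return totals


def detect_anomalies(text, cutoff, z_threshold=3.0, work_hours=(7, 19)):
    """Flag user-days on/after `cutoff` that deviate from that user's own
    pre-cutoff baseline: daily volume more than z_threshold standard
    deviations above the user's mean, or off-hours activity from a user
    whose baseline contains no off-hours events at all."""
    events = parse_log(text)
    cutoff_date = datetime.fromisoformat(cutoff).date()
    train = [e for e in events if e[0].date() < cutoff_date]
    score = [e for e in events if e[0].date() >= cutoff_date]

    train_vol = daily_volume(train)
    score_vol = daily_volume(score)

    def off_hours(e):
        return not (work_hours[0] <= e[0].hour < work_hours[1])

    train_off = defaultdict(int)            # user -> off-hours events in baseline
    for e in train:
        if off_hours(e):
            train_off[e[1]] += 1
    score_off = defaultdict(lambda: defaultdict(int))  # user -> day -> count
    for e in score:
        if off_hours(e):
            score_off[e[1]][e[0].date().isoformat()] += 1

    findings = []
    for user, days in score_vol.items():
        history = list(train_vol.get(user, {}).values())
        if not history:
            continue  # no personal baseline: needs a peer-group comparison instead
        mu, sigma = mean(history), pstdev(history)
        for day, total in sorted(days.items()):
            reasons = []
            if sigma > 0:
                z = (total - mu) / sigma
            else:  # flat history: any increase is infinitely surprising
                z = float("inf") if total > mu else 0.0
            if z > z_threshold:
                reasons.append("volume")
            n_off = score_off[user][day]
            if n_off and train_off[user] == 0:
                reasons.append("off_hours")
            if reasons:
                findings.append({"user": user, "date": day, "bytes": total,
                                 "z": round(z, 1), "off_hours_events": n_off,
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_LOG, cutoff="2013-08-10"):
        print(f)
```

Two design points bear on the privacy question the last slide raises. The detector only ever sees per-user aggregates (bytes per day, event timestamps), never file contents, so it can be run by a monitoring team without content-level access; and a user with no baseline is deliberately left unscored rather than compared to the population, because the false-positive rate of a self-baseline is controlled by the threshold, whereas a peer-group baseline needs role information the log does not carry.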