Published by Ralf Burns. Modified over 9 years ago.
CSIAC is a DoD Information Analysis Center (IAC) sponsored by the Defense Technical Information Center (DTIC)

Presentation to: Insider Threat SOAR Workshop
Dr. Paul B. Paul Losiewicz
Senior Scientific Advisor
Cyber Security and Information Systems Information Analysis Center
15 August 2013

Insider Threat Research and Development

Overview

Technology Increases Risk from Insider Threat
Recent high level R&D Topics
Recent R&D initiatives
Implications and Policy Responses

Technology Increases Risk from Insider Threat

Computing capacity continues to increase while embedded systems proliferate.
  – Operating systems gain efficiency and capability with more sensors and distributed controls linked to other operating systems.
Infrastructure is capital intensive and expensive to operate.
  – Efficient and cost minimizing approaches have great emphasis. SCADA systems have evolved to meet this need.
Combination of greater computing power and reach afforded by linked information systems affords greater span of influence; asymmetric threats increase.
Greater span of control allows fewer personnel to monitor a greater range of control systems – with lower personnel cost.
  – Personnel costs are the highest business costs.
Similar dynamic holds in intellectual property and knowledge management systems.
  – Less expensive cloud storage allows for more information to be available to more collaborative processes by small to mid-size businesses

Recent High Level R&D topics

Critical Infrastructure Security and Resilience (CISR)
  – CSIAC input to Department of Homeland Security (DHS) EO13636/PPD-21 R&D WG
      – Problems of complex system interdependencies must be adequately researched at the basic research level
      – Cross-domain interfaces and influences must be thoroughly understood, represented and modeled at the applied research level
      – Well-defined metrics must be appropriated from, and shared across, multiple domains and CI Sectors, to include Human Systems Interactions
8 Aug - NSA plans to eliminate 90% of Sys Admins using smart networks
  – “Using technology to automate much of the work now done by employees and contractors would make the NSA's networks "more defensible and more secure," as well as faster”
  – “These efforts pre-date Snowden's leaks, the agency has said, but have since been accelerated.”

Recent R&D initiatives

Insider Threat Identification (Network Anomaly Detection)
  – Chief Information Officer/Defense Information Systems Agency (CIO/DISA) CIO_DISA-13-BAA-RIF-0001
  – Demonstrate the ability to analyze trends, patterns and other relevant data to identify insider threats that exist on DoD networks.
SBIR N132-132: Cognitive Modeling for Cyber Defense
  – Develop and validate a computational model of the cognitive processes from cues to actions of the attackers, defenders, and users to create a synthetic experimentation capability to examine, explore, and assess effectiveness of cyber operations.
  – But has NOT yet been extended to Insider Threat profiles

Implications and Policy Responses?

Technologically riskier environments require new solutions
  – New system monitoring, data mining, and anomaly detection methods are being pursued
Risk to Privacy by Big Data Mining and Cognitive Modeling?
  – Congressional and public opinion divided post-Snowden, regardless of recent Administration defense of bulk data collection under Section 215 of the USA Patriot Act
  – Greater transparency vs. improving threat detection a challenge
Cognitive (Smart) Networks development accelerated
  – will require corresponding advances in Secure Hardware and Protocols
  – may require advances in distributed High Performance Computing and Modeling and Simulation for Test and Evaluation before fielding
New anomaly detection and cognitive approaches in Personnel Reliability need investigation
  – E.g. “Is Steganography and Steganalysis useful as a deterrent?”