I have heard many times over the years the comment from government and corporate leaders that insider threat programs are too hard to implement, too expensive, too troublesome, and require too much time and too many resources. Wherever I've turned, someone in a position of power has been there saying it's "too something" when confronted with the very real risk that insider threats pose.
On the U.S. government side, some requirements were unfunded mandates. Since they were unfunded, leaders were forced to decide from which other equally important initiative budget would be stolen to cover their insider threat obligations. Budget managers and resource planners were very vocal, saying: "There isn't enough time or budget for it this year."
There were also times when civil liberties, privacy or other legal objections were louder than the voices supporting creation of the programs. Arguments arose about where to place the program and who would have overall control of it. The number and variety of obstacles to overcome were seemingly endless and insurmountable.
Overall, I understand some of the objections and excuses, but making decisions to postpone or defer to a later date also came with unexpected results.
Unintended consequences
"The law of unintended consequences, often cited but rarely defined, is that actions of people — and especially of government — always have effects that are unanticipated or unintended."
— Rob Norton
, The Concise Encyclopedia of EconomicsThis concept is especially germane in light of the recent 231-page report by the Oversight and Government Reform Committee’s Republican majority regarding the OPM data breach. The report states that federal agencies must adopt a Zero Trust Model in defending critical data. This "zero trust" idea is centered on the concept that users inside a network are no more trustworthy than users outside the network.
That is a powerful statement. I’m an insider at my company and I don’t consider myself to be on the level with others outside my organization. On the surface, it’s almost insulting!
On the other hand, because so few organizations have taken action, something needs to happen to motivate them. No matter what side of the aisle you’re on politically, this statement has far-reaching effects. It also serves to highlight another line from the article on unintended consequences, stating: "Most often, however, the law of unintended consequences illuminates the perverse unanticipated effects of legislation and regulation."
Sloppy policing
Decades ago, I was a street cop in San Jose, California. Like every other rookie officer, I made mistakes while I was learning my craft. I desperately hoped I learned from those mistakes to become a better officer. I had as a mentor a wonderful sergeant who taught me much about human nature relating to police work. One of the things I vividly remember is his advice that "poor police work creates poor laws."
In other words, by being sloppy or disregarding proper procedures, you will end up needing to defend yourself in court. Your work will be challenged and quite possibly overturned. That is the expected consequence of poor police work.
The unintended effects, however, are much more powerful and troubling. As we’ve seen very recently, bad decisions made by a few officers across the country are shining an uncomfortable and unfortunate light on the actions of every man and woman in uniform. Lawmakers and the courts are now being prompted to address the mistakes of these officers, possibly leading to laws and regulations that will make the jobs of every officer harder when they pass.
My sergeant was absolutely correct when he taught me that doing my job right would have a positive and equally far-reaching impact.
Living with our decisions
Let me bring this back to today’s problem. For years, insider threat programs have been necessary, and for just as long, organizations have hesitated and postponed their implementation. In the OPM case, it appears that poor insider-threat work has led to congressional and perhaps legal intervention.
OPM had the opportunity to design, build and run programs according to its needs and requirements. Its inaction to do so has the unintended consequence of the Congressional Oversight Committee telling us what we should be doing, making implementation of insider threat programs for U.S. government agencies much harder to accomplish.
When considering the law of unintended consequences in developing and deploying insider threat programs, remember that inaction or a slow response can ultimately end with a lawmaker, politician or other nonexpert telling you, the professional, how to prevent insiders from causing harm. You may not like what they tell you. To paraphrase my mentor: bad insider-threat work creates poor laws.
Hopefully everyone learns the lesson provided by this scenario — we can’t afford any more mistakes.
Keith Lowry is the senior vice president of Nuix USG and Nuix's Business Threat Intelligence and Analysis division
. He served as chief of staff to the deputy under secretary of defense for human intelligence, counterintelligence and security at the Pentagon, and as an information security consultant in the private sector.