
    New DCSA Director Focuses on Future Capabilities at Insider Threat Analyst Forum

    Photo By Christopher Gillis | Defense Counterintelligence and Security Agency (DCSA) Director David Cattler...



    Story by John Joyce 

    Defense Counterintelligence and Security Agency

    ARLINGTON, Va. – Defense Counterintelligence and Security Agency (DCSA) Director David Cattler challenged 160 insider threat professionals to describe their vision of Department of Defense (DOD) insider threat capabilities as he kicked off the "Insider Threat Analyst Forum" on April 8.

    “Let's chart our course today,” said Cattler, responding to his challenge regarding the future of DCSA and its oversight of the DOD Insider Threat Management and Analysis Center (DITMAC).

    He then shared his vision: emerging technologies, including mining and analyzing data with AI and machine learning, will significantly impact the prevention and mitigation of future insider threats to national security.

    “Think about 2040 – what does that future look like,” Cattler inquired in his first speaking engagement since assuming responsibility as the agency’s new director on March 24. “Where will we be?”

    The former assistant secretary general for intelligence and security at NATO asked deeper questions while inspiring attendees representing more than 30 DOD insider threat components, ranging from intelligence community elements to military services and combatant commands.

    “What opportunities and challenges will there be,” he asked participants at the two-day inaugural event. Cattler continued with inquiries about DITMAC’s future: What new data sources will be available to perform most roles? How can that data best be exploited? How will our work change as a result of that environment, the data, and new tools?

    “We had to separate the wheat from the chaff or find a needle in a haystack,” Cattler explained regarding data analysis in times past. “The problem today is that all of the data is useful. So much of it is so good, that you have a harder time trying to pick out which pieces are the most important and which pieces in that haystack of needles are the most useful to help you solve the problem you're dealing with. That's where we need to get you better technology and as computing technology – especially AI – becomes better developed, we should be able to better exploit these data sources to improve our mission, performance and outcomes.”

    Data analysis is one of myriad tools DITMAC uses to identify, assess, and mitigate risk from insiders, to oversee and manage unauthorized disclosures, and to integrate, manage, mature, and professionalize insider threat capabilities.

    Insider Threat analysts look for insights and data to understand what risk factors are present and what mitigation options can be considered from a threat management perspective. They work to contextualize reports received from DOD component Insider Threat hubs by identifying any predispositions, stressors, patterns of behavior, or additional concerning behaviors that may be present in an individual.

    Cattler referred to a specific case reported to DITMAC by a DOD Insider Threat Component about an individual whose behavior met insider risk criteria under several DITMAC reporting thresholds.

    “All of the employee’s behaviors and incidents add up to what most analysts would say is a pattern. And the pattern is disturbing but the good news is that this case is an example of collaboration and information sharing at its best,” he recounted. “Based on a notification from a force protection referral to an insider threat hub and subsequent submission to our DITMAC team, the insider threat was mitigated. Connecting the dots across DOD and with our federal partners is the key to success.”

    This highly collaborative approach is necessary to holistically address the risks associated with an insider threat.

    “That's just one recent great example of this community represented here today coming together in action,” said Cattler. “When people see something and say something and consequently, when we do something together in a timely fashion, there's a greater chance that we can mitigate risks early and protect our national security.”

    The process begins as DOD Insider Threat components report cases to DITMAC if an individual's behavior meets the criteria under one or more reporting thresholds. DITMAC's case management system enables information sharing across the insider threat enterprise. DITMAC analyzes the reported incident and provides recommendations for mitigation. At that point, insider threat component hubs implement mitigation recommendations that DITMAC oversees to final resolution.

    “Early identification of these risks and enabling mitigating action is vital to security and safety,” Cattler emphasized. “You've got a vital mission to protect our information systems, facilities and people. You could be preventing real violence that could lead to people being hurt or killed.”

    From initial report to resolution, DITMAC’s parallel and complementary role with DOD components in the handling of specific incidents is vital to early mitigation of insider risks. The role features DCSA analytic experts who evaluate relevant insider threat data; generate findings and risk assessments; and provide recommendations for components to mitigate the insider threat. Components submit insider threat matters to DITMAC when incidents meet specific reporting thresholds.

    There are 13 DITMAC reporting thresholds: serious threat; allegiance to the United States; espionage and foreign consideration; personal conduct; behavioral considerations; criminal conduct; unauthorized disclosure; unexplained personal disappearance; handling protected information; misuse of information technology; terrorism; criminal affiliation; and adverse clearance actions.

    “Insider threat is a team sport and I recognize the critical role that we all play in building trust through our partnership – each and every day – while ensuring national security and helping to keep people safe,” said Cattler. “Our insider threat program can enable us to detect a potential threat, intervene early, and to get the individual help they might need. The example I described resulted in the removal of that individual, but there are a number of examples resulting in people getting help and reestablishing trust relationships with the government. This makes DITMAC an incredibly strong partner and force-multiplier for many leaders across the total force.”

    DCSA’s posture to help mitigate risks from trusted insiders across the DOD enterprise starts with the agency’s Personnel Security mission, which includes Background Investigations and the Continuous Vetting service.

    “We also have a team here from our Adjudication and Vetting Services or AVS. Ask them good and really hard questions about that process,” Cattler suggested to participants. “The vetting world and insider threat are closely tied together, and they really do need to hear from you - they need that information.”

    This risk mitigation process concludes with adjudicators at AVS who determine security clearance eligibility of non-intelligence agency DOD personnel occupying sensitive positions or requiring access to classified material including sensitive compartmented information.

    Among those in attendance were Prevention, Assistance and Response (PAR) coordinators, who use a multidisciplinary approach, collaborating with trained professionals, integrated prevention experts, and key stakeholders to develop tailored risk assessments and mitigation strategies while leading PAR programs at joint bases or regions and service-specific military installations.

    As they provide assistance, PAR coordinators work closely with functional experts resident on the installations to ensure military and civilian leaders have the information necessary to assess and manage risk. The ultimate goal is to provide an individual the appropriate resources, such as financial planning, marriage counseling or employee assistance programs, to mitigate future risk of a violent or destructive act.

    Experts from DITMAC’s Behavioral Threat Analysis Center (BTAC) also participated and presented briefs, including a presentation called ‘Understanding Risk with Suicide and Domestic Violence.’ The multidisciplinary team is impacting DOD with case-specific recommended mitigation strategies for insider threats in behavioral science, threat management, cyber, counterintelligence, law enforcement and human resources.

    Their influence began sweeping across DOD when BTAC was formed as an emerging capability in fiscal year 2023 following the Countering Extremism Activities Working Group recommendations directed by the Secretary of Defense. The new mission area is integral to supporting DITMAC’s ability to mitigate emerging and evolving insider threats by leveraging its expanded and new capabilities.

    DITMAC’s key programs include an Analysis and Mitigation capability to consolidate and share information necessary to identify potential insider threats, develop a holistic picture of risk posed by insiders, and coordinate actions to mitigate risk across DOD. The Mission Integration Office supports enterprise User Activity Monitoring efforts and integrates Publicly Available Information into insider threat analytic products to contextualize risk.

    A breakout session at the event involved a discussion with DCSA Security Training and the agency’s Center for Development of Security Excellence (CDSE) on Insider Threat Analyst Training Needs Analysis.

    CDSE is the premier provider of security training, education, and certification for DOD, federal government, and cleared contractors under the National Industrial Security Program. CDSE provides development, delivery, and exchange of security knowledge to ensure a high-performing workforce capable of addressing the nation's security challenges.

    “Our training team helps to set and implement standards for important security related credentials to ensure that our teams are properly trained and ready for their work no matter which organization they serve,” said Cattler. “Looking to the future I consider that our current DCSA strategy is good to enable a sustained high performance. However, we've got to take advantage of these new computing capabilities so that we can keep the humans involved with the things that we need to do while cued by the computer. It means that the computer will tell you where there are anomalies; to go through the very large quantities of data that we have, and tell you what it thinks it sees that does not quite make sense. Then you can intervene, take a look at it, and help the system – whether it be Insider Threat program, AVS, or other mission partners. Take the cue that could be based on a computer tip and see what it leads to.”



    Date Taken: 04.15.2024
    Date Posted: 04.15.2024 15:21
    Story ID: 468582
    Location: VA, US
