Understanding the Insider Threat: Proceedings of a March 2004 Workshop

Abstract: A major research thrust of the Advanced Research and Development Activity (ARDA) of the U.S. intelligence community (IC) involves information assurance (IA). Perhaps the greatest threat that IA activities within the IC must address is the "insider threat": malevolent (or possibly inadvertent) actions by an already trusted person with access to sensitive information and information systems. This unclassified workshop, held March 24, 2004, focused on the insider threat and possible indicators and warnings, observables, and actions to mitigate that threat. The ARDA researchers participating gave special attention to the activities, processes, and systems used within the intelligence community. A combination of plenary and breakout sessions discussed various aspects of the problem, including IC system models, vulnerabilities and exploits, attacker models, and characterization of events associated with an insider attack. A set of presentations by members of the IC and its contractors on Intelink (Appendix G) and such research activities as the development of "Glass Box" software (see Appendix H) and ARDA's "Novel Intelligence from Massive Data" (NIMD) research program (Appendix I) aided the workshop discussions. The present workshop built upon the availability of materials generated in an earlier workshop focused on the insider threat (Appendix F). Several overall themes emerged from these deliberations, discussed below under the headings of "Research Questions and Challenges" and "Databases Needed" (by researchers).