News | Sept. 27, 2018

Analysis center experts share ‘insider’ information on threats

By Dianne Ryder DLA Public Affairs

As part of National Preparedness Month, Department of Defense Insider Threat Management and Analysis Center Deputy Director Delice Bernhard and Senior Behavioral Advisor Robert Gallagher spoke to employees about the critical path to insider threat risk, Sept. 18 at the McNamara Headquarters Complex.

DITMAC provides enterprise-level consolidation and information sharing to identify potential insider threats and coordinates actions to mitigate those risks across the Department of Defense.

“Their role is critical in reducing threats we face from trusted insiders,” Defense Logistics Agency Chief of Staff Kristin French said in her opening remarks. “They’re an integral part of our DLA insider threat program office.”

French cited shootings at government facilities as well as employees who have knowingly leaked classified and sensitive information to the public as tragedies that might have been averted if the perpetrator’s peers and supervisors had reported warning signs.

“They’ve highlighted a need for us to have a coordinated, DoD-wide counter-insider threat effort, and it’s critical that we take a look at things like espionage, unauthorized disclosure, workplace violence, shootings and system sabotage,” she said.

Bernhard said DITMAC was established in 2014 as a result of lessons from the shooting at the Washington (D.C.) Navy Yard five years ago. The undersecretary of defense for intelligence assigned the DITMAC mission to the Defense Security Service.

“We have a working partnership with the individual programs to ensure they have all the available information that we have access to or that other components may have on an individual, so everyone can make informed decisions,” Bernhard said.

DITMAC developed thresholds to facilitate component reporting of information on potential threats and helps components mitigate or resolve insider threats.

Gallagher explained critical-path modeling, represented by a pyramid of indicators and concerning behaviors that could point to a potential insider threat.

“It’s a simplistic way of taking a very complex thing and seeing it move down a pathway to a critical point,” he said.

Indicators of a potential insider threat include: destructive influences, questionable affiliations, multiple rule violations, problems with authority, personality and social deficits or even difficulties in decision-making, Gallagher said.

“This is by no means a comprehensive list; you could have thousands of things impact how we move down this pathway,” he said. “[It] doesn’t mean you’re an insider threat, it just means that you have some of the predispositions.”

Gallagher said many people successfully manage these so they don’t result in dangerous manifestations, but others don’t. Individuals can be influenced by stressors like psychological problems, personal tragedies, divorce, financial troubles, addictions and professional frustrations.

“People have some of those personal predispositions and life starts to happen to them; it isn’t a great mix,” he said. “People start to act out and that’s where you start to see the next stage, concerning behaviors.”

Gallagher said these behaviors often involve verbal threats, altercations, social network issues, personnel challenges, a disregard for cybersecurity rules and suspicious travel.

“What the organization does at this point is critical to determining whether a person moves on to the final stage or not,” he explained, offering two equally problematic courses of action an employer might take: “Inattention, where the organization does very little about it, or this draconian kind of response, where the organization immediately fires them.”

Both methods can cause harm; inattention imposes no consequences on the perpetrator, and immediate firing and removal of security clearance can render the individual a threat.

“[If] you immediately do something very dramatic, you take someone who’s troubled and make them troubling,” he said. “Maybe from an organizational perspective, you’ve limited your risk, but maybe you haven’t. That person may decide to come back and ‘reap some justice.’”

In his role as a behavioral advisor, Gallagher noted that he and DITMAC attempt to recommend a responsible approach to those who are beginning to display concerning behaviors.

Gallagher also addressed how organizations can instruct new employees about workforce culture and rules.

“If we’ve done a good job of onboarding you, teaching you about the organization you’re part of and letting you know what resources exist, you’re going to embrace the security culture and you’re going to accept personal responsibility,” he said.

Providing social support through resources like the Employee Assistance Program is part of being proactive, Gallagher said.

“This is not about turning someone in or catching them doing something bad; it’s about helping,” he said. “If you’re thoughtful and human about it, you can make a huge difference in someone’s life.”

When an individual displays concerning behaviors and begins to act out, an active approach is required, but the consequence should match the level of action, Gallagher said. 

Gallagher and Bernhard took questions from the audience and reviewed the insider threat case study of the Washington Navy Yard shooter.

Employees can contact dlacounterintelligence@dla.mil for more information.