1 00:00:00,124 --> 00:00:02,791 (upbeat music) 2 00:00:19,060 --> 00:00:20,390 - [Narrator] Insider Threat Programs 3 00:00:20,390 --> 00:00:22,350 are multidisciplinary in nature, 4 00:00:22,350 --> 00:00:25,660 and designed it to evaluate the entirety of the situation, 5 00:00:25,660 --> 00:00:29,290 and can often put reported indicators in context. 6 00:00:29,290 --> 00:00:31,440 They treat each matter individually, 7 00:00:31,440 --> 00:00:35,410 with utmost respect for privacy and civil liberties. 8 00:00:35,410 --> 00:00:38,410 Mitigation response options often include solutions 9 00:00:38,410 --> 00:00:40,913 that provide help and resources for those in need. 10 00:00:43,420 --> 00:00:45,840 - Okay, as you know, from our meeting yesterday, 11 00:00:45,840 --> 00:00:48,310 we received a number of separate reports 12 00:00:48,310 --> 00:00:50,360 of potential risk indicators. 13 00:00:50,360 --> 00:00:53,360 When we last met, each of you agreed to gather 14 00:00:53,360 --> 00:00:55,460 and analyze additional information, 15 00:00:55,460 --> 00:00:57,970 so that we can determine the best course of action. 16 00:00:57,970 --> 00:00:59,710 Thanks to all of you for your quick turnaround 17 00:00:59,710 --> 00:01:00,960 and checking into these matters. 18 00:01:00,960 --> 00:01:02,120 I know that we've all been 19 00:01:02,120 --> 00:01:04,430 burning the midnight oil on this one. 20 00:01:04,430 --> 00:01:08,050 For today's meeting, I have asked Mark King to join us. 21 00:01:08,050 --> 00:01:10,820 He's the first line supervisor of the individuals 22 00:01:10,820 --> 00:01:12,430 that we'll be discussing today. 23 00:01:12,430 --> 00:01:13,753 Thanks for coming in Mark. 24 00:01:14,690 --> 00:01:16,720 Since this is Mark's first meeting 25 00:01:16,720 --> 00:01:18,940 with the Insider Threat Program Hub Team, 26 00:01:18,940 --> 00:01:20,640 why don't we all go around the table 27 00:01:20,640 --> 00:01:22,653 and introduce ourselves? Linda. 28 00:01:23,760 --> 00:01:26,140 - I'm Linda with HR. 29 00:01:26,140 --> 00:01:28,400 - Sergeant Jackson, Counterintelligence. 30 00:01:28,400 --> 00:01:30,130 - I'm John from Security. 31 00:01:30,130 --> 00:01:31,407 - Ilana, legal. 32 00:01:33,816 --> 00:01:35,440 - Stacy, IT. 33 00:01:35,440 --> 00:01:36,863 - Rob, Behavioral Scientist. 34 00:01:37,900 --> 00:01:40,470 - All right, guys, let's start with Tim. 35 00:01:40,470 --> 00:01:43,930 In his case, two coworkers reported behavior and activity 36 00:01:43,930 --> 00:01:45,590 that seemed concerning. 37 00:01:45,590 --> 00:01:46,860 In the last couple of weeks, 38 00:01:46,860 --> 00:01:48,780 Tim has been seen late at the office, 39 00:01:48,780 --> 00:01:51,080 which is out of the ordinary for him. 40 00:01:51,080 --> 00:01:53,963 He's always arrived early, and left early. 41 00:01:55,010 --> 00:01:57,370 He's been working long hours of overtime. 42 00:01:57,370 --> 00:02:00,180 He's been printing out large volumes of information, 43 00:02:00,180 --> 00:02:02,180 and leaving the building with it. 44 00:02:02,180 --> 00:02:04,710 He was overheard talking in whispered conversation 45 00:02:04,710 --> 00:02:06,510 with someone in a stressed voice. 46 00:02:06,510 --> 00:02:09,850 Subsequently, he made some very expensive purchases. 47 00:02:09,850 --> 00:02:13,060 He was planning to leave town, and he apparently 48 00:02:13,060 --> 00:02:15,930 was under some stress in his personal life. 49 00:02:15,930 --> 00:02:18,010 So did anyone come up with information 50 00:02:18,010 --> 00:02:20,660 that might potentially explain Tim's activities, 51 00:02:20,660 --> 00:02:22,510 or put them into context? 52 00:02:22,510 --> 00:02:24,490 Do we need to dig a little deeper, 53 00:02:24,490 --> 00:02:26,540 or do we need to refer this matter 54 00:02:26,540 --> 00:02:29,930 to Counterintelligence, law enforcement, 55 00:02:29,930 --> 00:02:33,727 or another department for further inquiry? Linda. 56 00:02:37,560 --> 00:02:39,310 - Well Tim has an excellent work record. 57 00:02:39,310 --> 00:02:41,510 Our files confirmed that Tim 58 00:02:41,510 --> 00:02:43,900 has accepted a position elsewhere, 59 00:02:43,900 --> 00:02:46,810 with a considerable raise, and very large hiring bonus. 60 00:02:46,810 --> 00:02:48,453 So he's leaving in two weeks. 61 00:02:49,330 --> 00:02:51,750 - I served as a reference for his new position. 62 00:02:51,750 --> 00:02:53,690 That's a great opportunity for him. 63 00:02:53,690 --> 00:02:56,490 He's been an important part of our team here for years, 64 00:02:56,490 --> 00:02:58,300 and he knows we rely on him, 65 00:02:58,300 --> 00:03:00,700 so he's been working to complete his tasks 66 00:03:00,700 --> 00:03:02,850 on our project before leaving. 67 00:03:02,850 --> 00:03:05,250 He has been printing out a large amount of information, 68 00:03:05,250 --> 00:03:07,100 but all of the information is directly related 69 00:03:07,100 --> 00:03:08,840 to the project he's working on. 70 00:03:08,840 --> 00:03:10,570 He really is a hell of a guy. 71 00:03:10,570 --> 00:03:11,833 I'm sad to see him go. 72 00:03:13,960 --> 00:03:15,830 - A check of Tim's activity on our system 73 00:03:15,830 --> 00:03:18,470 indicates he has not attempted to access any files 74 00:03:18,470 --> 00:03:21,970 to which he has no need to know, or authorization. 75 00:03:21,970 --> 00:03:24,460 The information he printed out is not classified, 76 00:03:24,460 --> 00:03:26,263 but it is FOUO. 77 00:03:27,150 --> 00:03:29,920 We have no record of him downloading any information 78 00:03:29,920 --> 00:03:31,633 onto any removable media. 79 00:03:33,590 --> 00:03:36,560 - He did file a foreign travel report about a year ago, 80 00:03:36,560 --> 00:03:38,250 to travel to Oslo. 81 00:03:38,250 --> 00:03:40,160 He does have family in Norway, 82 00:03:40,160 --> 00:03:44,390 and he has reported those foreign contacts appropriately. 83 00:03:44,390 --> 00:03:48,050 His file shows no irregular security issues. 84 00:03:48,050 --> 00:03:50,720 - Tim does work on a project, that is of interest 85 00:03:50,720 --> 00:03:52,640 to several foreign intelligence entities. 86 00:03:52,640 --> 00:03:55,780 While there's no sign that he has been actively targeted, 87 00:03:55,780 --> 00:03:58,010 or that he has disclosed information, 88 00:03:58,010 --> 00:03:59,590 I recommend he receive a threat briefing, 89 00:03:59,590 --> 00:04:01,980 so that he can continue to safeguard information 90 00:04:01,980 --> 00:04:02,950 that he has knowledge of, 91 00:04:02,950 --> 00:04:06,023 and be alert for signs of targeting, or recruitment. 92 00:04:07,730 --> 00:04:09,520 - Tim signed a nondisclosure agreement 93 00:04:09,520 --> 00:04:11,010 when he started working here. 94 00:04:11,010 --> 00:04:14,410 Before he leaves, he needs to also sign a statement 95 00:04:14,410 --> 00:04:17,150 that he has not taken any unauthorized information, 96 00:04:17,150 --> 00:04:20,633 and that he understands the repercussion should he do so. 97 00:04:22,150 --> 00:04:24,400 - It was mentioned that Tim's been under a lot of stress 98 00:04:24,400 --> 00:04:26,620 due to a recent breakup with his fiance. 99 00:04:26,620 --> 00:04:28,510 That can be tough for anybody. 100 00:04:28,510 --> 00:04:30,160 So I'd recommend HR provide him 101 00:04:30,160 --> 00:04:32,890 with the Employee Assistance Program resources. 102 00:04:32,890 --> 00:04:35,340 That should help them cope with the stress. 103 00:04:35,340 --> 00:04:36,173 - Okay, thank you. 104 00:04:36,173 --> 00:04:38,720 It sounds like we have some excellent courses of action 105 00:04:38,720 --> 00:04:39,840 to take with Tim. 106 00:04:39,840 --> 00:04:42,640 So now let's move on to Phyllis. 107 00:04:42,640 --> 00:04:44,650 Coworkers have reported that Phyllis 108 00:04:44,650 --> 00:04:46,410 might have been attempting to gain access 109 00:04:46,410 --> 00:04:49,060 to information beyond the scope of need. 110 00:04:49,060 --> 00:04:52,480 She was overheard making travel plans to a foreign country. 111 00:04:52,480 --> 00:04:56,140 She was observed downloading information onto a thumb drive. 112 00:04:56,140 --> 00:04:58,810 Mark, let's start with you. 113 00:04:58,810 --> 00:05:01,800 - Overall, Phyllis has been doing a good job. 114 00:05:01,800 --> 00:05:03,080 She seemed a little upset 115 00:05:03,080 --> 00:05:05,280 when she got her new project schedule, 116 00:05:05,280 --> 00:05:07,780 and she has made several requests for access to files 117 00:05:07,780 --> 00:05:09,460 beyond the scope of her work. 118 00:05:09,460 --> 00:05:11,220 When she was denied access, 119 00:05:11,220 --> 00:05:13,390 she was upset about that as well. 120 00:05:13,390 --> 00:05:14,870 - Our records show that Phyllis 121 00:05:14,870 --> 00:05:16,970 did sign a nondisclosure agreement. 122 00:05:16,970 --> 00:05:19,410 when she started working here, 123 00:05:19,410 --> 00:05:21,790 - HR records confirm Phyllis has been with the Agency 124 00:05:21,790 --> 00:05:23,960 for a little more than seven years. 125 00:05:23,960 --> 00:05:25,230 She also filed a request 126 00:05:25,230 --> 00:05:26,880 for emergency travel leave this morning. 127 00:05:26,880 --> 00:05:28,820 Apparently her mother is ill, 128 00:05:28,820 --> 00:05:30,720 and she's leaving for Cyprus tomorrow. 129 00:05:32,700 --> 00:05:34,640 - We did receive a notification of foreign travel 130 00:05:34,640 --> 00:05:36,720 from Phyllis about an hour ago, 131 00:05:36,720 --> 00:05:41,453 and she has informed us that her mother lives abroad. 132 00:05:42,760 --> 00:05:44,160 - It's important that clear personnel 133 00:05:44,160 --> 00:05:47,720 understand the risks of targeting when traveling overseas. 134 00:05:47,720 --> 00:05:49,960 Our office will arrange a security briefing for Phyllis 135 00:05:49,960 --> 00:05:52,653 before her departure, and a debrief on her return. 136 00:05:54,450 --> 00:05:56,820 - I checked our system files and found no evidence 137 00:05:56,820 --> 00:06:00,230 of access to any files, to which she has no clearance. 138 00:06:00,230 --> 00:06:02,490 We did authorize transfer of some files 139 00:06:02,490 --> 00:06:04,980 that were not displaying properly from her computer 140 00:06:04,980 --> 00:06:06,333 to our diagnostics team. 141 00:06:07,290 --> 00:06:10,423 The flash drive was one we gave her, and she returned it. 142 00:06:12,650 --> 00:06:15,500 - Phyllis sounds stressed due to work projects, 143 00:06:15,500 --> 00:06:16,760 and her mother's illness, 144 00:06:16,760 --> 00:06:18,460 and that's certainly understandable. 145 00:06:18,460 --> 00:06:20,230 So I'd recommend HR provide her 146 00:06:20,230 --> 00:06:22,710 with the same Employee Assistance Program resources 147 00:06:22,710 --> 00:06:24,490 that we discussed with Tim. 148 00:06:24,490 --> 00:06:26,670 Also, Mark, as her supervisor, 149 00:06:26,670 --> 00:06:28,790 it would probably be a good idea for you to stay engaged. 150 00:06:28,790 --> 00:06:31,440 Make sure she's getting any help that she needs. 151 00:06:31,440 --> 00:06:33,940 Also stay alert for any kind of stress 152 00:06:33,940 --> 00:06:35,613 or trouble in the future. 153 00:06:37,000 --> 00:06:39,970 - Thank you very much for your quick actions. 154 00:06:39,970 --> 00:06:42,310 It doesn't appear that Tim nor Phyllis 155 00:06:42,310 --> 00:06:44,810 have done anything wrong or illegal, 156 00:06:44,810 --> 00:06:46,820 but let's remain vigilant. 157 00:06:46,820 --> 00:06:50,540 We'll follow our security protocol for departing employees, 158 00:06:50,540 --> 00:06:52,550 now that we're aware of Tim's new position, 159 00:06:52,550 --> 00:06:55,120 and let's remain connected to Phyllis, 160 00:06:55,120 --> 00:06:57,330 so that she can get the help she needs, 161 00:06:57,330 --> 00:06:59,050 but also so that we're attuned 162 00:06:59,050 --> 00:07:02,163 to other potential risk indicators or behaviors. 163 00:07:03,410 --> 00:07:05,620 Now let's talk about our potential data spill 164 00:07:05,620 --> 00:07:07,790 with Joyce's article publication. 165 00:07:07,790 --> 00:07:10,700 Because she failed to have the information reviewed, 166 00:07:10,700 --> 00:07:13,640 prior to publication, we've referred this matter 167 00:07:13,640 --> 00:07:16,040 to our Information Security Team, 168 00:07:16,040 --> 00:07:18,360 who has initiated activities to determine 169 00:07:18,360 --> 00:07:21,430 whether there was a spill of classified information. 170 00:07:21,430 --> 00:07:23,470 It is extremely time sensitive, 171 00:07:23,470 --> 00:07:25,890 and they're working very hard on that now. 172 00:07:25,890 --> 00:07:28,660 Depending on the results, our Agency may have to report 173 00:07:28,660 --> 00:07:32,922 to DOD, to Congress, or even the FBI, 174 00:07:32,922 --> 00:07:36,810 and we will have to conduct a detailed damage assessment 175 00:07:36,810 --> 00:07:38,733 and/or impose sanctions. 176 00:07:40,600 --> 00:07:44,260 While I don't believe that Joyce's actions were intentional, 177 00:07:44,260 --> 00:07:47,850 they could still really cause some serious damage. 178 00:07:47,850 --> 00:07:51,130 We really need to get some information out to our employees 179 00:07:51,130 --> 00:07:54,530 so that no one else makes this mistake in the future. 180 00:07:54,530 --> 00:07:56,890 I will be sure to include the topic 181 00:07:56,890 --> 00:08:00,420 of unauthorized disclosure in my next Awareness Briefing. 182 00:08:00,420 --> 00:08:03,390 And I will get with Mark, and the other supervisors, 183 00:08:03,390 --> 00:08:06,533 to distribute some additional materials to their staff. 184 00:08:08,181 --> 00:08:09,014 - Good. 185 00:08:14,840 --> 00:08:17,740 - When potential risk indicators go unreported, 186 00:08:17,740 --> 00:08:20,480 all of our resources, information, personnel, 187 00:08:20,480 --> 00:08:22,720 and facilities are at risk. 188 00:08:22,720 --> 00:08:25,850 Valued employees undergoing the normal stresses of work, 189 00:08:25,850 --> 00:08:28,440 life, and family, may miss an opportunity 190 00:08:28,440 --> 00:08:30,310 to receive help and support, 191 00:08:30,310 --> 00:08:31,990 and unwitting or careless acts 192 00:08:31,990 --> 00:08:35,010 may lead to unintentional compromise. 193 00:08:35,010 --> 00:08:37,320 Awareness and reporting of risk indicators 194 00:08:37,320 --> 00:08:39,170 helps your Insider Threat Program 195 00:08:39,170 --> 00:08:42,490 deter, detect, and mitigate potential threats. 196 00:08:42,490 --> 00:08:45,320 Security really is everyone's responsibility. 197 00:08:45,320 --> 00:08:46,677 We all know the phrase, 198 00:08:46,677 --> 00:08:49,420 "If you see something, say something." 199 00:08:49,420 --> 00:08:54,036 So what would you do, and what might happen if you don't? 200 00:08:54,036 --> 00:08:56,703 (upbeat music) 201 00:08:59,600 --> 00:09:03,410 The risk posed by trusted insiders is real and substantial. 202 00:09:03,410 --> 00:09:05,740 From compromise of classified information, 203 00:09:05,740 --> 00:09:08,680 to devastating events resulting in loss of life. 204 00:09:08,680 --> 00:09:10,920 Insider threats can have a profound impact 205 00:09:10,920 --> 00:09:12,328 on national security. 206 00:09:12,328 --> 00:09:15,828 (bouncy energetic music) 207 00:09:25,430 --> 00:09:28,410 - [Announcer] In Washington today, KAU Applied Technologies 208 00:09:28,410 --> 00:09:31,470 confirmed an unauthorized disclosure of information 209 00:09:31,470 --> 00:09:34,760 that could compromise the latest U.S. Drone Avionics Program 210 00:09:34,760 --> 00:09:36,397 and national security. 211 00:09:36,397 --> 00:09:40,064 (dramatic energetic music)