Preventing the next intelligence leak could be as simple as acting on a tip that a user is behaving abnormally. But sometimes those tips go unnoticed, a top defense tech official said.
“We all have some user activity monitoring tools. We have some behavior analytics already on. This is really about empowering and integrating the two together,” Gurpreet Bhatia, the Pentagon’s principal director for cybersecurity, said during an Intelligence and National Security Alliance event in Arlington, Va. on Wednesday. “If I have a tip that goes somewhere and it just sits there, and there’s no action taken, it’s kind of mindless.”
The Defense Department is on a 2027 deadline to complete its shift to zero trust, a cybersecurity practice that assumes a network has been compromised by bad actors and works to ensure that each user must prove his or her identity and authorization to access a given pool of information.
But how can you tell when a user is mishandling or improperly sharing the information? Foiling these kinds of insider threats largely depends on understanding whether a user is behaving abnormally.
Things become more complicated as workplace culture across the defense and intelligence communities shift to be more open to include remote work.
In January, the Pentagon updated its telework policy to be more liberal, advocating for broader use among eligible employees and pushing leaders to support flexible workplace environments.
“We’re basically in a space where geographic boundaries are kind of not there anymore,” Bhatia said. “So a lot of this is really about knowing what is happening within your wire, and then being able to take some action to minimize the impact.”
John Sahlin, vice president for defense cyber solutions at General Dynamics Information Technology, said the company tested additional tools that target insider threat behavior during the recent Yama Sakura multinational military exercise in Japan.
Dealing with insider threats is a “very nuanced” concernbecause it’s akin to picking out a cherry-red needle in a “stack of millions of needles that range in color from Barbie pink to brick red,” Sahlin told Defense One. “Humans can’t tell the nuanced differences nearly as well as an automated tool…to understand that tips that may look like normal activity, they’re just a little bit off.”
GDIT has been testing out zero trust solutions for the Army on the battlefield and has begun laying the groundwork for more advanced insider threat detection.
“We didn’t exercise it to a great extent. But we laid the groundwork so that we could start to collect user behavior, because the first step in understanding what those tips are, is monitoring the existing behavior patterns to establish what a normal pattern is,” Sahlin said.
The ultimate goal is for cyber operators to see tips in real time so they can act when needed. Experimenting with zero trust during military exercises like Yama Sakura could also help inform how the Defense Department uses zero trust on the enterprise level.
“It gives us an area to explore without having to look at just the huge volume of the entire enterprise that can be just daunting and overwhelming,” Sahlin said. “We can accelerate delivery…by executing a limited set of capability at a time and building on what infrastructure we currently have as a complement.”
The Pentagon’s chief information officer is tracking implementation progress of each component and agency and recently evaluated how they were meeting minimum capability goals, Bhatia said.
“We just went through the first round of looking at all of their integration plans that [talk] about how are they going to meet the first target level goal for FY27, which includes not just the technology bit, but also are they resourced,” he said.
DOD CIO John Sherman is working with the components to make sure they’re on track, Bhatia said.
“We’re outlining the conditions of what does goodness look like,” Bhatia said. “We’re making all the components come back together with a holistic approach, and really informing them of the threats.”
Discussion about this post