Lockheed Martin Counterintelligence & Insider Threat Detection Dulles ISAC Douglas D. Thomas Director, Counterintelligence Operations & Corporate Investigations February 24, 2016


Lockheed Martin Counterintelligence & Insider Threat Detection

Dulles ISAC

Douglas D. Thomas

Director, Counterintelligence Operations & Corporate Investigations

February 24, 2016

Introduction & Background

• Douglas D. Thomas

– Director, Lockheed Martin Counterintelligence Operations & Corporate Investigations

– Chair, Intelligence & National Security Alliance (INSA), Insider Threat Subcommittee

– 33 Years With The Air Force Office Of Special Investigations (AFOSI); Retired As Executive Director

– 2 Years As The Principal Deputy Director Of The National Counterintelligence Executive (NCIX)


Why Counterintelligence?

Thoughts to Consider...

• National Security Is Executed/Funded By USG; Built By Industry

• Government Should Have Some Assurances Products & Services Are Delivered Uncompromised

• There Is NO Difference Between National Security And Economic Security

• MUST Think Beyond Classified Programs And Cleared People

• War Room Board Room

• “Adversaries” In The Government Might Be “Business Partners” In Industry

Perspective Change

Government

Classified Information

National Security

Foreign Nations

Private Industry, Law Firms, Financial Institutions, Universities

Corporate Proprietary, Intellectual Property, Pre-Classified Research

US Technological Edge, Financial Prosperity, Brand Preservation

Industry Competition, Self Interest

Trends

• FBI Economic Espionage Caseload Increased 53% November 2014 To November 2015

• Economic Espionage And Theft Of Trade Secrets Represent The Largest Growth Area Among The Traditional Espionage Cases Overseen By The FBI’s Counterespionage Section

• Intelligence Information Reports (IIR) From Industry SCR Reporting; 660 In FY2010 To 7,292 In FY2015 (+ 1,005%)

• Federal Investigations Or Operations From DSS Referrals; 202 In FY2010 To 1,020 In FY2015 (+ 405%)

• Narrowing Of Technology Gap Between The U.S. And Competing Nations

CI Implications of OPM Breach

• Possible Adversarial Actions

– Data Insertion

– Altered/Manufactured Data

– Deleted Data

• Highly Probable CI Implications

– Exfiltrated Data: Use Of Stolen PII For Coercion

– Sophisticated Spear-phishing

– Cultivation And Exploitation Of Human Relationships

– Extraction Of Data Related To Employees In Covered Status

– Activation Of Inserted ‘Sleeper’ Identities

COUNTERINTELLIGENCE

Threat Analysis

Training & Awareness

CI Support Services

Investigations

Insider Threat

Dedicated Cadre Of Experienced CI Professionals

Lockheed Martin Counterintelligence


Insider Threat Detection

Increase in Insider Threat

• The Incidence Of Employee Financial Hardships During Economic Downturns

• Employer Affordability Initiatives

– Reduction Of Benefits And Pension Plans, Lay-offs, Etc.

• The Global Economic Crisis

– Foreign Nations More Eager To Acquire New Technologies, R&D

– Mergers, Acquisitions, Divestitures, Joint Ventures

• Ease Of Stealing Anything Stored Electronically

• Increasing Exposure To Foreign Intelligence Entities (FIE) Presented By The Reality Of Global Business

• Increase In FIE Recruitment Of Students

• OPM Breach

LMCO Insider Threat Program

Planning Development Implementation Governance

Selling Leadership

• Shifting Landscape

• Trends

• Cost Considerations

• Peer Benchmarking

Peer Benchmarking

• Challenges/Successes

• Population Size

• Privacy Considerations

• Program Governance

• Budget

• Live Analyst Support

Identify Stakeholders

• HR, Legal, Privacy, Information Security, Communications, Ethics

• CONOPS

• Codification Of Policy

• Communications Plan

Tool Procurement / Development

Establish Potential Risk Indicators

• Determine Appropriate Weights And Aging

Identification Of Required Data Sets

• Agreements With Data Owners

Data Ingestion And Tool Calibration

Steering Committee

• Security, Legal, HR, Ethics, Information Security

• Receive Quarterly Briefings On Results

• Manage Policy Updates

Metrics

• Tool Analysis

• Employee Surveys

Red Team

Internal Audit

Risk And Compliance Committee

Board Of Directors

Incident Management

• Conducting Inquiries

• Opening Investigations

• Coordination With Law Enforcement Agencies

Roll-out Message To Employees

• Transparency In Objective

• Reinforcement Of Leadership Support

• Proper Vehicles For Voicing Concerns

Privacy Considerations

• Communications Plan To Properly Introduce Program To Employees

• Ingestion Of Only Data Already Collected By Existing Corporate Initiatives

• Proper Adoption Of Local Restrictions Applicable To Foreign And Expatriated Employees

• Access To Automated Tool Heavily Restricted

• “Red Team” Exercises To Ensure Highest Level Of System Defenses

• Continual Coordination With Corporate Privacy General Counsel

• Member Of CI Team Privacy Certified Through International Association Of Privacy Professionals (IAPP) – (In Progress)

• No Profiling

Communications Strategy

• Proper Introduction To Employees – IMPERATIVE!

• Absolute Transparency In Purpose And Objective

• Communication Of Adherence To Corporate Value Structure

• Joint Strategy Development (HR, Communications, Public Relations)

• Executive Review

• Multi-pronged Approach

• Deployment Of Various Modalities

LM Wisdom ITI™

• Evaluation Of Employee Attributes, Behaviors And Actions According To Analyst-defined Models

• Digital And Behavioral Baseline

• Lead Generation And Triage From Three Graphical Outputs

• Automated Link Analysis

• Analyst Defined Categories And Attributes Of Interest

• Categories And Attributes Are Assigned Weights

• Models Run Against An Entire Population Or Subsets

• Based On Big Data Technologies (Petabyte+)

• Notifications And Alerts

• Data Encryption

Daily Graphical Output

[Figure panels: Most PRI hits; Top Composite scores; Change in behavior over time]

ALL GRAPHS ARE REPRESENTED WITH NOTIONAL DATA


Intelligence Threats to Supply Chain


• CI & Security Issue With National Attention

– Director, NCIX, Dubbed 2013 “Year Of The Supply Chain”

– National Counterintelligence Strategy Lists “Assure The Supply Chain” As One Of Four Strategic Objectives

• Soft Underbelly Vulnerability

• Applicable To Classified & Unclassified Technologies

• Very Difficult To Detect

• Vulnerabilities Exist At All Stages Of The Process

• Vendors Are Likely The Softest Target For Exploitation

• Decision Makers Often Focused Solely On Cost & Schedule

Implications of Compromise

• Theft Of Lockheed Martin Technology

• Counterfeiting

– Potential For Sub-par Components And Lawsuits

• Sabotage

– Potential To Insert Components Which May Be Designed To Fail Or Malfunction Immediately Or At Some Point In The Future

• Acquisition Of Program/System Intelligence

– Sensitive Program Information Could Potentially Yield Engineering Of Defense & Weaponry Countermeasures

– System Limitation Information Could Allow For Engineering Of Offensive Measures

• Severe Damage To Reputation

Mitigation Recommendations

• KNOW Your Supply Chain!

• Thoroughly And Continuously Vet Your Vendors

• Stay Apprised Of Vendor Ownership Changes

• Practice “Need To Know” With Vendors

• Use Trusted US Manufacturers, Builders & Installers Where Possible

• Consistently Use Anti-tamper & Tracking Technology

• Educate Your Workforce & Vendors On The Importance Of Reporting Suspicious Anomalies

• Know Who’s Touching Your Materials/Shipments

• Periodically Change Procedures

• Investigate Suspicious Anomalies

• Limit Access To Critical Systems

• Educate Yourself On How Vendors Protect Your Data On Their Networks


Questions?