countering insider threat attacks - cde themed call launch 14 may 2013

Countering Insider Threat Attacks

Centre for Defence Enterprise (CDE)

Rapid technological change

© Crown Copyright MOD 2011

The aim of CDE


Prove the value of novel, high-risk, high-potential-benefit research


To enable development of cost-effective military capability advantage

13 May 2013

Five key operating principles underpin the CDE model

Engaging innovators

13 May 2013

Accessible opportunity

Sustaining incentives

Minimising participation costs

Compliance

Intellectual property

Two routes to funding

Online bid submission

Themed calls

CDE themed call programme Precision timing Call closes 6 Jun 2013

(at 1700 hrs)

Countering insider threat attacks Call closes 27 Jun 2013 (at 1700 hrs)

Secure communications Call launch 18 Jun 2013

Innovation in drug development processes

Call launch 25 Jun 2013

Enhancing military medical training and support for the medic

Call launch 16 Jul 2013

UK Biological Engagement Programme

Call launch 17 Sept 2013

Register and further details at www.science.mod.uk under ‘Events and Calls’

Defence Open Call

Seeking the exceptional

Challenging conventions

4355 proposals received

17% proposals funded

£39M contracts awarded

Making an impact

Exemplar project

Fuel efficiency

‘Micro generators’


Effective proposals

Challenge, pace & exploitation

The future of CDE

Introduction to CDE 1030 Programme overview 1050

Military context 1100

Current research 1120

Technical challenges 1140

Ethics 1230

Submitting a CDE proposal 1240

Q&A 1250 Networking lunch (book surgery appointments)

1300

Surgery sessions 1400

Event close 1600

Agenda

Context of today’s call

Network and question

Centre for Defence Enterprise 01235 438445

[email protected] www.science.mod.uk/enterprise





Ethics 1230



1300


Event close 1600

Agenda

Countering the Insider Threat -

CDE Themed Call Dstl Support to Operations Overview

DSTL/PUB72551

UNCLASSIFIED © Crown copyright 2013 Dstl

13 May 2013

© Crown Copyright 2013 Dstl

13 May 2013

Dstl Support to Ops • Dstl

– Science and Technology (S&T) agency of Ministry of Defence (MOD)

– Maximise impact of S&T on UK defence and security

• Support to Operations (S2O) – MOD main effort – Provision of appropriate deployed S&T

support – Oversight of cross-domain S2O research – Responsive approach to short-term

priorities • Insider Threat

UNCLASSIFIED

Insider Threat

• The Insider Threat is a real threat for UK Forces operating in Afghanistan

• The term ‘Insider Attack’ is used when a member of the Afghan National Security Forces (ANSF) attacks members of the International Security and Assistance Force (ISAF), of which the UK is a part

• The name of these incidents recognises that ANSF as well as ISAF are targets of these attacks

• The subset terms “Green on Blue”, “Green on Green” and “Green on Brown (contractors)” are still used to distinguish between the intended targets of attacks


13 May 2013

S&T response to Insider Threat • Increasing numbers of incidents through 2012 • Dstl Insider Threat ‘Challenge’ Autumn12

– What more can S&T do?

• Dstl Support to Ops: – Took forward proposals from the challenge – Created Project MORPHEUS – Pull together S&T in this area

• Coordinated with wider MOD effort – Direction from MOD customers – Permanent Joint Headquarters (PJHQ) and Ops Directorate (Afghanistan)


13 May 2013

Project MORPHEUS

• Portfolio of work items – Delivery by early 2014, largely soft science – Causes, capability gaps – Exploitable solutions


13 May 2013

What do we want from you?

• Research proposals to help counter the Insider Threat • Rapidly exploitable solutions

– Main focus is current operations – Exploitation by January 2014 – Some interest in longer term

• Ensure no stone is left unturned


13 May 2013

What will you hear today?

• Operational context • Current research • Areas of interest • Assumptions and constraints • How to get involved • Answers to your questions

– Surgery sessions this afternoon


13 May 2013





Ethics 1230



1300


Event close 1600

Agenda

Joint Warfare Directorate

Countering Insider Threat Attacks: Military Context A View from Joint Warfare


Current situation

Not classified until 2008?

Peak in 2012 for UK?

It is an issue for Coalition and Afghan National Security Forces

Others are also examining this in detail


What has the military done? Training

Equipment

Personnel Information Doctrine

Infrastructure


Where should the military look next?

Afghanistan

Increase awareness of other cultures/religions?

Sharing intelligence with host nation & allies?

Ensure that the military reads and understands

doctrine/history?





Ethics 1230



1300


Event close 1600

Agenda

Project MORPHEUS Countering the Insider Threat


13 May 2013

DSTL/PUB72551

Overview of Current Work

UNCLASSIFIED

• The Insider Attacks are likely to be underpinned by a number of different factors

• This is reflected by the multifaceted programme • A number of work strands have been undertaken over the last 6

months: – Operational Analysis – Selection of Mentors – Cultural Training – Training Review – Information Dissemination Review – Intent Detection System Evaluation – Protected Living Spaces

© Crown copyright 2013 Dstl

13 May 2013

Operational Analysis • Objectives:

– To collate all available data into a classified database and conduct analysis on Insider Threat attacks to identify any common factors and trends over time

• Previous operations • Analogous attacks

– To conduct interviews with members of the Afghan National Security Forces to better understand their concerns / motivations / drivers

• Benefits: – A greater understanding of the threat will mean that appropriate mitigation

measures can be implemented – Work strands within the programme are evidence based


13 May 2013

Selection of Mentors • Objectives:

– To provide guidance on the knowledge, skills and experience required in order to operate successfully in the mentor role. Mentors and mentoring teams are there to provide training and support to both develop knowledge and improve the skills required to enhance their performance during military and policing operations

• Benefits: – Ensure that the most appropriate individuals deploy in the mentor role

• Eg Those who can build productive relationships and be culturally sensitive


13 May 2013

Cultural Training • Objectives:

– To provide guidance on how to improve the pre-deployment cultural training received by all troops

• To improve the methods of delivery • To ensure that the ‘so what’ is included

• Benefits: – Ensure that troops are culturally sensitive and will not cause offence


13 May 2013

Training Review

• Objectives: – To identify and review current training cross government that will be relevant

for dealing with the Insider Threat on current and future operations • Behavioural analysis/ anomaly detection • De-escalation training • Cultural training

• Benefits: – Identify relevant training material and methods which could be incorporated

into a specific Insider Threat training course if required – Provide recommendations for how ‘soft skills’ training could be incorporated

into basic training


13 May 2013

Information Dissemination • Objectives:

– To review existing Insider Threat newsletters/ doctrine notes • To propose revised content • To provide options for effective future communication of latest Insider Threat

findings

• Benefits: – Improved dissemination of information to target audience


13 May 2013

Intent Detection Systems

• Objectives: – To consider whether Intent Detection Systems could have utility for the

Insider Threat • Assess whether systems could detect the intent to commit an insider attack • Evaluate the practicalities of using Intent Detection Systems on current operations

• Benefits: – A better understanding of the capability


13 May 2013

Protected Living Spaces

• Objectives: – To provide advice on materials/technologies that are available to protect

living accommodation in Afghanistan

• Benefits: – Improved understanding of the options available to mitigate against the

vulnerabilities within living accommodation


13 May 2013

Summary

• These work strands give a flavour of the types of activities currently being undertaken in this area

• Programme already established and benefits are being realised

• What else could you do?


13 May 2013





Ethics 1230



1300


Event close 1600

Agenda

Countering Insider Threat Attacks: CDE Themed Call Overview


13 May 2013

Scope

• Open to new approaches and solutions • Current and possible future operations • Not limited to current situation and assumptions • Push boundaries, however unusual or radical • Thinking differently


13 May 2013

Scope

• Continue partnering with host nation’s forces and population

• Human dimension: – Insider Threat: Underlying causes? Influence over others? Opportunity?

Ability? Timing? Location? Outcome? – UK forces: Awareness? Response? Training? Influence?

• Technology: – Detect intent? Share situational awareness? Building layout to minimise

effects? Weapon suppressors?


13 May 2013

What’s required

• Research proposals for new solutions and technology to help mitigate the Insider Threat

• New ways of countering attacks • Re-use old ideas from a related world • Social and behavioural sciences

– Training, tools, planning aids • Proof-of-concept technology • ‘Doing things differently’


13 May 2013

What’s not required


13 May 2013

• Long-term social and behavioural science studies • Incremental improvements • Ideas with no realistic probability of exploitation

Call challenges

• Call divided into four challenges: 1. Dissuade Improving the effects of influence 2. Detect Improving the identification of intent 3. Prepare Improving the effectiveness of training 4. Protect Improving Force Protection


13 May 2013

Call challenges


13 May 2013

Increase understanding

Identify the underlying causes

Reduce probability of situation escalating

Influence

Dissuade

Protect

Prepare

Detect Understand human behaviour

Training

Force Protection/ equipment

Next steps

• Proposals are sought to address one or more of these challenges

• Current and possible future operations • Short-term studies for delivery by end January 2014 • Proposals involving human participants will require MOD ethics

approval


13 May 2013

Exploitation

• Current work often exploited rapidly through changes to pre-deployment training

• Technical Partner will be assigned to each successful proposal – Provide interface with MOD – Assist with exploitation

• Stakeholder Day will be held on completion of all successful proposals


13 May 2013

Timescales, funding

• 21 May 2013 Webcast published • 27 June 2013 Call closes 1700 hrs

• £400k available for this CDE themed call


13 May 2013

Background information

• Proposed work must be unclassified • Data sources

– Open sources – BBC3 Our War – Online – Analogous communities – MOD website

• Operations & Deployments • Thinking differently…


13 May 2013

Challenge 1

Dissuade –

Improving the effects of Influence

DSTL/PUB72551


13 May 2013


‘How can people be dissuaded from undertaking insider attacks, both before and during an incident?’


13 May 2013



13 May 2013




Influence

Dissuade

Protect

Prepare

Detect Understand Human behaviour

Training


Background • Identify underlying causes of Insider Attacks

– Understand Afghan National Security Forces troops – Understand the Afghan people – Wider applicability to other crises

• Social sciences disciplines – Anthropology, Psychology, Law History, International Relations, Economics, Theology

• Output – Operations: eg Cultural Specialists, Human Terrain Teams – Education: HQ, unit and individual training


13 May 2013

De-escalation

• De-escalation (Dissuasion) – Reduce underlying grievances – Broader, longer-term, higher-level issues

• De-escalation (Detection, Prevention, Protection) – Defuse confrontation – Local, immediate, tactical-level issues – Often language constrained

• Social science can inform both categories


13 May 2013

Potential avenues of research • Novel ways to understand Afghan culture • Novel tools to help understand what might influence someone • Novel methods to understand someone’s level of discontent • Novel methods to disseminate information to Afghans

particularly if they can’t read • Afghan cultural awareness of ISAF • Afghan personnel selection • Afghan sentiment • Building rapport • Afghan media


13 May 2013

Challenge 2

Detecting Deception

Specifically the deception associated with an insider attack


13 May 2013

Detecting deception


13 May 2013




Influence

Dissuade

Protect

Prepare

Detect

Training


Understand human behaviour

Detecting deception


13 May 2013




Influence

Dissuade

Protect

Prepare

Detect

Training


Understand human behaviours

Behavioural detection

• Person or vehicle-borne IEDs or intention of firing into a crowd – No reliable generic indicators for suspicious intent – Post hoc analysis is potentially problematic – Different motivations manifest in different indicators – Suicide bombers psychologically different to criminals – No evidence that guilt or stress are reliable indicators of suspicious

intent – Cultural differences


13 May 2013

What affects behavioural cues?

• Variety of motivations – Personal grievance – Planned insurgent activities – Medical issues – Instant emotional reaction to a particular event

• Variety of emotional states – Calm – Angry – Fearful – Elated


13 May 2013

Pattern of life recognition

• Expectancy Violations Theory – Establish baseline behaviour for context – Identify behaviour that deviates from this baseline within this context

• Skills required – Perception – Question – Act


13 May 2013

Feedback from the front line

• BBC3 Our War – This was deemed to be very useful prior to deployment because it

provided head cam footage of real life in theatre

• Development of:

– Empirically underpinned synthetic environments? – Empirically underpinned interactive skills training?


13 May 2013

How you can help

• Tools or techniques to enhance awareness of behaviour that violates the relevant pattern of life

• These must be:

– Validated – Mobile – Easy to use – Based on current scientific evidence


13 May 2013

Challenge 3

Prepare –

Training solutions


13 May 2013

Prepare – Training solutions


13 May 2013




Influence

Dissuade

Protect

Prepare


Training


The problem • We do not know why insider attacks occur

– Infiltration by the enemy – Poor relations – Attackers feel insulted – Revenge – Stress

• Hence, providing a training solution will be difficult and challenging

UNCLASSIFIED


13 May 2013

Insider Threat training

• Currently – All personnel receive initial Insider Threat awareness training – Specialist training to select high-risk groups


13 May 2013

Insider Threat training • Can training

– Improve relationships? – Enhance the ability of a person to perceive the Insider Threat? – Improve the “course of action” decision? – Optimise that course of action?

UNCLASSIFIED


13 May 2013

Improve relationships

• Enhance cultural understanding – How is your wife? – Passing in front of you when praying

• Active listening skills • Enhancing empathy


13 May 2013

Enhance ability to perceive Insider Threat • Can you perceive insider attack behavioural cues

– Months before – Days before – Imminently

• What are the cues? Do they exist? • Behavioural science • Cultural understanding • Observation skills

UNCLASSIFIED


13 May 2013

Improve decisions about Insider Threat • Decision making under pressure • High-risk decision making • Enable or enhance heuristics

– Mental short cuts to aid decision making


13 May 2013

Optimise response

• De-escalation (physical/verbal) • Tactical communication skills • Physical unarmed combat skills • Close quarter armed combat skills


13 May 2013

Possible avenues

• Training Needs Analysis for specific and generalist roles • Observation skills training • Sound decision making • De-escalate (tactical verbal communication/physical

intervention) • Close quarter combat with firearms • Provision of realistic training scenarios (tabletop/role play)


13 May 2013

Challenge 4

Protect -

Force Protection


13 May 2013

Force Protection


13 May 2013




Influence

Dissuade

Protect

Prepare


Training


Introduction

• What is Force Protection? • Outline of threat • Prevention • Options • Considerations


13 May 2013

What is Force Protection?

• "It is easier and more effective to destroy the enemy's aerial power by destroying his nests and eggs on the ground than to hunt his flying birds in the air." - General Giulio Douhet (1869-1930) Italian army air officer known as the father of strategic air power.

• In simple terms, Force Protection is preventive measures taken to mitigate hostile actions in specific areas or against a specific population


13 May 2013

Outline of threat • Good range of Force Protection at ground level

– Barriers – Partitions – Manned/Gated entrances

• Elevated positions pose more of a threat – Building roofs – Sangars/Watchtowers

• However solutions enhancing ground protection should not be discounted


13 May 2013

Prevention

• Defeat of the Insider Threat could be achieved through addressing three separate topics – Countering the initial Insider Threat – Prevent the Insider Threat from locating or engaging targets – Prevent injury to Insider Threat targets


13 May 2013

Option 1 – Countering the initial Insider Threat • Ensure day to day activities are not denied

– 360 degree coverage on sentry duty within Sangar – Normal activities at checkpoints

• Could also include early detection of a possible event


13 May 2013

Option 2 – Prevent the Insider Threat from locating or engaging targets • Masking the locations of individuals

– Screened areas • Hanging screens • Walls

• Prevention of munitions reaching the target – Barriers – Concrete walls – Detonation screens


13 May 2013

Option 2 – Continued

• Need to be considerate of potential threat directions – Where is the Insider Threat likely to come from? – Can whatever measures be orientated to the likely threat

direction? – Multiple directions eg Sangars in camps – Specific directions eg Checkpoints


13 May 2013

Option 3 – Prevent injury to Insider Threat targets • Elimination or reduction of injury causing threat from

– Small arms fire – Rocket-propelled grenades – Other fragmenting devices

• Increased personal or area protection


13 May 2013

Considerations • Need to avoid any potential of alienation • May help to harbour any perceived culture clash • Solutions should make the maximum use of

materials that are readily available to forces on operations


13 May 2013





Ethics 1230



1300


Event close 1600

Agenda

Ethics approval • Some of the proposals may require ethics approval

– Any research involving human participants in MOD research, both clinical

and non-clinical requires ethics committee approval

13 May 2013

© Crown copyright 2013 Dstl UNCLASSIFIED

• Conduct research upon the human participant, including (but not limited to) administering substances, taking blood or urine samples, removing biological tissue, radiological investigations, or obtaining responses to an imposed stress or experimental situation

Clinical

• Conduct research to collect data on an identifiable individual’s behaviour, either directly or indirectly (such as by questionnaire or observation)

Non-Clinical

Ethics approval • All proposals should declare if there are potential ethical hurdles to

address

• A proposal must, in the first instance, be scientifically robust in order for

it to be, prima facie, ethical

• If the proposal may require ethics approval, please make a three-part

proposal – Milestone 1: Produce research protocols

– Milestone 2: Obtaining ethics approval for the project

– Milestone 3: Proposed research (subject to ethics approval)

• More information – http://www.science.mod.uk/engagement/modrec/modrec.aspx

13 May 2013

© Crown copyright 2013 Dstl UNCLASSIFIED

http://www.science.mod.uk/engagement/modrec/modrec.aspx�





Ethics 1230



1300


Event close 1600

Agenda

Crown Copyright (c) 2012

Centre for Defence Enterprise www.science.mod.uk/enterprise [email protected]

UNCLASSIFIED / FOR PUBLIC RELEASE

Centre for Defence Enterprise Submitting a Successful Proposal

Centre for Defence Enterprise (CDE)

Maximising your chances

Dstl is part of the Ministry of Defence

UNCLASSIFIED / For Public Release


Crown Copyright Dstl 2012

Know what is available





Read available information

Start with –

Quick Start Guide

plus other CDE manuals – Account Manual, User Manual, Technology Application Manual






Developing a CDE proposal




Proposal health check

Claim of future benefit

Contribution to future benefit

Logical programme of work

Generation of evidence

Demonstration of progress

The essentials

Description

mins

Assessment

Not an exam

MOD Performance Assessment Framework

Five criteria: Operational relevance Likelihood of exploitation Builds critical S&T capability to meet UK needs Scientific quality/innovation Science, innovation and technology risk

Commercial tab





Government-furnished X

Health and safety

Ethics

Unclassified

Early birds





This call closes:

17:00 hrs on

Thursday 27 June 2013

Deadline




[email protected]

Call process queries





[email protected]

Call technical queries





www.science.mod.uk

Events and Calls > Current calls for proposals > Countering Insider

Threat Attacks

Further information

countering insider threat attacks - cde themed call launch 14 may 2013

Technology

crown copyright mod

cde proposal

aim of cde

cde model

future of cde

research proposals

defence enterprise cde

term insider attack