Insider Threat Mitigation Advice for Critical Infrastructure Entities

Prologue

In February 2025, the United States National Counterintelligence and Security Center (or NCSC) released a report titled Insider Threat Mitigation for U.S. Critical Infrastructure Entities – Guidelines from an Intelligence Perspective.

Pentagram Advisory is flagging this report with our followers because its insights are equally valid for Australia’s critical infrastructure owners and operators, as defined by Australia’s Security of Critical Infrastructure Act 2018 (the SOCI Act) and its subordinate legislation.

The NCSC report is valuable for Australian entities, whether they be critical infrastructure or other types of enterprises, as up-to-date advice on the growing importance of the insider threat to Australia’s national security overall and to the critical infrastructure community in particular.

As context to consider the NCSC report, let’s first check how Australia has viewed the insider threat in recent years, focusing on four key security requirements designed to mitigate insider threat.

Australia’s Insider Threat Regulatory Landscape

In November 2021, the Commonwealth’s Protective Security Policy Framework (PSPF) revised two policies to upgrade the security actions that would be applied to individuals with the Commonwealth’s highest level of security clearance known as TOP SECRET-Privileged Access (or TS-PA).  These measures include an insider threat program which requires ongoing, also known as continuous, monitoring of TS-PA security clearance holders. The Australian Security Intelligence Organisation (or ASIO) manages Australia’s TS-PA capability.

In late 2023, many Commonwealth departments outside the group of national security departments and agencies were informed they each needed to establish an insider threat program.  This requirement was clarified in November 2024 amendments to the Commonwealth’s PSPF which most Commonwealth departments are subject to.

The amendment known as Requirement 51 states: “An insider threat program is implemented by entities that manage BASELINE to PV security clearance subjects to manage the risk of insider threat in the entity.”  This means if any person holds a Commonwealth security clearance, at any level, then an insider threat program is required to be installed and operated by the sponsoring entity.

Also, in 2023, it became clear that critical infrastructure entities, most of which are private sector entities, have obligations under the SOCI Act and its subordinate legislation requiring them to mitigate insider threat for both their ‘critical workers’ and broader workforce, and also into their supply chain.   Whilst the SOCI legislation does not use the term ‘insider threat program’, such a program is the mechanism required to manage personnel security and insider threat across a critical infrastructure entity as expressed in the SOCI legislation obligations.

Further, Australia’s partners in the AUKUS enterprise, the United States and the United Kingdom, have committed to maintaining and constructing nuclear-powered submarines in Australia and sharing select secret advanced technologies and research with Australia.  This arrangement requires the creation and operation of robust insider threat programs, aligned with U.S. and UK security practices, capturing tens of thousands of personnel across Australia and overseas in public and private sector entities.  Australia cannot afford to fail to safeguard the nuclear technology secrets and submarine operations information that our key allies are willing to share.  Insider threat programs for the key government, defence, and private sector AUKUS entities are in place and will need to grow.  These programs will be complex and demanding to operate effectively.

To summarise, we see in Australia over the last four years that ASIO, the Department of Home Affairs (responsible for PSPF and SOCI) and the Department of Defence (responsible for AUKUS) have raised new demands for insider threat programs, making clear the serious risk posed to Australia’s national security by insider threats.

With this context in mind, in this article Pentagram will recount the key information and guidance set out in the United States NCSC report and offer relevant companion notes for Australian readers.

Some Overarching Points about Insider Threat 

The first point to note is that the NCSC is warning about the risk to critical infrastructure assets and operations posed by the insider threat.  The insider threat is a trusted individual in the organisation – a trusted insider – who misuses their legitimate access to assets, personnel, and information to cause harm to their entity.  The harm may be caused unintentionally or intentionally, but the same level of harm, known in risk terminology as the consequence, can be inflicted irrespective of the intent.  The fact that the NCSC is writing about insider threat, or in other words the human threat, in relation to critical infrastructure shows the insider threat is both real and significant.

The report also notes that, because the insider threat is a human problem, it requires a human solution.  The workforce, more than technical solutions, is the most important resource to counter the insider threat.

The second point to note is the subtext of the title – Guidelines from an Intelligence Perspective.  The use of the word ‘intelligence’ signals that a more complex set of considerations is at play than simply mitigating adversary efforts to degrade our critical infrastructure operations.

Critical infrastructure entities serve as intersections in our society, where almost all residents will have their personal credentials stored across numerous critical providers, with many critical infrastructure assets interconnected.  Think, for example, about your bank details linked to payments made to your telecommunications and electricity providers.  Or your medical records linked between hospital and doctor.  Critical infrastructure entities are high value targets to mine data and inflict damage, both consequences ultimately degrading the population’s confidence in government and defence, and also diminishing society’s ability and willingness to defend itself.

This type of data is of high value to organised crime and foreign states, now and into the future, perhaps damaging to you for your entire lifetime.  These adversaries may use this data against you at any time in many ways.  This data can be accessed by either external cyber-attack or by a trusted insider who enables access by a cyber attacker or steals and exfiltrates the data for use by themselves or others.

How the Risk and Threat Environment are Changing

The NCSC report states that the U.S. threat environment is changing in ways that require new kinds and levels of attention, and that U.S. critical infrastructure is both in the geopolitical battle space and a target of extensive criminal activities.  Harming U.S. critical infrastructure is one way for foreign adversaries to inflict severe damage on U.S. national security, economic security, or public health and safety. The same applies to Australia.

According to the related United States’ 2024 National Counterintelligence Strategy:

“Foreign intelligence entities are developing the capacity to exploit, disrupt or degrade critical infrastructure worldwide. Their efforts likely are aimed at influencing or coercing U.S. decision makers in a time of crisis by holding critical infrastructure at risk. The decentralized and digital nature of critical infrastructure worldwide creates vulnerabilities that could be exploited by foreign intelligence entities, and they also are targeting the facilities and networks that underpin global energy and financial markets, telecommunications services, government functions, and defense capabilities.”

This threat assessment applies equally to Australia.  Like the United States, Australia sees most of its critical infrastructure owned by the private sector, and much of it owned by foreign entities, so a public-private partnership is required to protect our critical infrastructure effectively.

The report states that foreign threat actors continue to target government and key private sector entities to gain economic and national security advantage.  Also, these foreign states are collecting large sets of public and non-public data from critical infrastructure organisations and their workforces at an unprecedented level.  By combining the information collected with advanced data analytic capabilities and other tools, foreign adversaries are afforded vast opportunities to identify, target, and exploit vulnerable people in critical infrastructure workforces to further foreign states’ interests at the expense of the United States.  This point applies equally to Australia.

Given this threat landscape, it is imperative that critical infrastructure entities prioritise and dedicate resources to pre-empt and/or mitigate insider threats.

Insider Threats Pose New Kinds of Challenges

Insider threats to critical infrastructure entities are growing.  Insider threats are often less appreciated and less visible than remote-access cyber threats.  Insider threats are an increasingly important threat vector to critical infrastructure, both within the context of cybersecurity and supply chain risk, and within the broader risk to security.

Insider threats can cause harm through economic espionage, sabotage, workplace violence, fraud and other misuse of resources.  Insider threat activities can involve deliberate actions by trusted insiders working with Foreign Intelligence Services (FIS), criminal groups, or issue-motivated extremists, or a combination of these.

The current tense ideational-ideological landscape in the United States, with the same tensions evident in Australia and many other Western democracies, exacerbates these risks by giving some people, including trusted insiders, greater motivation and permission to cause harm.

Critical infrastructure protection discussions have often become synonymous with cyber security discussions, focusing primarily on the cyber battlefield and not on the threat actor, that is, the human being directing the cyber-attack.  Yet, more often than not, there is a human with access who compromises the integrity of our resources.

Another recent change in the threat landscape stems from the COVID-19 pandemic, which impacted public health, safety, and economic security, and amplified demands for remote work opportunities.  This tested an already delicate threat environment and increased the means and capabilities available to insider threats.

With more people working remotely, the pandemic fostered greater reliance on less-secure information and communication technologies which may be exploited by adversaries, creating more interdependencies between these technologies and degrading enterprise security.

Many employees in the workforce faced unprecedented stresses at home, became more isolated from their organisations and their colleagues, and were reliant upon less-secure information technologies to work.

In this environment, robust and adaptive insider threat programs have become more necessary yet more difficult to implement.  Insider threat programs are more necessary now due to the increased prominence of insider threat motivations, behaviours, and stresses along with an operating environment that is permissive for insider threat behaviour.  However, these programs are increasingly difficult to build and operate in this environment because the crisis puts stress on corporate and government resources, including security programs which can often be a casualty of reduced operating budgets.

In Australia, and perhaps globally, it is likely there will be an economic downturn in the 2025-26 period, which will add to the already high fuel load of cost-of-living pressures, geopolitical tensions, war, ineffective debt-plagued governance, and social fracture.  Any further overt military action in the Middle East, Europe, or the Asia-Pacific could combust with little notice, resulting in even greater polarisation of Australian society, which will likely stimulate insider threat activity, including in our critical infrastructure.

In such a challenging economic and social environment, security is likely to be a target for savings rather than investment.  The insider threat program should not be deferred or cut but rather be seen as a high-value, enterprise-level task that will be good for workplace culture and for the financial and operating health of an organisation.

Security as an Evolving Cycle

In the current operating environment, there is a new imperative for organisations to take stock of their security postures to ensure they match the evolving threat and risk landscape.  True organisational security, in both a national security and a business sense, is the responsibility of everyone in the organisation.

An effective insider threat program is not merely a security program but is a fundamental plank in a sustained employee outreach and security awareness effort that promotes a shared vision and shared success between managers and workers.

The evolving threat environment should prompt questions among organisations about the extent to which their security posture is well-matched against today’s threats.  Protections against external physical access and remote-access cyber threats are often more developed than protections against insider threats. Taking stock of one’s security posture is the first step toward addressing emerging threats.

For many organisations, the sheer number and scope of potential threats and risks create uncertainties over which to prioritise.  Frequently, the response is to stick with the seemingly most salient risks – often involving controlling physical access and remote-access cyber threats.

Most organisations have built some forms of security to mitigate risk, but these security measures may not match the latest threat landscape.  Threats and risks tend to be countered in specialised stovepipes, making an enterprise view difficult.  For some organisations, a ‘tick-the-box syndrome’ can be in play, that is, ticking off security measures to show they are in place rather than acting to deliver security effects that actually provide protection.  In this ticking-off approach, security programs that exist in name only are treated as better than no programs at all.  Such risk framing can contribute to serious security deficiencies because the true threat situation is obscured.

Augmenting an existing security structure or creating a new security program is often difficult to resource.  Even when sticking with a legacy security posture, it is important to review and assess the posture to ensure it addresses current and emerging threats as best possible with the resources available.

Security posture assessments can help determine if your organisation performs ‘intelligence-like’ functions – the ability to gather and process information relevant to organisational security.  Security events and consequential harms can result from organisational intelligence failure.

While a formal government-like counterintelligence program is not likely feasible for many in the corporate world, it is imperative that information about foreign adversary threats, including intent and capabilities, is incorporated into organisational risk management assessments to protect against determined, organised, and well-financed adversaries. Such programs will help protect your organisation and its workforce.

Nine Elements of Insider Threat Programs for Critical Infrastructure Entities

The NCSC report offers nine points to consider with respect to establishing and operating an insider threat program.  Pentagram agrees with these points and commends them to readers.

  • Recognise that insider threat is a human challenge.
  • Have a dedicated insider threat program.
  • The complexity of insider threats merits specialised attention and requires participation and commitment from the entire workforce.
  • Incorporate components from across the organisation in structuring an insider threat program. 
  • Designate a top-level senior official to oversee the insider threat program and ensure the counter insider threat mission is promoted across the organisation. 
  • Effective insider threat programs are attentive to threats and risks to an organisation’s ‘crown jewels’.
  • Successful insider threat programs are fuelled by an upward flow of insider-relevant information from the workforce.
  • Technological systems for mitigating insider threats should be integrated with broader human-based programs for detection and deterrence.  Technology does not provide ‘silver-bullet’ solutions. 
  • Tabletop and red teaming exercises help strengthen insider threat programs. 

In considering these nine points focused on insider threat, I expect many readers will sense these are familiar, and they are, as they resonate with usual business practice and policy about having a dedicated lead, recognising the true nature of the issue, leveraging current resources and information to create a cross-organisation solution, and so on. 

Pentagram notes that most organisations already have the ingredients for an insider threat program, in terms of functions and information, so they only require the decision to establish and run an insider threat program, with some external guidance on how best to build it in the context of the organisation’s unique operating environment.

What Does Success Look Like?

The first step of successful mitigation of any risk is threat awareness because this awareness informs the scale of consequences of insider threat harms – helping managers visualise the consequence of the threat being realised.  Understanding the ways in which insider threats can wreak havoc on reputations, financial viability, intellectual property, public safety, workplace safety, and our national and economic security is crucial for success.

Success will also be realised when insider threat programs across industry and government foster a sense of organisational citizenship and are viewed as a shared responsibility among employees.

Instead of responding to new risks posed by emerging technologies and new uses, organisations should anticipate those risks and build protections against insider threats early on.  Programs to deter, detect and mitigate insider threats need to mature and evolve to the point where they are not considered unnecessary costs, but rather essential to the mission success of an organisation and its ability to maintain organisational integrity and safety.  Pentagram believes many of these risks are foreseeable, and so directors, chief executives, and leaders are obliged to act to mitigate them within the bounds of the resources available.

What’s in a Name?

A final thought for you.  The name ‘insider threat program’ does arouse negative sentiment. By using this name, an organisation is seemingly conveying to all its people, to all its trusted insiders, that the organisation considers them to be threats.  Whilst that is technically true, since people are a source of threat, the naming appears quite harsh and does not help establish trust between employers and employees.

The essential ingredient in the workplace is trust, and trust is a key enabler for an insider threat program to be successful.  However, it is the function of an insider threat program that is important, not the name.

So, you could consider using a more positive, but still accurate, name for the insider threat program.  Examples are the Trusted Insider Protection Program or Workforce Protection Program.  Think about what is the best name you might use for your organisation to label the insider threat program in a way that will encourage worker participation and support for what could be the most important protection for your organisation, the people within it, and all the stakeholders who rely on it.
