On May 29, a federal employee trained to detect insider threats became one himself.
Nathan Vilas Laatsch, a 28-year-old IT specialist in the Defense Intelligence Agency’s Insider Threat Division, was arrested after allegedly attempting to pass handwritten notes derived from Top Secret materials to someone he believed to be a foreign government agent. He had the access, the clearance and the technical knowledge to exploit the very systems designed to detect him.
The irony is undeniable — but so is the opportunity.
This case is not an indictment of federal programs; it is a signal to advance them. It underscores the need to revisit and modernize the minimum requirements for protecting national security systems from insider threats, like Committee on National Security Systems Directive 504, or CNSSD 504. The guidance exists. The capabilities are proven. What’s needed now is leadership to ensure the policy and technology are aligned with today’s threat landscape.
The strength of CNSSD 504 — and where it can evolve
CNSSD 504 has been foundational in shaping federal insider threat programs since the WikiLeaks disclosures involving Chelsea Manning. That incident marked a turning point — exposing how a single trusted insider could compromise national security at scale. In the years since, the world has changed dramatically. The rise of AI, the weaponization of information and deepening political polarization have made insider risk more complex, dynamic and consequential.
CNSSD 504 outlines core technical and operational requirements to detect and mitigate malicious insider activity across classified environments. Yet much of its most forward-leaning guidance remains optional, despite being more relevant than ever.
These include:
- Anomaly detection
- Behavioral baselining
- Pseudonymization
- Data integration into analytical systems
Mandatory requirements, particularly “file shadowing,” also present complexity, because the term is open to interpretation.
In Laatsch’s case, these capabilities — if mandated and clearly defined — may have made a meaningful difference. His alleged actions didn’t follow the conventional signs of data theft. There were no large file transfers or obvious policy violations. But behavioral signals — ideological dissatisfaction, shifts in file access, sentiment change — were reportedly present weeks before his arrest. If monitored and contextualized through anomaly detection and behavioral analytics, those signals might have triggered earlier intervention.
Three opportunities for leadership
Building on the strong foundation already in place, agency leaders have three clear opportunities to further enhance federal defenses.
1. Mandate proven detection capabilities
Anomaly detection, behavioral baselining, and pseudonymization aren’t theoretical — they are proven, deployable capabilities already in use across parts of government and industry. Making them mandatory would help close critical detection gaps.
Anomaly detection and behavioral baselining, for instance, help identify subtle shifts in behavior — like a user who begins accessing intelligence products outside their typical workflow, or whose system activity diverges from long-established patterns. In a privileged role like Laatsch’s, that kind of deviation can be difficult to see with traditional rules-based monitoring.
Pseudonymization is equally important. By enabling analysts to evaluate behavior without immediate attribution, it helps reduce bias and supports more objective, timely reporting, particularly in scenarios where colleagues or program administrators themselves must be monitored. In “watch the watcher” environments, anonymity is not only about privacy; it underpins the integrity of detection and response processes.
2. Strengthen and clarify “file shadowing” requirements
CNSSD 504 includes a reference to “file shadowing,” but interpretations of the term vary. A more robust definition — and requirement — would significantly improve investigative effectiveness.
Comprehensive file shadowing should include:
- Full lineage tracking: Who created a file, who modified it, and when.
- Access mapping: Visibility into who accessed a file outside typical user groups.
- Event correlation: Connecting file activity to broader behavioral context.
In cases like Laatsch’s — where an individual allegedly transcribed intelligence by hand over multiple days — such lineage could highlight access patterns inconsistent with an employee’s role, particularly when interacting with content beyond assigned duties.
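As an added illustration of the baselining, pseudonymization and access-mapping ideas in sections 1 and 2 (example code, not from the article or from DTEX), the Python sketch below builds per-user compartment baselines from a constructed access log, keys identities with an HMAC so analysts review pseudonyms rather than names, and flags a recent access that falls outside both the user's own baseline and the file's usual role group. Every user, role, path, compartment and the key are constructed values.

```python
import hashlib, hmac
from collections import defaultdict

# Keyed pseudonymization: the key is held outside the analyst team (constructed value).
PSEUDONYM_KEY = b"constructed-demo-key"

# Constructed events (user, role, file, compartment); baseline window vs. recent window.
BASELINE = [
    ("alice", "analyst", "/reports/a.pdf", "CT"),
    ("alice", "analyst", "/reports/b.pdf", "CT"),
    ("bob", "it_admin", "/sys/patch.log", "SYS"),
    ("bob", "it_admin", "/sys/audit.cfg", "SYS"),
]
RECENT = [
    ("alice", "analyst", "/reports/b.pdf", "CT"),   # consistent with baseline
    ("bob", "it_admin", "/reports/a.pdf", "CT"),    # outside his baseline and role group
]

def pseudonymize(user, key=PSEUDONYM_KEY):
    # Analysts see only this token; re-identification requires the key holder.
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:12]

def build_baselines(events):
    # pseudonym -> compartments the user normally touches
    base = defaultdict(set)
    for user, _role, _path, comp in events:
        base[pseudonymize(user)].add(comp)
    return base

def access_groups(events):
    # file shadowing access map: file -> roles that normally access it
    groups = defaultdict(set)
    for _user, role, path, _comp in events:
        groups[path].add(role)
    return groups

def detect(baseline_events, recent_events):
    base, groups = build_baselines(baseline_events), access_groups(baseline_events)
    alerts = []
    for user, role, path, comp in recent_events:
        pid, reasons = pseudonymize(user), []
        if comp not in base.get(pid, set()):
            reasons.append("compartment outside user baseline")
        if path in groups and role not in groups[path]:
            reasons.append("role outside file's usual access group")
        if reasons:
            alerts.append((pid, path, reasons))
    return alerts
```

Running `detect(BASELINE, RECENT)` yields a single alert carrying only the pseudonym, the file and the reasons, which is the context an analyst would escalate for re-identification.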
3. Operationalize data-driven anomaly detection
Section 12 of CNSSD 504 encourages the use of user activity data in analytical systems that can detect insider threat indicators. However, it remains a recommendation rather than a directive.
In large federal environments with vast user bases and endpoints, it’s increasingly difficult to rely solely on human analysts to detect emerging risk. Behavioral analytics and user and entity behavior analytics (UEBA) are critical for prioritizing risk and surfacing the most relevant threats.
Laatsch’s alleged behavior — reaching out to a foreign government, expressing ideological dissatisfaction and preparing to exfiltrate classified material — likely did not begin overnight. Indicators such as shifts in sentiment, focus and file access were likely detectable when viewed together rather than in isolation. With stronger UEBA integration, such signals can be analyzed holistically, giving analysts the context needed to intervene earlier and more effectively.
Expanding protection to unclassified networks
Finally, Laatsch’s case spotlights a long-recognized vulnerability: unclassified systems.
CNSSD 504 and Executive Order 13587 primarily cover classified environments. Yet sensitive data — contextual intelligence, operational planning and interagency communications — often exists on unclassified systems. These environments remain unmonitored and underfunded.
It’s time to evolve the Executive Order, extending coverage and funding to unclassified networks, where the aggregation of seemingly benign data can pose just as serious a national security risk.
A call to action
Federal insider threat programs have made significant progress over the past decade. But the Laatsch case shows that even highly controlled environments are not immune from risk, especially when technology outpaces policy.
The case offers an important inflection point. Agencies now have a chance to:
- Turn guidance into action by making advanced capabilities mandatory.
- Update definitions and expectations around tools like file shadowing.
- Expand protection to all networks, classified and unclassified.
- Invest in analytics that focus human attention where it matters most.
The mission remains the same: protecting national security. But as the landscape and insider threat evolve, so too must the mandates, tools, and programs designed to meet them. With a strong foundation already in place, agencies are well-positioned to take the next steps forward.
Michael Crosland is the vice president of National Security Programs at DTEX Systems.