Billions Lost, No One Watching
- Boaz Fischer

- Apr 25, 2025
Insider Threat Programs Promised Protection But Delivered Little, As Fraud Runs Unchecked. What Can Australia Learn?

“They are people who already have the keys to the kingdom.”
Eric O’Neill, former FBI agent
There’s no greater risk to organisational security than an insider threat. Those with direct access to sensitive information and other assets can bring about irreparable damage to the companies and agencies they represent. Governments are no exception.
The 2025 United States Presidential Election brought a tidal wave of policy actions and executive overhauls that has kept the country busy trying to keep track of them all.
One of the most significant changes President Donald Trump instituted on the first day of his presidency was the creation of an independent auditing authority known as the Department of Government Efficiency (DOGE).
Many have expressed their concerns and voiced opposition to DOGE, as it appears to be operating with limited oversight, lacking clearances for elevated access to classified information, and permitting employees with questionable track records to conduct its audits.
Some have classified DOGE as an “insider threat”. For example, an intelligence team within the U.S. Treasury Department said Elon Musk’s slash-and-burn Department of Government Efficiency represents “the single greatest insider threat risk” they have ever faced, in an email sent to staffers. (source: https://www.wired.com/story/treasury-bfs-doge-insider-threat/)
Having said that, the Department of Government Efficiency is a temporary initiative established by President Donald Trump on January 20, 2025, through an executive order.
Its primary mission is to streamline federal operations, reduce wasteful spending, and enhance overall efficiency within the U.S. government.
Led by Elon Musk, it set out an ambitious target to reduce federal spending by $2 trillion, which Musk described as the “best-case outcome.” However, this goal was subsequently adjusted to $1 trillion.
Mr. Musk has promised “maximum transparency,” including a “wall of receipts” posted on the DOGE website.
As of this writing, the website claims total estimated savings of $150 billion, “which is a combination of fraud detection/deletion, contract/lease cancellations, contract/lease renegotiations, asset sales, grant cancellations, workforce reductions, programmatic changes, and regulatory savings.”
The Department of Government Efficiency has reported uncovering several instances of significant fraud within U.S. federal programs.
One notable example involves fraudulent unemployment claims, where DOGE identified that millions of dollars were disbursed to fictitious individuals. This included payments to claimants with implausible birthdates, such as those not yet born or over 115 years old and even toddlers aged 1–5, totalling hundreds of millions in fraudulent disbursements.
(source: https://nypost.com/2025/04/10/us-news/doge-says-millions-in-taxpayer-dollars-wasted-on-unemployment-claims-for-fake-people/?utm_source=chatgpt.com)
In another example, a senior U.S. Department of Education official admitted that government money is being used to illegally help people in the country and that the department is trying to avoid being caught.
The official, Travis Combs, described the department in a hidden video as a kind of “sanctuary” where taxpayer money is being used without asking about legal status.

Moreover, he revealed that staff members were using private messaging apps, like Signal, to discuss these issues in secret so that the Department of Government Efficiency couldn’t track their activities.
(source: Project Veritas – https://www.projectveritas.com/news/dept-of-education-operating-as-rogue-sanctuary-program-for-illegals)
Despite over a decade of mandates, billions in funding, and the establishment of insider threat programs across federal agencies, the United States government continues to be rocked by massive internal fraud, waste, and abuse.
Ironically, the very programs designed to detect insider threats have failed to stop the fraud that is now being exposed by external auditors, watchdog groups, and, more recently, by the Department of Government Efficiency. If these programs worked as intended, why are billions still slipping through the cracks? And why are those closest to the systems the ones exploiting them?
Understanding Executive Order 13587
Executive Order 13587, signed by President Barack Obama in October 2011, was introduced in response to high-profile national security breaches such as the WikiLeaks disclosures.
Its primary aim was to strengthen the security of classified national security information across all U.S. federal agencies. The order directed executive branch departments and agencies to establish formal Insider Threat Programs – comprehensive systems designed to deter, detect, and mitigate threats posed by trusted insiders who might intentionally or unintentionally harm the nation’s security.
It mandated that agencies integrate capabilities across security, human resources, information assurance, and legal teams to create a unified approach to monitoring and responding to insider risks.
At its core, the order sought to move beyond fragmented and reactive responses by requiring agencies to actively monitor user behaviour, establish training programs, and report on the effectiveness of insider threat mitigation efforts.
The creation of the National Insider Threat Task Force, a joint initiative of the Director of National Intelligence and the Attorney General, was a key part of this strategy, intended to guide implementation and ensure consistency across government.
While the intent behind Executive Order 13587 (protecting sensitive information from misuse or betrayal) was sound, its rollout has faced significant challenges. Over a decade later, the continued rise of internal fraud and security failures has raised serious questions about whether the programs born from this order are fulfilling their mission.
Australian Insight: A bold policy doesn’t guarantee outcomes. Mandating programs does not equal implementation, effectiveness, or cultural adoption.
Misalignment At The Core
At first glance, it may seem surprising that the U.S. government, with all its insider threat infrastructure, continues to suffer from massive internal fraud. However, the real issue lies in the original intent and scope of Executive Order 13587. The order was introduced to protect classified national security information, not to detect procurement fraud, misuse of funds, or financial misconduct.
It focused on counterintelligence and cybersecurity risks, particularly in the wake of leaks by insiders like Chelsea Manning and Edward Snowden.
In that context, the aim was to prevent the unauthorised disclosure of sensitive information, not to monitor the financial integrity of public servants or agencies. This narrow scope created a systemic blind spot.
Insider threat programs in many U.S. agencies were set up under the banner of national security, often placed under the control of cybersecurity teams, intelligence units, or security offices.
Fraud, on the other hand, is often seen as a matter for auditors, inspectors general, and financial oversight bodies, entirely separate from security teams.
This disconnect means that fraud indicators, such as irregular spending, abuse of procurement processes, or unauthorised financial approvals, are not being fed into insider threat systems.
Even if someone is actively stealing from the government, insider threat tools may not detect it unless that person also triggers security alerts or mishandles classified data.
In effect, the government constructed a powerful radar system but aimed it mainly in the wrong direction. While agencies monitored for spies and data leakers, insiders engaged in fraud, bribery, and financial misconduct operated largely undetected.
That’s not a failure of technology. It’s a failure of alignment, scope, and leadership.
Australian Insight: If insider threat programs are too narrow in focus, they miss real and present threats.
Root Causes and Failure
Despite more than a decade of effort, U.S. insider threat programs have largely failed to prevent internal fraud. Designed in response to national security breaches, these programs were narrowly focused on protecting classified information, not monitoring financial misconduct or procurement abuse.
As a result, many insider threat teams lack access to financial systems, audit data, or procurement workflows where fraud typically occurs. They are often siloed within cybersecurity or security departments, watching for spies or data exfiltration, while insiders committing fraud, bribery, and misuse of resources go unnoticed.
Adding to this misalignment, insider threat programs are implemented inconsistently across agencies, with uneven maturity, resourcing, and leadership support.
Crucially, fraud is still being uncovered, and not just by insider threat systems. According to the Association of Certified Fraud Examiners’ 2024 Report to the Nations, 43% of all detected fraud cases came to light through tips from employees, vendors, or customers, not through technical surveillance or behavioural monitoring. This staggering figure shows the limited reach of current programs and the overreliance on policy over performance.
Many insider threat initiatives are treated as compliance exercises, measured by existence, not effectiveness.
Australian Insight: If programs aren’t integrated into organisational culture and daily operations, they become ineffective.
Strategic Directions for Australia
Australia has a unique opportunity to learn from the U.S. government’s missteps and build insider threat programs that are more holistic, integrated, and effective from the outset.
The key is to avoid replicating the narrow, siloed models seen in the U.S., where insider threat programs were overly focused on classified information and cybersecurity.
In Australia, insider risk should be framed more broadly as encompassing not just national security breaches but also internal fraud, corruption, policy manipulation, sabotage, and unethical behaviour.
This means insider threat capability should not sit solely under IT security or physical security teams but be integrated with HR, finance, internal audit, risk, and governance functions.
By designing a multidisciplinary model from the start, Australia can ensure that the signs of insider abuse, whether behavioural, financial, or procedural, are detected early and acted upon.
Equally important is building a culture of accountability and trust.
Australian agencies should move beyond check-the-box compliance and focus on performance-driven metrics: the number of threats detected, the number of early interventions made, and the amount of fraud prevented.
This includes investing in secure and anonymous reporting channels, analysing tip-offs (which are statistically the most effective detection methods), and actively encouraging ethical leadership.
Australia should also prioritise national consistency, meaning a unified approach across government agencies, by developing a government-wide insider threat framework with clear standards, data-sharing protocols, and oversight mechanisms.
With the proper strategic alignment, Australia can shift from passive protection to active prevention and show what a modern, intelligent insider threat program truly looks like.