WASHINGTON, D.C. – The Insider Threat Program, a new initiative ordered by President Barack Obama, is aimed at identifying potential future leakers and other security violators from within the government. The government has always had protocols for finding security leaks, but this program changes the game by encouraging federal employees and contractors to report potential leakers. Failure to report anyone an employee suspects fits the profile of a leaker can mean possible criminal charges.
The program allows every federal agency to launch security investigations when an employee or contractor shows indicators of “insider threat behavior” as reported by a fellow worker. The order covers every federal agency, including the Department of Education and the Peace Corps. Suspicious computer networks may also automatically trigger an investigation under the Insider Threat Program.
Among other things, federal employees are being asked to report changes in lifestyle of fellow employees, including attitudes and behavior, unusual travel, excessive spending, and marital problems. The Insider Threat Program mandates that the five million federal employees and contractors with any security clearance undergo training in recognizing suspicious activity.
The initiative includes as insider threats “damage to the United States through espionage, terrorism, unauthorized disclosure of national security information or through the loss or degradation of departmental resources or capabilities,” according to a document setting minimum standards for executive branch Insider Threat programs.
Departments and agencies are being given flexibility to go beyond the White House’s basic requirements, leading the Defense Department to direct that workers with clearances “must recognize the potential harm caused by unauthorized disclosures and be aware of the penalties they could face.” It equates unauthorized disclosures of classified information to “aiding the enemies of the United States.” (Would this apply to Seal Team Six and this administration?)
All federal agencies must track employees’ online activities. The information gathered by monitoring “could be used against them in criminal, security, or administrative proceedings.” Suspicious behaviors include accessing information that someone does not need or is not authorized to see, or downloading materials onto removable storage devices like thumb drives when such devices are restricted or prohibited.
“If you normally print 20 documents a week, well, what happens if the next week or the following week you have to print 50 documents or 100 documents? That could be at variance from your normal activity that could be identified and might be investigated,” said Randy Trzeciak, acting manager of the Computer Emergency Response Team Insider Threat Center at Carnegie Mellon University’s Software Engineering Institute.
“We’ve come up with patterns that we believe organizations might be able to consider when determining when someone might be progressing down the path to harm the organization,” said Trzeciak, whose organization has analyzed more than 800 cases and works with the government and private sector on cyber security.
Many government insiders are leery of the program, saying that profiling remains unproven, can make employees more resistant to reporting violations, and can lead to spurious allegations. Some government programs that have used behavioral indicators have been condemned as failures.
Most criticized is the Transportation Security Administration’s Screening of Passengers, termed SPOT. The program, which has cost $878 million and employs 2,800 people, uses “behavior detection officers” to identify potential terrorists by scrutinizing airline passengers for signs of “stress, fear or deception.”
The inspector general of the Department of Homeland Security observed in a May 2013 report that “TSA cannot ensure that passengers at United States airports are screened objectively, show that the program is cost-effective, or reasonably justify the program’s expansion.”
In spite of such questions, the Pentagon is moving ahead in training Defense Department and contractor managers and security officials to set up insider threat offices. One company emphasized how its course is designed for novices: “The Establishing an Insider Threat Program for Your Organization Course will take no more than 90 minutes to complete.”
“What we really point out is if you’re in doubt, report, because that’s what the investigative personnel are there to do, is to get to the bottom of ‘is this just noise or is this something that is really going on?’” said Larry Gillis, a senior Army counterintelligence and security official.
Some US officials and experts worry that Obama’s Insider Threat Program may lead to false or reactive accusations across the entire government because security officials are granted access to information outside their usual purview. It may be the rule of the government by executive fiat, but the Insider Threat Program has a long way to go before it accomplishes what the president hopes it will.