New Ideas for Mitigating Insider Threat
Presidential Panel Suggests Series of Steps
When the White House on Dec. 18 released the 46 recommendations of a presidential panel to tighten federal surveillance and IT security programs, media coverage focused on placing limits on the National Security Agency's bulk-collection program (see Panel Recommends Limits on NSA Surveillance).
But deep within the 308-page report are recommendations on how to mitigate the insider threat at federal agencies. After all, President Obama would never have had to order five cybersecurity experts to conduct this review if this generation's most celebrated or notorious (you choose the adjective) insider, Edward Snowden, hadn't leaked classified documents about government surveillance programs (see How Did Snowden Breach NSA Systems?).
The panelists in their report recommend a series of steps to reduce the risk associated with insider threats. "A governing principle is plain: Classified information should be shared only with those who genuinely need to know," the report's authors wrote.
Avoiding Government Contractors
One recommendation would implement specific changes to improve the efficacy of the personnel vetting system.
Much of the screening tied to granting federal government security clearance is conducted by private contractors. That includes the assessment of Snowden, who was vetted in 2011 by USIS, a private company based in the Washington suburb of Falls Church, Va. USIS has been under investigation since late 2011 in a "complicated contract fraud case," Michelle Schmitz, Office of Personnel Management's assistant inspector general for investigations, testified at a hearing of the Senate Homeland Security and Governmental Affairs Committee on June 20.
The panel says the use of for-profit corporations to conduct personnel investigations should be reduced or terminated. "When a company is paid upon completion of a case, there is a perverse incentive to complete investigations quickly," the report says.
To help agencies that don't have the resources to conduct their own vetting, the panel recommends that the government consider creating a not-for-profit organization, modeled after federally funded research and development centers such as RAND and MITRE, to conduct and improve the approach to background investigations.
Another panel recommendation to mitigate the insider threat is to, in effect, continuously monitor the activities and behaviors of those with security clearances. In the past, once an individual received a security clearance, it wasn't reviewed for another five or 10 years.
The panel says continuous security clearance vetting of individuals should employ a risk management approach and be based on the sensitivity and quantity of the programs and information to which individuals are given access.
Exploiting Big Data
Such a system is being implemented at the Department of Defense. How does it work? It exploits big data.
On demand, the system can query a large number of government and commercially available databases with "adjudicated, relevant information that speaks to the reliability of an individual," says Stephen Lewis, deputy director for personnel, industrial and physical security policy at the Directorate of Security Policy and Oversight in the Office of Undersecretary of Defense for Intelligence.
The system evaluates the results from the queries and issues red flags, when warranted, that would require an individual to intervene. "We are looking at continuous evaluation in addition to the normal inputs we get from commanders and supervisors and the like," Lewis says.
The types of information that could set off a red flag include arrests for driving under the influence and running up credit card debt that can't easily be repaid. Lewis says DoD seeks information that could help determine whether individuals should continue to be in "a position of trust."
The Reality of Trust
Despite continuous evaluation, DoD leaders say they trust employees with security clearances, yet precautions must be taken.
"We trust them implicitly but we need to mitigate what they could do," says Robert Carey, DoD's principal deputy chief information officer, who co-chairs the federal CIO Council's information security and identity management committee. "It isn't anything against them. It's about just making sure that the information stays on the proper side of the firewall."
If trusted, security-cleared government workers don't like this extra monitoring, too bad. They have Edward Snowden to thank for it.