Nov 17 2014
Security

Agencies Develop Insider Threat Programs, Prepare for Continuous Evaluation

A key part of the insider threat program in 2015 will be more robust reinvestigations to assess cleared individuals’ ongoing eligibility for access to classified information.

Who is the insider threat?

Depending on whom you ask in government, the answer varies. Some people say former government contractor Edward Snowden. Others in the Defense Department think it’s Washington Navy Yard shooter Aaron Alexis. The insider threat means different things to different people.

“We are trying to manifest that an insider threat is a human being, someone seeking to do harm to themselves or others or systems or information,” National Counterintelligence Executive Bill Evanina told FedTech. “It’s more than just the Snowdens. And to the DOD folks, it’s more than just Alexis at the Navy Yard and it’s more than just a contractor. The insider threat is vast.”

Evanina co-directs the daily activities of the National Insider Threat Task Force, which was created by an October 2011 executive order in the aftermath of the WikiLeaks scandal. The task force was charged with developing a governmentwide policy for detecting, deterring and mitigating insider threats and for issuing minimum standards for implementing agency programs.

Evanina credits agencies’ robust insider threat programs for preventing multiple suicides. “We’ve had significant success in the government in the last four months,” he says. Promoting the good that has come from these programs will be key in winning over skeptics who are leery of federal programs that involve employee monitoring, even if it’s restricted to electronic monitoring on government computer systems.

The government is acting no differently from a Fortune 500 company that wants to protect its crown jewels, says Gene Barlow Jr., associate deputy director for public affairs at the Office of the National Counterintelligence Executive (ONCIX).

More than 70 departments and agencies are required to implement minimum standards to combat the insider threat, which include designating a senior official to oversee insider threat initiatives and adopting an insider threat policy and plan for implementing a program. Part of the challenge is articulating to smaller agencies why these standards are vital even if they don’t manage classified information, Evanina says. By the end of the year there will be a “big closing of the gap at the agencies who weren’t where we need them to be.”

You won’t find stats on the outcomes of federal insider threat programs, but Evanina says he expects to hear more anecdotal stories of prevention as the government builds more functional and efficient programs. The primary goal is to deter, detect and mitigate, Barlow explains. It’s hard to measure deterrence, though.

How Does an Insider Threat Program Work?

Evanina offers this scenario: Let’s say an employee who generally works from 7:30 a.m. to 4:30 p.m. all of a sudden starts coming in at 10 a.m. Co-workers notice that their colleague has been sending emails late at night. He usually works on issues pertaining to Southeast Asia, but lately he has been downloading materials on Russia. IT staff mention to his manager that he is doing extensive research on Vladimir Putin, and he recently flew to Ukraine and did not report his travel.

“So, those things get added up to identify a complete picture,” Evanina explains. It doesn’t mean the employee is a spy or an insider, but these could be a red flag. Sometimes behavioral changes mean a person needs employee assistance, which is why agencies should be proactive in detecting these anomalies and reaching out to workers. Agencies’ insider threat policies should identify the proper channel for reporting concerns and set requirements for training employees so they know what issues to report.

Each agency has a different threshold for determining if someone could be a threat. What may seem minor to managers at the Social Security Administration may raise red flags at the CIA.
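The scenario above is essentially a baseline-deviation check: each observation on its own is innocuous, and it is the coincidence of several kinds of change that produces the "complete picture". The following Python script is an added illustration of that aggregation step; it is not code from FedTech, ONCIX or any agency program. The employee baseline, the activity events, the indicator weights and the two agency thresholds are all constructed for the example, and the output is a referral flag for human review, not a judgement about the person.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed baseline for one hypothetical employee: the habits a manager or
# IT staff would recognise as "normal" for that person.
BASELINE = {
    "usual_arrival_hour": (7, 9),      # badges in between 07:00 and 09:00
    "usual_email_hours": (7, 18),      # sends mail during the working day
    "usual_topics": {"southeast-asia"},
    "travel_requires_report": True,
}

# Constructed activity log mirroring the indicators the article lists in prose.
EVENTS = [
    {"ts": "2014-10-06T10:05", "kind": "badge_in"},
    {"ts": "2014-10-07T10:12", "kind": "badge_in"},
    {"ts": "2014-10-07T23:40", "kind": "email_sent"},
    {"ts": "2014-10-08T00:15", "kind": "email_sent"},
    {"ts": "2014-10-08T11:00", "kind": "download", "topic": "russia"},
    {"ts": "2014-10-09T11:30", "kind": "download", "topic": "russia"},
    {"ts": "2014-10-10T09:00", "kind": "travel", "destination": "ukraine", "reported": False},
]

# Constructed weights: a missed travel report is a policy violation, so it
# carries more weight than a changed arrival time.
WEIGHTS = {"arrival_shift": 1, "after_hours_email": 1, "topic_drift": 2, "unreported_travel": 3}

# Constructed per-agency thresholds: the same picture can be minor at one
# agency and a referral at another.
THRESHOLDS = {"lower_sensitivity": 6, "higher_sensitivity": 2}


def _hour(ts: str) -> int:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M").hour


def indicators(events: List[dict], baseline: dict) -> Dict[str, int]:
    """Count how often each kind of deviation from the baseline occurred."""
    counts: Counter = Counter()
    lo, hi = baseline["usual_arrival_hour"]
    elo, ehi = baseline["usual_email_hours"]
    for e in events:
        h = _hour(e["ts"])
        if e["kind"] == "badge_in" and not lo <= h <= hi:
            counts["arrival_shift"] += 1
        elif e["kind"] == "email_sent" and not elo <= h < ehi:
            counts["after_hours_email"] += 1
        elif e["kind"] == "download" and e["topic"] not in baseline["usual_topics"]:
            counts["topic_drift"] += 1
        elif e["kind"] == "travel" and baseline["travel_requires_report"] and not e["reported"]:
            counts["unreported_travel"] += 1
    return dict(counts)


def risk_score(fired: Dict[str, int], weights: Dict[str, int]) -> int:
    """Each indicator kind contributes its weight once, however often it fired:
    the picture is about which kinds of change coincide, not about volume."""
    return sum(weights[name] for name in fired)


def triage(events: List[dict], baseline: dict, weights: Dict[str, int], threshold: int) -> dict:
    """Produce the report a program office would hand to a manager or employee
    assistance channel: the indicators seen, the aggregate score, and whether
    the agency's own threshold says a person should look at it."""
    fired = indicators(events, baseline)
    score = risk_score(fired, weights)
    return {"indicators": fired, "score": score, "refer": score >= threshold}


if __name__ == "__main__":
    for name, threshold in THRESHOLDS.items():
        print(name, triage(EVENTS, BASELINE, WEIGHTS, threshold))
```

Run against the constructed log, the full set of changes clears both thresholds; if only the arrival-time and late-email changes are present, the score is 2, which refers at the higher-sensitivity agency but not at the lower-sensitivity one. That difference is the point of the per-agency threshold, and the referral is the start of a conversation, not a conclusion.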

A key part of the insider threat program will be more robust reinvestigations “to assess cleared individuals’ ongoing eligibility for access to classified information,” according to ONCIX. The process is called continuous evaluation and involves automatic records checks on individuals who have security clearances.

As the owner of continuous evaluation, ONCIX will conduct the evaluations. Evanina’s office is working with agencies to determine how frequently the records checks will occur. For some agencies “continuous” means every 30 days. Evanina expects these automatic evaluations will also help address the clearance backlog.

“There’s no way to prioritize who gets them [background investigations] first,” he says. Now, agencies can make those determinations based on data collected through continuous evaluation.

The government is facing possible slowdowns in background investigations after the Office of Personnel Management’s announcement that it would not continue working with the government's primary contractor for handling security clearance investigations — U.S. Investigative Services — once the company’s contracts expired on Sept. 30, the Washington Post reported.

Implementing Continuous Evaluation

Evanina says his office will launch a robust rollout of continuous evaluation in 2015, starting with top secret security clearance holders. The initial goal is to complete checks on 5 percent of these individuals (that number is classified).

Initially, his office had planned to begin automatic checks in September, but that date was pushed back. “Timelines are set because no one knows how difficult they are going to be,” he explains. “When we got in this process, we said ‘what we needed to do is to meet the minimum standards. It’s going to be pretty difficult.’ ”

“So we put some reality-based numbers on it,” he adds.

Evanina says his office must first complete a proof of concept to ensure it can easily and accurately match the right people with the right public records. Starting next year, agencies will be able to send ONCIX batches of names for evaluation.

ONCIX will use publicly available information from databases and sites such as Google, LexisNexis and Dun & Bradstreet, as well as government databases. His office does not plan to use social media accounts for records checks unless the information is publicly available, he says. This could include tweets generated from a Twitter account that is not password-protected.

If a records check uncovered that a clearance holder had filed for bankruptcy or was arrested for domestic violence, this information would be provided to the home agency in a report. From there, the agency would decide the relevancy of that data and whether it warranted putting the employee at the top of the list for a background investigation.

The technology for conducting the automatic checks and agency reports is still being developed and will pull from the best that government and industry have to offer. Evanina hopes agencies will have reports in hand no later than five days after submitting names for continuous evaluation. Storage capacity won’t be an issue because information will be stored in the cloud, he says. “It will probably be part of the Amazon cloud at some point, [but] right now we call it the cloud.”

He adds: “We have a whole very robust engineering team from multiple agencies working right now to build this tool and capacity, and we are hoping to be up and running initially in [the] early part of next year.”
