More than a year and a half after President Barack Obama issued a directive to agencies for dealing with disgruntled or rogue employees, it appears insider-threat programs are finally getting off the ground.
But even after the fallout from the WikiLeaks and Edward Snowden disclosures, it’s hard to tell how many agencies are actually checking all the boxes on the Obama administration’s plan for combating insider threats, which is one of the 15 cross-agency priority goals announced in its fiscal 2015 budget proposal.
Agencies were supposed to have taken initial steps to set up insider-threat programs by June 30, according to an update posted on Performance.gov. Those initial steps included naming a senior agency official responsible for the agency’s effort, circulating an insider threat policy signed by the agency head and developing an implementation plan.
But so far, it’s impossible to know how many agencies met those initial criteria by the milestone date. That information is classified, according to the progress update.
The latest update shows agencies are still in the early stages of developing insider threat programs, said John Dillard, co-founder and partner at Big Sky Associates.
“A lot of what’s in there now is still very much at the governance and planning stage,” said Dillard, whose firm has helped agencies set up insider-threat programs. “A lot of what’s in the plan are plans to have a plan, which is not unusual at this stage of the game.”
Some agencies are further along than others, in part because Obama’s original November 2012 directive “gave agencies a lot of latitude to do their own thing,” Dillard said.
But the latest update from the Office of Management and Budget seems to suggest more coordination going forward, Dillard said. He also pointed to the passage of the fiscal 2015 Intelligence Authorization Act, signed into law by the president last week, which prods agencies to take more concrete steps on insider threats.
The administration wants to have agency insider-threat programs reach initial operating capability by January 2017. According to the progress update, that should include “some capability to pull data from appropriate sources to retroactively analyze and respond to anomalies” and monitoring user activity on at least one classified network.
To get there, agencies need to start ramping up pilot projects “that begin to test some of the meatier parts” of the administration’s overall strategy, Dillard said. That includes how to institute the practice of continuous evaluation — automatically culling through police records and credit checks to track potential warning signs in an employee’s life.
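The initial-operating-capability language above (pulling user-activity data from a monitored network and retroactively analyzing it for anomalies) is abstract. The following Python script is an added illustration, not code from any agency program or from Big Sky Associates, of what such a retroactive check looks like at its simplest: it parses a constructed sample of user-activity-monitoring records, builds a per-user baseline of daily data volume and touched objects from the first days, and then flags later days whose volume exceeds the baseline and off-hours accesses to objects the user never handled before. The log format, usernames, paths, the three-sigma threshold, the 07:00–19:00 working-hours window and the minimum of three baseline days are all assumptions chosen for the example.

```python
"""Retroactive anomaly screening over user-activity-monitoring (UAM) records.

Added example; not an agency's code. Log format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample records (not real data). Assumed line format:
# <ISO timestamp> <user> <action> <object> <bytes>
SAMPLE_LOG = """\
2015-01-05T09:12:03 jdoe READ /share/proj/plan.docx 20480
2015-01-05T14:02:11 jdoe READ /share/proj/budget.xlsx 30720
2015-01-05T08:30:00 asmith READ /share/hr/roster.csv 5120
2015-01-06T10:05:44 jdoe READ /share/proj/plan.docx 30720
2015-01-06T15:40:09 jdoe WRITE /share/proj/notes.txt 10240
2015-01-06T09:00:00 asmith READ /share/hr/roster.csv 5120
2015-01-06T16:10:00 asmith WRITE /share/hr/roster.csv 6144
2015-01-07T11:20:30 jdoe READ /share/proj/budget.xlsx 61440
2015-01-07T09:15:00 asmith READ /share/hr/roster.csv 5120
this line is malformed and must be skipped
2015-01-08T12:00:00 jdoe READ /share/proj/plan.docx 20480
2015-01-08T23:41:17 jdoe READ /share/proj/archive.zip 524288000
2015-01-08T09:00:00 asmith READ /share/hr/roster.csv 7168
2015-01-08T10:00:00 newhire READ /share/proj/plan.docx 20480
2015-01-09T10:00:00 jdoe READ /share/proj/plan.docx 30720
2015-01-09T20:30:00 asmith READ /share/hr/roster.csv 5120
"""

# Assumed: the first three days form the baseline; everything after is scored.
BASELINE_END = date(2015, 1, 7)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, obj, nbytes = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "obj": obj, "bytes": int(nbytes)})
    return events


def daily_volume(events):
    """Return {user: {date: total bytes moved that day}}."""
    vol = defaultdict(lambda: defaultdict(int))
    for e in events:
        vol[e["user"]][e["ts"].date()] += e["bytes"]
    return vol


def find_anomalies(events, baseline_end, min_baseline_days=3, z=3.0, work_hours=(7, 19)):
    """Score days after baseline_end against each user's own baseline.

    Two checks: (1) daily volume above mean + z*stdev of the baseline days
    (with a floor of 10% of the mean so a flat baseline does not give a zero
    threshold), and (2) off-hours access to an object absent from the baseline.
    Users with fewer than min_baseline_days of history are left unscored.
    """
    vol = daily_volume(events)
    known = defaultdict(set)            # objects each user touched during the baseline
    for e in events:
        if e["ts"].date() <= baseline_end:
            known[e["user"]].add(e["obj"])

    findings, scored = [], set()
    for user, per_day in vol.items():
        base = [b for d, b in per_day.items() if d <= baseline_end]
        if len(base) < min_baseline_days:
            continue                    # insufficient history; route to manual review instead
        scored.add(user)
        mu, sigma = mean(base), pstdev(base)
        threshold = mu + z * max(sigma, 0.1 * mu)
        for d, b in per_day.items():
            if d > baseline_end and b > threshold:
                findings.append({"user": user, "date": d, "kind": "volume",
                                 "detail": f"{b} bytes vs threshold {threshold:.0f}"})

    start, end = work_hours
    for e in events:
        if e["ts"].date() <= baseline_end or e["user"] not in scored:
            continue
        off_hours = not (start <= e["ts"].hour < end)
        if off_hours and e["obj"] not in known[e["user"]]:
            findings.append({"user": e["user"], "date": e["ts"].date(),
                             "kind": "off_hours_new_object",
                             "detail": f"{e['action']} {e['obj']} at {e['ts'].time()}"})
    return sorted(findings, key=lambda f: (f["user"], f["date"], f["kind"]))


def run_sample():
    """Run the screen over the constructed sample; used by the demo below."""
    return find_anomalies(parse(SAMPLE_LOG), BASELINE_END)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['date']} {f['user']:8} {f['kind']:22} {f['detail']}")
```

In the sample, only jdoe is flagged, twice on the same day: a 500 MB pull that dwarfs a baseline of roughly 50 KB per day, and a late-night read of an archive never touched before. asmith's evening read of a file handled daily stays quiet, and newhire is skipped for lack of history rather than flagged for everything being "new", which is the kind of false-positive trap a pilot should surface before a program scales.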
Security-clearance overhaul also eyed
Continuous evaluation is a key part of the administration’s plan for reforming security clearances, an effort that goes hand-in-hand with its plan for detecting and dealing with insider threats.
Key deadlines for implementing a limited continuous-evaluation capability are looming.
The intelligence community is preparing to roll out a plan for continuously evaluating clearance holders, in addition to periodically reinvestigating them every few years. According to the progress update, the IC plans to have a continuous-evaluation capability in place for the most sensitive clearance holders by September.
The following month, the Defense Department — which has been piloting a few continuous-evaluation systems over the past few years — plans to expand its pilot program to a sample of about 100,000 cleared military, civilian and contractor personnel.
“To a large extent, what they’re doing now and what they’ll continue to do in the near-term is focus on automation and sharing information using the existing guidelines on adjudication and suitability,” Dillard said. “That has some inherent weaknesses but that’s certainly a step in the right direction, in terms of expediting the process and sharing information more effectively and making the process move faster.”
The focus on automation will make the process more efficient. But Dillard said he hopes agencies also begin to think about how to retool the entire process using risk-management and data analytics to become predictive.
Can data analytics predict insider threat?
“There are a variety of different standards that adjudicators and investigators use when they look at people,” he said. “And if we simply automate all of those using the current forms and current system, it will expedite and improve that current system, but I think it misses the opportunity to apply real data science — and by that I mean understanding in a risk-based way, what behaviors are most likely to result in or suggest a probability of someone engaging in dangerous behavior.”
Despite the upcoming incremental milestones, both the insider-threat strategy and security-clearance reform efforts are massive, multi-year undertakings.
A deadline for final operating capability for insider-threat programs is still to be determined and continuous-evaluation systems won’t be deployed to all 1 million top-secret clearance holders until at least 2017.
Dillard said the size and scope of the project means it’s important for agencies and the administration to focus on scalable pilots.
“I think that the crucial thing in order for the government not to fail is to be sure to build small pilots that iterate,” he said. “What we can’t do and the government certainly has done many, many times is build very large, fixed custom systems that are hard to modify.”
No system will be 100 percent foolproof.
“Bad things are going to happen sometimes,” he said. “We can’t predict the future … The crucial thing is that we have the flexibility in our systems, processes and policies — and quite frankly legal structures — to learn and adapt from negative incidents when they do occur.”