Federal Report

One decade after Navy Yard shooting, major changes made to ‘insider threat’ approach

The Navy Yard shooting was a "wake up call," in the words of one expert, for the government's security apparatus. Ten years later, ideas like continuous vetting...

Justin Doubleday@jdoubledayWFED

September 18, 2023 3:43 pm

8 min read

One decade after the Washington Navy Yard shooting, officials and other experts say the tragedy has proven to be a catalyst in overhauling the government’s approach to managing potential security risks from its employees and contractors.

In the years following the shooting, the Defense Department established a central organization to manage “insider threats,” while the military services and other organizations also set up insider threat “hubs” to share information about potential risks from employees.

DoD has also taken over the background investigation process from the Office of Personnel Management and adopted a more proactive approach to identifying red flags in an employee’s background.

“With this unfortunate, tragic incident, what we have seen is real and lasting change, which doesn’t always happen,” James Shappell, the director of the DoD Insider Threat Management Analysis Center (DITMAC), said during a Sept. 14 online event hosted by the Center for Development of Security Excellence.

On Sept. 16, 2013, Aaron Alexis shot and killed 12 civilian and contractor employees at Naval Sea Systems Command headquarters. Alexis also wounded four others before he was killed by law enforcement.

Alexis was a former Navy reservist who held a secret security clearance and had access to NAVSEA headquarters through his job as a Navy IT contractor.

A Pentagon review of the shooting found it could have been prevented if the Navy and Alexis’s employer had properly evaluated and reported previous arrests involving firearms, as well as other erratic and alarming behavior.

Terrance McGowen, a security professional for the Navy who narrowly escaped the shooting, shared his harrowing experience from that 2013 day during the CDSE webinar last week. And he pointed to the changes that have been made in the years since the incident.

“Now we have continuous evaluation, we have continuous vetting, we have automatic checks with checking your interaction with law enforcement and your credit on a daily basis,” McGowen said. “All of this is because of the Aaron Alexis situation, where there were red flags throughout his career in the Navy and as a contractor, and no one took up those opportunities.”

Continuous vetting

The Pentagon’s review found Alexis’ background investigation file was missing critical information, including how a 2004 arrest, which Alexis told investigators was just “mischief,” was due to him shooting out the tires of construction worker’s tires during a traffic dispute.

The Navy also did not monitor whether Alexis was addressing financial issues and other personal conduct concerns that were flagged during his background investigation.

During his Navy career, there were two additional arrests and one instance of non-judicial punishment that should have been put into Alexis’ file. And in the weeks leading up to the shooting, Alexis told police he was being followed, hearing voices, and of being under attack by vibrations and microwaves. But these instances were ultimately not reported to DoD security offices.

Alexis’ employer knew about his potential psychological instability, the review found, but did not refer those concerns to a mental health professional or seek further guidance from DoD.

The incident highlighted a major gap in DoD’s security clearance process: once an individual has gone through an initial background investigation and received a security clearance, that person would not be investigated again for at least another five years. In between those investigations, security offices would be reliant on an individual self-reporting or being contacted about a potential concern by another party, such as an employer.

One part of the solution, the review suggested, was in technology. It recommended DoD adopt an enterprise “continuous evaluation” program that would enable “real-time automatic notifications of issues of security concern.” DoD had developed an automated continuous evaluation system in 2005, but had only piloted the capability with a small number of personnel.

“An enterprise-wide continuous evaluation capability would help mitigate gaps in information obtained through self-reporting and would complement a threat management capability,” the Pentagon review suggested.

In the intervening years, the term “continuous evaluation” has morphed into “continuous vetting,” but the recommended changes have come to fruition. More than 4 million security clearance holders across DoD and industry are now enrolled in continuous vetting. The current system includes automated records checks for data like criminal incidents and credit history.

Charlie Sowell, a former senior advisor to the director of national intelligence, called the Navy Yard shooting a “wake up call” for DoD’s internal security apparatus. Sowell is now chief executive officer of SE&M Solutions, a contractor for the Defense Counterintelligence and Security Agency.

“When you look at the ability of the government to identify problems before they snowball, it’s at a whole different level,” Sowell said.

Paul Stockton, a former assistant secretary of defense who led the Pentagon review of the Navy Yard shooting, called continuous evaluation “the most important” recommendation from the study.

“The progress DoD has made in addressing insider threat challenges is extremely important and needs to be sustained and indeed needs to be built upon to meet emerging threats,” Stockton said in an interview. “The establishment of DITMAC institutionalizes opportunities for such progress, and above all, the ability of the department to continue to improve continuous monitoring is absolutely vital.”

Insider threat hubs and reporting

The review also recommended DoD establish the DITMAC to provide a “central clearinghouse” that could monitor and identify potential security concerns across the military.

The Navy Yard shooting occurred after several other “insider threat” incidents, including the 2009 Fort Hood shooting, the 2010 Wikileaks classified data release, and the 2013 leaks by National Security Agency contractor Edward Snowden.

The Pentagon review found DoD needed a “more coordinated and consolidated approach” to insider threat policies and reporting capabilities. The DITMAC, it recommended, could be a “one stop shop” to gather and analyze any adverse information that is reported about employees.

Insider threat programs had been around since 2011, when then-President Barack Obama directed agencies to establish insider threat and detection programs in the wake of the Wikileaks data spill.

But in addition to launching the DITMAC, the Navy yard shooting demonstrated the potential deadly ramifications of not identifying red flags about a trusted insider’s behavior.

“It really more than anything else launched the insider threat programs across government,” Sowell said. “I also think it helped government and industry realize that insider threats go way beyond information disclosure. What greater threat is there than a loss of life incident at a company or on a government installation?”

Challenges remain

Despite the progress, officials and recent audits point to remaining gaps in DoD’s approach to insider threats.

DoD’s inspector general, in a redacted September 2022 report, found DoD’s insider threat hubs, spread out across the military services and other defense agencies, were not consistently reporting concerning incidents to the DITMAC.

The Navy, for instance, did not report 26 incidents to the center that involved “murder, rape, kidnapping, aggravated assault, robbery, and soliciting sexual conduct with a minor,” the IG reported.

Furthermore, it took as long as two years for some of the hubs to report incidents to the center.

“Unless the DoD component hubs consistently report insider threat incidents to DITMAC as required, DITMAC cannot fully accomplish its mission to provide the DoD with a centralized capability to identify, mitigate, and counter insider threats and reduce the harm to the United States and the DoD by malicious insiders,” the report concluded.

More recently, a Massachusetts Air National Guardsman was indicted for being the perpetrator behind a massive leak of classified data on the Discord website. Defense Secretary Lloyd Austin, following a review of security procedures across the military, recently directed officials to establish a “Joint Management Office for Insider Threat and Cyber Capabilities,” among other actions.

Meanwhile, Sowell said it continues to be a challenge to convince employees to report the potentially concerning behavior of a colleague.

“Who’s going to notice someone’s behavior changing at the workplace, that they spend eight hours a day at either physically or maybe they’re online, on remote work scenarios, and you can see that something’s kind of off? Supervisors and coworkers are probably going to be the ones that would see that, and you still see low levels of reporting,” Sowell said.

The focus of this year’s government-sponsored “insider threat awareness month,” held every September, is “bystander engagement.” The goal, the Office of the Director of National Intelligence said in a release, is encouraging “government and industry employees to recognize and report behaviors of concern to appropriate parties so early intervention can occur and at-risk employees can be connected to resources and assistance if appropriate.”

And despite the progress made with adopting continuous vetting, Sowell said the current system flags a limited amount of information. And the Government Accountability Office last month reported that DoD’s current cost and schedule estimates for the next-generation background investigations IT system are “unreliable,” posing the potential for further delays and overruns.

“I wonder if some of the revolutionary technology changes that you need to better aggregate and analyze relevant information and serve up information to adjudicators and investigators, if we’re going to be able to implement any of that anytime soon, and that’s a big hindrance to the process,” Sowell said.

Going forward, Stockton said DoD needs to pursue the use of artificial intelligence and machine learning to detect insider threat activities.

“AI and ML can gather together disparate information from disparate sources, better synthesize that data, and do so with a speed and effectiveness that could make AI and ML invaluable tools to strengthen continuous monitoring and the detection of potential insider threats before those threats are manifested in ways that we saw at the Washington Navy Yard and potential future events,” Stockton said.