Agencies continue to struggle to establish insider threat programs. Many missed the deadline to hit initial operating capability in December 2015, and many still will miss the December 2016 deadline to hit full operational capability.
The most recent data from the Obama administration on the Performance.gov portal doesn’t provide specifics on how many or which agencies, but the National Insider Threat Task Force (NITTF) says a combination of “organizational culture, legal questions and resource identification” are among the obstacles preventing agencies from meeting the White House goal. The Coast Guard is one of the few agencies that met the full operational capability goal around insider threats.
All of these delays and challenges with creating an insider threat program would seemingly point to yet another reason why Harold Thomas Martin III, 51, of Glen Burnie, Maryland, allegedly was successful in taking classified materials from the National Security Agency over a two-year period.
The Justice Department on Oct. 5 charged Martin with “theft of government property and unauthorized removal and retention of classified materials by a government employee or contractor.” Martin worked for Booz Allen Hamilton under contract at NSA.
“When Booz Allen learned of the arrest of one of its employees by the FBI, we immediately reached out to the authorities to offer our total cooperation in their investigation, and we fired the employee,” Booz Allen said in a release. “We continue to cooperate fully with the government on its investigation into this serious matter.”
Experts, however, say the insider threat program is neither the problem nor the answer. Instead, experts say, reducing the risk of federal employees or contractors becoming threats goes back to security clearances.
“To effectively counter the inside threat, we have to take advantage of the technology and implement the processes that continuously evaluate the behavior of employees to flag suspicious activities,” said Larry Hanauer, vice president of policy for the Intelligence National Security Alliance (INSA). “To reform the entrenched security clearance processes will take time, but it’s important to expedite the reforms and the next administration must make it a priority.”
Hanauer, who spent 20 years working in the national security community including time with the Department of Defense, on Capitol Hill, and with the private sector, said the government is relying on a 1950s risk-based approach to ensure employees and contractors are properly vetted. INSA recently released a new report offering recommendations for small and medium-sized businesses in setting up insider threat programs.
The Office of Personnel Management launched the National Background Investigations Bureau (NBIB) on Oct. 1. The NBIB is relooking at everything from technology to processes to people to improve the security clearance process.
The NBIB is creating several new offices, including the Federal Investigative Records Enterprise (FIRE), which will automate and digitize the NBIB’s processes, the Engagements and Customer Service office, which will include a newly established law enforcement liaison to promote and augment the exchange of vital electronic records, and a Business Transformation directorate, which will focus on data-driven decisions and policies to support strategic goals.
The NBIB has a big hill to climb. The administration reported on Performance.gov that it still takes on average 147 days to complete an initial investigation at the secret level; 210 days on average to complete an initial investigation at the top secret level; and 211 days for periodic investigations.
Raj Ananthanpillai, the CEO of IDentrix, an insider threat continuous risk monitoring company, said even after incidents involving Edward Snowden and Aaron Alexis, the Navy Yard shooter, change is happening too slowly. He said while the government is getting better at protecting against the insider threat, the distributed nature of agencies and contractors makes it more difficult to get consistent application of new processes and technologies.
“This is all about continuous risk monitoring and evaluation of the cleared workforce. It’s become a people problem, not a technology problem,” he said. “It’s unfortunate to say that we’ve arrived at a place where no one can be trusted. Being able to connect the dots between external behaviors and potential risk assumed inside an organization is the new reality. Background screens of employees are conducted at time of hire. What happens between the gaps of time around reinvestigations — 1, 5 or 10 years? Is there a major life event that triggers an employee’s financial situation or substance abuse that may come to work with that employee? These are the things that we might miss when contractors or agencies wait too long to re-screen. The combination of external and internal risk monitoring and evaluation can provide advance warning and alerts for agencies and government contractors.”
Ananthanpillai, Hanauer and other experts say the move to continuous vetting is the best protection against insider threats.
The Obama administration says it has taken steps to move toward continuous vetting, including in May 2016 when James Clapper, the Director of National Intelligence, signed off on Security Executive Agent Directive (SEAD) 5 in May, permitting agencies to collect and evaluate valuable publicly available social media information as part of vetting for national security eligibility.
Additionally in the coming months, the White House says Clapper will sign off on SEAD 3, which will align and standardize reporting requirements “for handling and protecting reported information is a key step to improve the federal workforce’s confidence that the information will be properly safeguarded,” the administration wrote on the Performance.gov portal.
The NITTF also trained 100 individuals from 40 agencies on Insider Threat hub operations, conducted independent assessments of five agencies to gauge community progress and briefed the federal CXO councils to help raise awareness.
Jim Henderson, CEO of Insider Threat Defense, Inc. and an instructor of the Insider Threat Program Development Training Course, said these problems keep happening because agencies are not addressing the insider threat in a holistic way.
“Malicious insiders do not care about compliance regulations, they will exploit an organization’s weaknesses to achieve their goals,” Henderson said. “The insider threat problem is further compounded by the lack of a comprehensive and structured information/information systems security program.”
Henderson said agencies need to have an insider threat risk mitigation framework that includes:
A strong governance structure;
Security policies and procedures;
Going beyond compliance by implementing baseline security controls and secure configurations of IT systems, software applications and networks and defense-in depth risk mitigation strategies;
Security education training and awareness;
Performing computer user activity monitoring;
Conducting comprehensive risk assessments.
Henderson said combating the insider threat has to be a combination of technology and cross-department communication between the security—both cyber and physical branches—human resources, mission or business leaders and others about potential employees who may pose a threat.
“Individuals responsible for insider threat risk mitigation, should conduct an insider threat data exflitration exercise,” he said.
IDentrix’s Ananthanpillai said the need to have a 360 degree view of any employee with a clearance will help mitigate many risks.
“The key underlying principle is the government must figure out the best way to maintain integrity of the cleared workforce,” INSA’s Hanauer said. “We are placing great trust in people with security clearances and there are a lot of ways to guarantee their integrity, but the challenge is really to maintain and develop a trusted workforce.”