Secrecy News

Insider Threat Program Advances, Slowly

The Department of Defense recently demonstrated the “Continuous Evaluation” of approximately 100,000 cleared military, civilian and contractor personnel, in order to validate their eligibility for access to classified information on an ongoing basis.

Continuous Evaluation (CE) refers to the automated monitoring of government and commercial databases for signs of criminal behavior, irregular financial activity, or other “triggers” that could lead to suspension of a security clearance. CE is a central feature of the emerging Insider Threat program that is intended to deter and detect espionage, terrorism, unauthorized disclosures of classified information, and other offenses by security-cleared personnel.

According to a new quarterly report on the Insider Threat program, the Department of Defense is on track to expand its Continuous Evaluation capability to 225,000 persons by the end of 2015, to 500,000 persons by the end of 2016, and to 1 million persons during 2017. (There are approximately 4.5 million cleared personnel in government and industry.) See Insider Threat and Security Clearance Reform, Quarterly Report, FY 2015, Quarter 2, June 2015.

But progress has been uneven. The Office of the Director of National Intelligence missed a December 2014 milestone for Continuous Evaluation of the most sensitive Top Secret and TS/SCI (Top Secret/Sensitive Compartment Information) clearance holders in government and industry. The revised goal is “to have CE completed on a portion of the TS and TS/SCI population in the Executive Branch by the end of FY 16,” the new quarterly report said.

The Insider Threat problem is a difficult one particularly since the fraction of employees who are spies, terrorists, or leakers is minuscule. Nor does this tiny contingent have a simple, readily identifiable profile. (Convicted spy Aldrich Ames and fugitive unauthorized-discloser Edward Snowden, for example, seem to have few traits in common, although both apparently passed their polygraph examinations without difficulty.)

Therefore, even though Continuous Evaluation is years away from full implementation, security policy officials are already looking beyond it for other options.

Last week, the Intelligence Advanced Research Projects Agency (IARPA) invited researchers to submit proposals for its Scientific advances to Continuous Insider Threat Detection (SCITE) Program.

The SCITE Program seeks “a new class of insider threat indicators, called active indicators, where indicative responses are evoked from potential insider threats,” according to the June 18 Broad Agency Announcement issued by the IARPA “Office for Anticipating Surprise.”

“Current practice and research is heavily focused on passive indicators that monitor existing data sources for indicative behaviors,” IARPA said.

By contrast, “Active indicators introduce stimuli into a user’s environment that are designed to evoke responses that are far more characteristic of malicious users than normal users. For example, a stimulus that suggests that certain file-searching behaviors may be noticed is likely to be ignored by a normal user engaged in work-related searches, but may cause a malicious user engaged in espionage to cease certain activities.”