Security Clearance Reform Gets “Re-Baselined”
The executive branch is reconfiguring its approach to vetting individuals for access to sensitive information and granting them security clearances in an attempt to modernize and improve its procedures, according to a new quarterly report.
“The Insider Threat and Security Clearance Reform (ITSCR) Cross Agency Priority (CAP) Goals have been re-baselined so that they are aligned with the new enterprise-wide focus . . . and its four work streams (Trusted Workforce, Modern Vetting, Secure and Modern Mission-Capable IT, and Continuous Performance Improvement) for modernizing the SSC [security, suitability/fitness, and credentialing] mission over the next five years.” See the Quarterly Progress Update on Insider Threat and Security Clearance Reform, FY2016 Quarter 3, September 2016.
Translated out of bureaucratic jargon, this statement… still remains obscure and hard to understand. But at the least, it implies a determination that existing arrangements are unsatisfactory and that they require adjustment.
Among other steps, the latest Quarterly Update says that by December of this year, the Office of the Director of National Intelligence will “Establish a policy that requires the national security population to report information of security concern to the proper authorities in a timely manner.” The exact nature of such a requirement and its likely effect on “the national security population” remain to be seen.
Though security clearance “reform” of some kind has been underway for many years, the recent arrest of former NSA contractor Harold T. Martin III on suspicion of theft and retention of classified information suggests that room for improvement still exists. (“NSA case highlights growing concerns over insider threats” by Christian Davenport, Washington Post, October 6.)
DoD Security Clearances Down by 900K Since 2013
The total number of employees and contractors holding security clearances for access to classified information at the Department of Defense dropped by a hefty 900,000 between 2013 and 2016 — or 20% of the total cleared population at DoD. At the start of the current Fiscal Year, DoD had a remaining 3.7 million cleared personnel.
These data were presented in the latest quarterly report on Insider Threat and Security Clearance Reform, 1st quarter, FY 2016, published last month.
Importantly, this was a policy choice, not simply a budgetary artifact or a statistical fluke. A reduction in security clearances is a wholesome development, since it lowers costs and permits more focused use of security resources. It also increases pressure, at least implicitly, to eliminate unnecessary security classification restrictions.
However, reductions in clearances appeared to be stabilizing over the past year, with the elimination of around 100,000 clearance holders who did not have access to classified information, and an increase of around 100,000 cleared persons who did have such access.
Meanwhile, the Insider Threat program is being slowly implemented across the government. The Department of Defense expanded its “Continuous Evaluation” capability — providing automated notification of financial irregularities or criminal activity, for example — to cover 225,000 employees, up from 100,000 last year. The Department of State also initiated its own Continuous Evaluation pilot program.
Overall, the Insider Threat program faces continuing hurdles. “Many departments and agencies are discovering challenges with issues such as organizational culture, legal questions, and resource identification, to name a few,” the latest quarterly report said.
Former Intelligence Employees Must Report Foreign Jobs
Under a requirement recently enacted by Congress, intelligence agency employees who hold clearances for Sensitive Compartmented Information (SCI) must report any employment with a foreign government entity for up to two years after leaving their US government job.
An internal US Air Force memorandum implementing the new requirement for Air Force intelligence personnel was released under the Freedom of Information Act yesterday.
See Reporting Certain Post-Government Employment by Holders of Sensitive Compartmented Information (SCI) Accesses, Air Force Guidance Memorandum 2015-14-04-O, 5 November 2015.
SCI is classified information that is derived from intelligence sources or methods.
The reporting requirement concerning foreign government employment was adopted by Congress in the FY 2015 intelligence authorization act (section 305) and was enacted into law as 50 U.S.C. 3073a.
It is unclear from the public record whether any specific incident or circumstance prompted the new reporting requirement.
Insider Threat Program Inches Forward
The Department of Defense “is moving forward with the development of its insider threat and personnel security reform efforts,” wrote Michael G. Vickers, then-Under Secretary of Defense (Intelligence) in an April 2015 report to Congress that was released last month under the Freedom of Information Act. “The Department recognizes the magnitude and complexity of these challenges, the need for multi-agency solutions, and is marshalling needed resources,” he wrote.
An insider threat is defined as someone who uses his or her authorized access to damage the national security of the United States, whether through espionage, terrorism, unauthorized disclosures of classified information, or other harmful actions.
The Department of Defense “is directing multiple pilots and concept demonstrations using both ‘push’ and ‘pull’ capabilities to conduct CE [continuous evaluation] on approximately 100,000 military, civilian and contractor personnel” in an effort to identify potential insider threats, the April 2015 DoD report to Congress said.
The overall, government-wide insider threat program is advancing rather slowly, judging by the program’s latest Quarterly Report (for the 4th quarter of FY 2015) that was just published. Several anticipated program milestones have been missed or deferred, the Report indicates.
The most effective way to limit the insider threat may be to reduce the number of “insiders.” If so, substantial progress has been made in that direction, with the elimination of 800,000 security clearances at the Department of Defense between FY2013 and the 3rd quarter of FY 2015, according to the Report. (The very latest security clearance totals have not yet been published.)
The 2016 Omnibus Appropriations bill passed by Congress last month included a provision requiring expanded reinvestigations of security clearance holders, Federal News Radio reported last week (“Agencies directed to use social media in security clearance reviews” by Nicole Ogrysko, December 28).
“The enhanced personnel security program of an agency shall integrate relevant and appropriate information from various sources, including government, publicly available and commercial data sources, consumer reporting agencies, social media and such other sources as determined by the Director of National Intelligence,” the legislation instructed.
Numerous advocacy and whistleblower defense organizations this week wrote to the Intelligence Community Inspector General urging him to investigate whether the insider threat program “has been improperly used to target or identify whistleblowers. Additionally, we ask that you lead the initiative to properly distinguish between whistleblowing and insider threats.”
Defense Science Board on Avoiding Strategic Surprise
The Department of Defense needs to take several steps in order to avoid “strategic surprise” by an adversary over the coming decade, according to a new study from the Defense Science Board, a Pentagon advisory body.
Among those steps, “Counterintelligence must be enhanced with urgency.” See DSB Summer Study Report on Strategic Surprise, July 2015.
The Board called for “continuous monitoring” of cleared personnel who have access to particularly sensitive information. “The use of big data analytics could allow DoD to track anomalies in the behaviors of cleared personnel in order to thwart the insider threat.”
“Continuous monitoring” involves constant surveillance of an employee’s activities (especially online activities), and it goes beyond the “continuous evaluation” of potentially derogatory information that is an emerging part of the current insider threat program.
“Insider actions often generate suspicious indicators in multiple and organizationally separate domains–physical, personnel, and cyber security. The use of big data and creative analytics can be carefully tuned to the style and workflow of the particular organization and can help to audit for integrity as well as individual user legitimacy,” the DSB report said.
The DSB report broadly addressed opportunities and vulnerabilities in eight domains: countering nuclear proliferation; ballistic and cruise missile defense; space security; undersea warfare; cyber (“The Department should treat cyber as a military capability of the highest priority”); communications and positioning, navigation, and timing (PNT); counterintelligence; and logistics resilience.
To an outside reader, the DSB report seems one-dimensional and oddly disconnected from current realities. It does not consider whether the pursuit of any of its recommended courses of action could have unintended consequences. It does not inquire whether there are high-level national policies that would make strategic surprise more or less likely. And it does not acknowledge the recurring failure of the budget process to produce a defense budget that is responsive to national requirements in a timely fashion.
DoD Security-Cleared Population Drops Again
The number of people in the Department of Defense holding security clearances for access to classified information declined by 100,000 in the first six months of FY2015.
There are now 3.8 million DoD employees and contractors with security clearances, down from 3.9 million earlier in the year, and a steep 17.4% drop from 4.6 million two years ago.
Moreover, only 2.2 million of the 3.8 million cleared DoD personnel are actually “in access,” meaning that they have current access to classified information. So further significant reductions in clearances would seem to be readily achievable by shedding those who are not “in access.”
The total number of security-cleared persons government-wide is roughly 0.5 million higher than the number of DoD clearances, putting it at around 4.3 million, down from 5.1 million in 2013.
The new DoD security clearance numbers were presented in the latest quarterly report on Insider Threat and Security Clearance Reform, FY2015 Quarter 3, September 2015.
The reduction in security clearances is not simply a reflection of programmatic or budgetary changes. Rather, it has been defined as a policy goal in its own right. A bloated security bureaucracy is harder to manage, more expensive, and more susceptible to catastrophic security failures than a properly streamlined system would be.
So the Administration’s Insider Threat Program states that one of the objectives of the program is to “Reduce total population of […] Secret and TS/SCI clearance holders to minimize risk of access to sensitive information and reduce cost.”
Reducing security clearances would also go hand in hand with, and help to reinforce, a long-term reduction in national security classification. (Although not widely recognized, original classification activity — the creation of new secrets — across the government has dropped each year for the past four years to a historically low level, according to the Information Security Oversight Office.)
The current insider threat program was initiated in 2012 — after the major WikiLeaks releases but before the Snowden disclosures. Its purpose was “to counter the threat of those insiders who may use their authorized access to compromise classified information.” See National Insider Threat Policy, The White House, November 21, 2012.
Implementation of the program has been slow, however.
A December 2014 milestone to provide “continuous evaluation” of the most sensitive Top Secret-cleared population was missed, the latest quarterly report notes. (Continuous evaluation refers to the automated screening of relevant information streams from multiple sources and databases including law enforcement, counterintelligence, credit reporting, and perhaps others.) Continuous evaluation of all TS and TS/SCI cleared personnel is said to be on track for December 2016.
Last year, the Department of Defense demonstrated continuous evaluation on approximately 100,000 cleared personnel. DoD will expand this capability to 225,000 persons this year, to 500,000 next year, and to 1 million in 2017, the quarterly report said.
Last week, the U.S. Navy issued updated guidance on implementation of its own Insider Threat Program.
Among other things, the guidance calls for a “reduction of Navy privileged users” who have unusually broad access to IT systems and data “and, therefore, could pose a higher risk of insider threat.” See Navy Insider Threat Program, OPNAVINST 5510.165A, October 1, 2015.
Insider Threat Program Advances, Slowly
The Department of Defense recently demonstrated the “Continuous Evaluation” of approximately 100,000 cleared military, civilian and contractor personnel, in order to validate their eligibility for access to classified information on an ongoing basis.
Continuous Evaluation (CE) refers to the automated monitoring of government and commercial databases for signs of criminal behavior, irregular financial activity, or other “triggers” that could lead to suspension of a security clearance. CE is a central feature of the emerging Insider Threat program that is intended to deter and detect espionage, terrorism, unauthorized disclosures of classified information, and other offenses by security-cleared personnel.
According to a new quarterly report on the Insider Threat program, the Department of Defense is on track to expand its Continuous Evaluation capability to 225,000 persons by the end of 2015, to 500,000 persons by the end of 2016, and to 1 million persons during 2017. (There are approximately 4.5 million cleared personnel in government and industry.) See Insider Threat and Security Clearance Reform, Quarterly Report, FY 2015, Quarter 2, June 2015.
But progress has been uneven. The Office of the Director of National Intelligence missed a December 2014 milestone for Continuous Evaluation of the most sensitive Top Secret and TS/SCI (Top Secret/Sensitive Compartmented Information) clearance holders in government and industry. The revised goal is “to have CE completed on a portion of the TS and TS/SCI population in the Executive Branch by the end of FY 16,” the new quarterly report said.
The Insider Threat problem is a difficult one, particularly since the fraction of employees who are spies, terrorists, or leakers is minuscule. Nor does this tiny contingent have a simple, readily identifiable profile. (Convicted spy Aldrich Ames and fugitive unauthorized-discloser Edward Snowden, for example, seem to have few traits in common, although both apparently passed their polygraph examinations without difficulty.)
Therefore, even though Continuous Evaluation is years away from full implementation, security policy officials are already looking beyond it for other options.
Last week, the Intelligence Advanced Research Projects Agency (IARPA) invited researchers to submit proposals for its Scientific advances to Continuous Insider Threat Detection (SCITE) Program.
The SCITE Program seeks “a new class of insider threat indicators, called active indicators, where indicative responses are evoked from potential insider threats,” according to the June 18 Broad Agency Announcement issued by the IARPA “Office for Anticipating Surprise.”
“Current practice and research is heavily focused on passive indicators that monitor existing data sources for indicative behaviors,” IARPA said.
By contrast, “Active indicators introduce stimuli into a user’s environment that are designed to evoke responses that are far more characteristic of malicious users than normal users. For example, a stimulus that suggests that certain file-searching behaviors may be noticed is likely to be ignored by a normal user engaged in work-related searches, but may cause a malicious user engaged in espionage to cease certain activities.”
“Insider Threat” Program Lags Behind Schedule
The government-wide effort to contain the threat to classified information and sensitive facilities from trusted insiders is falling behind schedule.
Currently, the anticipated achievement of an Initial Operating Capability for insider threat detection by January 2017 is “at risk,” according to a new quarterly progress report. Meanwhile, the date for achieving a Full Operating Capability cannot even be projected. See “Insider Threat and Security Clearance Reform, FY2014, Quarter 4.”
One aspect of the insider threat program is “continuous evaluation” (CE), which refers to the ongoing review of background information concerning cleared persons in order to ensure that they remain eligible for access to classified information and to provide prompt notice of any anomalous behavior.
The Office of the Director of National Intelligence was supposed to achieve “an initial CE capability for the most sensitive TS [Top Secret] and TS/SCI population” by December 2014. The latest quarterly report on the Insider Threat program noted that this milestone is “at risk.” In fact, it was missed.
“We did not meet” the December 2014 milestone for an initial CE capability, confirmed ODNI spokesman Eugene Barlow, though he said that “we’ve made considerable progress” in the Insider Threat program overall.
Nor has a revised milestone date for the initial CE capability been set, he added. But “we continue to aggressively push forward” and the desired function will be rolled out over the next few years, he said.
The Department of Defense is “on track” to provide continuous evaluation of 225,000 agency personnel by the end of 2015, and to expand that number to 1 million employees by 2017, according to the quarterly report. Actual achievements in individual agencies are classified.
As a general matter, the Insider Threat program faces both technological and “cultural” obstacles.
The information technology structures that are in place at most executive branch agencies are not optimized to support continuous evaluation or related security policies. Adapting them to address the insider threat issue is challenging and resource-intensive. Nor are agency policies and practices consistent across the government or equally hospitable to security concerns.
But it’s worth noting that the uneven performance described in the quarterly report reflects a degree of public candor that is unusual in security policy. Instead of presenting assurances that everything is fine in the Insider Threat program, the report acknowledges that some things are not fine and will not be fine for an unspecified time. That is refreshing and even, in its straightforward approach to the issue, somewhat encouraging.
Defense Intelligence Mission Expands
On October 24, the Pentagon issued an updated version of DoD Directive 5143.01 defining the role of the Under Secretary of Defense (Intelligence), the Department’s principal intelligence advisor and manager of military intelligence programs.
The new directive is about 30% longer than the 2005 version that it replaces.
The differences between the two directives reflect changes in the global environment as well as in the intelligence mission, and in the role of the USD(I) in particular.
Cybersecurity. Insider threats. Unauthorized disclosures of classified information. Biometrics. None of these terms and none of these issues were even mentioned in the 2005 edition of the DoD intelligence directive.
But all of them and more are now part of the expanded portfolio of authorities and responsibilities of the Under Secretary of Defense for Intelligence, who also serves as Director of Defense Intelligence and principal advisor to the DNI on defense intelligence matters.
Meanwhile, intelligence spending has been on a downward slope for the past few years, and the FY2015 request for the Military Intelligence Program was about $1.3 billion below the request for the previous year, which was $18.6 billion. (The FY2014 intelligence appropriations for national and military intelligence programs are due to be disclosed this week.)
“Intelligence is a major source of U.S. advantage. It informs wise policy and enables precision operations. It is our front line of defense. The challenges we face, however, are increasing and becoming more complex, and our resources are declining,” said Michael G. Vickers, the current USD(I), at an April 4 hearing of the House Armed Services Committee.
“We have five defense intelligence operational priorities: countering terrorism, particularly countering the threat posed by al-Qaida; countering the proliferation of weapons of mass destruction and associated delivery systems; countering the actions of repressive governments against their people, such as in Syria; countering state-on-state aggression; and countering cyberthreats,” he said then.
“To address the intelligence gaps that exist within these operational priority areas, we are focused on enhancing defense intelligence capabilities in five areas: enhancing global coverage; improving our ability to operate in anti-access/area denial, or A2AD, environments; sustaining counterterrorism and counterproliferation capabilities; continuing to develop our cyberoperations capabilities; and strengthening our counterintelligence capabilities and reforming our security clearance processes to minimize insider threats,” Mr. Vickers testified.
The position of Under Secretary of Defense (Intelligence) was established by the defense authorization act for FY 2003 to improve management and coordination of defense intelligence programs. The office has previously been occupied by Stephen Cambone and James R. Clapper, Jr., the current DNI.
The new DoD directive authorizes the Under Secretary to “communicate with… members of the public… and non-governmental organizations.” However, “communications with representatives of the news media” are to be conducted through the Office of Public Affairs, the directive said.
Insider Threat Program May Not Be Ready by 2017
Security policies in the executive branch are being overhauled in response to a potential “insider threat.” But while some progress is being made, the intended functionality will not be available for several more years.
The insider threat includes “the threat of those insiders who may use their authorized access to compromise classified information.” Three years ago, due in part to the unauthorized disclosures by then-Pfc. Bradley Manning to WikiLeaks, President Obama issued Executive Order 13587 directing agencies to “implement an insider threat detection and prevention program.”
Last week, the Department of Defense finally issued an internal directive establishing department policy on the subject. The policy aims to establish “an integrated capability to monitor and audit information for insider threat detection and mitigation,” including “the monitoring of user activity on DoD information networks.” See “The DoD Insider Threat Program,” DoD Directive 5205.16, September 30, 2014.
But that is easier said than done. The timetable for achieving a government-wide insider threat program does not envision an Initial Operating Capability until January 2017, and even the achievement of that operational milestone is considered to be “at risk,” according to the latest quarterly report on Insider Threat and Security Clearance Reform (at p. 15).
Prior to 2010, Army regulations “never adequately addressed the ‘insider threat’,” said a 2011 Army investigative report on the Compromise of Classified Information to Wikileaks that was released by the Army in redacted form last month.
“Disenchanted idealists are… a fertile source of information” for adversaries, according to Army Regulation 530-1 on Operations Security, updated 26 September 2014.
Insider Threat Program Advances, Slowly
Nearly two years after President Obama issued a National Insider Threat Policy “to strengthen the protection and safeguarding of classified information” against espionage or unauthorized disclosure, the effort is still at an early stage of development.
Only last week, the U.S. Air Force finally issued a directive to implement the 2012 Obama policy (AF Instruction 16-1402, Insider Threat Program Management). And even now it speaks prospectively of what the program “will” do rather than what it has done or is doing.
The new Air Force Instruction follows similar guidance issued last year by the Army and the Navy.
The Air Force Insider Threat Program includes several intended focus areas, including continuous evaluation of personnel, auditing of government computer networks, and procedures for reporting anomalous behavior.
“Procedures must be in place that support continuous evaluation of personnel to assess their reliability and trustworthiness,” the AF Instruction says.
Such continuous evaluation procedures may eventually sweep broadly over many domains of public and private information, but they are not yet in place.
“There are a number of ongoing pilot studies to assess the feasibility of select automated records checks and the utility of publicly available electronic information, to include social media sites, in the personnel security process,” said Brian Prioletti of the Office of the Director of National Intelligence in testimony before the House Homeland Security Committee last November.
The Air Force directive also encourages reporting of unusual behavior by potential insider threats.
“Insider threat actors typically exhibit concerning behavior,” the directive says. But this is not self-evidently true in all cases, and the directive does not provide examples of “concerning behavior.”
A Department of Defense training module recently identified expressions of “unhappiness with U.S. foreign policy” as a potential threat indicator, the Huffington Post reported last week. (“Pentagon Training Still Says Dissent Is A Threat ‘Indicator’” by Matt Sledge, August 4.) If so, that criterion would not narrow the field very much.
The “CORRECT Act” (HR5240) that was introduced last month by Rep. Bennie Thompson and Sen. Ron Wyden would require any insider threat program to meet certain standards of fairness and employee protection, and “to preserve the rights and confidentiality of whistleblowers.”
That message may have been partially internalized already. The terms “civil liberties” and “whistleblowers” are each mentioned four times in the eight-page Air Force Instruction.