By John Irvin, NOIR Team
When the Roman poet Juvenal wrote the line “Who will guard the guards themselves?” he was referring to marital fidelity. In common parlance it refers to the issue of ensuring the accountability of those already in power. However, the phrase also applies to problems facing the US government’s Insider Threat and Security Reform program (i.e., the “Insider Threat” program). The program’s FY2014, Quarter 4 report suggests that the goal of achieving Initial Operating Capability by January 2017 is “at risk.” While a necessary and well-intentioned effort, it should come as no surprise that it faces such difficulties.
In brief, the Insider Threat program is based on recommendations from an Office of Management and Budget (OMB) investigation of “federal employee suitability and contractor fitness determinations as well as security clearance procedures.” The investigation was ordered by the Obama administration in the wake of the September 16, 2013, mass shooting at the Washington Navy Yard in Washington, DC. In that incident, former US Navy serviceman and civilian IT contractor Aaron Alexis shot and killed twelve people before being killed himself in a gun battle with police. It was later revealed that Alexis had a history of mental health issues but was nevertheless able to obtain and hold the security clearances that allowed him access to the facility.
The goal of the Insider Threat program is to “mitigate the inherent risks and vulnerabilities posed by personnel with trusted access to government information, facilities, systems and other personnel.” Those “inherent risks” certainly include the risk of workplace violence so tragically demonstrated in the case of Alexis. Even a cursory review of the project’s goals, however, reveals a concern for the more common but potentially more damaging risk of insider espionage; that those granted access to classified information or facilities will use that access to engage in the unauthorized disclosure of national security information.
This is the perennial problem of the so-called “insider spy.” According to U.S. Code Title 18 (Crimes and Criminal Procedure), Part I (Crimes), Chapter 37 (Espionage and Censorship), § 798 (Disclosure of classified information), espionage (more commonly referred to simply as “spying”) is defined as knowingly and willfully communicating, furnishing, transmitting or otherwise making any classified information available to an unauthorized person, or publishing, or using it in any manner prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States.
The clear focus of the Insider Threat program on espionage attests to the reality of the damage an insider spy can potentially do to national security, whether the individual engaged in the disclosure of information to an unauthorized person gives it to a journalist or a hostile foreign intelligence service and regardless of his or her motivation in doing so.
A killer like Aaron Alexis may kill dozens of innocent people. An insider spy like former US Navy Chief Warrant Officer John Anthony Walker may provide an enemy with information that leads to an inestimable number of deaths.
Former Director of Naval Intelligence Admiral William Studeman suggested that Walker may have provided the Soviets with “potential war-winning” information in the event the Cold War had turned hot. In other words, killers like Alexis are a threat to US citizens, while spies like Walker may go so far as to pose an existential threat to the country itself.
Although the Alexis case provided the initial impetus for refocusing on insider spying with a commitment not seen since the end of the Cold War, the unauthorized disclosure of a massive amount of classified material by NSA contractor Edward Snowden gave the effort a greater sense of immediacy. As would be expected, those private companies that specialize in providing services to the American national security sector have risen to the challenge in the form of impressive cybersecurity systems among other technological innovations.
It would appear, however, that the stumbling block for the Insider Threat program is the requirement for Continuous Evaluation (CE). CE recognizes the practical reality that once an individual is “cleared” for access to classified information, simply having made the cut is no guarantee that he or she will continue to remain reliable. In fact, research reveals that spies usually do not consider committing espionage until after they are in a position of trust.
To ensure continued trustworthiness, CE programs have been proposed to collect and analyze data sets, such as public records regarding divorce, criminal activity, bank records, or other sources of information, in order to detect behaviors that would suggest either actual espionage or susceptibility toward espionage. Data may also be collected by software that records when a classified file or even a particular email message has been moved by an employee from one location to another or downloaded. A system may actually record and analyze all of an employee’s online activities in search of alerting behaviors.
According to Steven Aftergood’s article “‘Insider Threat’ Program Lags Behind Schedule,” the main problem in implementing CE effectively and on time may stem from the fact that the “information technology structures that are in place at most executive branch agencies are not optimized to support continuous evaluation or related security policies. Adapting them to address the insider threat issue is challenging and resource-intensive. Nor are agency policies and practices consistent across the government or equally hospitable to security concerns.” In other words, it’s a software issue.
This may well be the case; however, it also reflects the popular view among federal agencies and the private contractors who support them that the solution to the perennial problem of insider espionage is one of finding the right technology to prevent it. In this view, the right system supported by the right software will identify anomalous behaviors and, thereby, identify those insiders engaged in or inclined toward espionage.
Moreover, it reveals a broader US cultural bias toward technical solutions to what are essentially human behavioral problems. It also reflects a bureaucratic preference for solutions that can be applied uniformly across a wide spectrum of individuals and offices. In this view, insider espionage can be prevented in virtually any setting as long as the walls are high enough, the doors are thick enough, and all potential opportunities for an individual to engage in espionage are plugged.
This is, of course, an impossible goal and one that NOIR staff addressed in an article published in Politico Magazine almost a year ago. It would appear nothing much has changed since then. As stated in the article, the problem is not simply one of opportunity, but of human motivation, which is profoundly subjective, unique to each individual, and not necessarily reflected in observable, measurable data sets or anomalous online behavior. In other words, spies spy because they want to, not simply because they can.
Obviously, systems that screen individuals before they are granted access to classified information and that provide physical security (and, more recently, cybersecurity) for classified information are necessary. Anyone who has lived in a big city apartment knows that you keep the door locked and take a good look at any visiting strangers before letting them in. The prudent dweller also knows enough to keep her most private possessions locked away, even from those she nominally trusts and grants access. Still, the most experienced urban apartment dweller knows that even this isn’t enough to guarantee the safety of his most prized possessions.
The fault isn’t in seeking ever better means of physical- and cyber-security. It is in the false belief that such systems can ever approach complete (or perhaps even adequate) effectiveness. Human history is an on-going story of ever-improving technologies designed to make one person or group safe from the threat of some other person or group, only to discover that our own human ingenuity (or guile) inevitably provides us with a means of circumventing or neutralizing the new technology.
Technology has changed constantly throughout history. The one thing that has remained relatively constant is the human mind. Our circumstances change given time and location, but the basic way humans think has remained the same. What motivates an individual today is basically the same as it was a decade, a century, or a millennium ago, only in a contemporary context. This is why you can read the Bible, Bhagavad Gita, or Beowulf on your Kindle while on an international flight to attend an IT conference halfway across the globe and still relate to characters and people who lived and died very long ago under very different circumstances.
Technological efforts at Continuous Evaluation will inevitably run into a stumbling block when confronted with the one thing systems and software, regardless of their sophistication, are incapable of: emotion. While we may use technical means of accomplishing it, espionage is a decidedly human activity, and all human activity originates in the minds of individuals who are neither machines nor algorithms. The current focus of CE appears to be an effort to use objective, logical means to thwart a subjective, emotion-driven problem.
Research in psychology suggests that we are not the “rational animal” that Aristotle and his adherents believed us to be. Rather, we base our decisions on our emotional reaction to events that have already been filtered through a unique world view shaped by a lifetime of experiences we may only vaguely remember (if we remember them at all).
When human behavior is considered at all in CE systems, it is all too frequently from the view of classical behaviorism. As expressed in the works of Watson and Skinner, this view concerns itself almost exclusively with observable, measurable behaviors while largely ignoring internal, subjective events such as thought and motivation.
Generals are often criticized for “fighting the last war.” That criticism could also apply to the Insider Threat program, which seems to focus on the sort of cybersecurity and screening issues that allowed NSA contractor Edward Snowden to obtain and abscond with a vast amount of classified information. The technical issues and systemic failures highlighted in the Snowden case can be fixed. Making those fixes might make it harder for any future “Snowdens” to gain access in the same manner and walk away with the same volume of material, but it is hardly likely to eliminate the insider threat.
Former NSA analyst and insider spy Ronald Pelton probably never left his office with a single classified document. Instead, he appears to have used his photographic memory to simply remember what he had read and to write it down later in a more private setting. The material he gave to the Soviets related to a project to which he had authorized access. Had he been working in today’s office environment, there simply would have been no anomalous online behavior to track.
Insider espionage is not simply a matter of capability, but of intent. Those disinclined toward espionage will not engage in it regardless of capability, while those intent on espionage will take advantage of capability, or create it where it doesn’t already exist. No one is in a better position to circumvent security systems than those already familiar with and subject to them. This is especially true of those charged with creating and maintaining them. Quis Custodiet Ipsos Custodes?
Technological fixes are necessary but insufficient. What appears to be lacking in the Insider Threat project is the sort of serious focus on the psychology of espionage last demonstrated in the 1980s with the creation of the Personnel Security Research Center (PERSEREC) in Monterey, California, and the Community Research Center in Newington, Virginia, whose research efforts would fall under the name “Project Slammer.”
Solutions to the issue of the Insider Threat should be sought not only in the realm of tangible, material, logical systems and software, but also in the less tangible, incorporeal, and frustratingly subjective world of psychology. These psychological approaches would form a kind of “second line of defense” that would seek to thwart those insider spies able to breach the “first line of defense” provided by personnel screening, physical- and cyber-security measures, and CE. Psychological approaches such as that offered by Dr. Charney in his True Psychology of the Insider Spy and manifested in practical efforts such as the creation of a National Office for Intelligence Reconciliation (NOIR) provide an example. Both approaches are necessary. Alone, neither is sufficient. Together they may be able to realize the vital goals of the Insider Threat project.
Mr. Irvin is exactly right. Our response to Edward Snowden’s measures against the NSA classified databases was to remove the human element from that level of access – more reliance on technology versus direct management by system administrators. But as the recent Anthem hack, where the records of 80,000,000 Americans were stolen, proves, a shift to purely technological countermeasures is inadequate and even dangerous.
Technological countermeasures also do not allow the mechanisms of NOIR to be put into effect – giving the insider spy that one final choice to reveal themselves to the NOIR Program so that the Intelligence Community can assess the damage directly.
Centralized databases are a direct threat to US national security. Edward Snowden was able to circumvent traditional countermeasures because system administrators and managers of these databases and access points are smarter than most of us when it comes to this form of technology. When insider spies emerge in fields where management of information involves centralized databases, tremendous damage can be done to US national security.
Countermeasures from that job discipline will be readily detected by people like Snowden because technology does not interpret the human factor – the interaction between humans and machines, and the rare group that uses them. We will also see a lot of loyal, hard-working Americans lose positions in the system IT profession due to the disloyalty of one American, where those positions will be replaced with automation in the false belief that information will be more secure if individuals do not have access to it.
From the counterintelligence perspective, nothing can replace the human mind as a CI function. There must be a balance between the continued use of centralized databases and human interaction with that technology. That means the NOIR program is more important than ever to address potential security concerns that exist in technology fields, due to the truth that hostile penetrations of those fields are growing at an exponential rate against our country.