Almost two years after Edward Snowden climbed the world stage, the intelligence community is just now putting the finishing touches on a computer-driven system for catching insider threats, one that promises not just to detect future Snowdens and Mannings in the act, but also to predict who the next leakers will be.
The new method, meant to identify leakers of classified information but also homegrown terrorists, drug financiers, school ground shooters, and even sexual predators, builds the security equivalent of a "credit score." It would secretly attach to every individual, while automatically generating and changing scores as behaviors and associations trigger indicators of anomalous activity.
The initial "security scores" would be applied to insider threats (or "InThs" as they are now being called internally)—that is, people "affiliated" with the federal government. But the definition of who qualifies as being an insider is already so broad, and the methods of activity monitoring so widespread and promising, that it's only a matter of time before some kind of security score system is applied universally.
Any piece of data ingested by NSA systems over the last two years has been meta-tagged with bits of information, including where it came from and who is authorized to see…
Tagging both the data and the individual user, NSA thinks, will expose what data any individual accesses and what they do with it. It sounds definitive and big brotherish, except that there are hundreds of thousands of workers, and part of the analytic process requires them to legitimately access huge amounts of data to do their jobs. Automated, real-time deterrents, intelligence sources say, are hoped to deter all but the most fervent and sneaky insider. But to catch the next Snowdens?
That's where the credit score-like tool enters the picture. Every user, based upon clearances, time in service, personnel evaluations, derogatory information, anomalous transactions, credit score, etc., etc., will be churned in the temple of big data to detect the InThs who pose the most risk to an organization.
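To make the tagging-plus-scoring idea concrete from a defender's side, here is an added illustration that is not code from the article or from any agency system. Every record carries a provenance and authorization tag, every access event is checked against that tag and against the user's own baseline, and the indicators are rolled into a per-user score. The users, records, events, weights and thresholds are all constructed for this example and are assumptions, not anything the article reports.

```python
"""Illustrative data tagging and access-risk scoring (constructed example).

Records carry a tag saying where they came from and who may see them; the
audit log is then scored per user. Weights and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Ordering of classification levels (assumed for the example).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


@dataclass(frozen=True)
class DataTag:
    record_id: str
    source: str            # provenance of the record
    classification: str    # level required to read it
    compartments: frozenset  # extra compartments required (empty = none)


@dataclass
class UserProfile:
    user_id: str
    clearance: str
    compartments: frozenset
    baseline_daily_reads: int  # typical daily volume for this role


def is_authorized(user: UserProfile, tag: DataTag) -> bool:
    """A user may see a record if their level is high enough and they hold
    every compartment the tag demands."""
    if LEVELS[user.clearance] < LEVELS[tag.classification]:
        return False
    return tag.compartments <= user.compartments


def score_access_log(users, tags, events):
    """events: list of (user_id, record_id, hour_of_day, action).
    Each audit event is scored against the record's tag and the user's
    baseline. Returns {user_id: (score, [indicator strings])}."""
    counts = defaultdict(lambda: defaultdict(int))
    for uid, rid, hour, action in events:
        c = counts[uid]
        c["events"] += 1
        # A request outside the tag's authorization is an indicator whether
        # or not the access control layer actually granted it.
        if not is_authorized(users[uid], tags[rid]):
            c["unauthorized"] += 1
        if action == "export":
            c["exports"] += 1
        if hour < 6 or hour >= 20:          # assumed off-hours window
            c["off_hours"] += 1

    results = {}
    for uid, user in users.items():
        c, score, why = counts[uid], 0, []
        if c["unauthorized"]:
            score += 50 * c["unauthorized"]
            why.append(f"{c['unauthorized']} request(s) outside tag authorization")
        if c["events"] > 3 * user.baseline_daily_reads:
            score += 30
            why.append(f"{c['events']} events vs baseline {user.baseline_daily_reads}")
        if c["exports"] >= 3:
            score += 20
            why.append(f"{c['exports']} bulk exports")
        if c["events"] and c["off_hours"] > c["events"] / 2:
            score += 10
            why.append("majority of activity off-hours")
        results[uid] = (score, why)
    return results


def build_sample():
    """Constructed users, tagged records and audit events for the demo."""
    tags = {t.record_id: t for t in [
        DataTag("r1", "source-A", "SECRET", frozenset()),
        DataTag("r2", "source-B", "TOP SECRET", frozenset({"SI"})),
        DataTag("r3", "source-A", "SECRET", frozenset()),
    ]}
    users = {u.user_id: u for u in [
        UserProfile("alice", "SECRET", frozenset(), 40),
        UserProfile("bob", "TOP SECRET", frozenset({"SI"}), 10),
        UserProfile("carol", "TOP SECRET", frozenset({"SI"}), 40),
    ]}
    events = [("alice", "r1", 9, "read"), ("alice", "r3", 10, "read"),
              ("alice", "r1", 11, "read"), ("alice", "r2", 14, "read"),
              ("carol", "r1", 9, "read"), ("carol", "r2", 10, "read"),
              ("carol", "r3", 11, "read")]
    events += [("bob", "r2", 2, "read")] * 35 + [("bob", "r2", 3, "export")] * 4
    return users, tags, events


def run_example():
    users, tags, events = build_sample()
    return score_access_log(users, tags, events)


if __name__ == "__main__":
    for uid, (score, why) in run_example().items():
        print(uid, score, "; ".join(why))
```

Alice's single request for a record above her clearance scores 50 even though nothing was exfiltrated; Bob's authorized but high-volume, off-hours exporting scores 60 on three separate indicators; Carol's ordinary day scores 0. The point of the design is that tag mismatches and baseline deviations are scored independently, so an insider who stays inside their authorization (as Snowden did) still generates signal.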
A credit score, according to the federal government, is defined as: "The result of a calculation based on a consumer's credit history that is intended to predict future credit performance for that consumer. It is a numerical estimation of the likelihood that the consumer will meet his or her debt obligation(s)."
Though most people come into contact with their credit scores when applying for a home loan or attempting to secure even more credit, the industry behind scoring and detection of fraudulent activity is constantly active. And given the proliferation of the use of government purchase cards (GPCs)—credit cards—by federal and local agencies, the feds have become some of the biggest players.
Add to that the post 9/11 mania to intercept and dry up terrorist financing as an element of U.S. strategy and you have a robust, far-flung apparatus looking everywhere.
The score, of course, is merely a static and final indicator, and the algorithm is so flawed that there's another industry for people to challenge their scores. Fraud detection is big business because fraud is so prevalent and the means of financial fraud so varied.
Same goes for security threat detection. As an example, according to an internal intelligence community report on insider threats obtained by Gawker, the initial movement to Third-Party Payment Merchants (e.g., PayPal) in the mid-2000s triggered a whole set of automated alerts to supposed high-risk transactions, because one or both parties were hidden from both audit and data mining screening. The entire world of transactional security needed to change its algorithms to dig deeper into transactions.
Then came Wikileaks. Chelsea Manning was convicted for crimes associated with downloading thousands of documents from the Defense Department's Secret-level internal network (SIPRNet), an activity that was only detected once the material was published. The response of the security types was to plumb the log-ons and logs in closer to real time to flag similar behavior in the future.
The wheels of government being square, nothing happened that prevented Edward Snowden from accessing and downloading over a million documents from the Top Secret internal NSA network (NSANet). There's no evidence that anyone in the multi-billion dollar security industry was fired for failing to detect and thwart Snowden's act, but the damage assessments done identified not just the means for how to do so in the future but also what additional measures (and authorities) would be needed to prevent future Snowdens.
Enter the Senior Information Sharing and Safeguarding Steering Committee (SISSSC) of the National Security Council, and the IC Deputies Executive Committee (DEXCOM) dealing with the InTh, the National Insider Threat Task Force (NITTF), under the joint chairmanship of the Attorney General and the Director of National Intelligence; and the implementing agencies: The National Counterintelligence Executive (NCIX) working for the DNI and the FBI for the AG, both co-directing the daily activities of the NITTF. And a new National Counterintelligence and Security Center (NCSC) was created consolidating the security components of the office of the DNI and the NCIX, reorganization being the impulse of government to any problem.
The mandates also flowed:
- Executive Order 13587, "Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information," October 7, 2011 (and the White House/NSC 45-day plan)
- Presidential Memorandum, "National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs," November 21, 2012
- DOD Instruction 5240.26, "Countering Espionage, International Terrorism, and the Counterintelligence (CI) Insider Threat," May 4, 2012
- NITTF Guide to Accompany the National Insider Threat Policy and Minimum Standards, November 2013
- DOD Directive 5205.16, "The DoD Insider Threat Program," September 30, 2014.
- USCYBERCOM Task Force Operations Order 14-0185, Insider Threat, July 14, 2014.
All of this spawned more. The Intelligence Community (IC) formed an Insider Threat Executive Advisory Group (ITAG) to identify and coordinate solutions and policies. The Pentagon established the DOD Insider Threat Working Group under the auspices of the Under Secretary of Defense for Intelligence in August 2013. Information security breaches were one thing, but when Army Major Nidal Hasan opened fire at Ft. Hood, Texas, killing four and injuring sixteen, the InTh and the measures needed to counter it split onto different tracks. The Defense Department Insider Threat Working Group (InTWG) was given three areas to focus on: workplace violence, terrorism, and general security threats (including espionage and threats to information systems).
In response to the post-Wikileaks and post-Snowden directives, virtually every agency of the federal government scrambled to establish its own InTh program.
From the Department of Agriculture to the National Reconnaissance Office, insider threat detection systems and software programs were unleashed like a pack of hunting dogs: monitoring internal network activity for behaviors and events that were anomalous in nature; detecting, identifying, and investigating suspected threats; developing new capabilities to monitor, detect, crunch, catch, crush, etc.
The scope of insider threats ballooned, and the Pentagon set the definition to include: counterintelligence (CI), cybersecurity, physical security, civilian and military personnel management, workplace violence, emergency management, law enforcement (LE), and antiterrorism (AT) risk management. Meanwhile, the Defense Security Service broadened the definition of an insider as:
Any person with authorized access (by virtue of statutory, regulatory, or contractual authority or any other person who has been granted access) to any U.S. government resources to include personnel, facilities, information, equipment, networks, systems and operations. An insider could also include family members, friends, or associates who have access to resources by virtue of their relationship to an employee or contractor of the agency.
And the 2014 directive adds: "Individuals who volunteer and donate their services" to the military. In other words, if you are related to or associated with someone in the military or intelligence community (or any contractor for them), or if you visit a federal government facility or website, you are an insider. That's an overly broad definition that could encompass millions upon millions of people who have access to nothing of value but are at the same time subject to special monitoring for the purposes of InTh.
The security industry is already churning on a new process to replace the standard Security Clearance Background investigation, not a surprise given how ineffectual the records check and talking-to-neighbors process has been over the years in catching the really big fish.
A combination of smart card credentialing, tagged activity and location within the network—both for people and documents and data—plus real time intelligence reporting of communications, the security goons think, will finally close all the side and back doors. It sort of makes me think of a nightclub that has bolted all of the exits: Super security; everybody inside dies.
You can contact me at firstname.lastname@example.org, and follow us at @gawkerphasezero. If you are into the theater of being underground, you can anonymously deliver tips through the Gawker Media SecureDrop. I've got a book on drones coming out in July called Unmanned: Drones, Data and the Illusion of Perfect Warfare. I'm open to your input and your questions, tough questions.
[Gattaca screenshot courtesy of Columbia Pictures; Snowden photo courtesy of AP Images]