After years of focusing on outside threats, the federal government and its contractors are turning inward, aiming a range of new technologies and counterintelligence strategies at their own employees to root out spies, terrorists or leakers.
Agencies are now monitoring their computer networks with unprecedented scrutiny, in some cases down to the keystroke, and tracking employee behavior for signs of deviation from routine. At the Pentagon, new rules are being written requiring contractors to institute programs against “insider threats,” a remarkable cultural change in which even workers with the highest security clearances face increased surveillance.
The “if you see something, say something” mind-set of the post-9/11 world has fully arrived in the workplace, with new urgency following high-profile leaks such as the revelations of former National Security Agency contractor Edward Snowden.
“People’s sensitivity to this has changed substantially,” said Lynn Dugle, president of a Raytheon business unit that markets an insider threat detection system called SureView. “I can tell you five years ago, when we were talking to agencies or companies about insider threat, we would normally be talking to (chief information officers) who were under budget stress. . . . And that was a very tough sell. Now we see boards of directors and CEOs really understanding what the threat can mean to them, and the risk it poses to them.”
In response to the breach by former Army intelligence analyst Pfc. Bradley Manning, President Obama in 2011 issued an executive order that established a National Insider Threat Task Force and required all federal agencies that handle classified material to institute programs designed to seek out saboteurs and spies.
While corporate security has long been part of Beltway culture, the heightened focus and the emergence of new monitoring technology touched off a burgeoning industry. In addition to Raytheon, Lockheed Martin has developed an insider-threat detection service, as have several start-ups in the Washington area.
Even Booz Allen Hamilton, which faced national embarrassment when Snowden, one of its employees, walked off with some of the country’s most guarded secrets, counsels its clients on how to detect rogue employees. A recent job posting said the company was looking for an “insider threat analyst,” which required a security clearance and more than five years of experience in counterintelligence. The posting spread on the Web and sparked ridicule over the notion that the company that employed Snowden was now looking to help turn the historic breach into a profitable lesson learned.
Raytheon’s SureView program allows agencies to create all sorts of internal alerts indicating when something may be amiss. A company could, for example, program the software to detect whenever a file containing the words “top secret” or “proprietary” is downloaded, e-mailed or moved from one location on the system to another.
Once that wire is tripped, an alert almost immediately pops up on a security analyst’s monitor, along with a digital recording of the employee’s screen. All the employee’s actions — the cursor scrolling over to open the secure file, the file being copied and renamed — can be watched and replayed, even in slow motion. It’s the cyber equivalent of the security camera that records robbers sticking up a convenience store.
Lockheed Martin provides a service called Wisdom, which acts as “your eyes and ears on the Web,” according to a company official. At its broadest use, the service can monitor mountains of data on the Web — Facebook, Twitter, news sites or blogs — to help predict everything from a foreign coup or riot to political elections. But it can also be turned inward, at employees’ online habits, to predict who within the organization might go rogue.
Counterintelligence officials use Wisdom to “evaluate employee behavior patterns, flagging individuals who exhibit high risk characteristics,” the company says in a brochure.
“I like to think of it as a digital intuition that is being developed,” said Jason O’Connor, Lockheed’s vice president for analysis and mission solutions.
The market is much broader than the defense and intelligence industries. It extends to hospitals, which need to protect patients’ information; retailers, which hold customers’ credit card numbers; and financial institutions.
Some worry that the programs are an overreaction to a relatively rare threat that will do more to hinder the free flow of information than to deter crime, while creating repressive working environments.
Despite the soon-to-come federal mandate, many defense contractors have “already implemented fairly imposing controls to minimize the unauthorized use of data,” said Loren Thompson, a defense industry consultant who has worked with Lockheed Martin and other contractors. But he warned that this “clearly is a trade-off in which values like efficiency and collaboration will be sacrificed in order to reduce the likelihood of internal wrongdoers from succeeding.”
After Sept. 11, many agencies were criticized for not sharing sensitive information that could have prevented the attacks, so steps were taken to consolidate data within the government. Thompson fears the current climate of worry about Snowden-like leaks could lead to a return to the old habits, with key information once again compartmentalized.
“Insider threats are a real problem, but mandating a particular standard for all contractors will cost huge amounts of money and quite possibly result in the wrong steps being taken,” he said.
In addition to the cases that have made headlines worldwide, there are an untold number of incidents in the broader corporate world where insiders wreak havoc — from the systems administrator at what was then UBS Paine Webber who planted a “logic bomb” on the company’s network, to the Chinese national who was convicted of stealing trade secrets from Ford Motor Co.
In 2008, a network administrator for the city of San Francisco held much of the network hostage for nearly two weeks because he was the only one with the password. The city didn’t get it back until then-Mayor Gavin Newsom visited the administrator in jail and essentially begged him for it.
According to a brochure put out by the FBI with tips for companies “on how to detect an insider threat,” there are “increased incidents of employees taking proprietary information when they believe they will be, or are, searching for a new job.”
As a result, companies and government agencies are training employees to notice, and report, odd behavior — if the person in the next cubicle is working odd hours, taking short trips to foreign countries or suddenly coming into wealth.
A recent training video for the Department of Homeland Security features “Doug,” a suspicious employee who skulks around in restricted areas, brags about his new car and blogs under a pseudonym about the shortfalls of the company.
“You have the power to protect your workplace,” the narrator says. “If you see something suspicious from one of your co-workers, say something to your supervisor, human resources department or your security officer.”
There have also been advances in what’s called “sentiment analysis,” which allows organizations to scan employees’ e-mail for changes in behavior and tone.
Stan Soloway, head of the Professional Services Council, an industry group that represents hundreds of federal contractors, said looking at employees as potential threats “is a real mind shift. But it’s the reality of the business world today.”
“There’s a growing awareness that this is a very significant challenge for institutions of all kinds, and what we’re seeing now is the implementation. It’s going to take some time to get it right. . . . How do those protections align with your other responsibilities as an employer?”
Chris Kauffman, the founder and chief executive of Personam, a McLean company that focuses entirely on insider threats, said programs can “assess insider threatening behaviors without breaching the employee’s privacy.”
“There’s always the concern of the Orwellian overseers watching everything we’re doing. But we’re very sensitive to that,” he said. “We evaluate the activities and the transactions over the networks. Which Web sites they go to, which file servers they go to. But what we don’t do is absorb the content of that data. We don’t read e-mails or chats or texts. Or even the content of the Web sites they go to. We’re looking at the patterns they use.”
MITRE, a not-for-profit research and development company, did a study in 2009 where it asked some of its own employees to try to access sensitive information on its own network. In addition to assessing the network’s strength, the company wanted to “study evasiveness,” said Deanna Caputo, MITRE’s principal behavioral psychologist. “We wanted to see what good guys gone bad would look like.”
Working under a grant from the Defense Advanced Research Projects Agency, the Pentagon’s research arm, Georgia Tech computer scientists have worked to develop software that can detect a rogue employee even before he or she has broken bad. “When a soldier in good mental health becomes homicidal or a government employee abuses access privileges to share classified information, we often wonder why no one saw it coming,” said a Georgia Tech news release.
All this corporate scrutiny doesn’t necessarily bother groups that advocate for privacy protections. When it comes to using a government or corporate network, employees often do not have expectations of privacy, especially if they are dealing with classified information, said Ginger McCall, an associate director at the Electronic Privacy Information Center.
“I think there is an important distinction between monitoring a person’s personal e-mails and monitoring access to sensitive databases,” she said.
And since so much information about ordinary Americans is contained in government and corporate databases, there are benefits to making sure they are protected and under constant surveillance.
“We would want to know if someone at the FBI is accessing a database on a person when they shouldn’t be,” she said.
Michael Crouse, Raytheon’s director of insider threat strategies, said such programs help agencies “trust but verify.”
“We trust our privileged users,” he said. “But what we’re seeing is that you can verify that they are doing the work that is assigned to their role.”
It’s sort of like a big factory, he said, “where the foreman is looking down on the factory floor making sure everyone is doing their job.”