U.S. ‘nowhere near the cutting edge’ in countering insider threats

The federal government’s ability to protect itself from insider threats is a “very long time” away from matching what’s possible in the private sector, a Department of Homeland Security official said Thursday.

The comments came from a panel discussion of experts who either work for or were previously employed at DHS, Office of the Director of National Intelligence and the State Department. The panel, speaking at a cybersecurity event held Thursday by the Atlantic Council, said the government relies too much on old policy and is too slow to procure new forms of technology that could protect vital information from being removed by disgruntled employees.

Brandon Wales, director of Homeland Security’s Office of Cyber and Infrastructure Analysis, said one of the big reasons the government lags is due to the bureaucracy hurdles agencies face.

“As anyone that has tried to get things through a government clearance process knows, to get anything done in government you need every single person to approve of it,’ said Brandon Wales, director of Homeland Security’s Office of Cyber and Infrastructure Analysis. “The people that are involved in these kind of programs, everyone from the security and intelligence side, to the IT side, to the human capital and civil rights, civil liberties, et cetera, [insider threats] can only be affected if you’re able to deal with all of those complex problems.”

Wales went on to say that these programs are often stood up using information collected from employees who submit information during the security clearance process, but the inability of the government to adopt better insider threat technology and figure out policies surrounding employees’ social media accounts is hampering improvements to their threat monitoring process.

“Government is a very, very, very slow adopter,’ Wales said. “The issue is not so much that we will never get to the point where the government may be looking into its personnel that have agreed to a security clearance and you can get their mental health records and et cetera. If you sign a waiver to give away your mental health records, its not too far of a stretch to say we should have access to your Facebook and Twitter. It’s going to take a very long time for the government to get there.”

Todd Rosenblum, a senior fellow at the Atlantic Council and former DHS deputy undersecretary, said rules governing how the government can collect information related to security clearances, which measure the threat level a potential employee presents, impede the ability of agencies to watch over its employees.

“We have a [security clearance] process that we initiated in the ’40s, that was about knocking on the neighbor’s door and asking, ‘Is this person a good American?’” he said. “Before we had Internet access, that was logical. Now, in real time, there are billions of bits of data and government is hamstrung. I respect why, with balance, the government is limited in its tools. It can’t go to data brokers, it can’t go to Google and say, ‘Gimme what you have.’”

Yet that data broker model is something Rosenblum would like the government to follow. He relayed a story of how he’s spent the past 24 hours searching for World Series tickets for his son, and has since been inundated with online ads for everything from Major League Baseball to various sporting goods retailers.

“The precision of the advertising world is phenomenal and outstanding,” he said. “I wish the government could get remotely close to that precision.”

Doug Thomas, the director of counterintelligence operations and investigations for Lockheed Martin, said one of the most important things any organization can do with a modern insider threat program is to have transparency and buy in from employees. He oversaw a program that went into place at Lockheed, and had human resources, ethics, legal and public relations help craft the program to prevent an “intrusive, big brother” feeling.

“I can’t overstate the importance of a good training and awareness campaign,” said Thomas, a former counterintelligence adviser to the director of national intelligence. “What we did not want to do is create a culture of snitches. We wanted to create a culture of employees engaged for their benefit and the company’s benefit.”

However, when it comes to the government, Rosenblum said employees should have to go through more rigorous examination, like a monitoring of their social media networks, since their salary comes from taxpayers.

“The government should have the extra license to mine personal data,” he said. “When you are entrusted, you don’t have the right to have that privacy piece. I wish the government was more effective about having intrusive tools, because it’s not the public we are talking about.”

Even if the government were to monitor more of its employees’ data, another challenge Rosenblum raised was having enough staff to mine through that data for red flags.

“When you want to figure out data that matters, it’s human beings figuring out what is anomalous that you care about,” he said. “All the algorithms in the world wouldn’t be effective without the anomalous activities you care about.”

Wales said it’s going to be some time before the government catches up.

“There are no silver bullets,” Wales said. “We’re nowhere near the cutting edge. We will continue to pursue and potentially, over time adopt, private sector technology. That will make us stronger.”