Arrow-right Camera
The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

Experts question Obama leak rule

Unproven profiling tips may backfire, they say

Jonathan S. Landay McClatchy-Tribune

WASHINGTON – In an initiative aimed at rooting out future leakers and other security violators, President Barack Obama has ordered federal employees to report suspicious actions of their colleagues based on behavioral profiling techniques that are not scientifically proven to work, according to experts and government documents.

The techniques are a key pillar of the Insider Threat Program, an unprecedented governmentwide crackdown under which millions of federal bureaucrats and contractors must watch out for “high-risk persons or behaviors” among co-workers. Those who fail to report them could face penalties, including criminal charges.

Obama mandated the program in an October 2011 executive order after Army Pfc. Bradley Manning downloaded hundreds of thousands of documents from a classified computer network and gave them to WikiLeaks, the anti-government-secrecy group. The order covers virtually every federal department and agency, including the Peace Corps, the Department of Education and others not directly involved in national security.

Under the program, which is being implemented with little public attention, security investigations can be launched when government employees showing “indicators of insider threat behavior” are reported by co-workers, according to previously undisclosed administration documents obtained by McClatchy. Investigations also can be triggered when “suspicious user behavior” is detected by computer network monitoring and reported to “insider threat personnel.”

Federal employees and contractors are asked to pay particular attention to the lifestyles, attitudes and behaviors – like financial troubles, odd working hours or unexplained travel – of co-workers as a way to predict whether they might do “harm to the United States.” Managers of special insider threat offices will have “regular, timely and, if possible, electronic access” to employees’ personnel, payroll, disciplinary and “personal contact” files, as well as records of their use of classified and unclassified computer networks, polygraph results, travel reports and financial disclosure forms.

Experts question profiling procedures

Over the years, numerous studies of public and private workers who have been caught spying, leaking classified information, stealing corporate secrets or engaging in sabotage have identified psychological profiles that could offer clues to possible threats. Administration officials want government workers trained to look for such indicators and report them so the next violation can be stopped before it happens.

“In past espionage cases, we find people saw things that may have helped identify a spy, but never reported it,” said Gene Barlow, a spokesman for the Office of the National Counterintelligence Executive, which oversees government efforts to detect threats like spies and computer hackers and is helping implement the Insider Threat Program. “That is why the awareness effort of the program is to teach people not only what types of activity to report, but how to report it and why it is so important to report it.”

But even the government’s top scientific advisers have questioned these techniques. Those experts say that trying to predict future acts through behavioral monitoring is unproven and could result in illegal ethnic and racial profiling and privacy violations.

“There is no consensus in the relevant scientific community nor on the committee regarding whether any behavioral surveillance or physiological monitoring techniques are ready for use at all,” concluded a 2008 National Research Council report on detecting terrorists.

“Doing something similar about predicting future leakers seems even more speculative,” Stephen Fienberg, a professor of statistics and social science at Carnegie Mellon University in Pittsburgh and a member of the committee that wrote the report, told McClatchy.

Looking for workers’ suspicious behavior

The emphasis on individual lifestyles, attitudes and behaviors comes at a time when growing numbers of Americans must submit to extensive background checks, polygraph tests and security investigations to be hired or to keep government or federal contracting jobs. The U.S. government is one of the world’s largest employers, overseeing an ever-expanding ocean of information.

While the Insider Threat Program mandates that the nearly 5 million federal workers and contractors with clearances undergo training in recognizing suspicious behavior indicators, it allows individual departments and agencies to extend the requirement to their entire workforces, something the Army already has done.

Training should address “current and potential threats in the work and personal environment” and focus on “the importance of detecting potential insider threats by cleared employees and reporting suspected activity to insider threat personnel and other designated officials,” says one of the documents obtained by McClatchy.

Caitlin Hayden, a spokeswoman for the White House National Security Council, said in a statement that the Insider Threat Program includes extra safeguards for “civil rights, civil liberties and privacy,” but she didn’t elaborate. Manning’s leaks to WikiLeaks, she added, showed that at the time protections of classified materials were “inadequate and put our nation’s security at risk.”

Even so, the new effort failed to prevent former National Security Agency contractor Edward Snowden from taking top-secret documents detailing the agency’s domestic and international communications monitoring programs and leaking them to the Guardian and the Washington Post newspapers.

Initiative includes variety of threats

The initiative goes beyond classified information leaks. It includes as insider threats “damage to the United States through espionage, terrorism, unauthorized disclosure of national security information or through the loss or degradation of departmental resources or capabilities,” according to a document setting “Minimum Standards for Executive Branch Insider Threat Programs.”

McClatchy obtained a copy of the document, which was produced by an Insider Threat Task Force that was set up under Obama’s order and is headed by Director of National Intelligence James Clapper and Attorney General Eric Holder. McClatchy also obtained the group’s final policy guidance.

Although agencies and departments are still setting up their programs, some employees already are being urged to watch co-workers for “indicators” that include stress, divorce and financial problems.

When asked about the ineffectiveness of behavior profiling, Barlow said the policy “does not mandate” that employees report behavior indicators.

“It simply educates employees about basic activities or behavior that might suggest a person is up to improper activity,” he said.

“These do not require special talents. If you see someone reading classified documents they should not be reading, especially if this happens multiple times and the person appears nervous that you saw him, that is activity that is suspicious and should be reported,” Barlow said. “The insider threat team then looks at the surrounding facts and draws the conclusions about the activity.”

Departments and agencies, however, are given leeway to go beyond the White House’s basic requirements, prompting the Defense Department in its strategy to mandate that workers with clearances “must recognize the potential harm caused by unauthorized disclosures and be aware of the penalties they could face.” It equates unauthorized disclosures of classified information to “aiding the enemies of the United States.”

Online activities will be tracked

All departments and agencies involved in the program must closely track their employees’ online activities. The information gathered by monitoring, the administration documents say, “could be used against them in criminal, security or administrative proceedings.” Experts who research such efforts say suspicious behaviors include accessing information that someone doesn’t need or isn’t authorized to see, or downloading materials onto removable storage devices like thumb drives when such devices are restricted or prohibited.

“If you normally print 20 documents a week, well, what happens if the next week or the following week you have to print 50 documents or 100 documents? That could be at variance from your normal activity that could be identified and might be investigated,” said Randy Trzeciak, acting manager of the Computer Emergency Response Team Insider Threat Center at Carnegie Mellon University’s Software Engineering Institute.

“We’ve come up with patterns that we believe organizations might be able to consider when determining when someone might be progressing down the path to harm the organization,” said Trzeciak, whose organization has analyzed more than 800 cases and works with the government and private sector on cybersecurity.

Profiling techniques remain unproven

But research and other programs that rely on profiling show it remains unproven, could make employees more resistant to reporting violations, and might lead to spurious allegations.

The Pentagon, U.S. intelligence agencies and the Department of Homeland Security have spent tens of millions of dollars on an array of research projects. Yet after several decades, they still haven’t developed a list of behaviors they can use to definitively identify the tiny fraction of workers who might someday violate national security laws.

“We have not found any silver bullets,” said Deana Caputo, the lead behavioral scientist at MITRE Corp., a nonprofit company working on insider threat efforts for defense and intelligence agencies. “We don’t have actually any really good profiles or pictures of a bad guy, a good guy gone bad, or even the bad guy walking in to do bad things from the very beginning.”

Different agencies and departments have different lists of behavior indicators. Most have adopted the traditional red flags for espionage. They include financial stress, disregard for security practices, unexplained foreign travel, unusual work hours and unexplained or sudden wealth.

But agencies and their consultants have added their own indicators.

For instance, an FBI insider threat detection guide warns private security personnel and managers to watch for “a desire to help the ‘underdog’ or a particular cause,” a “James Bond Wannabe,” and a “divided loyalty: allegiance to another person or company or to a country besides the United States.”

A report by the Deloitte consulting firm identifies “several key trends that are making all organizations particularly susceptible to insider threat today.” These include an increasingly disgruntled, post-recession workforce and the entry of younger, “Gen Y” employees who were “raised on the Internet” and are “highly involved in social networking.”