A department-wide program to protect against the unauthorized disclosure of classified information is expected to be fully operational by the end of this year in line with an Obama administration directive, the head of the Department of Homeland Security’s intelligence agency said on Wednesday.
Operations of the insider threat program will include “deployment of monitoring technology on all of our classified computer networks,” Francis Taylor, under secretary for Intelligence and Analysis, told the House Homeland Security Subcommittee on Counterterrorism and Intelligence in his prepared remarks. “This includes the Secret-level Homeland Secure Data Network, which provides classified connectivity to our 23 federal agency subscribers and nearly all state and local fusion centers.”
The DHS insider threat program arose out of President Barack Obama’s Executive Order 13587 issued in October 2011. The directive came a year after a former Army soldier Bradley Manning, now Chelsea Manning, leaked intelligence information to WikiLeaks, and two years before contract employee Edward Snowden, a system administrator supporting the National Security Agency, provided large amounts of classified information on surveillance programs to news organizations.
Taylor provided some details on results of the insider threat program.
“This fiscal year our technical monitoring solution audited 33 million actions on our enterprise classified networks, of these 215,000 required manual reviews by our analysts, of which 72 required further investigations,” he told the panel. “During the previous two fiscal years the insider threat program also identified 162 violations and provided support to 15 counter intelligence and internal security investigations.”
The purpose of the insider threat program is to identify, detect, deter, and mitigate the unauthorized disclosure of classified information,” Taylor said.
Richard McComb, the chief security officer at DHS who testified alongside Taylor, said that the insider threat program uses automated technology to monitor “tens of thousands” of network users that is combined with data from other sources to create “a total threat picture.” He said the automated technology provides “user activity monitoring” and that “detection thresholds are tailorable to specific types of users and to specific types of behaviors.”
The automation includes alerts that give analysts a heads-up about “events that have a high threat potential and minimize wasteful false positives.”
The insider threat program also includes workforce training to “recognize aberrant behavior,” McComb said.
McComb added that the insider threat program is just one layer in a risk mitigation effort related to employees, contractors, other officials, and external threats.
Taylor also touted the Coast Guard’s insider threat program as being the first in the executive branch to reach “’Full Operating Capability’ status as assessed by the National Insider Threat Task Force.” The task force was created by the 2011 executive order.
While the insider threat program is focused on protecting classified information, McComb said that DHS, the Defense Department and the intelligence community are “taking a more expansive view of the threat to include workplace violence, fraud, waste and abuse, and other potential workforce corruption.”
In the past month there two personnel working at the DHS headquarters complex on Nebraska Avenue in Washington, D.C., were found to be carrying handguns into the premises through random screening. One individual is a department employee and the other a contractor.
McComb said the investigations into the personnel are ongoing but that currently “there’s no indication that either of these individuals were planning or were conspiring to commit workplace violence.”
McComb and Taylor said they were willing to provide more details into the two cases in a classified session with the panel that was to follow the open hearing.