September 2, 2013

Spy agencies hunt for insider threats

The government spends millions to uncover suspicious staff activity, but the scrutiny is uneven and possibly wasteful.

By CAROL D. LEONNIG, JULIE TATE and BARTON GELLMAN The Washington Post

WASHINGTON - The U.S. government suspects that individuals with connections to al-Qaida and other hostile groups have repeatedly sought to obtain jobs in the intelligence community, and it reinvestigates thousands of employees a year to reduce the threat that one of its own may be trying to compromise closely held secrets, according to a classified budget document.

Pfc. Bradley Manning

After former Army Pfc. Bradley Manning, above, leaked hundreds of thousands of documents in 2010, the intelligence community became more focused on insider threats. But the spy agencies’ systems failed to notice that Edward Snowden, below, was copying classified documents from NSA networks.

The Associated Press

Edward Snowden

The CIA found that among a subset of job seekers whose backgrounds raised questions, roughly one out of every five had "significant terrorist and/or hostile intelligence connections," according to the document, which was provided to The Washington Post by former National Security Agency contractor Edward Snowden.

The groups cited most often were Hamas, Hezbollah, and al-Qaida and its affiliates, but the nature of the connections was not described in the document.

So sharp is the fear of threats from within that last year the NSA planned to launch at least 4,000 probes of potentially suspicious or abnormal staff activity after scrutinizing trillions of employee keystrokes at work.

The anomalous behavior that sent up red flags could include staffers downloading multiple documents or accessing classified databases they do not normally use for their work, said two people familiar with the software used to monitor employee activity.

This shrouded, multimillion-dollar hunt for insider threats has suffered from critical delays in recent years and uneven implementation across agencies, the budget records show. And the spy agencies' detection systems never noticed that Snowden was copying highly classified documents from different parts of the NSA's networks.

He subsequently fled to Hong Kong and then Moscow, where he remains after being granted temporary asylum.

Contractors like Snowden, an NSA spokeswoman said, were not included in the plans to reinvestigate 4,000 security clearances.

'SMALL' SUBSET FLAGGED

CIA officials said the number of applicants ultimately tied to terrorist networks or hostile foreign governments was "small" but declined to provide an exact number or the reasons the broader group of applicants initially raised concerns.

"Over the last several years, a small subset of CIA's total job applicants were flagged due to various problems or issues," one official said in response to questions. "During this period, one in five of that small subset were found to have significant connections to hostile intelligence services and or terrorist groups."

The official, like others interviewed for this article, spoke on the condition of anonymity to discuss classified material.

The intelligence community's dramatic emphasis on insider threats came in the wake of disclosures by WikiLeaks in 2010.

The anti-secrecy group received hundreds of thousands of military and diplomatic documents from Army Pfc. Bradley Manning, now known as Chelsea Manning.

Congress made security a top priority and in 2011 ordered Director of National Intelligence James Clapper to set up "an effective automated insider threat detection program" to guard against similar security failures. The program was supposed to flag possible abuses, identify double agents and prevent leaks.

The project was delayed several times because the intelligence community was preoccupied with handling the fallout from Manning's leaks, the budget documents show.

Congress gave Clapper an October 2012 deadline to install the automation system and until October 2013 to have it fully operating. At the Obama administration's request, the deadlines were each pushed back a year.

Steven Aftergood, a government secrecy expert at the Federation of American Scientists, which analyzes national security policy, said he suspects the agency may respond to a lot of "false positives" -- alerts for activity that is actually innocent and work-related.

"If the 4,000 cases turn up only two or three actual threats, they need to adjust their detection threshold or they'll be using a lot of resources for no purpose," he said.
