Can investigators reverse engineer insider threats?

A top official at the background check agency created after the Office of Personnel Management hack wants to use analytics to reverse engineer insider threats.

James Onusko, transition director at the National Background Investigations Bureau, said at an April 28 conference he would like to see research and development put toward studying cases when federal employees have had their clearances denied or revoked.

The idea is to use private-sector advances in data mining to build profiles of possible "insider threats," a broad term spanning leakers of sensitive information to those who pose physical threats to government facilities.

After the event, hosted by the Intelligence and National Security Alliance, Onusko told reporters that funding for that analytical R&D could be a challenge. He was nonetheless optimistic about what high-powered algorithms could bring to the screening process.

OPM contractors have been hacked more than once. The massive breach of OPM databases, revealed in June 2015, came via compromised credentials of KeyPoint Government Solutions, a contractor who had a representative on hand at the INSA event. Nonetheless, Onusko said, contractors will remain a key part of the investigative workforce.

Onusko, who has run personnel security for the Department of Veterans Affairs, is part of a transition team named by OPM in March to stand up the NBIB. The Defense Information Systems Agency is building the IT infrastructure for the new agency, and Onusko said DISA's expertise in IT security would help make the NBIB defensible against hacking. 

'I can't believe how stupid' the process is

John Hamre, a former deputy secretary of Defense, opened the INSA conference with a blistering critique of the security clearance process.

"I can't believe how stupid" the process is, he said, citing a question from an in-person background checker that defied common sense. "This process will catch nobody" who wants to infiltrate the government as a spy, he added.

Hamre also took aim at what he said was the government's tendency to over-classify information, including the "messy world of 'sensitive but unclassified [information].' What the hell is that?"

"We're choking" on over-classified information," added Hamre, who is now president of the Center for Strategic and International Studies.

Hamre's comments resonated at the conference, held in a Sensitive Compartmented Information Facility at Vencore, Inc.'s Chantilly, Va., offices.

"I wanted to stand up and cheer several times" during Hamre's remarks, said Carrie Wibben, a security official in the Office of the Undersecretary of Defense for Intelligence.

After WikiLeaks' disclosure of a trove of State Department cables that included reams of classified information, President Obama in October 2011 issued an executive order to tighten the protection of such material. The directive gave agency heads ownership of the task of safeguarding classified information. It also laid the groundwork for a government-wide insider threat program that is still maturing.

The executive order only covered collecting information on people who have access to classified information. An insider threat program dealing with the unclassified realm is therefore arguably on murkier legal footing. Wibben alluded to this dichotomy by noting that "privacy issues have slowed us up a bit."

Government lawyers are looking into the legal feasibility of carrying out "user activity monitoring" for cleared users of the unclassified Defense Department network, Wibben told FCW.

Privacy concerns have also arisen as government background-checkers set their sights on social media, the next frontier in insider threat programs. Wibben called social media "the data source that we've really been longing for for many years."

But with more data comes a need to make sense of it, and for now, Wibben said, DOD needs to do a better job of aggregating the data it already has.

Kemp Ensor, the National Security Agency's director of security, estimated that 80 percent of his workforce joined NSA after the September 11, 2001, terrorist attacks. Many in that category of employees spend much of their time online, he added. "So that's where we need to be, that's where we need to mine" if the agency is to build a secure workforce, Ensor said.