OCTOBER 2021

The Need for Transparency on Insider Threats: Improving Information Sharing Between Government and Industry

Presented by INSA's Insider Threat Subcommittee

Building a Stronger Intelligence Community

WWW.INSAONLINE.ORG

EXECUTIVE SUMMARY

Cleared government contractors need insight into their employees' behavior to successfully identify, evaluate, and mitigate security threats and implement government-mandated insider threat programs.[1] However, when their employees work on-site at government facilities, only the government agency being supported is positioned to detect conduct indicative of a security risk – for example, downloading classified files unrelated to one's job or threatening to harm co-workers. Yet in most cases, government agencies do not tell the employing firm that their staff member may pose security risks, making it impossible for the company to mitigate potential threats. This lack of transparency is driven by a misunderstanding of the law – particularly the Privacy Act of 1974 – and a lack of clear policy guidance.

New legislation and policies are needed to enable all government agencies to share appropriate personnel security information and thereby mitigate security risks already known to the government. INSA recommends that the executive branch clarify an appropriate level of information that can be shared under the law, issue clear policy guidance directing maximum transparency, and streamline information-sharing procedures. INSA also recommends that Congress pass Section 502 of the Senate's FY2022 Intelligence Authorization bill [S. 2610], which would require agencies to share observed security-relevant information on contractor employees with the employing firms.

[1] The National Insider Threat Task Force (NITTF), part of the Office of the Director of National Intelligence (ODNI), defines an insider threat as "a threat posed to U.S. national security by someone who misuses or betrays, wittingly or unwittingly, their authorized access to any U.S. Government resource." See National Insider Threat Task Force Mission Fact Sheet, no date, at National Insider Threat Task Force Fact Sheet.pdf. INSA's Insider Threat Subcommittee defines the threat more broadly to include trusted individuals who use their authorized access to cause harm to a government agency or company. INSA's definition also encompasses threats of workplace violence. For details, see INSA, "Explanation of INSA-Developed Insider Threat Definition," November 2015. At /10/INSA InsiderThreat definition-Flyer.pdf.

INTRODUCTION

U.S. defense and intelligence agencies collaborate extensively with cleared contractors[2] to secure capabilities and resources that they do not possess in-house. Government agencies have insights into the behavior of cleared contractor employees who work on government computer networks at government facilities. When such individuals demonstrate behavior that indicates a potential security risk, agencies generally fail to share relevant information with the contractor firm, creating risks for the security of classified information, secure networks, and workplace safety. Legislation and policies requiring all government agencies to share appropriate personnel security information are needed to reduce these risks.

Security Executive Agent Directive 3 (SEAD-3) requires information to be shared in only one direction – from cleared contractors to the United States Government (USG).[3] No policy or statute exists to prevent government agencies from sharing information with contractors; however, government officials are often reluctant to share details about suspicious behavior by a contractor's employees with the contractor.

BACKGROUND

Under the National Industrial Security Program (NISP), the USG requires cleared contractors and cleared contractor employees to protect classified information in a manner equivalent to the procedures used by executive branch agencies. The National Industrial Security Program Operating Manual (NISPOM) and several other USG policies and regulations specify compliance standards for cleared contractors to ensure uniformity and consistency within industry. Among the NISPOM's standards is the requirement for all cleared contractors to implement comprehensive insider threat programs. Such initiatives depend upon information from multiple sources, including supervisors, co-workers, and computer network user activity monitoring (UAM). When a contractor employee works on-site at a government facility, it is the government agency being supported – not the company employing the individual – that has access to the information and insights on the employee's daily work activities. Cleared contractors need this information about their employees' behavior for their insider threat programs to identify, evaluate, and mitigate security threats successfully.

To address this situation expeditiously and thereby mitigate risk more effectively, the Intelligence and National Security Alliance (INSA) recommends a series of policy, legal, and procedural solutions that will require close coordination among stakeholders across government and industry.

[2] Throughout this paper, the term "cleared contractor" refers to a corporate entity, either for-profit or not-for-profit, which has a contractual relationship with the government to perform classified work that requires its employees to hold security clearances. The cleared employees of such entities will be referred to as "cleared contractor employees."

[3] Office of the Director of National Intelligence, "Security Executive Agent Directive 3 (SEAD 3): Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position," June 12, 2017. At ns/SEAD-3-Reporting-U.pdf.

While personnel security initiatives focus principally on identifying and mitigating threats to sensitive and classified information, such initiatives must evolve to include information that may indicate whether a person may harm themselves or others. This physical security focus is meant to prevent incidents like the 2013 Washington Navy Yard shooting, in which a cleared contractor employee killed twelve people.

The President directed the Office of Management and Budget (OMB) to lead an interagency review of suitability and security clearance procedures for Federal employees and contractors following the Navy Yard shooting. That review underscored the critical importance of uniform and consistent information sharing.[4] It assessed USG policies, programs, processes, and procedures involving determinations of federal employee suitability, contractor fitness, and personnel security. The interagency working group also evaluated the collection, sharing, processing, and storage of information used to make suitability, credentialing, and security decisions. It identified a need for better information sharing and consistent application of standards and policies in the security clearance procedures for both Federal employees and cleared contractor employees.

While several subsequent initiatives and measures have enhanced the capability of the USG to collect information and share it more consistently across the Federal government, those efforts do not directly address the disparity in sharing information with cleared contractors. SEAD-3 requires cleared contractors to report personnel security risks to USG agencies, but it does not require agencies to share insights on individual contractors with the firms that employ them. USG security personnel may discuss potential red flags with individual cleared contractor employees to gather additional information and identify potentially false alerts; however, agencies' failure to share their concerns with contracting firms prevents companies from assisting in the evaluation of potential security risks posed by their own staff members.

The lack of clear policy guidance on what personnel security information USG agencies can share with cleared contractors has created confusion and uncertainty and prevented uniform and consistent security practices across industry. New policies, and potentially new legislation, are needed to ensure uniform and consistent sharing of personnel security information from USG agencies to cleared contractors.

Government agencies withhold suspicious information about cleared contractor employees due to four principal concerns.

[4] Office of Management and Budget, Suitability and Security Clearance Performance Accountability Council, Suitability and Security Processes Review Report to the President, February 2014.

CONCERN #1: Sharing derogatory information would violate the Privacy Act of 1974.

USG officials often interpret the Privacy Act of 1974 as preventing the sharing of personnel security information regarding cleared contractor employees with their employers – particularly in the absence of explicit consent by the individuals concerned. However, this interpretation is mistaken.

Benjamin Powell, former General Counsel for the Office of the Director of National Intelligence (ODNI), has emphasized that the law is commonly misinterpreted. In an April 2019 paper entitled The Privacy Act and Information Sharing for Insider Threat Programs, Powell wrote:

    "Despite commonplace claims to the contrary, the Privacy Act does not bar the sharing of this kind of information with cleared contractors. The Act contains explicit exceptions that allow the government to make disclosures in several circumstances, including disclosures to cleared contractors."[5]

Multiple speakers reiterated these points at a panel discussion on "Government-Industry Personnel Security Information Sharing Under the Privacy Act" held by INSA in January 2020. The panelists – who included a former ODNI General Counsel (Powell), CIA's Privacy and Civil Liberties Counsel, a Senate Intelligence Committee staff member, and the Director of the Defense Department's Office of Hearings and Appeals (DOHA) – argued that obstacles to sharing personnel security information on cleared contractor employees are rooted in policy, not in the Privacy Act.[6]

To eliminate the widely held belief that the Privacy Act prevents such information sharing, INSA's Insider Threat Subcommittee recommended in a January 2020 white paper that ODNI and OMB convene an interagency legal working group so "government lawyers [can] agree upon a uniform, government-wide interpretation of what information can be shared with industry under the Privacy Act" and related legislation.[7] If statutory changes are needed to share information that could mitigate security threats, INSA recommended, OMB should propose changes to Congress that would explicitly allow insider threat information to be shared with cleared contractors.

Congress took steps on its own to address privacy concerns in a provision of the Fiscal Year 2020 National Defense Authorization Act calling for enhanced two-way information sharing. Section 6610(f) of the law called for the Federal government's Security Executive Agent (the Director of National Intelligence) and its Suitability and Credentialing Executive Agent (the Director of the Office of Personnel Management) to consider expanding the sharing of information held by the Federal Government related to contract personnel with the security office of the employers of those contractor personnel. The statute specifically directed that the plan include mechanisms to address privacy concerns.[8] Unfortunately, this concept was never put into practice, as the statute merely called for these officials to develop a plan to implement a pilot program to assess the feasibility and advisability of sharing this information. Solving the problem requires more than a plan for a pilot to assess the merits of transparency.

[5] Benjamin Powell, "The Privacy Act and Information Sharing for Insider Threat Programs," white paper, Wilmer Hale, April 2019. At /09/Privacy-Act-White-Paper.pdf.

[6] Intelligence and National Security Alliance, 2020 National Security Legal Outlook, event description, January 16, 2020. At rity-legal-outlook/.

[7] Intelligence and National Security Alliance, Legal Hurdles to Insider Threat Information Sharing, January 2020, pp. 8-9. At /01/INSA WP Legal-Hurdles FIN.pdf.

[8] National Defense Authorization Act for Fiscal Year 2020, P.L. 116-92, 116th Cong., 1st sess., section 6610(f). At rpt333.pdf.

The following year, the Senate called for more direct action in Section 403 of its FY 2021 Intelligence Authorization bill (S. 3905).[9] This provision called for the Director of National Intelligence (DNI), as the Federal government's Security Executive Agent (SecEA), to issue a policy requiring agencies to share suspicious behavioral information pertaining to contractor employees with that person's employing firm. The draft legislation explicitly addressed concerns that such information could be used to the detriment of innocent contractor employees:

– It addressed employee consent to information sharing by requiring contractor employees to agree to such sharing as a condition of receiving a security clearance.

– It ensured information would not be misused by requiring contractors to use the information exclusively for insider threat risk mitigation.

– It specified that contractor employees have the right to challenge the derogatory information and remedy any security concerns.

– It prevented contractor security officials from discussing the derogatory information with other parties, thereby preventing personnel action (such as termination) not linked to risk mitigation.

While the Senate incorporated S. 3905 into the National Defense Authorization Act for FY2021 in the last days of the 116th Congress, this provision – which would have rectified the problem – was removed from the final legislation.[10] Congress is reconsidering this provision in the 117th Congress, however; the Senate Select Committee on Intelligence (SSCI) included identical language in section 502 of its markup of the Fiscal Year 2022 Intelligence Authorization Act (S. 2610), which it passed on a bipartisan 16-0 vote on July 28, 2021.[11]

CONCERN #2: Sharing derogatory information would place cleared contractor employees at risk of adverse actions by their employer before completion of fact-finding and adjudicative actions by the USG.

As required by the NISPOM and regulations codified in the Federal Register,[12] cleared contractors have established insider threat programs to deter, detect, and mitigate vulnerabilities and threats from trusted insiders. To enable cleared contractors to implement mandatory insider threat programs effectively, USG agencies should provide information developed from their own monitoring efforts so companies can intervene with employees before they become an insider threat.

Providing personnel information to industry insider threat program managers does not increase the risk that a cleared contractor will punish its employee before completion of fact-finding. In fact, these programs are required to employ personnel specifically trained in procedures for conducting insider threat response actions; applicable laws and regulations regarding the gathering, integration, safeguarding, and use of records and data; the consequences of misuse of such information; and applicable legal, civil liberties, and privacy policies. Legislation like Section 502 of the Senate's FY2022 Intelligence Authorization bill would create further employee protections by preventing contractor security officials from discussing the information with other parties, thereby preventing personnel action (such as termination) not linked to risk mitigation. In lieu of legislation, the SecEA could also institute such protections in policy guidance.

[9] Intelligence Authorization Act for Fiscal Year 2021, U.S. Senate, 116th Cong., 2nd sess., S. 3905 (2020), section 403. See rted-june-8-2020.

[10] The text of the Intelligence Authorization Act (not including the provision on information-sharing) was incorporated into the National Defense Authorization Act for Fiscal Year 2021, Public Law No. 116-283, 116th Cong., 2nd sess., January 1, 2021. At -bill/6395.

[11] Intelligence Authorization Act for Fiscal Year 2022, U.S. Senate, 117th Cong., 1st sess., S. 2610 (2021), section 502. At 2610pcs.pdf. See also Office of Sen. Mark Warner, "Senate Intelligence Committee Passes the FY22 Intelligence Authorization Act," press release, July 28, 2021. At 2-intelligence-authorization-act.

[12] See 32 CFR part 117.

CONCERN #3: Sharing derogatory information would expose the USG and/or cleared contractors to lawsuits from contractor employees who feel they had been unduly punished as a result of premature risk reports.

A related liability concern is the perception that more robust information sharing would blur the lines between employment decisions by cleared contractors and government decision-making regarding security clearances. Without access to the underlying facts to inform their own processes and decisions, cleared contractors may infer that an adverse security clearance decision necessitates adverse employment actions. Alternatively, making no decision because of a lack of information could lead the contractor to be in violation of its responsibility to notify the Defense Counterintelligence and Security Agency (DCSA) of events that "impact the status of an employee's personnel security clearance (PCL); may indicate the employee poses an insider threat; affect proper safeguarding of classified information; or that indicate classified information has been lost or stolen."[13] Cleared contractors need information from the government to make informed decisions on how to mitigate insider threats and comply with government security policies.

Some caselaw exists regarding information sharing under NISPOM requirements. In Becker v. Philco,[14] the U.S. Court of Appeals for the 4th Circuit held that a cleared contractor is not liable for defamation of an employee because of reports made to the Government pursuant to government-created contractual requirements.[15] Cleared contractors may inform the government of information regarding cleared contractor employees that indicates potential security risks if there is a government requirement for that reporting. Similarly, a legislated requirement for the government to share information within these same guidelines could extend that protection to government actions.

CONCERN #4: Sharing derogatory information could result in litigation that exposes protected USG sources and methods through the legal discovery process.

The final concern, potential exposure of sensitive information or sources due to any resulting litigation, can be managed by ensuring information and subsequent actions are based upon clear and defendable facts. Much of this information is already subject to disclosure to the cleared contractor employee who is the subject of an adjudicated clearance determination.[16] Thus, the information would be accessible in litigation regardless of whether the contractor is also provided with access to such information.

[13] National Industrial Security Program Operating Manual (NISPOM), Change 2, DoD 5220.22-M, section 1-300, updated May 18, 2016. At suances/dodm/522022m.pdf.

[14] Becker v. Philco, 372 F.2d 771 (4th Cir. 1967).

[15] The NISPOM did not exist at the time Becker was decided; however, the U.S. Government has interpreted the reasoning and the contractual relationship in that case to equate to the NISPOM reporting requirements.

[16] Intelligence Community Policy Guidance (ICPG) 704.3, section D.1, allows for the disclosure of all information used to form the basis for denial or revocation of access, including a comprehensive written explanation, the right to counsel, and the right to any documents, records and reports upon which a denial or revocation is based. See Office of the Director of National Intelligence, Intelligence Community Policy Guidance Number 704.3: Denial or Revocation of Access to Sensitive Compartmented Information, Other Controlled Access Program Information, and Appeals Processes, October 2, 2008. At https://www.dni.gov/files/documents/ICPG/icpg 704 3.pdf.

RECOMMENDATIONS

INSA recommends policy and statutory changes that create greater certainty regarding the conditions in which certain types of insider threat information can be shared with cleared contractor employees and the companies that employ them. INSA also recommends that the USG modify information-sharing procedures to promote the transparency needed to mitigate security risks while alleviating employee concerns that such information could be misused. Balance can be struck most effectively if government agencies share the details of a contractor employee's concerning behavior or comments – particularly those that have been investigated, substantiated, and found to be credible – without offering subjective analysis or interpretation of such facts.

POLICY AND STATUTORY RECOMMENDATIONS

1. CLARIFY WHAT INFORMATION CAN BE SHARED UNDER THE LAW. As INSA's Insider Threat Subcommittee recommended in its January 2020 white paper, ODNI and OMB should convene an interagency legal working group charged with developing a uniform, government-wide interpretation of what information can be shared with industry under the Privacy Act and related legislation. Such a working group could be convened under the auspices of the Federal Privacy Council, which was established in 2016 by executive order "as the principal interagency forum to improve the Government privacy practices of agencies and entities acting on their behalf"; members of the Council, which is chaired by OMB's Deputy Director for Management, include the senior privacy officials from ODNI, DOD, and other agencies that engage cleared government and contractor staff.[17] If the working group determines that statutory changes are needed to share information that could mitigate security threats, OMB should propose changes to Congress that would explicitly allow insider threat information to be shared with cleared contractors.

2. ISSUE CLEAR POLICY GUIDANCE DIRECTING MAXIMUM TRANSPARENCY. Once the interagency legal working group develops a legal framework, the DNI, as the SecEA, should convene an interagency policy working group to develop information-sharing policy guidance affecting cleared government and contractor personnel. This directive should clarify that within the specified legal parameters, agencies' default approach should be to share as much information as possible, as maximum transparency is needed to enable companies to implement the NISPOM-mandated insider threat programs designed to reduce national security risks.

3. PASS SECTION 502 OF THE SENATE'S FY2022 INTELLIGENCE AUTHORIZATION BILL [S. 2610]. The draft legislation requires agencies to share suspicious information on contractor employees so their companies can effectively implement government-mandated insider threat programs while simultaneously preventing such information from being used to the detriment of contractor employees determined to pose no security risk.

[17] See Establishment of the Federal Privacy Council, E.O. 13719, 81 Fed. Reg. 29 (February 12, 2016). At pdf/201603141.pdf.

4. STREAMLINE INFORMATION-SHARING PROCEDURES. Government agencies and cleared contractors alike want to base security decisions on vetted and validated information, not rumors or isolated pieces of data. Furthermore, relying on validated data insulates agencies from accusations that their security decisions are intended to yield punitive personnel actions. Agencies could share information with contractors in two ways, with sharing of unverified information reserved for situations where potential risks are higher.

a. Option I: Sharing Adjudicated Information of Current Cleared Contractor Employees. The USG could provide the cleared contractor information derived from an adjudicative action (i.e., suspension, revocation, or denial of a security clearance) taken against its employee as a result of adjudicated security information – data that has already gone through a complete vetting and validation process and meets the burden for the USG to make a security decision. Including the cleared contractor in this process would provide two benefits. First, the cleared contractor could provide actionable information of its own to the USG to strengthen its adjudicative decision or damage assessment. Second, providing validated information enables the cleared contractor to take its own mitigation measures. If the cleared contractor were to be kept in the dark about the risk its employee poses, the company would have to make an uninformed assessment about whether the person is suitable for other USG work, thereby potentially transferring risk onto a different, unsuspecting government agency.

b. Option II: Sharing Enhanced Monitoring Information of Current Cleared Contractor Employees. Often, threat intelligence will drive agencies to launch a formal assessment of an employee or contractor; such efforts typically involve enhanced monitoring to determine if security risks actually exist. Even though risk indicators have not yet been fully validated at the beginning of an assessment, the USG could nevertheless share these indicators – particularly in situations where the security risks are potentially high. This would enable the cleared contractor's insider threat program to review its own records for information that could corroborate or assuage the government's suspicions, ensuring a more informed adjudicative decision by the government. Such transparency would be consistent with the broader goal that insider threat programs should gather disparate sources of information to inform a "whole person" assessment.

CONCLUSION

Government and cleared industry are partners in ensuring the protection of national security information and the safety of the national security workforce. To make this partnership work, government agencies must tell cleared contractors when they suspect that an individual contractor employee poses a potential security threat. No legal or policy barriers exist to prevent such information sharing, despite common misperceptions to this effect. To enable the fullest information sharing permitted under existing policy and legislation, the Intelligence Community must clarify what information can be shared and under what circumstances. If the Intelligence Community does not do so through clear policy guidance, Congress should mandate effective information sharing through legislation.

Cleared contractors are committed to protecting sensitive and classified information, as they are required to do under the NISPOM and under individual contracts for classified work. Indeed, failure to do so could lead companies to be disqualified from further government contracts – a potential penalty far costlier than the expense of maintaining effective security and insider threat programs. To meet their security obligations and effectively implement mandatory insider threat programs, cleared contractors need all pertinent information the government may have regarding risks posed by their employees. Concerns regarding employee privacy can be addressed by limiting the use of personnel security information to security matters and by limiting sharing to validated information, except in circumstances in which potential security risks are high. Greater transparency on insider threat matters will yield greater security for the nation.

ACKNOWLEDGEMENTS

INSA expresses its appreciation to the INSA members and staff who contributed their time, expertise, and resources to this paper.

INSA MEMBERS
Sue Steinke, Peraton; Insider Threat Subcommittee Vice Chair
Vinny Corsi, IBM; Insider Threat Subcommittee Chair
Joshua Massey, MITRE
Greg Torres, Booz Allen Hamilton
Timothy Calhoun, Booz Allen Hamilton
Joseph Kraus, ManTech
Eric Roscoe, SANCORP
Gary Ross, Bush School of Government and Publi

INSA STAFF
John Doyon, Executive Vice President
