
E. SECURITY CLEARANCE PROGRAM CONCERNS

VI. ROLE OF TECHNOLOGY TODAY

Upon investigating the Washington Navy Yard shooting by Aaron Alexis of September 2003, the Department of Defense (DOD) concluded that technology advancements, access to information technology systems, and the review of open-source social media, financial records, and more detailed criminal records would allow for more thorough background investigations of clearance holders.166 The Office of the National Counterintelligence (ONCI) executive notes:

Insiders convicted of espionage have, on average, been active for a number of years before being caught. Today more information can be carried out the door on removable media in a matter of minutes than the sum total of what was given to our enemies in hard copy throughout U.S. history. Consequently, the damage caused by malicious insiders will likely continue to increase unless we have effective insider threat detection programs that can proactively identify and mitigate the threats before they fully mature.167

These insider threat detection programs rely heavily on improved technology, as well as a cultural change within the intelligence community. Policies and practices will need to be evaluated for effectiveness.

The DOD, the agency that has the most positions requiring security clearances, has been in the forefront of creating new technology. As such, DOD researchers have posed five broad questions regarding analysis of an agency’s risk to insider threat:

• Did the organization adequately account for cultural, social, political, legal, economic and other local pressures and stressors in its environment that increased the risk of insider activity across its many potential targets?

• Did the organization lack any important policies or practices (e.g., pre-employment screening, employee monitoring) that could have alerted it to the risks presented by this employee in a more timely way, deterred this individual, managed the risk, or prevented his or her actions?

• Did any of the organization’s policies and practices have unintentional consequences that made it harder to deter, manage, or prevent insider risks, or did they even increase the risk of insider actions?

• Did the manner in which the organization enforced, or failed to enforce, existing policies and practices contribute to the insider’s risk?

• How could modification of the organization’s policies and practices have improved the organization’s ability to prevent, detect, deter, and manage insider risk?168

166 U.S. Department of Defense, Security from within: Independent Review of the Washington Navy Yard Shooting (Washington, DC: U.S. Department of Defense, 2013), 4.

Most notable in leading alternative screening measures is the DOD Personnel and Security Research Center (PERSEREC), which has spent the better part of two decades developing a program called the Automated Continuous Evaluation System (ACES). As Herbig, Zimmerman, and Chandler explain:

ACES is an automated computer system that collects data from more than 40 government and commercial electronic records. It uses an applicant’s personally identifiable information (PII) obtained from the federal security questionnaire, the Standard Form 86 (SF-86), to check these data sources, verify the information that has been submitted, and leverage the information gathered to collect additional subject information. It applies business rules to analyze the data returned, produces a report that flags issues of potential security concern, and electronically transmits the report to the approved recipient—typically an adjudication facility.169

Repeated testing by PERSEREC of ACES database mining has shown that, if implemented by DOD, the security clearance and suitability vetting process can be streamlined while reducing costs. ACES electronic database checks can be used throughout an employee’s employment: between an initial background investigation and a periodic reinvestigation, as a tool for elements of the initial investigation or the reinvestigation, as a tool for prescreening military recruits, and as a tool for counterintelligence investigations.170 By conducting a random review of clearance holders’ current backgrounds, this technology will assist in determining if personnel are loyal, trustworthy, reliable, and of good character.

168 Eric D. Shaw, Lynn F. Fischer, and Andrée E. Rose, Insider Risk Evaluation and Audit (technical report 09–02) (Monterey, CA: Defense Personnel Security Research Center, 2009), http://www.dhra.mil/perserec/reports/pp09-03.pdf, 3.

169 Katherine L. Herbig, Ray A. Zimmerman, and Callie J. Chandler, The Evolution of the Automated Continuous Evaluation System (ACES) for Personnel Security (technical report 13–06) (Monterey, CA: Defense Personnel Security Research Center, 2013), vii.

In 2013, an ACES pilot test with a sample of 3,370 Army service members, civilian employees, and contractor personnel demonstrated that ACES was able to identify 731 individuals with previously unreported derogatory information (21.7 percent of the tested population), prompting 176 reinvestigations to resolve or adjudicate that derogatory information. Of this group, 99 individuals had serious derogatory information (e.g., financial issues, domestic abuse, drug abuse, or prostitution). Based on the results of this test, the Army revoked the clearances of 55 of these individuals and suspended the access of the remaining 44.171

Another PERSEREC implementation is the Insider Risk Evaluation and Audit Tool “designed to help the user gauge an organization’s relative vulnerability to insider threats.”172 The tool is comprised of

six categories of internal preventative or mitigating management activities and the selection of evaluation and audit questions in each category is based on the authors’ distillation of empirical analysis from a relatively large number of insider cases, academic research, and organizational consultations on insider challenges.173

The six functional areas are:

• Policies and Practices

• Recruitment Methods

• Pre-employment Screening

• Effective Training and Education

• Continuing Evaluation and Policy Implementation

• Management Intervention174

171 Undersecretary of Defense for Intelligence, Internal Review of the Washington Navy Yard Shooting, 14.

172 Defense Personnel Security Research Center, Insider Risk Evaluation and Audit Tool (PP 09–03), August 2009, http://www.dhra.mil/perserec/reports/pp09-03.pdf, 1.

173 Ibid.

174 Ibid.