Agencies monitoring computer networks with unprecedented scrutiny
Washington: After years of focusing on outside threats, the federal government and its contractors are turning inward, aiming a range of new technologies and counterintelligence strategies at their own employees to root out spies, terrorists or leakers.
Agencies are now monitoring their computer networks with unprecedented scrutiny, in some cases down to the keystroke, and tracking employee behavior for signs of deviation from routine. At the Pentagon, new rules are being written requiring contractors to institute programs against “insider threats,” a remarkable cultural change in which even workers with the highest security clearances face increased surveillance.
The “if you see something, say something” mind-set of the post-9/11 world has fully arrived in the workplace, with new urgency following high-profile leaks such as the revelations of former National Security Agency contractor Edward Snowden.
“People’s sensitivity to this has changed substantially,” said Lynn Dugle, president of a Raytheon business unit that markets an insider threat detection system called SureView. “I can tell you five years ago, when we were talking to agencies or companies about insider threat, we would normally be talking to (chief information officers) who were under budget stress. . . . And that was a very tough sell. Now we see boards of directors and CEOs really understanding what the threat can mean to them, and the risk it poses to them.”
In response to the breach by former Army intelligence analyst Pfc. Bradley Manning, President Barack Obama in 2011 issued an executive order that established a National Insider Threat Task Force and required all federal agencies that handle classified material to institute programs designed to seek out saboteurs and spies.
While corporate security has long been part of the culture among Washington-area companies and federal agencies, the heightened focus and the emergence of new monitoring technology touched off a burgeoning industry. In addition to Raytheon, Lockheed Martin has developed an insider-threat detection service, as have several start-ups in the Washington region.
Even Booz Allen Hamilton, which faced national embarrassment when Snowden, one of its employees, walked off with some of the country’s most guarded secrets, counsels its clients on how to detect rogue employees. A recent job posting said the company was looking for an “insider threat analyst,” which required a security clearance and more than five years of experience in counterintelligence. The posting spread on the Web and sparked ridicule over the notion that the company that employed Snowden was now looking to help turn the historic breach into a profitable lesson learned.
Raytheon’s SureView program allows agencies to create all sorts of internal alerts indicating when something may be amiss. A company could, for example, program the software to detect whenever a file containing the words “top secret” or “proprietary” is downloaded, emailed or moved from one location on the system to another.
Once that wire is tripped, an alert almost immediately pops up on a security analyst’s monitor, along with a digital recording of the employee’s screen. All the employee’s actions - the cursor scrolling over to open the secure file, the file being copied and renamed - can be watched and replayed, even in slow motion. It’s the cyber equivalent of the security camera that records robbers sticking up a convenience store.
Lockheed Martin provides a service called Wisdom, which acts as “your eyes and ears on the Web,” according to a company official. At its broadest use, the service can monitor mountains of data on the Web - Facebook, Twitter, news sites or blogs - to help predict everything from a foreign coup to political elections and riots. But it can also be turned inward, at employees’ online habits, to predict who within the organization might go rogue.
Counterintelligence officials use Wisdom to “evaluate employee behavior patterns, flagging individuals who exhibit high risk characteristics,” the company says in a brochure.
“I like to think of it as a digital intuition that is being developed,” said Jason O’Connor, Lockheed’s vice president for analysis and mission solutions.
The market is much broader than the defense and intelligence industries. It extends to hospitals, which need to protect patients’ information; retailers, which hold customers’ credit card numbers; and financial institutions.
Some worry that the programs are an overreaction to a relatively rare threat that will do more to hinder the free flow of information than to deter crime, while creating repressive working environments.
Despite the soon-to-come federal mandate, many defense contractors have “already implemented fairly imposing controls to minimize the unauthorized use of data,” said Loren Thompson, a defense industry consultant who has worked with Lockheed Martin and other contractors. But he warned that this “clearly is a trade-off in which values like efficiency and collaboration will be sacrificed in order to reduce the likelihood of internal wrongdoers from succeeding.”