There’s no end to shoring up national security. On the one hand, our national security faces threats from the outside. On the other hand, we’re susceptible to the more alarming security threats from inside. The Insider Threat and Security Clearance Reform (ITSCR) team—led by James Clapper, Director of National Intelligence, Beth Cobert, Acting Director, Office of Personnel Management, among others—has been hard at work for quite some time now, trying to decrease the significant security threat in our Federal workforce. And their Fourth Quarter FY2016 report is worth a careful look, both for the effort the major problems they’re attempting to solve and the insights it shares addressing insider threats and as an exercise in cross-functional collaboration.
FEDERAL IMPROVEMENT
There’s a macro-stovepipe phenomenon in which Federal agencies fail to share information and work together. That’s where cross-agency priority goals come in. Insider Threat and Security Clearance Reform represents one of 16 cross-agency priority goals for the Federal government. While each Federal agency works to improve performance by making steady progress achieving agency-specific priority goals, the cross-agency goals address broader challenges that a single agency cannot solve alone, or challenges affecting the success of several agencies’ mission and processes.
THE INSIDER THREAT
Understand that the insider threat exists in any workforce, large or small. The ITSCR team’s overarching goal is to “protect our nation’s interests by ensuring aligned, effective, efficient, secure, and reciprocal vetting processes to support a trusted Federal workforce.” Their vision is a workforce that can be trusted with sensitive information and privileged access, characterized by better early detection, better decisions granting and renewing security clearances, capabilities that work across the government (versus myriad capabilities different and incompatible agency to agency), and an insider threat program that anticipates and recognizes threats before those threats act.
To reach this substantial goal and achieve this vision, the ITSCR team is focused on five impact areas and goals associated with each area: Trusted Workforce, Modern Vetting, Secure and Modern Mission-Capable IT, Continuous Performance Improvement, and Insider Threat Programs.
TRUSTED WORKFORCE
We may not “trust the government,” but when we’re talking about the people, the civil servants individually, I suspect most of us trust them, though we may have differing opinions about the quality of work, work ethic, and the like. However, examples from Navy Yard shooter Aaron Alexis to NSA Whistleblower Edward Snowden demonstrate that on an individual basis, there are people who threaten our national security from the inside. The ITSCR team’s Trusted Workforce Impact Area (sub-goal) is meant to begin solving this longstanding problem (remember, Aldrich Ames, Robert Hanssen . . . ) by aligning processes across agencies, early identification of unusual behavior, teaching the workforce how to identify and report unusual behavior, and establishing a single, effective policy for reporting and tracking threatening behavior. In short, “instilling a sense of shared responsibility by enabling a trusted workforce through consistent reporting requirements, employee and supervisor training, awareness campaigns for reportable behaviors, and identification of gaps in information sharing with sister missions.”
PROGRESS
The ITSCR team identified three milestones to improving the degree to which we can confidently trust the Federal workforce: (1) require the national security workforce, specifically, to report threatening behavior, (2) identify gaps in reporting and align processes to fill the gaps, and (3) get the entire Federal workforce—security or not—on board with effective, timely identification and reporting of suspicious behavior.
While two of the three milestones the ITSCR team identified to get to improve the degree to which we can trust the workforce have not yet come due, the team reports that by the end of December 2016, it had devised “a policy that requires the national security population to report information of security concern to the proper authorities in a timely manner.” The next milestone comes due next October, and the third, getting the entire Federal workforce moving in the same direction, is a more difficult proposition that they anticipate will take until mid-2019.
We’ll be watching.