Can Instagram really make a difference to national security? Quite possibly.
Last week, the Insider Threat Subcommittee of the Intelligence and National Security Alliance (INSA) released a key report on Publicly Available Electronic Information (PAEI) and its role in preventing insider threats. PAEI refers to social media, public databases, or other information that is accessible to the general public. It’s a relevant topic as the government looks to extend electronic continuous evaluation across all security clearance holders as a part of efforts to reduce insider threats and speed up the security clearance process.
INSA argues that government agencies need to figure out how to make the most of PAEI, issuing uniform legal standards behind its use. These sources can provide valuable insight into the lives of cleared employees and help set off alarm bells that may not be otherwise visible. The report does an excellent job of summarizing both the value of PAEI and where the government is doing well – and falling short – with its use.
What Is Publicly Available Electronic Information?
The report defines PAEI as, “information that is available to the public on an electronic platform such as a website, social media, or database (whether for a fee or not) – can provide insight into an individual’s perceptions, plans, intentions, associations, and actions.”
Some examples of PAEI:
- Credit reports, tax reports and other information that can offer insight into someone’s financial health or sudden changes in unexplained wealth.
- Travel plans, whether publicly available or deduced through social media or other online forums. Irregular or foreign travel could raise red flags for employers.
- Social media. As the report astutely points out: “The wide spread use of social media for personal expression and communication means people are more likely to use these outlets to voice their hostility, anger or plans for malicious or violent activity. Indeed, rather than confide in a close friend or coworker, disgruntled individuals are more likely to express themselves on these platforms, where they can find sympathetic ears and “likes” and hide behind a cloak of anonymity.”
- Court records, which as the report explains, often precede criminal activity. “Documented insider threat incidents suggest a person does not decide to commit a crime at work overnight; rather, indicators frequently mount leading up to the incident. Law enforcement and court records can bring such turmoil in an employee’s life to light.”
- Civic activity such as associating with organizations known to be violent, anti-American, or other groups that pose a security risk (e.g. Wikileaks).
- Dark web, which the report elaborates as, “online forums and exchanges related to guns, drugs, illicit pornography, hacking, and fraudulent financial activities – is often highly suspect”
The Risks of PAEI
While PAEI is an extremely useful and increasingly essential tool for vetting and monitoring cleared personnel, it is also not without its concerns. For one thing, the report explains that there are no standards to assert which information is or is not relevant to the background investigations process. Are your Instagram posts fair game, but not your credit reports? Is Vermont updating its criminal records database as often as Arizona? Can investigators say for certain that “Bradass87” on Twitter is actually the employee or candidate in question? And perhaps most importantly, what information can employers and investigators gather legally and without unduly invading employee privacy?
These questions are particularly pressing, given that Continuous Evaluation is already incorporating PAEI. This automated monitoring depends on the integrity and completeness of its data streams. Standardizing data sources and methods is necessary for both the candidate’s privacy and for national security.
Recommendations for the Use of PAEI
The Use of Publicly Available Electronic Information for Insider Threat Monitoring concludes with clear recommendations for intelligence community leaders. The report recommends:
“The Director of National Intelligence, as the government’s Security Executive Agent, work with the Defense Department, which will assume government-wide investigation and adjudication responsibilities, to take several key steps, including:
- Determine what sources of publicly available information are relevant to security determinations;
- Develop a single legal interpretation of what PAEI, including social media data, may be collected and analyzed for personnel security purposes; and
- Establish policies for how PAEI, including social media data, may be used for security-related personnel determinations.”
In all, the report tackles a very timely and necessary topic that has not gotten enough attention – but has become an essential part of the clearance reform conversation. Until now, the definition and use of PAEI has been dictated primarily by the system’s whim and a dash of Kentucky windage. Hopefully this will help inspire the intelligence community to put some common standards to paper.
You can download the whole report at www.insaonline.org.