Tackling insider threat — everything from leaking classified information to potential workplace violence — is a key part of the National Counterintelligence and Security Center’s mandate. Leading efforts to develop new policies and pilot programs on the issue is NCSC Director Bill Evanina, who recently sat down with The Cipher Brief’s Mackenzie Weinger for a wide-ranging interview. A portion of the conversation focused on insider threats.
The Cipher Brief: I want to address the issues of leaks, whistleblowers, and the overall insider threat problem. How is the U.S. government dealing with the deluge of leaks it seems to be facing right now?
Bill Evanina: Honestly, we’re not dealing with it in terms of, there’s so much right now. We’re really having a difficult time sifting through what is a leak, a political leak, versus what is an actual unauthorized disclosure of classified information. And that is where my world sits. My world is the unauthorized disclosures of classified information, and there’s a lot of that.
So we have to identify what that is, who is it, where did it potentially come from. We’re going to try really hard in the future, working with the Department of Justice and the White House, to talk about damage. What are foreign intelligence services doing with that data? That’s not part of the narrative right now. Where people’s lives are endangered, or we’re losing collection capabilities around the world, we have to make that part of the narrative. There’s significant damage being done.
Also, there are legitimate whistleblowing venues to do this if you are angry. Every agency has one. You can go to your Inspector General, Congress. There are vectors for you to be angry and say, “Hey, I’m upset with my agency for doing X, Y, and Z.” Go that route. We have to do a better job in the government of explaining to our employees, to include government employees and contractors, there are these venues, and you can go through the whistleblower route if you are that angry. You don’t need to go to WikiLeaks, or The Washington Post, or put it off in a dropbox on a website. There are other venues.
And when you do those things that are not good, people’s lives are at risk. Collection platforms are lost. And we have lost capability to have liaison relationships with foreign governments. The damage is significant. I don’t think the people who are leaking stuff now, unauthorized disclosures, understand the damage they’re creating. They’re so currently maybe upset with the political world — it’s okay to be upset, but there are other ways to manifest your anger than giving stuff to the rest of the world.
TCB: Are there any specific counterintelligence lessons from recent cases like NSA contractors Harold Martin, Edward Snowden, and Reality Winner? How do you take these things and actively learn something from the CI perspective?
Evanina: I really can’t comment too much on the open cases, but I can say in general, they’re all different. At the end of the day, what we’re trying to accomplish here is the ability to get to a motivation. The FBI will do their investigation on who did what and when and how with the victim agencies. What we’re trying to look at, from not only the perspective of us here but the Intelligence Community and private sector entities — what’s the motivation? The last four or five unauthorized disclosures, did they all have the same motivation? Or were they different?
Back in the day, it was ego, it was money, it was reputation. But is it the same thing now? In order for us to get to a point where we can start to prevent more effectively the insider threat, we have to find out motivations. And that also goes to people who have already been convicted, doing interviews and debriefings to understand what motivated them to disclose this information.
TCB: Is this about the psychology, the behavioral issues related to insider threat?
Evanina: Yes. And what was the catalyst to make a determination to wake up one day and say, “I’m going to release this information to so-and-so.” Or, which is no different, someone who wakes up tomorrow and says, “I’m going to go to work and I’m going to shoot my boss, my coworkers, and myself.” It’s the same mentality. It’s the decision to wake up in the morning and do something bad. Sometimes it gets manifested in the Intelligence Community in leaking documents, sometimes it’s a shooting in the workplace, but it’s the same concept of insider threat.
We have to understand the motivations. Now, Mr. Martin, who is still under criminal process, eventually when his case is adjudicated, we’ll have an opportunity to debrief and find out his motivations, just like we did with [Army Pvt. Chelsea] Manning, with [FBI Spy Robert] Hanssen, with [CIA spy Aldrich] Ames. We don’t have the capability with Snowden right now. We had spies from Canada, [Jeffrey] Delisle, we need to know what his motivations were for spying on behalf of the Russians. We have one in Portugal right now, spying for the Russians, what was his motivation? Is it money? Ideology? Anger? I wasn’t promoted? A combination of a bunch of stuff?
In order to identify the next leaker, we’ve got to understand what the motivations are, from a more academic perspective, so we can quantify that. All the user activity monitoring, all the technology is one thing — that’s going to stop the bleeding. But it’s not going to prevent someone from stealing documents.
TCB: Are there any kinds of innovative practices with behavioral psychology or on the technological side that you can discuss?
Evanina: We’re doing some pilots right now, and we’re working not only in the interagency, but with the Defense Department and some private sector organizations and universities to try to develop some type of AI [artificial intelligence], some type of methodology to do predictive analysis. But the question is, based upon what? What are those factors going to be to be able to predict Bill’s ability to leak a document before you? We have to develop the criteria first, the algorithm. I think the construct afterwards will be fine, but we have to find a baseline of, what are those aspects? And we’re doing that by looking at a lot of the leakers and spies over time, and looking for those common denominators so we can start to do that. That’s issue one.
Then issue two is, how do you implement that in the workforce? What, are you going to put a machine in someone’s office so you know what their mood is that day? So implementation of the science is a secondary thing that we don’t have at our beck and call yet. It’s easy to have a user activity monitor on your keyboard, because you already have a keyboard, but how do you monitor it from a behavioral analysis perspective?
TCB: And then things like satire become an issue. Civil liberties and privacy advocates have some issues with predictive tools, and I’ve talked to several who say it obviously can work on things like credit card fraud because there are so many data points, but they’re more skeptical about the national security applications.
Evanina: But that’s predictive based upon past action. Not mentality or personal behavior. We do the same thing though, we can see an anomaly in someone’s printing activities, or when they log on. We have all that behavioral stuff down. But that doesn’t take into account your mood, or that you haven’t been promoted in the last two years, or all that kind of stuff. And the predictive, AI stuff — what is your mindset? Did you just go through a divorce? Are you financially strapped right now? Do you have family problems, childcare, eldercare? Those things, how do you quantitate that stuff? And that’s part of the motivation process.
We have some universities that are trying to help us right now, doing the behavioral side of it, but at the end of the day, once we get that in the box — two things: How do we implement it? And then do we ensure privacy and civil liberties, and how do we still have people want to come work in the Intelligence Community even though they’re being monitored? My argument on that is, they’ll be okay with that because they’ll understand they’re not doing anything wrong. The financial disclosure we fill out now is already so intrusive.
But how do you measure the mind? I’m not sure how we get to that, if we have to get to that. But we have to look at some of the ideals of the current cases we have. We have five or six current cases in the last two years. We should be able to come up with an idea. Just like, I heard today, “Well, it’s the millennials.” No, it’s not. Look at the last seven cases, there might be two cases out of seven.
There’s no empirical evidence that they’re all, A, millennials, or B, contractors. Because they’re not. I could point you to the State Department, the CIA, the FBI. It’s just the person that day who goes bad may be a contractor or a government employee, and they’ll be more to come. You look at Hanssen, Ames, to Harold Martin to Reality to the woman from the State Department, they’re all over the map.
TCB: How do you deal with somebody who is an unwitting insider threat? Or potentially a whistleblower, rather than an insider threat? Because some people speculate that with these, some things where they might have been an actual whistleblower in the future they could instead be picked up as an insider threat — that it may make the line trickier.
Evanina: I don’t think there’s a line. Because if you decide that you have a classified document that you think is wrong, or we shouldn’t be doing it, and you, as a clearance holder, have a responsibility if you think it’s wrongdoing to go to the whistleblower protection folks. Giving it to a foreign intelligence service or to the media is never the answer.
So I don’t think there is a fine line, I think there is clearly a big ocean between the two. And there’s a constant decision to say, “I’m going to give this document to the free press.” And then the press is going to give it, unwittingly, to the Russians and the Chinese and Iranians. I don’t think people think that through. I think they say, “I’m just going to give it to WikiLeaks.”
Mackenzie Weinger is a national security reporter at The Cipher Brief. Follow her on Twitter @mweinger.
