Distinguishing between whistleblowers who want to point out and fix problems within the intelligence community and employees who want to damage national security will demand increased attention as the insider threat problem grows, experts say.
On November 30, contractors who hold facility clearances were required to have a written insider threat program in place. The change comes on the heels of NSA leaker Edward Snowden, and more recently, another government contractor named Harold Martin, who removed classified information without authorization. In such a landscape, requiring contractors to have a program to look out for an insider threat seems obvious given the valid concerns over the theft of information critical to national security — but it could prove troubling in the context of targeting whistleblowers.
With new insider threat programs in place, companies are going to “be out there looking for odd behavior and indicators, and they’re going to start to identify people who are potential whistleblowers,” James Harris, an attorney with Holland & Knight in Washington, D.C. who counsels businesses in the intelligence and defense sectors, said. “So in some sense, they may sort of beat them to the punch.”
These new programs will likely lead to cases where someone gets flagged for being an insider threat, but then the employee claims to be a whistleblower who sent anonymous reports about their concerns.
“Then you have to sort out, well, are they just making that up? How do they prove that?” Harris said. “Because the anonymous reports are probably going to the inspector general of the agency, not within the company.”
Whistleblower policy for those in the intelligence community (IC) is different than in other departments and agencies. Most government employees are covered by the Whistleblower Protection Act, which can provide protection against adverse personnel action even if someone goes to the press. But that law does not apply to intelligence community personnel or to classified information.
The protections against retaliation that do exist for the IC are found in the Intelligence Community Whistleblower Act of 1998; Presidential Policy Directive 19, signed by President Barack Obama in 2012; and the Intelligence Authorization Act for Fiscal Year of 2014. There are, however, definite limitations for those who report waste, fraud and abuse, experts note.
“Some people think that they could potentially protect against criminal liability, and it’s pretty important to make clear that that’s not the case,” Rodney Perry, an attorney with Holland & Knight in Washington, D.C., said. “What these measures protect against is sort of adverse personnel action that results from a whistleblower following the proper channels as described in each relevant piece of legislation or measure.”
Proper channels for IC workers to make protected disclosures include the person’s supervisor, up to and including the agency head, inspector generals, ombudsmen, and the Director of National Intelligence, as well as potentially the intelligence committees of Congress.
“It was sort of sotto voce indicated as a last resort you can go to Congress as well, because you can’t prevent people from going to their representatives. Congress was not the preferred option. The preferred option was to do it inside, and there’s really quite a good reason for that,” Spike Bowman, formerly deputy general counsel for national security law at the FBI and deputy of the National Counterintelligence Executive, said.
That’s because whistleblowing in the IC most likely means dealing with classified information. And ultimately, the definition of a whistleblower under current policy is narrow.
“Whistleblowing is sometimes infused with a moral judgment, but in the legal aspect, no — it must be done through proper channels and you have to blow the whistle on fraud, waste, abuse, or other illegal conduct,” a senior congressional aide who works on intelligence issues said. “We want to protect people who do blow the whistle, we rely on them, but that’s very different than leaking information because you disagree with policy or its legitimacy because it was potentially illegal.”
There is no whistleblower protection against criminal prosecution, whether the person is a government employee or a contractor, Elizabeth Goitein, who co-directs the Brennan Center for Justice's Liberty and National Security Program, said. Protection against adverse personnel actions refers to things such as firing, demoting, or pay cuts, not criminal prosecutions.
And contractors do not receive the same protections from reprisal as their government employee counterparts. PPD-19 does protect against some retaliatory personnel actions for government IC whistleblowers who report wrongdoings through approved government channels. Contractors, however, are considered exempt except for the part of the directive that states a person’s clearance cannot be removed based on whistleblowing.
And there are no protections in any law for intelligence community employees or contractors who go to the press, Perry noted.
For instance, Snowden, who leaked reportedly 200,000 classified documents to several journalists, has been called a whistleblower by some supporters, but that has been heavily contested by many in Congress, the IC, and the Obama administration.
In September, Obama’s White House Press Secretary Josh Earnest said Snowden “is not a whistleblower,” and that the former NSA contractor did not follow the designated process for would-be whistleblowers. “That is not what Mr. Snowden did, and his conduct put American lives at risk, and it risked American national security,” he said. The House Permanent Select Committee on Intelligence that month also released its assessment of Snowden after a two-year investigation, calling him not a whistleblower, but a disgruntled employee who caused “tremendous damage to national security.”
“Just from a policy point of view, putting law aside, I think it’s harder for an insider to claim the whistleblower mantle when certain factors exist – for instance, they don’t know everything they took, they publicly revealed far more than was in whistleblower bucket, they involve other actors they don’t necessarily have reason to trust, and if they haven’t tried to reach friendly audiences that are appropriately in the circle of knowledge. All those factors to me undercut the whistleblower mantle,” said a former senior national security official, who spoke on the condition of anonymity.
Despite debates over Snowden in the years since his leaks, there has been discussion of looking anew at whistleblower protection policy, particularly for contractors. For a few years, Congress included in its intelligence authorization bills statutory protections against adverse personnel actions for IC contractors who were whistleblowers, Goitein said.
“For those five years, contractors in the intel community had more protections than employees in the intelligence community did. Those were stripped out in 2012, and there’s been a battle to put them back in ever since,” she said.
But for the near future, perhaps the most crucial thing to watch for those who are concerned with the issues of insider threats, whistleblowers, and the line between the two, will be the new programs devised by government contractors.
Ideally, Harris noted, whistleblower and insider threat programs have similar goals — each is “just trying to make sure everyone is doing what they’re supposed to be doing.” But there’s undoubtedly a friction between the two, and that will be more apparent when contractors start doing incident response in connection with the new insider threat program requirement. Companies should build out a program that states clearly how indicators will be analyzed and responded to, according to Harris.
“Within reason, [the contractor needs to] be able to say these are the standards, these are the behaviors, and once we get this combination or some rough equivalent of that, we’re going to respond in a consistent way,” he said. “So if you do get charged with a retaliation claim or whatever, you at least have some defense, like this is our policy and at least we’re consistently making it effective.”
The training on spotting insider threats and how to report them must also be matched by similar training on the whistleblower process, Harris said. It’s important for contractors to encourage their employees with legitimate issues to go through the designated process and properly inform them on what each step involves — if not, that’s where a person can move from being a whistleblower to an insider threat.
“Once they step out of that process and get in this paranoid state, and they don’t trust the system or the anonymous hotlines, and then they start stealing a bunch of data out of your organization, then they are an insider threat problem, and there’s no defense to that other than in the court of public opinion,” Harris said.
“You can’t take classified information out of there because you don’t trust the system. I think it would be a good idea to train on both and try to educate people on how they work together, and they need to not step out of bounds on either one, or that’s where they’re going to run into some trouble,” he added.
A whistleblower is “supposed to be pointing out stuff that’s illegal – not just stuff you disagree with,” former CIA and NSA director General Michael Hayden noted. “My great complaint is that the label gets thrown on a whole bunch of people who don’t meet the definition.”
Trying to protect against the insider threat “is really hard to do, and you always run the risk of creating more ill effects than good effects when you try to go after” the problem, he said. The “really destructive aspect” of people such as Snowden or others who adopt the whistleblower mantle without adhering to the definition, is that “the bureaucracy responds like bureaucracies do,” according to Hayden.
“They overcompensate, and you run the risk of creating a chilled atmosphere inside organizations who can only do their job in an internal atmosphere of trust. So they’re doubly destructive – not just the information that bleeds out, but the wreckage that’s left behind as the bureaucracy, and I’m not using bureaucracy in a kind way here, tries to cope,” he said.
Mackenzie Weinger is a national security reporter at The Cipher Brief. Follow her on Twitter @mweinger.
Follow @TheCipherBrief on Twitter for exclusive #InsiderThreat coverage.
