Insider threats add pressure for real-time fixes to workforce risks
- By Brian Robinson
- Apr 23, 2014
With the problems of insider security threats clearly shown by the Snowden NSA surveillance revelations and earlier Wikileaks’ dump of sensitive government documents, agencies are being pushed to institute more continuous scanning and evaluation of cleared workers. The problem is how to improve that process.
One of the main reasons for these insider threats, many in government believe, is that the process used to check security clearances for people who work in government is inadequate. The need for faster clearances in general was a focus of the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), and specific proposals for IT solutions that would leverage modern tools and technology were made to the Bush administration in 2008.
However, the havoc caused in government by the Snowden and Wikileaks affairs, and the potential threat from other insiders who have nevertheless passed clearance checks, has ratcheted the urgency for a near-real-time solution even higher.
One answer is for government organizations to build their own evaluation systems. U.S. intelligence agencies said in March that they are planning to put just such a system in place later this year at certain agencies. It’s based on the Defense Department’s Automated Continuing Evaluation System (ACES), which has been in development of for a number of years.
Database giant LexisNexis believes a solution it already has, based on a proprietary engine used to drive its identity management and fraud detection products, could be applied to the insider problems the government is now trying to resolve.
The way the government clearance process works, said Steve Nguyen, vice president of LexisNexis Special Services, Inc., is that much of the data in both new and repeat investigations comes from self-reported data. The LexisNexis system uses publicly available data to automatically check a person’s status.
“We pull information from over 38,000 sources, plus we have dozens of partnerships with other vendors who also provide us with data,” he said. “We’ll check to make sure the employee’s self-reported data is correct, and then we’ll apply a data analytics model to establish the person’s risk score to see if they should get a second look from clearance authorities.”
Traditionally, agencies have waited for any adverse information to “bubble up” through random sampling, he said. Instead, the LexisNexis approach continually evaluates an employee’s public data and, using data analytics, isolates anything that raises a flag and pushes that information to the person’s government employer.
The flag could be raised over DUIs, which could create a criminal record, or over bankruptcies and other events that change an employee’s financial status. If any of that contravenes agency guidelines about clearances, a flag is sent. The system can also produce a numerical risk score for individuals.
Each agency does clearances in different ways and emphasizes different requirements, which the LexisNexis system will also account for, Nguyen said. An agency director who has a high-level clearance will need to be evaluated more closely than other people lower down the ladder, he said, but categories such as janitorial staff, who have access to many different places in an agency, may also need to be scrutinized at the same level as the director.
Except for information gleaned from social media, which Nguyen said most people understand is not necessarily the most accurate, the company assures customers of a 99.99 percent confidence level that the data it uses for its analysis belongs to the person being evaluated — and is correct.
The LexisNexis output can be delivered in several ways, through popup windows in existing agency case management and security systems or through the company’s own dashboards, which can show where in the agency flags occur.
The dashboards can also provide charts and bar graphs for how many employees have liens against them, the high and average risk scores for cleared employees and how those scores have changed, and then it can drill down for more details.
Many government agencies are already using bits and pieces of the LexisNexis solution, Nguyen said, and the company’s intention now is to present a more holistic version of what that solution provides. The problem is that there’s little of a specific return on investment for this that can be shown to potential users. However, the value pitch — that agencies who use the solution can quickly identify at risk employees — is one he feels is particularly attractive right now.
Brian Robinson is a freelance technology writer for GCN.