DHS expands insider threat program
The Department of Homeland Security is expanding its insider threat program (ITP) to go beyond scrutinizing individuals with access to classified materials to encompass "all those with past or current access to DHS facilities, information, equipment, networks, or systems," according to a Privacy Impact Assessment dated June 16.
When the ITP was originally set up in 2011 through an executive order, it required agencies that operate or access classified computer networks to implement an insider threat detection and prevention program that would safeguard classified national security information.
The effort was expanded in January 2017 to focus on threats posed by all individuals who have or had access to DHS facilities, information, equipment, networks or systems, essentially identifying a new category of insider threat outside the classified environment.
The new impact statement, which accounts for ITP’s expanded scope, says that DHS’ data collection efforts will now include employment and performance information, personnel files, clearance status and more. That information can be collected from any DHS component agency, program, record or source, or it can be lawfully obtained from other domestic or foreign governments or from the private sector.
The data collected includes records from “information security, personnel security and systems security for both internal and external security threats,” the assessment says, as well as “current employment and performance information, contract information, personnel files containing information about misconduct and adverse actions, and current and former security clearance status.”
DHS says it is using a “person-centric tool” that will alert it to a potential insider threat that can be investigated by the Insider Threat Operations Center. The privacy risk comes from the fact that the behavioral indicators used to flag cases for additional analysis -- which are based on historical trends and specific conduct -- were created for a smaller population and do not account for the expanded scope of the insider threat program, the assessment states. Other privacy risks could result from the data becoming outdated, subjects being unaware that their activity is being monitored, the data being used for purposes beyond the insider threat program and officials reviewing data that is not relevant to insider threats.
The document does not specify what threat-related activities might include, saying only that they “include those posed by insiders with and without security clearances engaging in activities that have no nexus to unauthorized disclosure of classified information.”