I Ran Intel at the Pentagon. Here’s My Advice on Insider Threats

After last week’s posting by WikiLeaks of thousands of pages of information purported to describe cyber intelligence-gathering tools, I have been thinking about how the director of national intelligence and the secretary of defense should respond.  

I recently stepped down after eight years at the Pentagon, where I last served as the top civilian intelligence advisor to Secretary of Defense Ash Carter and the top defense advisor to Director of National Intelligence James Clapper. Our time was often dominated by managing responses to a series of devastating security breaches at the hands of trusted insiders, including releases of sensitive data, espionage incidents, and tragedies on government installations, including at Fort Hood and the Washington Navy Yard.  

If I were still in government, this is what I would be telling my two bosses.

First, as chief executive officers, you should insist on finding new ways to thwart insider threats. You have only enough bandwidth for a small number of priorities, but this should be one of them. We must transform our security approaches to protect against cyber-hacking, espionage, and insider threats if we’re going to preserve our national security advantages. We expend great cost and effort to build precious military and intelligence advantages for America over our adversaries. Time after time, these advantages have evaporated when the blueprints or secret know-how have been stolen by our adversaries or revealed publicly by the likes of WikiLeaks. Every time you consider investing in a new capability or technological advantage, ask your team to also show you how it will be protected against adversaries who want to steal, copy, or reveal it. And hold one member of your senior team accountable for ensuring there is a comprehensive, enterprise-wide strategy in place.

Second, satisfy yourself that privacy and civil liberties protections are strong. Ensure you are personally confident you can reassure the American public that cyber and intelligence tools used by the military and the intelligence community are used to protect them, with appropriate privacy and civil liberties protections in place. I am confident this is the case, but you should be too. So take a fresh look at this with your technical experts and lawyers, make your own judgments, and share with the American people your assessment, frequently and loudly.

Third, you should invest heavily in modernizing and hardening our information technology infrastructure. As we move more information technology systems into cloud architectures, not only are we seeing greater operational gains that help our warfighters and our intelligence officers, but also security is improving as we can more rapidly deploy new protections across the full network, improve our ability to tag sensitive data and content, automate access by need to know, and track that access. Rapid changes in the application of data science, to include promising advances in artificial intelligence and deep machine learning, will enhance our ability to hunt for anomalous or alarming behavior while further limiting the impacts on those in our community who are doing nothing wrong and focused on the mission.

Fourth, you must transform our personnel security clearance system. For decades, we have relied on managing our personnel reliability risks through human-intensive background investigations conducted every five or 10 years, based upon a lengthy form — the Standard Form-86 — filled out by the individual. This system has failed to catch insider threats who have done great harm. At the same time, it drives tremendous waste and inefficiency into managing our cleared workforce across government and the defense industry. For example, a current backlog of more than half a million individuals awaits the completion of background investigations in order to be able to put their skills and talents to work for the national security. Insist that we move expeditiously to a system that relies less on manual background investigations and increasingly on automated records checks, continuous evaluation, and artificial intelligence-enabled data analytics to monitor the reliability of people who hold classified security clearances and access our facilities across government and industry.

Finally, keep asking for help from industry and technology leaders and other key stakeholders outside of government. In my experience, most corporate leaders want to help make government more effective and want to find ways to contribute to the national security. A dialogue at the CEO level can help catalyze creative partnerships to find those solutions.

A breach such as last week’s release to WikiLeaks can gravely weaken national security; the response to it is deserving of the attention of our nation’s most senior leaders. As we seek innovation in military and intelligence capabilities to build an edge over our adversaries, we need in parallel to innovate in our protections against insider threats — to protect our people and our national security advantages from devastating security breaches.