US agencies moving slowly to tighten data security, despite major leaks

Despite saying they suffered major damage from classified documents made public by an Army soldier and a National Security Agency contractor, U.S. government agencies have fallen behind in installing computer software to stop such leaks, U.S. officials say.

Following the disclosure to the WikiLeaks website of hundreds of thousands of sensitive State Department cables and other documents by Army Private Bradley Manning, the White House in 2010 ordered U.S. spy agencies to install programs capable of blocking “insider threats.” Congress wrote the requirement into law in 2011. But the intelligence agencies have already missed an October 1 deadline for having the software fully in use, and are warning of further delays.

Agencies moving slowly

Officials responsible for tightening data security say insider threat-detection software, which logs events such as unusually large downloads of material or attempts at unauthorized access, is expensive to adopt. It also takes up considerable computing and communications bandwidth, degrading the performance of systems on which it is installed, they said.

James Clapper, the director of national intelligence, acknowledged in closed-door briefings to U.S. lawmakers that putting detection systems in place had proved “more difficult than (intelligence agencies) thought and was taking longer than they anticipated,” said a source familiar with the matter.

More from News & Analysis

What is the US HIRE Bill and why is India’s $250-billion IT sector worried? Is the internet dead? What's this theory that OpenAI's Sam Altman says might be true?

Reuters reported last week that the National Security Agency failed to install the most up-to-date anti-leak software at its Hawaii operations center before contractor Edward Snowden went to work there and downloaded tens of thousands of highly classified documents. But after agencies reported they were nowhere close to meeting the October 1 goal set by Congress for having the insider threat-detections systems installed and operational, Congress pushed back the deadline.

The latest law requires the agencies to have the new security measures’ basic “initial operating capability” installed by this month and to have the systems fully operational by October 1, 2014. But U.S. officials acknowledged it was unlikely agencies would be able to meet even that deadline, and Congress would likely have to extend it further. One official said intelligence agencies had already asked Congress to extend the deadline beyond October 2014 but that legislators had so far refused.

A spokesman for the National Counterintelligence Executive, a division of the Office of Director of National Intelligence responsible for security policy, said ODNI was “in the process of evaluating insider-threat programs within the intelligence community.” The spokesman declined to give details of how extensively insider-threat software was operating at intelligence agencies, but insisted, “We’re making good progress.” He also pointed out that software programs were only one element in a broader set of measures that an insider-threat task force is developing to spot and shut off potential leaks.

Republican Representative Mike Rogers, chairman of the House Intelligence Committee, agreed. “There are other things you can do. Software in and of itself is not the only thing you have,” he told Reuters. Rogers said he believed the spy agencies would meet the October 2014 deadline. “We’re not interested in a delay. We already had one delay,” he said. Officials said the amount of money already spent on installing insider threat software was classified.

Steven Aftergood, a secrecy expert with the Federation of American Scientists, said there were “lots of uncertainties” about the performance of such systems. “The more ambitious it is, the harder it would be to engineer and to operate, particularly since (intelligence community) employees have many different degrees of authorization that would somehow need to be taken into account,” Aftergood said. “False positives - alarms or flags triggered by unusual but legitimate access and requiring investigation - could easily get out of hand,” he said.

He added: “Current efforts to limit and monitor access are at odds with the post-9/11 imperative to promote information sharing, at least within the government. They haven’t found the optimal balance yet.” After WikiLeaks’ disclosures of documents downloaded by Manning, President Barack Obama’s administration set up a task force to recommend measures to improve protection of government secrets.

One key recommendation of the task force, which was based in the White House, was that spy agencies and the Defense and State Departments should develop and install systems to detect efforts by government employees and contractors to access classified material they had no legitimate need to see. A December 2010 White House “fact sheet” explicitly recommended that spy agencies adopt systems which “will monitor user activity on all IC (intelligence community) classified computer systems to detect unusual behavior.”

It also recommended that agencies create “a fully staffed analytic capability” that would “put a human eye on the suspect activity.” Spokesmen for the White House and top U.S. intelligence agencies, including the NSA, CIA and Defense Intelligence Agency, either declined comment on the issue or did not reply to requests for comment.

Another official familiar with the systems and government-wide efforts to step up data security said some agencies had fueled paranoia and resentment among employees by setting up units designed to handle insider threats. One of the main activities of the units, which can be staffed by contractors rather than government employees, is to receive and investigate tips from employees about allegedly suspicious behavior by other employees.

In some cases, the official said, agencies had moved more quickly to create such anti-leak squads than to install more neutral and impersonal software systems designed to detect unauthorized access attempts. That process has sometimes created resentments, often among information operations personnel who are uncomfortable about having “another group of people looking over their shoulders,” the official said.

Reuters