29 April 2023

The Government has an Espionage Problem. Open Source should be part of the Solution.

BRIAN DRAKE

OPINION — The unauthorized release of classified information and the subsequent arrest of Jack Teixeira has raised important questions. Why does the Air National Guard have staff with Top Secret clearances? If he is found guilty, was Teixeira’s ego really the cause of the leak? And what can be done about preventing these leaks in the future?

While these are all good questions, they do not address the central flaw in the American security apparatus: The U.S. government is not assessing security risk with the right data sources at scale.

Today, the security vetting process involves filling out a lengthy form, a series of suitability interviews, a credit check, and, for certain clearance types, a polygraph. Prior to 2008, every employee was reinvestigated every five to ten years. Now, under the Continuous Evaluation Program (CEP), the government performs a thorough background check once and then relies on automated ingests of terrorism watch lists, foreign travel records, financial, criminal, credit, and public records, and prior clearance eligibility determinations. All of this data is then reviewed manually by threat analysts across the constellation of national security agencies.

There are two problems with the design of this system.

First, the CEP's data sources are necessary, but not sufficient, to detect insider threat activity. Today's insider threats broadcast their aims on anonymous discussion forums on the deep and dark web, build fake social media personas, and use encrypted communication platforms to complete clandestine information transfers. Unlike the spies of old, their payment preferences rely on secrecy rather than the formal banking system. Also unlike their predecessors, these insiders want to be found, whether by adoring audiences, paying foreign intelligence services, criminal enterprises, or corporate espionage agents. These are known threat venues, and they are not considered worthy of ingestion by the CEP.

Second, it is unrealistic to expect analysts to go through this volume of information with enough fidelity to detect actionable threats. In response to the CEP's overwhelming amount of information, most agencies rely on tips and on activity-based monitoring of government networks only. Our most famous spies, Robert Hanssen, Aldrich Ames, and Ana Montes, did not communicate with their handlers on government systems, and neither do today's spies. The government is experiencing decision paralysis because the size of the open source challenge is daunting, and with 3 million people holding some level of clearance, agencies see their familiar manual review processes failing.


Some have argued that widening the detection net would impinge on civil liberties and privacy. We must be clear-eyed on this point. Holding a security clearance is a privilege, not a right. It is also a condition of employment. Every security clearance holder consents to having their life constantly and closely examined. Moreover, with the creation of the CEP, the government is empowered to scrutinize every element of personnel security risk. Now, with the arrest of Mr. Teixeira, we must acknowledge the imperative to evaluate the rich mosaic of open data and communications from people in positions of trust.

Congress should legislate the inclusion of open sources in the CEP, reduce the federal government's reliance on cleared positions by emphasizing open source intelligence, and apply artificial intelligence (AI) tools to the mass data curation and analysis challenge.

First, as argued by others, an agency, separate from the Intelligence Community, with a laser-like focus on open source analysis cures many ills. If the agency included an open source insider threat detection program, it could look beyond “perimeter security” and more toward the dark corners of the Internet where insiders thrive.

Second, this agency can reduce the cleared-person attack surface by shifting missions toward open source intelligence. The Massachusetts Air National Guard cleared Mr. Teixeira because the systems that support our military personnel are grounded in classified processing. The open source information environment offers capabilities that rival or exceed many national technical means. It is beyond time to jettison our dependence on over-classified products and drive down demand for cleared personnel.


Lastly, true continuous and comprehensive security clearance evaluation demands the application of AI. Manual processes have limits. Three million cleared people have families and friends, have lived in different places, have traveled to foreign countries, and have used multiple active Internet devices over the years. These all represent risk vectors that cannot be ignored, and given the government's existing clearance backlog, it is time to adopt AI-powered analytics that can identify aberrant behavior at scale. Not adopting AI for the background check and insider threat detection missions admits defeat and makes future leaks more likely.

We owe assurances to trusted employees that the person sitting next to them is not working for our adversaries or seeking fleeting fame on a fanboy website. It would be irresponsible to continue resourcing a system designed to examine sub-optimal data at sub-optimal scales.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
