U.S. agencies moving slowly to tighten data security, despite major leaks


By Mark Hosenball

WASHINGTON, Oct 23 (Reuters) - Despite saying they suffered major damage from classified documents made public by an Army soldier and a National Security Agency contractor, U.S. government agencies have fallen behind in installing computer software to stop such leaks, U.S. officials say.

Following the disclosure to the WikiLeaks website of hundreds of thousands of sensitive State Department cables and other documents by Army Private Bradley Manning, the White House in 2010 ordered U.S. spy agencies to install programs capable of blocking "insider threats."

Congress wrote the requirement into law in 2011.

But the intelligence agencies have already missed an Oct. 1 deadline for having the software fully in use, and are warning of further delays.

Officials responsible for tightening data security say insider threat-detection software, which logs events such as unusually large downloads of material or attempts at unauthorized access, is expensive to adopt.

It also takes up considerable computing and communications bandwidth, degrading the performance of systems on which it is installed, they said.

James Clapper, the director of national intelligence, acknowledged in closed-door briefings to U.S. lawmakers that putting detection systems in place had proved "more difficult than (intelligence agencies) thought and was taking longer than they anticipated," said a source familiar with the matter.

Reuters reported last week that the National Security Agency failed to install the most up-to-date anti-leak software at its Hawaii operations center before contractor Edward Snowden went to work there and downloaded tens of thousands of highly classified documents.

But after agencies reported they were nowhere close to meeting the Oct. 1 goal set by Congress for having the insider threat-detection systems installed and operational, Congress pushed back the deadline.

The latest law requires the agencies to have the new security measures' basic "initial operating capability" installed by this month and to have the systems fully operational by Oct. 1, 2014.

But U.S. officials acknowledged it was unlikely agencies would be able to meet even that deadline, and Congress would likely have to extend it further. One official said intelligence agencies had already asked Congress to extend the deadline beyond October 2014 but that legislators had so far refused.

A spokesman for the National Counterintelligence Executive, a division of the Office of Director of National Intelligence responsible for security policy, said ODNI was "in the process of evaluating insider-threat programs within the intelligence community."

The spokesman declined to give details of how extensively insider-threat software was operating at intelligence agencies, but insisted, "We're making good progress." He also pointed out that software programs were only one element in a broader set of measures that an insider-threat task force is developing to spot and shut off potential leaks.

Republican Representative Mike Rogers, chairman of the House Intelligence Committee, agreed. "There are other things you can do. Software in and of itself is not the only thing you have," he told Reuters.

Rogers said he believed the spy agencies would meet the October 2014 deadline. "We're not interested in a delay. We already had one delay," he said.

Officials said the amount of money already spent on installing insider threat software was classified.


Steven Aftergood, a secrecy expert with the Federation of American Scientists, said there were "lots of uncertainties" about the performance of such systems.

"The more ambitious it is, the harder it would be to engineer and to operate, particularly since (intelligence community) employees have many different degrees of authorization that would somehow need to be taken into account," Aftergood said.

"False positives - alarms or flags triggered by unusual but legitimate access and requiring investigation - could easily get out of hand," he said.

He added: "Current efforts to limit and monitor access are at odds with the post-9/11 imperative to promote information sharing, at least within the government. They haven't found the optimal balance yet."

After WikiLeaks' disclosures of documents downloaded by Manning, President Barack Obama's administration set up a task force to recommend measures to improve protection of government secrets.

One key recommendation of the task force, which was based in the White House, was that spy agencies and the Defense and State Departments should develop and install systems to detect efforts by government employees and contractors to access classified material they had no legitimate need to see.

A December 2010 White House "fact sheet" explicitly recommended that spy agencies adopt systems which "will monitor user activity on all IC (intelligence community) classified computer systems to detect unusual behavior."

It also recommended that agencies create "a fully staffed analytic capability" that would "put a human eye on the suspect activity."

Spokesmen for the White House and top U.S. intelligence agencies, including the NSA, CIA and Defense Intelligence Agency, either declined comment on the issue or did not reply to requests for comment.

Another official familiar with the systems and government-wide efforts to step up data security said some agencies had fueled paranoia and resentment among employees by setting up units designed to handle insider threats.

One of the main activities of the units, which can be staffed by contractors rather than government employees, is to receive and investigate tips from employees about allegedly suspicious behavior by other employees.

In some cases, the official said, agencies had moved more quickly to create such anti-leak squads than to install more neutral and impersonal software systems designed to detect unauthorized access attempts. That process has sometimes created resentments, often among information operations personnel who are uncomfortable about having "another group of people looking over their shoulders," the official said.
