THE USE OF PUBLICLY AVAILABLE ELECTRONIC INFORMATION FOR INSIDER THREAT MONITORING

INTELLIGENCE AND NATIONAL SECURITY ALLIANCEInsider Threat Subcommittee

January 2019

C O N T E N T S

01 EXECUTIVE SUMMARY

03 BACKGROUND

05 TYPES OF PAEI & POTENTIAL VALUE

05 Social Media

05 Information Regarding Financial Health

06 Law Enforcement and Court Records

06 Travel

07 Civic Activity

07 Dark Web

12 CONCLUSIONS

08 CONSIDERATIONS & RECOMMENDATIONS

08 Federal Government

09 Private Organizations

09 Recommendations

09 1. Ensure leadership support

09 2. Defineandcommunicate internalpolicies

10 3. Determinelegalconstraints

10 4. Identify relevant informationsources

10 5. EstablishpoliciesforuseofPAEI

11 6. Assesstimeliness,credibility andaccuracyofPAEI

11 7. Determinehowtoefficiently processPAEIdata

11 8. Ensure validity of data

11 9. Adapttochangesindata availabilityandevolving socialmores

INSA SUPPORTS A HEALTHY PLANETINSAWhitePapersareprintedonrecycledpaperthatis50%recycledcontentincluding25%post consumerwaste.

THEUSEOFPUBLICLYAVAILABLEELECTRONICINFORMATIONFORINSIDERTHREATMONITORING| 1

EXECUTIVESUMMARYPubliclyavailableelectronicinformation(PAEI)–definedasinformationthatisavailabletothepubliconanelectronicplatformsuchasawebsite,socialmedia,ordatabase(whetherforafeeornot)–canprovideinsightintoanindividual’sperceptions,plans,intentions,associations,andactions.ProperuseofPAEIcanhelpemployersexamine,onacontinualbasis,whetheranemployeeposesapotentialthreattotheorganization’sinformation,assets,people,orfacilities,aswellastothemselves.ContinuousevaluationofPAEIisespeciallyvaluableforassessingemployeesworkingwithinthegrowing“perimeter-lessworkspace”(atclientlocations,athomeorfromtheroad)whereabnormaloratypicalbehavior–both in-person andon anorganization’s networks –maybe less visible tocolleaguesandmanagers.PAEIcanalsobeusedtoinitiateorprovidecontexttoaninternalinvestigationintoinsiderthreats.

As the U.S. Government overhauls its security clearance process, it mustdecidewhatkindsofpubliclyavailableinformationtouseandhowtoapplyittoassessacandidate’strustworthiness.Todoso,itmustdeterminewhatinformationconstructivelyinformsariskassessment,whattypesofinformationareappropriatetouse,andhowtousesuchinformationtomakebothinitialandongoingassessmentsoftherisksposedbyindividualemployees.

TheDirectorofNationalIntelligence(DNI),inhis/herroleasthegovernment’sSecurityExecutiveAgent,mustworkwiththeDefenseDepartment,which isassuming government-wide investigation and adjudication responsibilities,todevelopa single legal interpretationofwhatPAEImaybe collectedandanalyzedandtodeveloppoliciesforhowitmaybeusedforsecurity-relatedpersonneldeterminations.1AgovernmentdecisionregardingtheuseofPAEIforpersonnelsecurityandinsiderthreatpurposeswillsetthestandardfortheuseofsuchinformationbyorganizationsinboththepublicandprivatesectors.

1 While PAEI is used to inform security clearance determinations, it is also used for less intrusive but more widespread public trust determinations. Public trust assessments, which are undertaken by (or under the auspices of) the U.S. Office of Personnel Management, examine whether a potential employee is suitable for a position that is sensitive or that requires a high degree of integrity but that does not require a security clearance for access to classified information. Examples include public safety and health workers, officials entrusted with financial matters, or officials with access to sensitive data or information systems. Because a large percentage of investigative resources are dedicated to public trust assessments rather than security clearances, enrolling public trust employees in continuous evaluation programs that draw on PAEI would likely enable investigative resources to be devoted to higher priority or more challenging cases. This paper, however, focuses solely on the use of PAEI for the investigation and continuous evaluation of personnel with security clearances.

2 |IntelligenceandNationalSecurityAlliance|www.INSAonline.org

ThetypesofPAEIthatcouldbeexaminedareextremelyvaried.Somedata–suchasarrestandconvictionrecords–arewidelyavailabletothepublicandwouldseemtohave a direct bearing onwhether someone is likely toobey laws and follow regulations in the future. Somedata – such as credit reports – may be available onlythroughcommercialpurchaseandmayhave theabilitytoindicate,butnotdemonstrate,potentialrisk.Yetothertypes of information – such as personal commentariesandphotospostedonsocialmedia–mayrequiresomeeffort to locate,correlate lessdirectly to thedegreeofrisk the subject poses in aworkplace, andbe seen byemployees as inherently “private” and thus as overlyintrusiveforanemployertocollect.

ThefollowingquestionsmayhelpbothpublicandprivatesectorleadersdeterminehowtheirorganizationsshouldusePAEIforpersonnelevaluations:

• Canthedatacanbelegallycollectedandassessed?

• Istheorganizationanditsleadershipcomfortableusingthedata?

• WhatwillbetheimpactofusingPAEIonorganizationalcultureandemployeemorale?ArecertaintypesofPAEI(suchassocialmediaposts)consideredmore“personal”thanothers(suchascreditreports)?

• Whatinternalpoliciesmustbeimplementedbeforeusingthedata?

• Whatdatacanreliablycontributetoananalysisofinsiderthreatrisks?

• Whatistheintegrity,timeliness,andaccuracyof thedata?

• Howcanthedatabeefficientlyprocessedandanalyzed?

While addressing these questions, the followingemployeeprotectionmeasurescanprovideconfidencefor organizations considering PAEI as an insider threatresource:

• PAEIcollectionandanalysisshouldbegovernedbywrittenpoliciesthatareclearlycommunicatedtotheworkforce.

• Toensuremaximumrespectforemployees’privacy,onlyPAEIthatisrelevantandusefulforassessingthreatstotheorganization,itspeople,itsinformation,anditsfacilitiesshouldbecollectedandanalyzed.

• Exceptwhennecessarytothwartpotentialimminentthreats,PAEIshouldnotbethesoledeterminantfordecision-makingoraction;itmustbeconsideredandanalyzedinabroadercontext.

• Organizationsshouldinstitutedatavalidationprocessestoensurethatoutsidedataisreliableandattributedtothecorrectemployee.

• Organizations’considerationofPAEIshouldevolvealongwithchangesinsocialmores,legalstandards,andexpectationsofprivacy.

Proper usage of PAEI can help managers identify insider threat behavior before a harmful action is taken. Indeed, refusal or failure to consult PAEI could render an organization vulnerable to avoidable risks.

THEUSEOFPUBLICLYAVAILABLEELECTRONICINFORMATIONFORINSIDERTHREATMONITORING| 3

2 In December 2015, INSA’s Insider Threat Subcommittee developed a comprehensive definition of insider threat that was briefed to, and accepted by, the directors of the Defense Security Service (DSS) and the National Counterintelligence and Security Center in the Office of the Director of National Intelligence (ODNI/NCSC). INSA’s definition is as follows: “The threat presented by a person who has, or once had, authorized access to information, facilities, networks, people, or resources; and who wittingly, or unwittingly, commits: acts in contravention of law or policy that resulted in, or might result in, harm through the loss or degradation of government or company information, resources, or capabilities; or destructive acts, to include physical harm to others in the workplace.” See INSA, “Explanation of INSA-Developed Insider Threat Definition,” December 2015. At https://www.insaonline.org/explanation-of-insa-insider-threat-definition/.

BACKGROUNDAninsiderthreatisthehazardposedbyanindividualwhomayabusehis/herauthorizedaccess to informationor facilities toharmanorganizationor itsemployees.2Suchindividualsgenerally(butnotalways)actwittinglyandwithmalicious intent.Theycan inflictharmthrougharangeofactivities,suchascommittingespionage,leakingclassifiedorsensitiveinformation,sabotagingworkproductsorcomputernetworks,orcommittingactsofviolence in theworkplace.

Many organizations have insider threat programs that monitor employees’activitiestoidentifyriskybehavior–ideallybeforeanat-riskemployeecausesanydamage.ProperusageofPubliclyAvailableElectronicInformation(PAEI)canhelpmanagersidentifyinsiderthreatbehaviorbeforeaharmfulactionistaken.Indeed,refusalorfailuretoconsultPAEIcouldrenderanorganizationvulnerabletoavoidablerisks.Notethatwithinthecontextofaninsiderthreatprogramorinvestigation,PAEIencompassesinformationthatisavailabletothepublic–whether fora feeornot–onanelectronicplatformsuchasawebsite, socialmedia application,ordatabase. Itdoesnot includedataoractivities within an employer’s internal network, which is by its nature notpubliclyavailableandwhichmanyemployersroutinelyassessforinsiderthreatpurposes.Onceconsideredadesirablebutoptionalelementofinsiderthreatprograms,PAEIisnowconsideredacriticalresource.

Theproliferationofdigitalinformationoverthelasttwodecadeshaspromptedthischange.Theincreasinguseofonlinetoolsandnear-omnipresenthandhelddevices–which,withusers’consent,collectandreportdataon individuals’activities–hasledcompaniestocompilesuchinformationintodatabasesthatcanprovidedetailedpersonal,financial, andprofessionalprofilesofalmostany individual. Furthermore,dramatic technological advanceshaveallowedinstantaneousglobalcommunicationthroughdiscussionforums,socialmedia,and online publishing platforms. Younger generations, known as “digitalnatives”forhavingneverlivedwithoutadvancedelectronicdevicesandtheInternet,conductmuchoftheirlivesincyberspace,tendingtousesocialmediaandpublicforumsastheirfirstchoiceforself-expression.Theyalsotendtosharefarmoreonline,providingvaluableinsightintotheirperceptions,plansand intentions.

4 |IntelligenceandNationalSecurityAlliance|www.INSAonline.org

Theavailabilityofmassivegovernmentalandcommercialdatabases – some compiledby commercial firms for afee, and others posted online for free –means that awide range of information about individuals’ personal,financial, and professional behavior can be consultedeasily. This data can inform security assessments inmultipleways, startingwith pre-employment screeningand continuing through data collection in thewake ofa security incident. Inbetween, itaddscritical value tosystemsthatcontinuouslyevaluateemployees’behavioragainst tripwires that could indicate malicious activity(by reflecting anomalous behavior) or by identifyingantagonisticactionsoracrimoniousopinionsthatcouldbeprecursorstomaliciousacts.

The wide spread use of social media for personalexpressionandcommunicationmeanspeoplearemorelikely to use these outlets to voice their hostility, angeror plans for malicious or violent activity. Indeed, ratherthan confide in a close friend or coworker, disgruntledindividualsaremorelikelytoexpressthemselvesontheseplatforms, where they can find sympathetic ears and“likes”andhidebehindacloakofanonymity.

Manygovernmentemployeeswhoengaged in criminalorviolentbehaviorhadexhibitedindicatorsofnefariousactivity prior to their ultimate discovery, whether bypostinganti-governmentorviolentsentimentsonsocialmedia, getting arrested, or engaging in suspiciousfinancialactivities,allofwhichwouldhavebeenrevealedinpublicrecordsdata.Troubledemployeeswhotippedtheir hand through such behavioral indicators includeNSAhoarderHaroldThomasMartin,whowasarrestedfordrunkendriving,chargedwithmisdemeanorharassment,andhada lienplacedonhishouse for14yearsduetounpaidtaxes,3andWashingtonNavyYardshooterAaronAlexis,whohadbeenarrestedmultipletimesbothbeforeandafterenlistingintheNavy.4

Given the clear applicability of PAEI to employeebackgroundinvestigationsandinsiderthreatassessments,both the Department of Defense and the IntelligenceCommunitydecidedtodrawonPAEIfortheircontinuousevaluation (CE) programs. However, agencies remainundecidedonwhatPAEIsources theywilluseandhowtheywillapplytheinformation.Asaresult,asbothDODandtheODNIrollouttheirrespectiveCEprograms,theIntelligenceandDefensecommunitiesareusingdifferentsourcesofinformationtomakeclearancedeterminationsforemployeeswhomayworkinbothrealms.

The use of PAEI has contributed to the reduction ofanenormousbacklogof security clearance cases thatreached 725,000 people in June 2018.5 Furthermore,the incorporation of PAEI into CE programs couldboth reduce (oreveneliminate) theneed forperiodicreinvestigations of employees at five- or ten-yearintervals and mitigate risks by identifying potentiallyconcerningbehaviorinnear-realtime.

As theU.S.Government reforms its securityclearanceprocess, itmustaddress theuseofPAEI–particularlyemployees’ social media accounts and commerciallyavailabledatabases–forpersonnelsecurityandinsiderthreat purposes.

3 Scott Shane and Jo Becker, “N.S.A. Appears to Have Missed ‘Big Red Flags’ in Suspect’s Behavior,” New York Times, October 29, 2016. At https://www.nytimes.com/2016/10/30/us/harold-martin-nsa.html. 4 Tom Vanden Brook, “Report: Concerns About Navy Yard Shooter Never Reported,” USA Today, March 18, 2014. At https://www.usatoday.com/story/news/nation/2014/03/18/navy-yard-shooter-called-insider-threat/6558373/. 5 Office of Management and Budget (OMB), Performance Accountability Council (PAC), “Security Clearance, Suitability/Fitness, and Credentialing Reform,” FY2018 3rd Quarter Update, slide 5. At https://www.performance.gov/CAP/action_plans/FY2018_Q3_Security_Suitability.pdf.

THEUSEOFPUBLICLYAVAILABLEELECTRONICINFORMATIONFORINSIDERTHREATMONITORING| 5

6 Mary Madden and Lee Raine, “Americans’ Attitudes About Privacy, Security and Surveillance,” Pew Research Center, May 20, 2015. At http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/. 7 Chris Kahan and David Ingram, “Three-Quarters Facebook Users as Active or More Since Privacy Scandal: Reuters/Ipsos Poll,” Reuters, May 6, 2018. At https://www.reuters.com/article/us-facebook-privacy-poll/three-quarters-facebook-users-as-active-or-more-since-privacy-scandal-reuters-ipsos-poll-idUSKBN1I7081.8Tim Weiner, “Why I Spied: Aldrich Ames,” New York Times, July 31, 1994. At https://www.nytimes.com/1994/07/31/magazine/why-i-spied-aldrich-ames.html.

TYPESOFPAEI& POTENTIALVALUE

S O C I A L M E D I A

SocialmediaisthemostprevalenttypeofPAEI,andinmanycasesthemosttelling of an individual’s state of mind. A person’s postings to Facebook,Twitter,Instagram,YouTube,LinkedIn,andotheronlinepublishingplatformsmayreflectunusuallynegative(andevenviolent)sentimentstowardhisorheremployer,colleagues,publicfigures,familymembersandformerpartners.Itmayalsorevealdisturbingorevenillegalbehavior,suchasserialdrunkennessordruguse.Socialmediapostscanalso,however,revealpersonalcommentsor behavior that aremerely embarrassing and shed no light on a person’sfitnessforservice.

Becauseof thewide rangeofpersonal thoughts andactivities thatpeopleshare on social media, many employees may consider monitoring of theirsocialmediaoverlyintrusive.Despitethepublicnatureofsocialmediasitesandthefailurebymanyuserstomakeuseofavailableaccesscontrols,manyAmericans feel that their socialmediaandbroaderonlineactivitydeservessomemeasureofprivacyprotection.Yetbyfailingtomakeuseofavailableprivacysettingsonmanysocialmediaplatformsandwebsites,manypeoplemaketheironlineactivitiespubliclyvisible.Whilea2015Pewpollindicatedthat55percentofAmericansbelievetheyshouldhavetheabilitytousetheInternetcompletelyanonymously,6anApril2018Reuters/Ipsospollindicatedthat 45percentof Twitter users and 40percentof Instagramusersdidnotknowwhattheirprivacysettingswere.7

I N F O R M AT I O N R E G A R D I N G F I N A N C I A L H E A LT H

Bankruptcies,creditreports,bankdata,taxreports,andsimilardocumentationmay indicate sudden changes in financial health, including unexplainedaffluenceorfinancialdifficulties.Excessivedebt, includingneworespeciallydirecircumstances,andhabitsoflivingbeyondone’smeanscouldleadatrustedemployeetosellclassified,sensitive,orprivilegedinformation.CIAturncoatAldrichAmes, for example, citedmoney as oneof his primarymotivationsforspyingfortheSovietUnion.8Informationonemployees’financesiseasilyavailablethroughcreditchecks.Indeed,informationgatheredundertheFairCredit Reporting Act (FCRA) has enabled employers to gain legal accesstodataaboutanemployee’sfiscalhealthearlierthanwouldbepossiblebypublicrecordsalone.

6 |IntelligenceandNationalSecurityAlliance|www.INSAonline.org

L AW E N F O R C E M E N T A N D C O U R T R E C O R D S

Documented insider threat incidents suggest a persondoesnotdecide to commit a crimeatworkovernight;rather, indicators frequently mount leading up to theincident.Lawenforcementandcourt recordscanbringsuchturmoilinanemployee’slifetolight.Investigations,arrests,convictions,civilsuits,andprotectiveordersmayindicate unpredictability, volatility, strained personalrelations,addiction,and/oraninabilitytofollowlawsandestablished procedures. Law enforcement involvementin an employee’s life can also reflect drug, alcohol,sexual and psychological problems. When viewed inthe aggregate, independent events may indicate theemployee needs help and/or to be removed from aposition of trust.

Unfortunately,policeandcourtrecordsarenotuniversallyavailable,noraretheyconsistentnationwide.Suchdataisstoredbyawiderangeoflawenforcementandjudicialinformationentitiesatthefederal,state,municipal,andtribal levels, each of which has different standards forcompiling, reporting, and disseminating their records.Somejurisdictionsupdatetheirdatamorefrequentlythanothers,makingitpossibletodevelopanoverconfidencethatelectronicdatausedbyCEprogramsisalwayscurrentanduptodate.TheCEmethodologiesemployedbytheIntelligenceCommunityandDefenseDepartmentmustaccountforthedisparityintheavailabilityandtimelinessoflawenforcementdata.

T R AV E L

Travel information, particularly undisclosed visits toforeigncountries,isextremelypertinenttoinsiderthreatinvestigations. Individuals who commit espionage onbehalfofforeigngovernmentsoftentraveloutsideoftheU.S.clandestinelyorwithoutreportingit,eithertoreceiveinstructionsortrainingortodeliversensitiveinformation.DIAanalystAnaMontes,whospiedforCuba,repeatedlytraveled clandestinely to Cuba.9 Aldrich Amesmet hisSoviet handlers in Bogota, Caracas, and Vienna,10 and State Department diplomat Felix Bloch met with hisSoviethandlersinParis,Brussels,andVienna(oftenwhileon official travel).11 Chinese security services routinelyinviteprivatesectorexpertsinsensitivetechnologiestomeetingsor conferences inChina,atwhich they solicitproprietaryinformationandattempttorecruitthevisitorsas spies.12

Federal government employees and contractors withsecurityclearancesarerequiredtoreportforeigntravel;such reports are used to identify unusual patterns ofbehavior and to assess the significance of travel thatis discovered despite employees’ failure to report it.Private companies could impose similar requirementson personnel with access to sensitive data to identifyemployees who may be collaborating with foreigngovernmentsorcompetitors.Althoughrecordsoftravelmay not be publicly available, individuals may makereferences to unreported travel or to their overseasactivitiesonsocialmedia,onblogs,andinotherpublicfora.Similarly,ifanemployeemakesapresentationataconferencewithoutseekingpriorapproval, theagendafortheconferencemayneverthelessbepostedpubliclyon the event’s web site and thus be available to theorganization’ssecurityteam.

9 Brian Latell, “New Revelations About Cuban spy Ana Montes,” Miami Herald, August 2, 2014. At https://www.miamiherald.com/opinion/issues-ideas/article1978099.html. 10 Select Committee on Intelligence, U.S. Senate, An Assessment of the Aldrich H. Ames Espionage Case and Its Implications for U.S. Intelligence, November 1, 1994. At https://fas.org/irp/congress/1994_rpt/ssci_ames.htm.11 David Wise, “The Felix Bloch Affair,” New York Times, May 13, 1990. At https://www.nytimes.com/1990/05/13/magazine/the-felix-bloch-affair.html.12 Michael Balsamo and Angie Wang, “Feds: Chinese spy tried to steal US aviation trade secrets,” Associated Press, October 10, 2018. At http://www.startribune.com/feds-chinese-spy-tried-to-steal-us-aviation-trade-secrets/496661981/.

THEUSEOFPUBLICLYAVAILABLEELECTRONICINFORMATIONFORINSIDERTHREATMONITORING| 7

C I V I C A C T I V I T Y

An individual’s in-person andonline social activity can provideindicationsabouttheirvaluesandpublic activities. Association withpersonsorgroupsthatareunderinvestigation or are themselvesconsidered threats may indicatea desire to cause harm. Suchgroups may include (but arenot limited to) violent extremistorganizations (whether foreignordomestic), organizations with ananti-U.S.ideology,andpublishersof classified information, suchas WikiLeaks. While many oftheseactivitiesmaybeprotectedfrom criminal prosecution underthe First Amendment, theConstitution does not forbid employers from deciding thatsuch activities are inconsistent with their organization’svalues. Publicly stated views indicating an individualmayharmthemselves,theircolleagues,orthe interestsof theorganization canbe factored intoanemployer’scomprehensive insider threat analysis to determinewhetherthatemployeecancontinuetoholdapositionoftrustintheorganization.

D A R K W E B

ActivityontheDarkWeb–onlineforumsandexchangesrelatedtoguns,drugs,illicitpornography,hacking,andfraudulent financial activities – is often highly suspect.Although many legal activities take place in privateareas of the Internet, Dark Web usage suggests thatanindividualwouldliketoremainanonymousandmaybe engaged in or planning illegal activity. However,sinceDarkWeb actors typically hideor limit access totheir online forums through software that anonymizesusers and encrypts communications, it is not entirelyclear whether the information on such forums can beconsideredtobe“publiclyavailable”.

8 |IntelligenceandNationalSecurityAlliance|www.INSAonline.org

CONSIDERATIONS&RECOMMENDATIONSBoth public and private sector organizations must weigh the benefit ofusingPAEIforsecurityandinsiderthreatevaluationsandcometoadecisionthat fits their legal interpretations and corporate cultures. Below are somerecommendationsthatallorganizationsshouldconsider.

F E D E R A L G O V E R N M E N T

AgovernmentdecisionregardingtheuseofPAEIforpersonnelsecurityandinsider threatpurposeswill set thestandard for theuseof such informationby organizations in both thepublic andprivate sectors. Efforts to institutea continuous evaluation program for the government’s trusted workforce– a critical element of initiatives to reform the security clearance process –havebeenhamperedbyagencies’ inabilitytodecidewhatPAEIsourcesarerelevanttosecuritydeterminationsandwhetherandhowtocollectandassessemployees’socialmediaactivities.

The Director of National Intelligence (DNI), as the government’s SecurityExecutiveAgent,mustworkwiththeDefenseDepartment,whichisassuminggovernment-wide investigation and adjudication responsibilities, to takeseveralkeysteps:

1. Decide, based on credible research, what sources of publicly available information are relevant to security determinations.ThePerformanceAccountabilityCouncil(PAC)–aninteragencybodychairedbytheOfficeofManagementandBudget(OMB)–hascommissionedrigorousstudiesofsomedatasources,butithasnotmadearecommendationonwhatdatashouldbeconsultedandhowitshouldbeweighed.

2. Develop a single legal interpretation of what PAEI – including social media data – may be collected and analyzed for personnel security purposes.AttorneysfromtheDefenseDepartmentandIntelligenceCommunityagenciesmust,inconjunctionwiththeDepartmentofJustice,establishacommonunderstandingofhowthesedatacanbeusedunderthelaw.Otherwise,asecurityclearancegrantedbyanagencythatfailstoconsidersocialmediacouldberejectedbyanagencythatrequiresevaluationofsocialmedia.Acommonlegalinterpretationisneededtosetandimplementcommonsecuritystandards.

3. Develop policies for how PAEI – including social media data – may be used for security-related personnel determinations.Cleargovernment-widepolicies,disseminatedbytheSecurityExecutiveAgent,areneededtoensurethatPAEI,includingsocialmediaposts,arecollected,analyzed,andappliedconsistentlyacrossagencies.

THEUSEOFPUBLICLYAVAILABLEELECTRONICINFORMATIONFORINSIDERTHREATMONITORING| 9

Attorneys from the Defense Department and Intelligence Community agencies must, in conjunction with the Department of Justice, develop a single legal interpretation of what PAEI – including social media data – may be collected and analyzed for personnel security purposes.

P R I VAT E O R G A N I Z AT I O N S

Private companies and other non-government entitiesmust apply their own standards to determine if theorganization is comfortable using PAEI for insiderthreatpurposes.Thisdecision-makingisindividualistic,oftenbaseduponanorganizationalcultureandacost-benefitanalysiscomparingthevalueofexpectedinsiderthreat deterrence and detection versus the impact onemployeemoraleandattrition.Tominimizepotentiallynegativeworkforceperceptions,someorganizationsmaywish tomakeuseofPAEI that is somewhat invisible toemployees – such as commercially availabledatabasescontaining information on personal finances, credit,lawenforcementencounters,andthe like– rather thaninformationthatemployeesfeelmorepersonallyvestedin,likesocialmediacontent.

R E C O M M E N D AT I O N S

IfanorganizationhasdecidedtomakeuseofPAEI forpersonnel security and insider threat purposes, thefollowingpracticescanhelpitdosoeffectively.

1. Ensure leadership support

LeadershipmustendorseandpromotetheuseofPAEIasavalidsecuritytoolthatcanbeusedinamannerconsistentwiththeorganization’smission,culture,andvalues.Withoutsuchleadershipsupport,PAEIusagemaycauseresentmentandpushbackfromtheworkforce.

2. Define and communicate internal policies

Organizationsmustcodifyinwritingtherulesthatwillgoverntheacquisitionanduseofdata,anditshouldcommunicatetheserulesandtheirapplicationtotheworkforce.

OrganizationsshoulddevelopwrittenpoliciesregardingtheuseofPAEIfornew-hirevetting,insiderthreatevaluation,continuousevaluation,andotherapprovedpurposes.AnorganizationmaywishitspoliciestospecifythatthewaysinwhichPAEIcanbecollectedorconsulteddifferdependingonthepositionoftrustthatanindividualoccupies;someonewithaccesstosensitiveinformationornetworksmayreceiveahigherlevelofscrutinythansomeoneholdingamoreroutineposition.

PAEIpoliciesshouldalsoconsidertheextenttowhichemployeestakeproactivemeasurestokeeptheirdataprivate.Forexample,ifanemployee’sFacebookprofilehasnoprivacysettingsandisopentoanymemberoftheplatform,his/herFacebookpostscanreasonablybeconsidered“public”.Similarly,ifanemployeehas“friended”co-workersonFacebookwhocanseepostsofworrisomebehavior,anorganizationmayconsideritreasonabletoevaluateconductthatsuch“friends”reporttohumanresourcesofficialsorinsiderthreatprogrammanagersnomatterwhatprivacysettingstheemployeehasused.Suchconsiderationsshouldbeevaluatedbyanorganization’sattorneysandaddressedbyitsPAEIpolicy.

Organizationsshouldincorporateconsentlanguageintohiringdocumentssothatprospectiveemployeesarefullyawareof,andconsentto,PAEI-basedmonitoringbeforetheybeginonboarding.ThegovernmentdoesthiswiththeSF-86form,whichiscompletedbyalljobapplicantsseekingasecurityclearance–applicantsforpublictrustpositionscompleteanSF-85–butotherorganizationsmayneedtoadjusttheirhiringdocuments.

10|IntelligenceandNationalSecurityAlliance|www.INSAonline.org

Todevelopandmaintainsupportforthepolicies,organizationsshoulddisseminatethemtoallemployeesandexplainhowtheywillprotecttheorganization,itspeople,anditsfacilities.Leadersandmanagersshouldexplainwhatinformationwillbegathered–aswellaswhatinformationwillnotbecollected–andhowitwillbeusedfordifferentpurposes.

TopromotetrustinthePAEIpolicyandtheorganization’sinsiderthreatprogrammorebroadly,thepolicyshouldgrantemployeestheabilitytoredressinformationusedtomakepersonneldecisions.Specifically,theindividualmusthaveaccesstothe“raw”datacollectedfrompubliclyavailable(andother)sourcesinordertochallenge,correct,ordisputeit.

Anorganization’spoliciesshouldbuildsupportforaninsiderthreatprogramamongtheworkforceandhelpsetclearprocessesforcollecting,analyzing,andhandlingpersonaldata.Theabsenceofclearpolicies–orthefailuretocommunicatethemeffectively–mayleademployeestoviewtheuseofPAEIascountertotheorganization’sculturalnormsandtoviewtheorganizationwithdistrust.

3. Determine legal constraints

Allinsiderthreatprogramsmustcomplywithexistingprivacylawsandregulations.Generally,theapplicantoremployeemustbeadvisedinwritingontheuseofPAEIfordecisionsabouttheiremployment,beofferedadescriptionofthenatureandscopeoftheinvestigationandprovidewrittenpermission.FCRAdatarequiresemployeereleaseformspriortoPAEIcollectionanddisclosure,butnon-FCRAdatadoesnot.Identifyingandresolvingentitiesofinterestwithoutinadvertentcollectiononnon-wittingUSpersonsisoftendonebyhandtoensurecompliance.

Asarule,socialmediachecksoncurrentandprospectiveemployeescanbelegallyconductediftheorganizationcomplieswiththeFairCreditReportingAct(FCRA),EqualEmploymentOpportunityCommission(EEOC),SecurityExecutiveAgentDirective(SEAD)5andotherrelevantstateandfederallaws.

4. Identify relevant information sources

Onlyactivitiesthatindicateanemployeeposesapotentialrisktohim/herself,co-workers,facilities,orsensitiveinformationmeritcollection,analysis,andfollow-up.Programmanagersshoulddevelopcriteriathatidentifythekindsofdatathatarerelevanttoworkplacesecurity,thedatasourcesthatmeetthesestandards,andthetypesofpotentiallyderogatoryinsightsthatmeritfurtherinvestigation.Onaregularbasis,thePACshouldreportitsresearchfindingsonwhatinformationisvaluableinthisregardsogovernmentagencies,clearedcontractors,andothercommercialorganizationscanusedata-drivenassessmentstoguidetheiruseofPAEI.

5. Establish policies for the use of PAEI

Pastbehaviorisnotalwaysanindicatorofsimilarfuturebehavior.Oldexpressionsofsupportforananti-democraticorganizationmaynotreflectaperson’scurrentbeliefsoractivities;previousself-destructivehabits,suchasexcessivedrinkingorgambling,maynolongerbeanissue.Informationonpastactionsmustbeevaluatedinthecontextofanemployee’scurrentpersonalandprofessionalbehavior.

RatherthanconsiderderogatoryinformationidentifiedthroughPAEIasademonstrationthatsomeoneisuntrustworthy,insiderthreatprogrammanagersshouldtreatsuchredflagsasindicatorsthatanin-depthevaluationmaybeneeded.PAEIshouldnotbeusedinisolationtomakepersonneldecisions;itmustbeplacedinthecontextofanindividual’slife.Datathatanemployeehastakenoutasecondmortgagecouldindicatefinancialproblems,oritcouldindicatethathe/sheisundertakinganexpensiverenovationtoaccommodatetheneedsofanelderlyparent.Exceptincaseofapotentialimminentthreat,PAEIshouldoperateasa“tripwire”thatidentifiestheneedforadditionalresearchandanalysisregardinganindividual’sbroaderbehaviorandlifecircumstances.

THEUSEOFPUBLICLYAVAILABLEELECTRONICINFORMATIONFORINSIDERTHREATMONITORING| 11

6. Assess timeliness, credibility and accuracy of PAEI

Somedataismorecurrent,andthusmorerelevanttoariskassessment,thanothers.Indicationsoflong-agofinancialdifficulties,forexample,maynotaccuratelyreflectone’scurrentfinancialhealth,whereasasuccessionofloansintheprevious12monthsismorelikelytoindicatethatanemployeehasveryrecentlyfacedcashflowproblems.Someinformationismoreconclusivethanothers;arecordofanarrestindicatesonlythatanemployeemayhaveengagedincriminalactivity,whileaconvictiondemonstratesprovencriminalmisconduct.

Anorganizationmustalsohaveawayofassessingthecredibilityandaccuracyofthedataitconsults.Ifitreliesonadataaggregatorofdubiouscredibility,itismorelikelytoreceivefalseindicatorsofmaliciousactivityandmisscriticalsignsofriskybehavior.Inbothcases,anorganizationwillpotentiallyallocateinsiderthreatresourcesinefficiently,failtomitigaterisk,andalienateitsworkforce.

7. Determine how to efficiently process PAEI data

Inbothfinancial-relatedanalyticsandpublicrecordsanalytics,organizationsarequicklyoverwhelmedwhentheyseektoanalyzeflowsofrawdata.Thisisespeciallytrueoflargegovernmentorganizations,wheredatasetscouldrepresentmillionsofcitizens.Organizationsmustadoptsoftwaretoolsthateffectivelyingestdatadeterminedtoberelevant,ensureitconformstoorganizationalpolicies,compareit(oraddit)toinformationgatheredfrominternalsources,andpackageitforevaluationbyaskilledinsiderthreatanalyst.

Manyvendorsofferscoringsystemsandanalyticstoqualifyleadsthatgenerateactionablehits.Theseincludestandardadjudicativeguidelines,standarddeviations,customizedbusinessrules,financialmodels,orotherproprietaryformulas.Thegeneratedresultscanbeusedasinputforaninternalcompanyanalyticstool.A“triggersolution”isamethodologyinwhichlargedataprovidersofferfirst-lineanalyticsandprovideonlyactionableinformationinamanageableformat.Thissolutionrelievestheorganizationofthefirst-levelanalyticsburdenwhichallowstheorganizationtothenfocusitsresourcesonthemuchsmallerhigh-risksegmentof their population.

8. Ensure validity of data

Organizationsshouldinstitutedatavalidationprocessestoensurethatoutsidedataisreliableandattributedtothecorrectemployee.Peoplewithcommonnamesareoftenaccusedof,forexample,owingadelinquentloanheldbysomeonewiththesameorsimilarname.Becauseanunwarrantedinsiderthreatinvestigationcouldcauseanindividualsignificantprofessionalharm,employersusingoutside data have a responsibility to validate the informationandtopreventsucherrors.

9. Adapt to changes in data availability and evolving social mores

Astechnologyevolves,itwillmakeavailableadditionalsourcesofinformationonemployeebehaviors.Thepublic’sexpectationsofprivacy–andlawsgoverningprivacy–willalsochange,inparttoreflectnewwaysinwhichpersonaldataisused.Ifanewsourceofinformationmeetsestablishedcriteriaforrelevanceandusefulnessininsiderthreatanalysis,anorganizationshouldconsiderwhetherandhowtoincorporateitintoitsevaluationprotocol.If,however,itsrelevanceandvaluearenegligible,insiderthreatprogrammanagersshouldresistmakinguseofthedatajustbecauseitbecomesobtainable.

Organizationsmustcontinuetoevaluateanalytictools,methodologies,andstandardstoensurethatanalysisofrawdatayieldsaccurateandactionableassessmentsthatreflectevolvingstandardsandsocialmores.Forexample,reflectingtheevolutioninattitudestowardmarijuana,anemployerinastatethathaslegalizedrecreationaluseofmarijuanamaywishtostopconsideringsocialmediapostsshowingpersonaluseofthesubstanceasa“redflag”indicatingriskybehavior.

12 |IntelligenceandNationalSecurityAlliance|www.INSAonline.org

CONCLUSIONSAstheU.S.Governmentreformsitssecurityclearanceprocessandimplementsacontinuousevaluationprogramformembersofitstrustedworkforce,itmustdevelopgovernment-widelegalinterpretationsandpolicydirectivesthattellagencieswhetherandhowtheycanusePAEI–particularlyemployees’socialmediaaccountsandcommerciallyavailabledatabases–tomakeinformedriskassessments.

For the government, PAEI could enable clearance investigators to collectinformationmorequicklyandefficiently.Thetimesavedwouldhelpeliminatethe processing backlog, facilitate the hiring of cleared workers, facilitatethe movement of cleared workers to where they can be employed mosteffectively,andreducelaborcoststhatareartificiallyinflatedbytheshortageofclearedworkers.Governmentattemptstoreformandimprovethesecurityclearanceprocessmustconsiderthedynamicgrowthinbothdataavailabilityanddataanalysistechnologies.Giventhisdynamism,theSecurityExecutiveAgentshouldregularlyreassesswhethertomodifythePAEIsourcesusedforcontinuousevaluationandtomakeclearancedeterminations.

Thegovernment’sSecurityExecutiveAgentandtheDepartmentofDefense,whichisassumingresponsibilityforconductingmostclearanceinvestigationsandadjudications,shouldfundrobusttechnologyresearchanddevelopmentand commission studies of how PAEI and other data can be used mosteffectively for employee screening and continuousmonitoring. Toward thisend, the government must partner closely with private sector firms thatcompileandanalyzePAEIdataanddeveloprelatedanalytictools.

Forbothpublic andprivate sectororganizations, PAEI cangreatly improvethe ability to identifymalicious insidersbefore they causedamage to theirinformation assets, people, or facilities. Private companies and other non-government entities must apply their own standards, based upon anorganizational culture and a cost-benefit analysis comparing the value ofexpected insider threat deterrence and detection versus the impact onemployeemoraleandattrition;SecurityExecutiveAgentguidelinesonPAEIcan serveasabaseline fromwhichcompaniescandevelop theirownPAEIstandards.

Background investigations and insider threat assessments seem intrusivetomanypeople,and theuseofPAEIcanmakesuchprocesses seemevenmore invasive. However,giventheharmcausedbyespionage, thetheftofintellectual property, andworkplace violence, it is worth the investment oftimeandresourcestodeterminehowPAEIcanbeusedtoprotectnationalsecurity,valuableassets,andhumanlife.

THEUSEOFPUBLICLYAVAILABLEELECTRONICINFORMATIONFORINSIDERTHREATMONITORING| 13

A C K N O W L E D G E M E N T S

INSAexpressesitsappreciationtotheINSAmembersandstaffwhocontributedtheirtime,expertise,andresourcestodevelop this report.

I N S A M E M B E R S

ValLetellier,CACI

GregCullison,Big Sky Associates

CatherineAlbright,Thomson Reuters

BryanDenson,TransUnion

RandyFort,Raytheon

MikeHudson,ClearForce

DeborahJohnson,Jacobs

SteveLewis,Omniplex

DavidLuckey,RAND Corporation

MattMiller,Goldman Sachs

SandyMacIsaac,Deloitte Chair, Insider Threat Subcommittee

VinceCorsi,IBM Vice Chair, Insider Threat Subcommittee

I N S A S TA F F

ChuckAlsup,President

LarryHanauer,Vice President for Policy

PeggyO’Connor,Director, Communications and Policy

EhrlAlba,Digital Marketing Manager

BillHarley,Intern

Building a Stronger Intelligence Community

(703) 224-4672 | www.INSAonline.org

ABOUT INSATheIntelligenceandNationalSecurityAlliance(INSA)isanonpartisan,nonprofitforumforadvancingintelligenceandnationalsecurityprioritiesthroughpublic-privatepartnerships.INSA’sgovernmentand

privatesectormemberscollaboratetomakegovernmentmoreeffectiveandefficientthroughtheapplicationofindustryexpertiseandcommercialbestpractices.INSA’s160+memberorganizationsareleadersinintelligencecollectionandanalysis,dataanalytics,managementconsulting,technologydevelopment,

cybersecurity,homelandsecurity,andnationalsecuritylaw,andits4,000individualandassociatemembersincludeleaders,seniorexecutives,andintelligenceexpertsingovernment,industry,andacademia.

ABOUT INSA’S INSIDER THREAT SUBCOMMITTEEINSA’sInsiderThreatSubcommitteeresearches,discusses,analyzes,andassessescounterintelligenceandinsiderthreatissuesthataffectgovernmentagencies(particularly,butnotonly,thoseworkingonintelligenceandnationalsecurityissues),clearedcontractors,andotherpublicandprivatesectororganizations.TheobjectiveoftheSubcommittee’sworkistoenhancetheeffectiveness,efficiency,andsecurityofboth

governmentagenciesandtheirindustrypartners,aswellastofostermoreeffectiveandsecurepartnershipsbetweenthepublic,privateandacademicsectors.