We’re either on the worst-executed mole hunt ever right now, or we’re acting like we want to be. The DoD Insider Threat Management Analysis Center (DITMAC) — another big database project with federal sponsors — is ramping up surveillance inside federal agencies, raising questions about security, free speech, and information warfare. Set to launch in part by next month, the database will gather information from 43 Defense components. Like all mass security screenings for low prevalence problems, DITMAC — which includes behavioral analysis, predictive analytics, risk rating tools, and insider threat systems for centralized reporting — jeopardizes security.
The database was probably already in development before the Government Accountability Office (GAO) issued a report in July calling on Defense to respond to the attacks at Fort Hood, Texas, on November 5, 2009, and at the Washington Navy Yard, D.C., on September 16, 2013, by enhancing information-sharing and oversight to protect U.S. installations. That would explain why the database ignores GAO’s main recommendations and common sense.
For example, DITMAC fails to act on GAO’s advice to formulate and disseminate a policy for when people should report what to whom when they see someone carrying a weapon. It creates more technology when GAO couldn’t even identify which of the 79 Fort Hood recommendations were implemented, because DoD installations reported only some information, only some of the time. So DITMAC adds red tape on top of dysfunctional red tape. And there’s insufficient evidence supporting the notion that a more centralized information-sharing system will work better than a decentralized one.
There are several reasons to suspect that DITMAC’s centralizing approach to the insider threat problem is backwards. Adding a new database on top of old ones without a stated plan to phase out the old will tend to worsen interoperability problems across DoD components. That is a security risk.
At the same time, DITMAC and the centralizing approach it embodies create big, juicy targets for leaks, hacks, and spying — on the heels of what may have been the largest compromise of cleared personnel data in history. Sensitive compartmentalized information should probably be treated as sensitive, and compartmentalized. Without implementing basic improvements in the information security practices on which systems like DITMAC are built, creating another big database that can be compromised probably poses more security risk than it might mitigate.
Internal security threats tend to be internal. So beefing up centralized bureaucracy to share information dealing with local threats might actually create more distance instead of less. People with local threat information most need to get that information to local responders as soon as possible. Having a standardized protocol for local agencies to make their own one-page call list to disperse local threat information seems awfully analogue — like a PTA phone tree and cupcakes solution to a terrorist mole problem. But its simplicity and decentralization are what make it less susceptible to exactly the sorts of abuse of information that DITMAC itself is meant to address.
Issuing a protocol for creating, disseminating, and updating a local one-page emergency cheat sheet, kept on hand in case of a threat at every Defense installation, is the most important thing DoD can do to better protect its people.
Here are seven other things DoD can do to improve its security without another behemoth database initiative:
1. Do Something Systematic and Serious
Give everyone basic information security training starting in middle school. For example, issue secure devices and guidelines on using them. Train everyone with security clearances on information security and hold them to it. Not just the peasants, but also high-level security officials — like former CIA directors. And while you’re at it, stop those guys from continuing to write unencrypted email to their journalist mistresses on Gmail servers maintained overseas by third-party contractors, from a Mac made in China.
2. Change the Way We’re Social
If you really believe in the predictive power of Big Data — and there are reasons to be cautious about basing important decisions on it — then people with jobs in security and the military-industrial complex need to use social media differently so that it’s not possible for outsiders to map their networks and otherwise exploit vulnerabilities. For example, intelligence agents probably shouldn’t post top-secret surveillance program code names in their LinkedIn profiles.
3. Protect Encryption and Invest in Future Cryptography Tools
Instead of nerfing cryptography in the public sphere, security experts need to promote the use and development of ever more clever cryptography. Backdoors into encryption invite laziness on the part of cybersecurity forces in the U.S., while committed opponents continue refining and reinventing more innovative cybersecurity tools and techniques. We can’t risk locking ourselves out of this arms race through complacency.
4. Invest in American Manufacturing
Stop outsourcing manufacture of ostensibly secure devices to foreign countries that may be military opponents in the near future. (To be fair, that’s basically anyone.)
5. Redefine Insider Threats
The real insider threats are people who violate the rule of law — not lawful whistleblowers, and not whistleblowers who jump the chain of command with classified information in order to inform outside authorities and the people of what is going on in their name, in the public interest. American law must protect both types of whistleblowers. Currently, federal whistleblowers of both types lack effective legal protections. That lack of protection disincentivizes the kind of information sharing that is essential for democracy and for the way the U.S. Government in particular was designed to work. According to Madison in Federalist #51, our political system is basically designed for information warfare — for competing interests and views to duke it out in a free marketplace of ideas. The formal structure that sits on top of that marketplace and is supposed to be a microcosm of it is our system of checks and balances. Criminalizing information-sharing in the public interest when something is wrong undermines that system and the freedom it’s meant to protect.
6. Win the War on Attention First
Then, worry about everything else. Parts of the brain are built to weight negative over positive information, and potential threat cues over all the other, vast environmental noise. In other words, your brain is full of bears. This is why we need a positive psychology of risk management — a new branch of research combining evidence-based insights about building out from bright spots with what we know about decision science, violence prevention, and other branches of science relevant to minimizing risk. The very name “risk management” turns on the bear-seeking brain — it directs us to look for risk, for threat. And that attention to threat can degrade cognition in ways that in turn make us less safe. That might explain why Defense tends to focus on threats that kill far fewer Americans by the numbers than larger, real threats that don’t look like bears — threats that can seem like abstract forces rather than people (pollution), or isolated incidents rather than the product of organized forces (car accidents and gun violence).
7. Uphold the Law
Lawfulness is about having one standard for applying the law equally to everyone — not having federal law books so broad and deep that statistically, everyone commits three felonies a day and the feds can always come after you for something if you step out of line. It’s about one person having one vote — not one corporation or special interest effectively having many. And it’s about protecting the freedoms that make us free for everyone — not just people we may disagree with whose political expression threatens the powerless, like the KKK, but also people whose political expression threatens the powerful, like WikiLeaks.
Benjamin Disraeli said, “As a general rule, the most successful man in life is the man who has the best information.” This is the security rationale for mass surveillance — of which DITMAC is just one more form — and curtailment of civil liberties such as freedom of the press. It’s illegal, unethical, and backfires.
Defense’s information security problem isn’t not having the information. It’s that best practices around sharing (or not sharing), using, and protecting that information can be better. That’s the problem DITMAC tries to address. We can do better.