Aiming to stop the next Snowden

The next Edward Snowden may find it more difficult to leak government secrets.

The Pentagon plans to issue new rules in the coming months requiring certain contractors that work with classified government networks to monitor what employees are doing in those systems.


Information about employees’ browsing on those networks will be combined with data analysis tools to spot suspicious behavior, such as a Middle East analyst rooting around in intelligence documents related to China or Russia, or an employee accessing documents at unusual hours.

The new monitoring regime is designed to give contractors early warnings that one of their employees may be stealing classified information, either to leak it to the public, as Snowden and Pvt. Chelsea Manning did, or to pass it to a foreign government.

The affected contractors will be required to sign forms acknowledging their browsing on classified networks is subject to monitoring and that records of that browsing could be used against them in a criminal trial or administrative action, said Defense Department spokeswoman Navy Cmdr. Amy Derrick-Frost. The networks will also feature banners that warn all browsing is subject to monitoring, and contractors will be required to hold annual training on insider threat awareness, she said.

The new requirements will affect a relatively small number of contractors that have access to classified government networks on their premises. Those contractors are certified by DOD to have classified spaces, known as sensitive compartmented information facilities, or SCIFs, in their offices. SCIFs restrict usage of cellphones, wireless Internet or anything else that might give a foreign government a digital entry point.

Contractors whose employees have security clearances but don’t access classified information outside government facilities will also be required to establish insider threat programs under the new rules, Derrick-Frost said. Those programs will be required to “gather, integrate and report relevant and available information indicative of a potential or actual insider threat,” she said.

There’s been little pushback from contractors briefed on the proposed changes. Such firms say they know a security clearance requires an extra level of scrutiny, though some have voiced concern that the new rules could favor larger companies that have more financial resources to implement them.

The new requirements are part of a series of updates to the National Industrial Security Program Operating Manual, or NISPOM, the official guidebook for federal contractors’ handling of classified information, which is awaiting final approval from the Defense Security Service, a division of DOD.

The service has been briefing industry groups for about 10 months on the NISPOM requirements. They are based on President Barack Obama’s 2011 executive order, which was aimed at improving insider threat protection following Manning’s leak of diplomatic cables to WikiLeaks, as well as provisions in the 2013 National Defense Authorization Act.

DOD plans to publish the final version of the new rules before the end of this year, according to Derrick-Frost. After that, contractors will have six months to set up the new programs.

In the private sector, sophisticated insider threat programs employed by large companies often extend beyond basic network monitoring to include evaluating other behavior such as when people enter and leave the office, when they enter classified areas and how they move through the building, said Mike Gelles, a director at Deloitte Consulting and a former chief psychologist for the Naval Criminal Investigative Service.

There’s been no discussion about subjecting cleared U.S. contractors to what’s called “continuous evaluation,” a nascent program promoted by the Office of the Director of National Intelligence that involves scanning public records such as divorce, arrest and credit records to pinpoint employees under stress who might be considering leaking documents for self-aggrandizement or profit, contractors said.

Continuous evaluation systems are most often deployed at top financial firms and have also been piloted in the U.S. Army. ODNI officials plan to have roughly 5 percent of the intelligence community’s most highly cleared employees subject to continuous evaluation by the close of 2015, as a supplement to the process of reissuing security clearances, which happens every five or 10 years.

Many larger contractors have already implemented insider threat programs or are in the process of building them or acquiring the technology. That’s partly because companies want to be ahead of the curve when requirements come out. It’s also because companies don’t want their reputations to be tarnished by employing the next Snowden.

“I do believe strongly that many of them are doing this because they want to position themselves to be in compliance with any requirements that may come down,” Gelles said. “At the same time, they want to be in a position to protect their assets and their reputation.”

They also want to keep up with the state of the industry.

“It’s very similar to what happened when cybersecurity became cybersecurity,” said Mike Miller, chief operating officer at Tanager, a cybersecurity and insider threat mission integrator. “Everyone realized, ‘Hey, we’re getting hacked,’ and executive orders were put in place and guidelines. The government locked stuff down and behind that, industry did the same thing. It’s a similar path.”

The contractor Lockheed Martin has begun using its big data analysis tool LM Wisdom to track insider threats on its own networks and is marketing the tool to other contractors and companies. When it’s pointed at the outside world, Lockheed has used LM Wisdom to predict which governments were most likely to be overthrown during the Arab Spring and which hospital patients are most likely to develop sepsis.

When the tool is tasked with tracking insider threats, it’s basically a matter of throwing different data sets at it, said Jason O’Connor, vice president of analysis in the contractor’s defense and intelligence solutions practice.

“It’s the same technology, the same tool we use for those other missions,” O’Connor said. “It’s the ability to sift through data and apply advanced algorithms and mathematics to come up with very specific recommendations for analysts. You can apply that to the insider threat world or the social stability world or the medical world. … When it comes to insider threats, we’re able to get down to a numerical score that says where there might be problems.”

Raytheon offers another insider threat tracking product called SureView.

Many smaller companies are biding their time because they don’t have the financial wiggle room to launch programs unless it’s an industry-wide requirement.

One benefit of mandating that contractors have insider threat programs is it will essentially “raise all boats to the same level” so smaller contractors know their competitors are expending the same startup money, said Tom Mahlik, a director of global security services at the MITRE Corp. and a former FBI section chief and NCIS special agent.

Some are still wondering, though, whether the requirements will be one-size-fits-all or if they’ll leave more leeway for smaller companies that can’t rely on the same economies of scale, contractors said.