Edward Snowden. Movies have been made, books have been written and tweets have been tweeted. We know more about him now than ever before. And yet if Snowden still worked for the U.S. government today would his insider threat behavior really stand out to security analysts? We believe the answer is yes.
More intriguing still, how much earlier could we have detected Snowden’s adverse behavior and intervened before he fled the country in 2013 after leaking a huge trove of classified government documents?
The short answer is 2007, a full six years earlier.
We all know what kinds of behavior indicate increased risk of leaking classified or sensitive information, but the real challenge is figuring out a way to connect the dots from relevant behavioral and workplace information into something tangible and actionable.
The intelligence community believes that ‘something’ is a risk score that can change over time. In November 2018 the Director of National Intelligence (DNI) published its Insider Threat Program Maturity Framework, which represents a broad consensus on the best ways to deter, detect and mitigate insider threats.
The 14-page framework is divided into 19 "maturity elements", organized according to the minimum standards set out in the 2012 National Insider Threat Policy.
When it comes to Edward Snowden, the most relevant maturity element is ME16 (image below), which prescribes risk scoring as a way to: 1) “manage the multi-source information flow” regarding behavioral and workplace factors; and 2) “support longitudinal analysis, important in detecting concerning patterns that appear over time.”
Besides diversity of data sources, the other primary concept in ME16 is time, and Snowden is a perfect example of why a time-dependent risk score is so important.
According to publicly available anecdotal information, there were several points at which he could have been stopped before doing serious harm to national security – provided the right analytics and a culture of continuous vetting/evaluation were also in place.
At Haystax, 'the right analytics' means not just machine learning and similar data-driven techniques but also a probabilistic model that ingests data as evidence and infers the likelihood of future outcomes from it, producing a risk score for each person in the system that is refreshed continually as new data arrives.
Because it estimates inherent trustworthiness, that score can be used, on the latest available evidence, to judge an individual's fitness for a promotion, a security clearance, or simply increased access to sensitive information within an organization.
Here’s how the ‘whole-person’ model embedded in our Haystax Analytics Platform would have evaluated Snowden’s suitability for obtaining and retaining a security clearance, using a diverse array of publicly available data.
In the Haystax Timeline window (image above), an analyst can see how Snowden’s risk score would have changed over time. This is because new data is introduced, but also because Haystax’s model-based analytics has temporal relevance ‘baked in’ – meaning things that happened 20 years ago won’t be as relevant as if they happened this year. This temporal relevance is a critical piece in the Maturity Framework, and in our ability to find Edward Snowden amid all the noise generated by false-positive alerts.
The timeline shows that after a nine-month illness and absence from high school, Snowden dropped out (indicating he was not committed to school); he later earned his GED (indicating renewed commitment). Because of the temporal relevance factor, his clearance-worthiness increased over time from 1998 to 2003, with no derogatory events.
Snowden joined the Army in 2004 but was medically discharged only five months later. The model treats that data point as evidence for its unemployment concept, which captures the personal and financial stress of losing a job, compounded here by a medical condition and the cost of treating it. Combined with reports of his online anti-government statements, this produced the first significant dip in score in 2007 and the first opportunity for detection and intervention.
In 2007 he was granted a Top Secret security clearance while working as a contractor for the CIA. During his tenure there, he was suspected of breaking into classified files. This incident could have been reported through the channels available for security clearance administration – such as the Joint Personnel Adjudication System, or JPAS – or by a supervisor or coworker. If it had been reported, this information would have influenced Snowden’s periodic background reinvestigation during 2011. In its absence, the reinvestigation resulted in a successful renewal of his Top Secret clearance.
Most of the world knows what happened in 2013, but in the year before that Snowden's life was already starting to unravel, and that was when his adverse behaviors were again detectable. In early 2012 he inserted removable media and began exfiltrating data; combined with his continued open criticism of the U.S. government, that was evidence enough to prompt a drastic drop in score.
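To make the time-dependent scoring concrete, here is a small illustrative model, added to this article and not Haystax's own code: each event on the timeline above is treated as evidence with a weight that decays exponentially with its age, and a logistic function turns the prior plus the decayed sum into a 0-100 clearance-worthiness score, so a newly reported event moves the score far more than one from a decade earlier. The event weights, the five-year half-life, the prior, the GED year and the alert threshold are all assumptions made for the example.

```python
"""Time-decayed person-risk scoring over an event timeline.

Added, illustrative example; it is not Haystax's model. The weights,
half-life and prior are assumptions chosen to show the mechanics.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    year: int
    label: str
    weight: float  # assumption: negative = derogatory, positive = mitigating


HALF_LIFE_YEARS = 5.0  # assumption: an event's weight halves every five years
PRIOR_TRUST = 2.0      # assumption: log-odds of trust before any evidence is seen


def decay(age_years: float, half_life: float = HALF_LIFE_YEARS) -> float:
    """Weight multiplier for evidence that is `age_years` old (1.0 when new)."""
    return 0.5 ** (age_years / half_life)


def trust_score(events, as_of_year, half_life=HALF_LIFE_YEARS, prior=PRIOR_TRUST):
    """0..100 clearance-worthiness score as of `as_of_year`.

    Logistic of the prior plus the age-decayed evidence; only evidence already
    known by `as_of_year` is counted, so the score can be replayed historically.
    """
    log_odds = prior + sum(
        e.weight * decay(as_of_year - e.year, half_life)
        for e in events
        if e.year <= as_of_year
    )
    return round(100.0 / (1.0 + math.exp(-log_odds)), 1)


def timeline(events, first_year, last_year):
    """Score for every year in the range, the data behind a timeline view."""
    return {y: trust_score(events, y) for y in range(first_year, last_year + 1)}


def alert_years(events, first_year, last_year, max_drop=12.0):
    """Years in which the score fell by more than `max_drop` points year-on-year."""
    scores = timeline(events, first_year, last_year)
    return [y for y in range(first_year + 1, last_year + 1)
            if scores[y - 1] - scores[y] > max_drop]


# Constructed timeline built from the events the article lists; the weights are
# assumptions, and the GED year is not given in the article and is assumed.
TIMELINE = [
    Event(1998, "dropped out of high school after a long illness", -0.5),
    Event(1999, "earned GED (year assumed)", +0.5),
    Event(2004, "medically discharged from the Army after five months", -0.7),
    Event(2007, "reports of online anti-government statements", -1.0),
    Event(2012, "inserted removable media; exfiltration begins", -3.0),
]
# The 2007 suspicion of breaking into classified files, had it been reported.
REPORTED_INCIDENT = Event(2007, "suspected unauthorized access to classified files", -2.0)


if __name__ == "__main__":
    for year, score in timeline(TIMELINE, 1998, 2012).items():
        print(year, score)
    print("alert years:", alert_years(TIMELINE, 1998, 2012))
    print("2011 reinvestigation, incident unreported:", trust_score(TIMELINE, 2011))
    print("2011 reinvestigation, incident reported:  ",
          trust_score(TIMELINE + [REPORTED_INCIDENT], 2011))
```

With these assumed weights the year-on-year alert fires in 2007 and again in 2012, matching the two intervention points the article identifies, and scoring 2011 with and without the 2007 incident shows how one unreported event changes what the reinvestigation would have seen. Two caveats a practitioner should keep in mind: the half-life is a policy choice that directly trades false positives (slow decay keeps old derogatory information alive) against missed patterns (fast decay forgets it), and symmetric decay also fades mitigating evidence such as the GED, so a real model would likely decay the two classes at different rates.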
The most significant obstacle to finding Edward Snowden was the lack of a system of processes and technologies that focused on person-risk, analyzing multiple information sources the way an analyst would and considering how recently each critical event occurred.
With all the relevant behavioral and workplace evidence displayed as model results on a timeline, centered around Edward Snowden the person, there were several points at which a manager equipped with a risk scoring and automated alerting tool such as Haystax could have stepped in – as early as 2007 but certainly by 2012, one year before he took off for Hong Kong.
# # #
Hannah Hein is a Federal Project Manager at Haystax.
Note: Approaches for finding an insider threat employed by the government are somewhat different than those for an insider threat in the private sector. Learn more about how Haystax helps small, medium and large companies find their highest-priority threats by downloading our free white paper: To Catch an IP Thief.