New plan to stop leaks: Squeal on your cubicle mate who may or may not be a whistleblower
The U.S. is after Edward Snowden for leaking top-secret NSA documents.
In November, months before Edward Snowden would become a household name, President Obama issued a memorandum to the heads of federal agencies, spelling out new guidance for deterring the security threat of insiders.
Predictably, the commander-in-chief positioned the memo, which followed his formation of an Insider Threat Task Force a year earlier in the wake of WikiLeaks, as a means by which classified information and national security could be protected.
The memo defines the insider threat as "potential espionage, violent acts against the government or the nation, and unauthorized disclosure of classified information." The announcement drew relatively little news coverage, but it promulgated some basic new requirements:
Technology. Education. Privacy protection.
Standing alone, these "minimum standards" sound similar to the protocols that would be listed as part of any robust insider threat program. Still, the guidance was met with a fair amount of skepticism from the civil liberties community, who worried it failed to include any distinctions around whistleblowing.
Now, a new report from McClatchy Newspapers, which examined government documents surrounding the program, has confirmed those apprehensions. The Obama administration's initiative is much more expansive than previously understood.
The documents McClatchy analyzed show that the program encourages employees to be on the constant lookout for suspect behavior exhibited by their colleagues, and it can impose very severe penalties for failing to speak up. In addition, the program is broadly defined, meaning agencies can implement it as they see fit, which could open the door for significant abuse.
Some agencies have taken this "latitude" as justification to equate whistleblowing with malicious behavior as egregious as aiding the enemy, a conflation that could have a chilling effect on a worker who seeks to report, either through the recommended channels or otherwise, unethical or possibly illegal conduct in the workplace.
Not only could the program significantly discourage whistleblowing, but because it relies on employees to profile, be inherently skeptical of one another and possibly file dubious claims, camaraderie and morale undoubtedly will suffer.
And once you've been fingered as a violator, you might be out the door.
Information exposed by Edward Snowden and, before him, Bradley Manning underscore the need for organizations to further bolster their insider threat strategies. They must be built with the understanding that the portrait of the malicious insider has changed. He or she may not necessarily be someone operating out of their own self-interest – like a worker wanting to steal a customer list so they can start a competing company or a disgruntled employee wishing revenge on a superior – but may actually be a "conscientious objector," someone who is motivated by their morals and ethics and the betterment of others.
The Obama program reportedly offers "greater protection for whistleblowers who use the proper internal channels to report official waste, fraud and abuse," but would you feel comfortable signaling wrongdoing in an environment where snitching on a co-worker is considered good form? Nobody wants to work in a climate of paranoia, distrust, intimidation and fear. And that's why this initiative seems to be less about collaring the true malcontents and more about going after the men and women who potentially could embarrass the government. Remember, President Obama's administration has prosecuted more government officials for releasing secret material than all other administrations combined.
Then again, if you're as slick as Snowden, who reportedly joined Booz Allen Hamilton for the sole purpose of exposing surveillance documents – something security expert Jeffrey Carr on Tuesday called the "targeted insider threat" – nothing may be good enough to prevent it. Carr suggests implementing better "background investigations and post-hire monitoring for network access anomalies" to combat this prospect.
Sounds more effective than turning Jane from Accounting into a clinical psychologist.