National Security
5:23 pm
Fri June 14, 2013

Defense Department Trying To Plug Leaks Before They Happen

Originally published on Fri June 14, 2013 6:12 pm

Transcript

AUDIE CORNISH, HOST:

News leaks have stirred a lot of controversy lately. And when Edward Snowden claimed responsibility for leaking documents about top secret NSA surveillance programs, all eyes fell on the huge industry of private contractors who work on government intelligence. Between the military, government and private industry, nearly a million-and-a-half people have top secret clearance. And the Defense Department's Advanced Research Projects Agency, better known as DARPA, has been in the market for technology that will comb through that community and catch a leaker before they strike.

Joshua Keating is associate editor at Foreign Policy, where he writes the War of Ideas blog. He tracked down some of the research that's developing in this field of so-called anomaly detection and he joins us now. And first, Joshua, anomaly detection, what is it and what is the government's goal here?

JOSHUA KEATING: Well, in a dataset of that size with that many users spread throughout military and government and private agencies, it's just sort of a mountain of data. And you can't possibly keep tabs on every one of these users individually. So what they're hoping is that you can train software to actually detect unusual behavior in these huge datasets and you can see if somebody's behaving unusually before what they're leaking turns up in the media.

CORNISH: When you talk about detecting certain behaviors, what kind of behaviors are we talking about? I mean, how do we know somebody is going to be a leak?

KEATING: Every user on the system is a kind of data point. And some of these data points should be communicating with each other, some of them shouldn't. So when they find that one user is corresponding with a lot of users that they wouldn't normally be corresponding with or they wouldn't - they shouldn't have reason to be corresponding with, that could indicate that, you know, that user's looking for something.

It's really looking at how these points on the system are interacting with each other. And when they start doing things they shouldn't normally be doing, that's a sign that it's somebody that you should be keeping an eye on.

CORNISH: So I'm going to ask you to describe some of the proposals here, the technologies that people are putting out there. For example, you write about decoy documents and also software that analyzes or IDs people by how they type.

KEATING: Right. Well, the challenge here is not so much to identify an unusual pattern, because in any dataset that size you're going to get a lot of that. It's to root out the false positives and decide what it is you need to ignore. So one way that they want to do this is to actually sort of leave fake enticing files on a network - they call them honey pot files - where, you know, when a possible leaker will click on these it'll alert the administrator. And they'll know that they have somebody who's looking at stuff they shouldn't be looking at.

Another program that I found really interesting was actually they funded research in keystroke analysis. So this is ways that you can actually distinguish a person by the way that they type. So, you know, in order to study this, they had people typing the same passwords 50 times. And you can tell by how long they held down the T key on the keyboard, you know, they could tell one person from another.

Even that, there's often as high as a 60 percent error rate, but these are sort of the kind of programs they're looking at to distinguish people on a network and then hopefully tell if they're up to something suspicious.

CORNISH: Now, you calculate that the government has spent millions on this kind of research in just the last few years. Is there any sense that it can really work?

KEATING: Well, this is definitely not operational yet, but it's clearly a major priority for the government. President Obama signed an executive order in 2011 identifying insider threat detection as a priority in establishing a taskforce for this. So I would imagine that, you know, these efforts are only going to be ramped up now.

CORNISH: Joshua Keating, thank you so much for coming in to talk to us.

KEATING: Thanks, Audie.

CORNISH: Joshua Keating is associate editor at Foreign Policy where he writes the War of Ideas blog. Transcript provided by NPR, Copyright NPR.