DHS Needs to Set Guardrails for Its Expanded Insider Threat Program

The Homeland Security Department needs to put in place more procedures and policies to ensure its insider threat program doesn’t violate employees’ Fourth Amendment rights, according to an internal watchdog.

More than two years after the department significantly expanded its insider threat program, officials still haven’t taken the necessary steps to formalize the new policy, the agency inspector general found. The agency also isn’t properly informing employees that their online activity is being watched, which could potentially infringe on their constitutional rights, auditors said.

In 2017, then-Homeland Security Secretary Jeh Johnson authorized the agency to broaden the scope of its insider threat program. Whereas before officials only monitored activity on the agency’s classified networks, the new order allowed them to track employees behavior on unclassified networks as well.

The expanded insider threat program is now up and running at all Homeland Security headquarters locations, and officials plan to stand up similar operations at each of the department’s components, excluding the Coast Guard. Component agencies will eventually funnel information to the Insider Threat Operations Center, which will be responsible for overseeing all unclassified networks activity.

But before that can happen, the department “needs to address several deficiencies that will hinder the program’s effectiveness and efficiency,” auditors wrote in the report.

Officials aren’t allowed to monitor employees who don’t hold security clearances without their consent, according to internal legal experts, so the agency needs to create a digital banner that lets employees know they’re being tracked every time they log onto the network, the IG said.

“Expanding the [insider threat program] to monitor non-cleared personnel at the components without first ensuring legally sufficient notice is provided … creates the potential for violations of the Fourth Amendment,” auditors wrote. They also said the agency’s chief security officer, who is responsible for overseeing the insider threat program, should conduct new analyses to ensure the program operates in line with privacy laws.

The IG found the agency has yet to update various internal documentation to account for the program’s expansion. Until officials revise responsibilities and oversight authority for the program, as well as formally approve new operating procedures, it “may not be effective in mitigating insider threats,” they said.

Auditors also recommended the agency reexamine the amount of resources needed to fund the expanded program and draft a framework to ensure the program runs smoothly throughout its entire life cycle.

The department agreed with all the IG’s recommendations.