TSA drops ‘insider threat’ label from spyware buy

Agency hopes modifying name of anti-leak tool will broaden competition.

Government agencies worldwide are installing personnel surveillance software following the 2009 transfer of thousands of classified materials associated with the Middle East wars to anti-secrets website WikiLeaks. 

The Transportation Security Administration has reissued a June 20 purchase order for spyware that monitors employees’ computer activities under a new name, explaining that contractors complained the scope of the earlier descriptor was too constricting.

The agency now is shopping for “host-based monitoring and digital forensics software” after announcing in June it needed “insider threat software.” The two solicitations are nearly identical, each bearing an itemized list of keystrokes and other digital evidence of snitching that the technology must capture.

The new request for proposals, released Friday, drops all references to insider threats.

When TSA first asked for product submissions in June, the feedback from vendors suggested that the language in the request was too narrow in scope, an agency official told Nextgov. The official acknowledged that TSA is re-soliciting industry with no changes to the technical requirements.

The new write-up reads: “The scope of this procurement is an enterprise solution to host-based monitoring and the collection of digital forensics information. The information assurance and cybersecurity division /focused operations branch supports areas of cyber threats and digital forensics. FO is seeking an enterprise technology that will automate enterprisewide host-based monitoring.”

The old scope read: “Focused operations is in need of a tool to help detect an insider threat. The focus is to monitor at the host level. FO has determined that the best method to monitor and detect insider threats is at the user host level. The scope of this procurement is an enterprise insider threat software package. In order to detect an insider threat, technology is required to monitor and obtain visibility into users' actions.”

Nextgov asked a TSA official why the “insider threat” label was limiting options, given that some experts narrowly define the new term “digital forensics” to mean the practice of scrutinizing digital records for evidence that can hold up in court.

The official replied that because new vendors are constantly entering the market, the thinking is it makes sense to see if a second request will yield additional vendors capable of providing adequate software that fulfills the agency’s desires.

The sought-after system will be designed to record keystrokes and chat sessions, monitor emails and attachments, log website visits and file transfers, track the movement of documents, and capture screenshots. All the surveillance will be fed to a central command center.

The technology is intended to run without the target’s knowledge. “The end user must not have the ability to detect this technology,” and must not have the power “to kill the process,” both work descriptions state.

The software will be configured to sift through aggregated information to spot connections and trends, or “mine through all the collected data using built-in or third-party tools,” the contracting papers noted.

McAfee currently supplies the Pentagon with a similar leak-prevention tool called the Host-Based Security System. The NATO force that fights Afghan insurgents also is installing an anti-leak product, because it has had no way of detecting unauthorized downloads and data sharing.