When news broke on June 6, 2017 that government contractor Reality Leigh Winner had leaked classified documents about the hacking of voting machines during the 2016 election, the TV gods smiled. For the NSA, the incident was another embarrassing blow to its reputation as the premier security agency in the United States. Since Snowden’s revelations in 2013, the public and private sectors have endured a series of high-profile data breaches caused by contract workers. While some, like the Target breach, were caused by negligence, the Snowden and Reality Winner incidents were carried out intentionally.
Responding to growing concerns about insider threats among government contractors, the federal government enacted the NISPOM Change 2 Insider Threat Mandate in the waning days of the Obama Administration. In addition to requiring companies with federal contracts to establish insider threat programs, NISPOM requires all federal contract workers to complete insider threat training to maintain their security clearances. The training mandate went into effect on June 1, 2017, so the jury is out on whether this requirement will neutralize the ever-expanding quagmire of leaks and breaches currently dogging the public and private sectors.
Some government officials, like top intelligence chief Bill Evanina, dispute the threat represented by government contractors, arguing that concerns about the security of this labor force are overblown and that contractors are “kicking butt” in the fight against leaks. However, when it comes to public perception, Evanina and others protest too much. The general consensus is that insider threats perpetrated by contractors pose a growing danger to data security.
Indeed, the working conditions of contractors can exacerbate the potential for malicious activity, especially at the lower levels, where work is less predictable, pay is lower, and there are no benefits. According to the CERT division at Carnegie Mellon University’s Software Engineering Institute, financial insecurity and discontent over work conditions are two of the top risk factors for creating malicious insiders. Added to these indicators is the fact that contractors don’t work for the organizations that outsource work. They work for companies that contract with these organizations. The loyalty that “company men” held toward long-term employers in the 1950s and 1960s is as archaic as pensions, private sector unionization, and a host of other incentives that once reinforced the allegiance of workers toward their employers.
It would be misleading to characterize all contractors as malcontents nursing a growing pile of grievances toward the organizations that employ them. Independent contractors who are self-employed sole proprietors report greater levels of satisfaction than their counterparts in traditional jobs. Regardless of the potential security risks posed by contractors, government agencies and private corporations show no signs of abandoning outsourcing. According to some sources, contractors make up 70% of the intelligence community, with 5 million holding security clearances and 1.4 million holding top secret clearances. In the private sector, contingent workers, made up of temps, contractors, and part-time workers, now make up 40% of the workforce.
With the rise of the gig economy and conservatives controlling all three branches of government, outsourcing is unlikely to decline any time soon. However, the very factors that make outsourcing attractive to employers also pose unique security concerns. If organizations are going to maintain control over sensitive data, they will need to address the economic challenges of an independent workforce that lacks the protections of traditional employment. At the same time, employers must be careful not to create a culture of surveillance that undermines collaboration and morale while miring businesses in a sea of red tape created by security protocol. Even if organizations could implement a top-flight security program, intelligence officials like Evanina believe eliminating all insider threat would be impossible. Organizations that wish to mitigate insider threat will need to balance security requirements with privacy concerns and efficiency. For the time being, anyway, insider threat appears to be an inescapable cost of doing business.