Watch out for “Hema.”
A security training test created by a Defense Department agency warns federal workers that they should consider the hypothetical Indian-American woman a “high threat” because she frequently visits family abroad, has money troubles and “speaks openly of unhappiness with U.S. foreign policy.”
That slide, from the Defense Information Systems Agency (DISA), is a startling demonstration of the Obama administration’s obsession with leakers and other “insider threats.” One goal of its broader “Insider Threat” program is to stop the next Bradley Manning or Edward Snowden from spilling classified or sensitive information.
But critics have charged that the Insider Threat program, as McClatchy first reported, treats leakers acting in the public interest as traitors — and may not even accomplish its goal of preventing classified leaks.
DISA’s test, dubbed the “CyberAwareness Challenge,” was produced in October 2012, a month before the Obama administration finalized its Insider Threat policy. The slide about Hema is included in a section of the training about “insider threats,” which are defined by an accompanying guide as “threats from people who have access to the organization’s information systems and may cause loss of physical inventory, data, and other security risks.”
Both Hema’s travel abroad and her political dissatisfaction are treated as threat “indicators.” Versions of the training for Defense Department and other federal employees are unclassified and available for anyone to play online.
“Catch me if you can,” the training dares.
In a statement to The Huffington Post, Pentagon spokesman Lt. Col. Damien Pickart said, “DISA was sensitive to any civil liberty concerns that might arise from any portion of the curriculum, which is why it coordinated with 26 federal agencies to ensure the maximum amount of input was received before going live.”
“When considering personnel for a position of trust that requires a security clearance, there are many potential indicators that must be considered when evaluating for insider threat concerns,” he explained. “The department takes these variables into consideration based on past examples of personnel who engaged in spying or treasonous acts.”
Several million people across the federal government have taken the training since it was released, Pickart said, and there has been only one complaint. He added that the next version of the security awareness training, to be released in October, is being updated so that its insider-threat test focuses more on behavior, “not personal characteristics or beliefs.”
Notably, the CyberAwareness Challenge is given to a wide range of federal employees whose roles have far less to do with security threats than that of a National Security Agency contractor like Snowden. The Department of Housing and Urban Development even requires its private business partners accessing a tenant rental assistance database to complete the training.
The Defense Department version of the “CyberAwareness Challenge” shows a healthy familiarity with Manning’s disclosures to WikiLeaks: In one training slide, the user is asked what to do when contacted by a reporter from “WikiSpills.”
Identifying “WikiSpills,” even hypothetically, as a legitimate journalistic organization is quite different from how military prosecutors have approached the real WikiLeaks in the trial of Manning. There the military has suggested that WikiLeaks founder Julian Assange took few steps to verify the leaks he received before publication and acted as a virtual co-conspirator with his source.
Steven Aftergood, an expert on government secrecy at the Federation of American Scientists, said the DISA training slide was “ignorant and clumsy.”
“The item ‘speaks openly of unhappiness with U.S. foreign policy’ simply does not belong on the list,” Aftergood wrote in an email to HuffPost. “It is not a threat indicator. It could apply to most members of Congress, if not to most Americans. By presenting the matter this way, the slide suggests that overt dissent is a security concern. That is an error.”