How ThreatSwitch might have stopped Iran spy, Monica Elfriede Witt
I was saddened to read about yet another case of an employee at a defense contractor spying for a foreign power. This time it was Monica Elfriede Witt, who wasn’t just some low-level clearance holder like Manning; she had access to some of our most sensitive national security information in her counterintelligence and Special Access Program roles. This is truly a devastating setback.
Here’s what we know about Monica, according to Air Force Magazine:
- Her most recent role was as a defense contractor working on a DoD Special Access Program
- She was a former Air Force Office of Special Investigations special agent
- She held a TS/SCI, presumably SAP access, and worked on sensitive CI contracts
- She traveled to Iran on multiple occasions
- She had contact with Iranian nationals including government personnel
- She attended at least one conference in Iran
We will undoubtedly learn more about her and what led to her radicalization, but the warning signs were certainly there.
The thing is, there are very clear guidelines provided to defense contractors and their personnel on what information has to be tracked and reported. Anyone who has a clearance knows they have an obligation to report their own activities. In addition, Security Executive Agent Directive 3, issued by the Director of National Intelligence, requires every employee of a government agency or contractor to report on others they know to be engaged in these kinds of behaviors. I don’t know whether Witt’s travel and activities started before or after her private sector employment, but I have to believe that some of her co-workers were aware of some of it even if she was no longer employed.
So why didn’t this get picked up sooner? As simple as it sounds, it’s because it’s not easy and convenient for people to report to their security teams, or easy for those security teams to pass that information on to the right investigation authority. No one likes to fill out forms, send scary information around via email, or have a face-to-face sit-down with their security officer. It’s just not fun.
We started ThreatSwitch to solve this problem, and have strong feelings on the matter. I absolutely believe that if the people around Monica Witt had ThreatSwitch (or something like it), she might have been caught much earlier. Let me back that up with a few specific examples:
- ThreatSwitch would have identified Witt as high risk because of her role. Monica Witt’s SCI and SAP accesses would immediately bump her risk score up in ThreatSwitch, just because of what she was doing in her job.
- ThreatSwitch would have made it easier to report and track Witt’s foreign travel. If a former co-worker had an easy, web-based way to report her travel, they probably would do it. Fill out a long fillable Adobe doc and email it? Probably not.
- ThreatSwitch would have provided a simpler way to identify Witt’s foreign contacts. Just like travel, most companies make it painful for employees to report foreign contacts directly. ThreatSwitch gives them an easy, quick alternative.
- ThreatSwitch would have allowed her co-workers to report her unusual conferences and other outside activities. All employees can access ThreatSwitch and report anything related to national security, reporting guidelines, or cyber attacks.
- ThreatSwitch would have aggregated all of this information and flagged her as high risk. In addition to allowing all of this information to flow easily to the security team, and within that team, ThreatSwitch would immediately flag Witt because the combination above would make her stand out among thousands of employees.
There are many sophisticated technology tools out there that monitor activity on networks, application use, and hundreds of other systems-focused data points. The thing is, those tools are only helpful if the person is already doing nasty stuff in your organization. They don’t do anything to highlight the risk factors that occur before a person goes rogue. So while those kinds of algorithms are indispensable for detection, they come pretty late in the game.
We believe at ThreatSwitch that security can be stronger, and companies can follow regulations more effectively, if companies make it simpler, easier, and friendlier to report, communicate, collaborate, and participate. That’s why our customers tell us that people report more often, with better information, when they use ThreatSwitch.