TSA Wants To Monitor Employee Computer Activities

Top 14 Government Social Media Initiatives

The Transportation Security Administration is looking for better ways to guard against insider threats and wants tools that can keep a close eye on employee computer activities.

The agency issued a Sources Sought solicitation in FedBizOpps on June 20, looking for software able to monitor and log a wide range of activities, including keystrokes, emails, attachments, screen captures, file transfers, chats, network activities, and website visits. The solicitation specifies that end users must not be able to tell they are being monitored, and must not be able to "kill" the monitoring.

The software must have the ability to monitor Windows OS, but the solicitation notes it also potentially should have the ability to monitor Mac OS X, as well.

Many of the capabilities TSA is looking for are commercially available now, but are used primarily for computer forensics, to look at activities after they have happened, said Chet Hosmer, VP and chief scientist with WetStone Technologies, a subsidiary of Allen Corporation that specializes in investigative software.

[ Insider threat? Outsider threat? The feds have to deal with them all. Read Feds Bust Hacker For Selling Government Supercomputer Access. ]

"Certainly over the last several years the focus on insider threats has become more prevalent than outsider threats," Hosmer said in an interview. "When we think about 'insider,' we think about people ... but it's not necessarily a human they're looking for. Devices coming in [to networks] could be the threat vector."

Malware continues to evolve in sophistication, he said, and the means and methods of protecting against it has had to evolve as well. For instance, some malware may insert keystrokes; detection might focus on how fast the keystrokes are being inserted, perhaps faster than a human (or that specific human) can type, he said.

The solicitation does not indicate whether TSA aims to store the vast amount of data such monitoring would generate and analyze it after the fact, or whether it is seeking to implement real- or near-real-time monitoring.

Hosmer thought it unlikely the solicitation was a response to the Wikileaks scandal, where a U.S. soldier has been accused of leaking thousands of pages of documents to the public by making them available for posting to the Web.

"Most of the leaks from Wikileaks came from overseas, not here. I haven't heard a lot of chatter about that at all," he said. "I think this solicitation is more serious than that. It sounds broader, the kinds of information they want to monitor ... potentially across agencies. Will contractors be involved? Will their systems be monitored, as well? How's that going to work?"

In an interesting bit of timing, the White House Office of Special Counsel issued a memo on employee monitoring policies to Executive Branch departments and agencies the same day TSA released its solicitation. The OSC warned agencies against using monitoring as a way of muzzling whistleblowers. OSC spokeswoman Ann O'Hanlon said the timing was purely coincidental.

She said the government generally is able to monitor users' computer use, as long as it provides disclosure up front that they are being monitored.

The Office of Management and Budget demands that federal agencies tap into a more efficient IT delivery model. The new Shared Services Mandate issue of InformationWeek Government explains how they're doing it. Also in this issue: Uncle Sam should develop an IT savings dashboard that shows the returns on its multibillion-dollar IT investment. (Free registration required.)