A top congressional watchdog is considering calling for the House to launch a program aimed at identifying and deterring internal threats, including through “behavioral monitoring,” according to a draft document reviewed by POLITICO.
The draft recommendations from the House’s inspector general come as the Capitol undergoes a campuswide push to shore up its security in the wake of the Jan. 6 attack last year. The chamber’s current top security official Sergeant at Arms William Walker said in a statement, however, that he does not plan to roll out any new program involving surveillance and monitoring.
The document shows the extent to which congressional security has become a priority since the riot led by then-President Donald Trump’s supporters and the muscular threat-detection tactics that are now under consideration for the Hill. The monitoring recommendations in particular also will face significant pushback because of privacy concerns.
“Everything you told me about that report, I will stand at the top of my lungs and fight against,” said Rep. Kelly Armstrong (R-N.D.).
POLITICO reviewed a draft report titled “Sergeant at Arms Insider Threat Risks,” dated Dec. 30, 2021, and produced by the House’s Office of the Inspector General. The slim document suggested that the House Sergeant at Arms’ office — which leads security for the chamber — start a comprehensive “insider threat” program, which it currently lacks.
National security officials use the term “insider threats” to describe people who deliberately harm their workplaces and employers. The best-known example is Edward Snowden, a former National Security Agency contractor who leaked an extensive amount of classified government material to journalists.
Comprehensive insider threat programs are widely used in the executive branch, particularly in national security agencies, to try to prevent Snowden-style leaks and other security compromises. The programs generally assess typical employee behavior — the average number of pages printed per week, for instance — in an effort to gauge if someone’s online activity has become aberrant. The degrees of scrutiny that these programs level can vary substantially from agency to agency.
Some of the most robust programs track every keystroke that employees make on their work computers.
“Without a program, the House may be vulnerable to insider threats,” the draft inspector general’s office report reads. It then recommends that the Sergeant at Arms “work with House leadership to consider establishing a comprehensive insider threat program.”
The report does not explicitly say which groups of people working on the Capitol Campus should be included in the proposed insider threat program.
The draft report included a letter from Walker, in which he said he's already started developing an insider threat awareness program. Walker told POLITICO that he does not plan any new surveillance as part of that work, but instead is rolling out voluntary training for House staff regarding security.
“The House Sergeant at Arms has no plans, intentions, or interests in conducting any surveillance or monitoring of people who work on the Hill as part of its effort to prevent an insider threat from materializing,” he added.
The House inspector general’s office referred questions about the draft report to the House Administration Committee, where a spokesman did not weigh on the details of the draft report.
Monitoring — behavioral and otherwise
Insider threat programs can take a variety of steps to try to prevent destructive behavior by government employees, as the draft report explains.
“These programs identify anomalous behaviors that may indicate an individual poses a risk,” the report reads, adding that people running insider threat programs aim for “early identification” of potential risks by focusing on “motivation factors.”
A graphic in the report listed a number of steps involved in creating these programs, including developing “a baseline of normal activity.” The report also suggested that the House standardize “pre-employment vetting (background checks), periodic re-vetting of staff, and termination procedures” to deter insider threats.
The potential involvement of security officials in congressional hiring decisions will generate controversy.
“To some degree or another, it’s none of their damn business. The structure of who I hire in my office is between me and the citizens of North Dakota,” said Armstrong. He was one of several House Republicans who raised questions last month after POLITICO reported on Capitol Police intelligence officials separately scrutinizing the backgrounds of people who meet with lawmakers.
Monitoring people would also be important, the draft House inspector general’s office report says: “Monitoring activities may include performing risk-based analytics, conducting internal/ external audits, and monitoring user activity on networks.”
“Various individuals at the House may conduct behavioral monitoring once properly trained,” the report adds in a footnote, “however, network monitoring would be performed by the [Chief Administrative Officer’s House Information Resources] division.”
The report also describes steps that the House would follow when implementing an insider threat program. Those steps include setting up “firm rules of engagement for how the insider threat team should monitor activity, launch investigations, and investigate suspected malicious insiders.”
Another step: “Deploy technology to monitor employee behavior that aligns with your specific requirements, policies, and insider threat team.”
It adds that an insider threat program’s mission and actions must be balanced “with the privacy and civil liberties of employees.”
‘Who are they sharing this with?’
The draft report said that House Sergeant at Arms is working on insider threat prevention, using its recommendations “as a baseline for the development of a more robust program.”
POLITICO shared language from the draft report with Bill Evanina, the former director of the National Counterintelligence and Security Center, who said much of it was standard for executive-branch insider threat programs.
In common parlance around insider threats, the phrases “network monitoring” and “user monitoring” refer to activity on a computer, he said. The phrase “behavioral monitoring,” meanwhile, refers to activity that isn’t online. Evanina questioned whether the report’s authors meant to refer to online behavior when they used the phrase “behavioral monitoring.”
“In any insider threat program, the efficacy starts with implementation and the identification of what behavior is and is not acceptable,” added Evanina, who is now CEO of the Evanina Group consulting firm. “And from that space, what is the standardized behavior you’re looking to monitor? In the insider threat community, that has not been perfected, both inside the government and outside the government.”
Daniel Schuman of the progressive group Demand Progress, meanwhile, said in an interview that he worried about oversight and transparency in regards to any congressional insider threat program.
“Are they using this for intelligence gathering, to create criminal prosecutions?” he said. “Who are they sharing this with? None of this has been developed, certainly not within the public and I’ve seen no evidence of competence in these matters inside the legislative branch.”
Peter Whippy, a spokesperson for the House Administration Committee, said in a statement that panel Chair Zoe Lofgren (D-Calif.) “believes security decisions affecting the House are best made by security professionals. While the Inspector General has not yet issued a report on insider threat risks, the Chairperson will review his findings when they have been finalized and transmitted to the Committee.”
An appendix to the inspector general's draft report included a letter from the Sergeant at Arms.
“I am delighted to report that the [House Sergeant at Arms] Insider Threat Awareness and Risks Mitigation Program has been in development since July of 2021,” he wrote.
Walker said in a statement that his team is rolling out “a strictly voluntary insider threat awareness and risk mitigation training opportunity” for employees.
The training’s goal, Walker continued, is to “make them aware of the potential costs associated with talking about Member and or staff scheduling, travel, meetings, etcetera” with people who might not need that information.
“The goal is to equip employees with the knowledge to help prevent carelessness so they do not accidentally, mistakenly or unwittingly share seemingly trivial or thought to be insignificant information with anyone not having a need to know,” he added.
The big picture
In the months after the Jan. 6 insurrection, concerns grew that people working on the Hill could pose threats. In September, Capitol Police announced that half a dozen officers were being disciplined for misconduct the day of the attack.
And in October, the Justice Department charged a Capitol Police officer with obstruction of justice because of his communications with a rioter in the days after the attack. That rioter had posted on social media about being in the Capitol on Jan. 6.
Days after the attack, Rep. Mikie Sherrill (D-N.J.) claimed to have seen Republican members of Congress lead people through the Capitol on Jan. 5, 2021, as part of “reconnaissance for the next day.” When POLITICO has asked Sherrill in the past for further detail, she has declined to elaborate, referring questions to the D.C. U.S. attorney’s office and the Jan. 6 select committee.