Reforming the Security Clearance ProcessFeds Consider Continually Monitoring Those with Clearances
Security experts are sizing up the challenges that would be involved in implementing a federal government proposal to continuously monitor employees and contractors with security clearances in hopes of preventing leaks of sensitive information.
"We've got 5 million cleared professionals working all over the globe," says Evan Lesser, who has closely followed the government's security-clearance apparatus since co-founding the employment site ClearanceJobs.com in 2002. "Even if half of them were continuously monitored, it's a huge undertaking."
See Also: 2021: A Cybersecurity Odyssey
The White House Office of Management and Budget last week issued a report - Suitability and Security Process Review - that recommends the government accelerate initiatives to continuously evaluate security-cleared employees.
Several recent events catalyzed the government to review its security clearance policies: Leaks by National Security Agency contractor Edward Snowden (see NSA Moves to Prevent Snowden-Like Leaks) and Army Pfc. Chelsea Manning, formerly known as Bradley Manning (see Manning Verdict's Influence on Snowden), and the fatal shootings at the Washington Navy Yard by subcontractor Aaron Alexis. All three individuals had security clearances.
Under current policy, the government periodically investigates those with security clearances. Those investigations occur every five years for top-secret clearances, 10 years for secret clearances and 15 years for confidential clearances.
The review concludes that existing re-investigation practices fail to re-evaluate cleared security workers adequately or mitigate risk appropriately. "Lengthy periods between re-investigations do not provide sufficient means to discover derogatory information that develops following the initial adjudication," the report says.
The report cites government tests of continuous evaluation that assessed automated data checks from multiple sources, such as credit checks, social media, personnel records and self-reporting records, that might reveal relevant information that would prompt further investigation and allow agencies to focus their efforts on those who appear to have the highest risk.
One pilot program that the Defense Department conducted tested the value and effectiveness of an automated continuous evaluation system. According to the report, that test studied a sample 3,370 Army service members, civilian employees and contractors, and identified that more than one in five had previously unreported "derogatory information," such as financial troubles or marital problems, that had been identified since their last investigation. Another 3 percent had serious derogatory information that resulted in a revocation or suspension of a security clearance. "This and other [continuous evaluation] pilots provide compelling evidence for many benefits of this more continuous approach to background investigations," the report says.
But Lester Rosen, chief executive of Employment Screen Resources, a firm that conducts employment and security background checks for businesses, says the report fails to consider adequately the individuals who would use that information to make decisions about whether to revoke security clearances. Instead, he says, the review focuses too much on the process.
"At the end of the day, you can have all sorts of matrixes and adjudication criteria but what they don't address is where the locus of responsibility is," Rosen says. "Who's responsible at each agency? Who's going to look at it and say that 'I want that person' or 'I don't want that person?' This proposal misses the mark. They're so focused on process, but at some point someone is going to have to make a decision. At some point, the buck stops."
Re-evaluating Use of 'Derogatory Information'
Rosen says so-called derogatory information shouldn't necessarily disqualify someone from getting or retaining a security clearance because the severity of these problems varies widely.
Under existing policies, those with a history of, for example, financial or marital problems often are considered security risks because they are considered more prone to leak information or change their behavior in a radical way.
Lesser also says the process of gathering and assessing information in almost real-time will prove to be a challenge, asking: "What information would be monitored? How does it technically get done? Who reviews the monitored information and makes decisions from it? Cleared people understand the need for transparency, but will continuous monitoring open the door for privacy and security concerns? Consider that security-cleared workers undertook their oaths with the understanding that they would be re-investigated every five to 15 years."
The report only makes brief mention of privacy and civil liberties: "Any such strategy must ensure systems include capabilities to safeguard individual privacy and civil liberties, consistent with the needs of national security and workplace safety."
Lesser wonders whether some workers might quit if a condition of employment is continuous monitoring. And that could put government at risk by having fewer qualified personnel handling classified materials.
Government workers and contractors with security clearances have been required for years to sign a national security document, known as SF-86, which allows the government to monitor their private lives, though in the past that rarely involved the extensive use of sophisticated technologies, such as data mining.
"People signed those forms, but then nothing had happened in the past," Robert Carey, DoD's principal deputy chief information officer, said in an interview with Information Security Media Group about the use of data mining for those with security clearances who pose an insider threat to the government (see Protecting Against the Insider Threat). "Now, we have more positive knowledge about our workforce for what it's doing and not doing than we did in the past. That's good, but to the nominal national security workforce member, it's a little bit of a change. This makes people uncomfortable for a while until such time as it becomes standard."
One complaint about the current security clearance process is the heavy reliance on contractors to conduct investigations of employees and contractors. But the report does not recommend replacing contractors with government employees to vet individuals for security clearances, instead favoring to reform the process.
That decision didn't sit well with the American Federation of Government Employees. Union President David Cox Sr. says the report completely misses the mark by continuing to allow security clearance investigations to private contractors. "The overriding goal of contractors is to increase profits, which means completing investigations as quickly as possible so the work keeps flowing," he says.
In a statement, Cox cites the Nov. 5, 2009, killing of 13 people at Fort Hood by Army psychiatrist Nidal Malik Hasan, as well as the Alexis shooting and Snowden and Manning security leaks, as evidence of the failure of contractors to adequate perform security background checks. "All of these men held active security clearances, even though there were plenty of red flags being raised by their co-workers and supervisors that might have been caught by a more robust and focused security clearance process," Cox says.
Lesser, though, says he isn't concerned that the government would continue to use contractors to vet federal employees and contractors for security clearances. "Contract investigators are fine, cost-efficient, and likely necessary to deal with the natural ebb and flow of cleared human capital needs," he says. "But contract clearance investigators must be given realistic workloads, updated tools to take on the job and maximize their time, the ability to use social media in investigations, and solid guidance from the OPM [Office of Personnel Management] as to expectations."