Having taken over the security clearance apparatus, the Defense Department has been busy updating the technology process for clearance. But what about the criteria for granting or withholding clearance? A deep dive by the RAND Corporation says it might be time to revise them because times have changed. For more, Federal Drive with Tom Temin turned to RAND social scientist and report co-author, Marek Posard.
Insight by CyberArk: Learn how the CDC is using the least-privilege model to limit how much damage hackers can do in federal networks in this free webinar.
Tom Temin: Mr. Posard, good to have you on.
Marek Posard: Thanks for having me.
Tom Temin: And you have found that there’s a new generation of people potentially coming into the federal workforce, or contractor workforce for that matter, that needs security clearance, but they’re millennial and younger. And therefore, what’s the difference?
Marek Posard: So what we argue in a report is that there are age based trends. Society changes, and younger generations might potentially be early signals for these broader changes. And as a result, you want to update the clearance process. And in particularly the standards by which you adjudicate who can get a clearance based on some of these social changes. So for example, back in the 60s, homosexuality, as well as cohabitation, were considered risk factors. Today they’re not. And so what you want to look at is these broader social changes based on data to see where you might want to make adjustments, not throw the baby out with the bathwater, but see if there’s adjustments that one can make within the criteria, as well as the mitigating factors that might be relevant to particular applicants.
Tom Temin: Yes, because the example that comes up so often is, well if someone smokes pot, or they take some illegal substance, which has been pretty much a rule out until now, but as these things gain, I guess, more social acceptance, and now more legal acceptance, that’s the kind of thing that might need to change.
Marek Posard: Exactly. And one thing that we recommend in the report is that factoring in the local laws and jurisdictions of an applicant, because quite frankly, it’s easy to find yourself in a situation where you might be increasing your risk profile, particularly just where you live. The example can be if you live in Maryland versus the District of Columbia versus Virginia versus West Virginia, there’s this patchwork of laws surrounding marijuana use. And this is a perfect example of a broader social change where you want to not necessarily say, well we’re not going to use that as a criteria anymore, but say you want to potentially adjust it because you don’t want to dissuade people from applying for national security positions. You also don’t want to artificially remove people from having those positions in the first place.
Tom Temin: And you’re also arguing that looking at financial distress and some of the financial issues surrounding people might be time for revision — explain that one a little bit more.
Marek Posard: So we’ve seen, I think it’s pretty well documented and we document this in our report as well too, that there has been a dramatic increase in student loan debt. And that’s predominantly by younger individuals. And there’s two factors that we discuss in there related to security clearances and student loan debt. The first is that if you have student loan debt now, and then you end up forming a family, having children, buying a home, there’s other types of debt that you’re going to take on. And so that could be potential risk factor in the future because if you already have the student loan debt hanging over your head, and then you have these other types of debts for car loans or whatnot, when you start forming families, that might be a concern that you want to keep in mind. But with that being said, we actually recommend that one focus on the management of debts instead of whether you’re fulfilling the debts, because in many ways you might be refinancing your loans, you might be behind different types of payment plans. And given the nature of a lot of national security positions, you do in many cases need a college degree or a post high school diploma, or some type of training to get into these positions in the first place, which for a lot of people requires them to take on that. And so making sure they can manage that that instead of just seeing if they have that or not, or fulfilling the debt or not, is going to be important.
Tom Temin: And another area I wanted to ask about is associations and outside activities. And those have changed and morphed over the years, depending on societal change as to what is considered dangerous or unacceptable. What do you find in that whole area?
Marek Posard: Well, today, we just have more opportunities to interact with foreign nationals. Younger students today are more likely to study abroad than in the pas. We also have more foreign nationals studying at our universities. And the internet makes it quite easy to interact with a broad range of diverse populations. Now, to be clear, we’re not saying that if you interact with someone from another country, that you’re automatically a risk. But there might be risk profiles that change based on who you’re interacting with and what countries they’re from. And so one nice place to look is the Office of the Director of National Intelligence does have assessments of countries that might be higher or lower risk. And on top of that, you want to also keep in mind that the people you’re interacting with in other countries might be embedded in networks where they have individuals, either their friends or families, who are working for foreign intelligence services, are working for certain types of government agencies abroad, that might increase the risk profile. So one thing that we propose is that that network is actually really important, not just the individual you talk to you, but their network that they’re connected to, just to take that into account when adjudicating who should get a clearance.
Tom Temin: What are some of the eternals that should still just automatically rule someone out regardless of what else they might do or be?
Marek Posard: Well, one of the big ones that we identify in the report actually is digital personal conduct, but in particular, this dramatic rise in child pornography cases, particularly those who are in their late 20s and 30s. And so there are certain things such as that where that should be an automatic rejection if there’s a clear case that can be made. And there’s other instances to where if you do have direct contact with someone from a foreign intelligence service, that’s going to raise a lot of flags. If you are doing heavy drugs, and you have a track record of abuse of heavy drugs, particularly opioids, which is a problem in certain parts of the country, those might increase your risk profile. I do want to note that it’s not a black and white decision. We all have risks in our life, you have risks in your life, I have risks in my life, the government just trying to assess and weigh if those risks are acceptable enough to hold it clearance. So even if one does have certain types of risks, the question really does, is it acceptable enough? And so I think it’s just clarifying that for individuals, it’s never really a black and white decision.
Tom Temin: Earlier, you mentioned in prior decades, homosexuality was a rule out and just maybe to be charitable to the people back then maybe they thought that was because people could be blackmailed, homosexuals could be blackmailed, because in those days, because it wasn’t socially unremarkable as it is now. Is there anything today that subjects people to potential blackmail or openness to bribery by foreign powers?
Marek Posard: Well, I mean I would argue that when you have to hide who you are, let it be your sexual orientation, let it be your gender identity, that creates opportunities for adversaries to exploit. And so I think it’s always better for people to just be forthcoming with who they are, and our guidelines should be accepting for people for who they are. And I think what we’ve seen over time is that the guidelines have been revised accordingly to get away from some of those kinds of all or nothing types of risk profiles or risk assessments. And I think, today, it really is a matter of, just again, weighting these factors, and I don’t necessarily think there’s anything equivalent to homosexuality or anything related to gender identity issues that you’re seeing in the guidelines today. But with that being said, I think those are great lessons in the past of what not to do. And I think that we’ve seen how societies changes in terms of their acceptance of these various factors that were once considered risks. And I think it’s a good lesson of what not to do going forward.
Tom Temin: And so the new criteria that you have suggested here, that you argue for the new set of criteria, how does that get into place? What do you recommend as a process for evaluating and then coming up with something that everybody can agree to? Defense Department, Intelligence Community, Congress.
Marek Posard: Well, ultimately, the government is continuously reassessing these guidelines. And the guidelines are housed right now in what they call the SC84. And those are constantly being reassessed. And I think it’s just a matter of really kind of going through each of the guidelines and the risk factors and mitigating factors and seeing where there can be potential tweaks and adjustments made. And one thing that we do argue in the report is that the data that we use to kind of give a broad overview of these trends, most of it’s freely available, and most of its actually collected by the federal government. And so what you want to do is monitor these types of trends over time and make the adjustments over time gradually, instead of just kind of doing a one shot deal. We outline all the data sources that we looked at. And there’s many more out there. I mean, the example that I would give is that if you look at, for example, the opioid crisis, that’s a risk factor, particularly if you’re surrounded or have interaction or have experimented with certain types of highly addictive drugs. And I think it’s important for the government just to kind of keep tabs on those trends earlier rather than later so they can make adjustments accordingly, and probe accordingly to make sure that they’re not taking unnecessary risks by giving someone a clearance.
Tom Temin: It sounds like this new idea of continuous monitoring, using third party data sources and the government’s own tools can really aid in that constant adjustment, and knowing when someone might need to be rechecked. For example, I would say, and you can confirm this if I’m right or wrong, the sudden acquisition of large debts or the sudden acquisition of really expensive properties could be a clue that someone needs to be examined.
Marek Posard: Exactly. They already do a lot of this already. And I think one thing that we propose is that our data, we’re looking at broad trends, not individualized data. And so what you can kind of get a feel for is where are there potential trends that might be of concern? Where are there potential trends that might signal an adjustment? But we’re not necessarily saying we should look at your individual profile over time. It’s more there’s an investigative process that does this with one’s consent. But there are these broader social changes. When you want to kind of assess the guidelines that you want to keep on top of so you don’t have outdated guidelines, that might dissuade people or outdated guidelines that might unnecessarily ding people for risk that really isn’t a risk after all.
Tom Temin: And ultimately, do we really know about any individual anyhow? If you look at the last several decades of turncoats that have turned up in spectacular cases, they were the most ordinary unremarkable people you could think of, starting with Edward Snowden and on back.
Marek Posard: You’re right, exactly. And the process really has this, they call it the whole person, is basically they look at the whole person when making these kinds of decisions, right. And so there’s a lot of different variables in our lives that you can weigh. The investigations are very individually based. So there’s not a cookie cutter model necessarily that one can apply. And I think it’s just a matter of really kind of adjusting that criteria, because we’re not going to catch every potential Snowden. But on the flip side of it, we want to make sure we can increase the probability of detecting problematic or risky types of life events that might signal a potential Snowden. Although we’re never going to be perfect with it, we want to try to pick up those signals as best we can.
Tom Temin: Marek Posard is a social scientist and co-author of the RAND Corporation report on security clearance guidelines. Thanks so much for joining me.
Marek Posard: Well thank you.