wfedstaff | April 17, 2015 6:26 pm
Last September’s mass killing at the Washington Navy Yard could and should have been prevented, according to an internal Navy investigation made public Tuesday. In response, the Pentagon said it is taking several measures to prevent a similar incident and to target other insider threats.
The Navy investigation was one of three parallel reviews the Defense Department ordered in the aftermath of the Sept. 16 tragedy in which Navy IT contractor Aaron Alexis fatally shot 12 people and wounded four others over the course of 23 minutes in the Navy Yard’s Building 197.
It found serious failures throughout the Navy’s own system of personnel and physical security, but investigators laid the most serious shortcomings at the feet of the contracting chain that employed Alexis: HP Enterprise Services and its subcontractor, The Experts, Inc.
“If the proper procedures had been followed, the chain of events that led up to the shooting on the 16th of September would have been interrupted,” said Adm. John Richardson, who led the Navy investigation. “If those contractors observe behavior that raises questions about an employee’s suitability for access to installations or information, those concerns should be identified to the Navy, and those requirements were not met. They did observe those behaviors and did not make those reports, and so it was impossible for the Navy to act on that information.”
Insight by Carahsoft: Learn about the efforts today and what’s on the horizon by civilian and the military services in rolling out 5G infrastructure and devices to improve mission effectiveness
Company never reported erratic behavior
The 40-member Navy review team brought forward several instances in which Alexis’ employers allegedly witnessed his unstable behavior, but did not report it to the Navy.
In one example just a month prior to the Navy Yard incident, investigators say police at Naval Station Newport, R.I., were called four times after The Experts’ own travel coordinator reported that Alexis might try to harm himself or others. Police responding to his hotel room found he had disassembled his bed because he believed someone was hiding beneath it.
In another example the next day, Alexis asked to stay in the hotel room of an HP supervisor because he believed people were following him and had checked into the hotel room beneath his. He told police later that night that someone was sending vibrations into his body and speaking to him through the walls.
Neither those nor several other instances of aberrant behavior were reported to the Navy officials who supervise the contract nor those who would have been in a position to suspend Alexis’ security clearance, according to investigators.
In a statement, HP officials emphasized that Alexis never worked directly for them, and said that they had fully cooperated with the Navy’s investigation.
“As the report confirms, The Experts was aware of significant information about Aaron Alexis that was not known to HP. Yet, The Experts made a decision to send Alexis back to work after the incident in Newport, R.I. without sharing any of this information with HP or the government. Based on what we learned about The Experts’ conduct, on Sept. 25 HP terminated its relationship,” HP said in a statement.
The Experts did not immediately respond to an emailed request for comment.
Review cites ‘troubling’ gaps in DoD management
But the Navy report’s critiques of the events leading up to Sept. 16 are by no means limited to the actions of the contractors.
For instance, the shootings might have been prevented were it not for serious shortcomings in the government’s own background investigation process, as Defense Secretary Chuck Hagel acknowledged Tuesday.
“The reviews identified troubling gaps in DOD’s ability to detect, prevent and respond to instances where someone working for us — a government employee, a member of our military or a contractor — decides to inflict harm on this institution and its people,” he said.
For example, the reviews found that Alexis had been arrested numerous times, including two instances in which he had fired gunshots in anger. He was also disciplined for personal misconduct while he served as an active duty sailor, but none of that information found its way into the Joint Personnel Adjudication System (JPAS), DoD’s centralized repository for managing security clearances.
Because none of what the Navy knew about Alexis was entered into JPAS, neither HP nor The Experts — which hired him based, in part, on his existing secret security clearance — had full knowledge of the extent of his troubled history before they hired him in the first place.
And when the Navy first issued Alexis his secret security clearance in 2008, while he was still serving on active duty, it warned him that it was a “conditional” clearance: he would have to make good on past debts, attend financial counseling and maintain financial solvency. But there is no evidence that anyone in the Navy followed up to make sure he did any of those things, nor that the Navy had systems in place to require such a follow-up.
The Navy report also faulted its own officials for failing to properly oversee its own contractors. The Space and Naval Warfare Systems Command, for instance, the organization in charge of HP’s Navy-Marine Corps Intranet contract, which is now transitioning to the Next Generation Enterprise Network provided by the same vendor, has no mechanisms to audit its contractor’s compliance with personnel security rules. It relied entirely on the company to “self-report” negative information about its own employees and subcontractors.
Hagel said he is taking several immediate steps in response to the internal reviews. On Tuesday, he ordered the department to begin to move on from the current background check system, in which secret clearance holders are only reinvestigated once every decade.
“I am directing the department to establish automated reviews of cleared personnel that will continuously pull information from law enforcement and other relevant databases,” he said. “This will help trigger an alert if derogatory information becomes available, for example, if someone holding a security clearance is arrested.”
In concert with that change, Hagel said DoD will create a new Insider Threat Management and Analysis Center that will take on the responsibility of making sure the military services and defense agencies respond to red flags on those automated records checks.
The Pentagon, Hagel said, will also create a new office within the office of the undersecretary of defense for intelligence that will be in charge of for both physical and personnel security across the entire department.
“Currently, these responsibilities are fractured among multiple components within the department,” he said. “This action will identify one person within DoD who is responsible for leading efforts to counter inside threats.”
Hagel also ordered the Defense Manpower Data Center Center to speed up the development of DoD’s forthcoming Identity Management Enterprise Services Architecture (IMESA), a project designed to make sure that every U.S. military base around the world can electronically vet the identities of people who are trying to enter the gates against government databases. Tuesday’s memo tells DMDC to try to deploy that system by 2016.
Increasingly, threats come from ‘inside the perimeter’
But the high-level independent review Hagel ordered last September suggests that DoD go further, and Hagel says he’s told the department to take a deeper look at several of its recommendations and report back to him by this summer.
Dr. Paul Stockton, who co-chaired that examination, said the Pentagon’s biggest problem is that even after the Fort Hood shootings, it is still focusing most of its security resources on defending its perimeters from potential intruders.
“That approach is outmoded, it’s broken and the department needs to replace it. Increasingly, threats — cyber, kinetic, all threats — are inside the perimeter,” he said. “What the Department of Defense should do is build security from within.”
The independent panel’s review found the security clearance review process is not doing its job because it’s made up of a mish-mash of responsibilities that involve background investigations by contractors, plus management by numerous government agencies both in and outside of the Defense Department.
The panel recommended that DoD explore the notion of handling background investigations on its own rather than outsourcing that task to the Office of Personnel Management, which handles that same job for more than 100 other federal agencies according to the same standards. In the wake of the Edward Snowden scandal, OPM said last month that it would use only government employees to conduct background checks, and would no longer use outside contractors.
Stockton said another significant problem the department faces with regard to managing security clearances is that there are far too many cleared personnel, both in and out of uniform.
“We recommend that the Department of Defense conduct a thorough reassessment of need to know, and whether the individuals occupying particular positions in the Department of Defense actually require access to classified information,” he said. “Such a review has not happened in a long time. It’s my working assumption that given the terrific growth since 9/11 in the number of those who hold security clearances, in the absence of such standards, we have folks with security clearances who don’t need them. In an era of terrific pressure on the defense budget, anything we can do to downsize the number of people with security clearances so that only those who require them can then get this intensive, more capable, continuous monitoring, that’s a great way of proceeding.”