by Tobias Naegele
The Federal government’s security clearance system is outdated and needs to be replaced, but fixing it is going to take time because the government is still years away from fully developing a continuous evaluation process that can replace today’s once-every-five-years investigations.
Director of National Intelligence James Clapper says the current system “doesn’t work.” FBI Director James Comey acknowledges its shortcomings. Intelligence experts from across government and industry agree.
But revamping security clearance procedures for so many people, across so many organizations, will not be easy.
The clearance system is used by at least 70 departments and agencies at 10,000 locations around the world and encompasses millions of security clearances for government employees and contractors.
“That’s a big risk surface,” said William Evanina, director of the National Counterintelligence Center in the Office of the National Director of Intelligence. “Reform has to come with all the appropriate security procedures.”
Evanina spoke as a panel member at the Intelligence & National Security Summit in Washington, D.C., a joint project of the Armed Forces Communications and Electronics Association (AFCEA) and the Intelligence and National Security Alliance (INSA).
Taking place just months after the Office of Personnel Management (OPM) acknowledged a massive data breach of Federal employees’ records, including personal information contained in security clearance investigations, the topic of overhauling the system was on everybody’s minds. The OPM breach exposed the SF-86 data for tens of thousands of government employees, service members, contractors, and others who had completed the form as part of the routine security clearance process. The 127-page document provides a definitive data portrait of its subject, containing information not only about an individual, such as health and employment histories, but also contact information about family members and friends.
That’s one reason why Francis Taylor, undersecretary for intelligence and analysis at the Department of Homeland Security and a retired Air Force brigadier general, said reform cannot wait for long.
“We are still essentially applying a 1947 standard on how we are conducting our security investigations,” Taylor said. “We are caught in this bureaucratic bubble of activity.”
That activity is based on conducting exhaustive investigations every five years for every individual with a clearance. But in the real world, a lot happens in five years: People get married and divorce; get into financial difficulty; develop drug or alcohol problems; lose favor with a supervisor or grow frustrated if they aren’t promoted. So a person who was not a security threat last year can become one this year – long before the next scheduled re-investigation.
“Let me tell you: Doing a neighborhood evaluation of Frank Taylor will get you nothing,” Taylor said of himself. Instead, government agencies must develop coherent, supportable, and automated systems that can support continuous evaluation. By regularly monitoring individual actions and behaviors, such as the times staff come to work, or the kind of work they typically do on a government network, potential insider threats can be quickly identified and promptly reviewed to see if further investigation is warranted.
Much of the data needed to conduct such monitoring already exists in private, but accessible, databases. Credit monitoring agencies track credit and payment histories and home address changes, for example; public records list car registration data, along with records for home taxes and building permits; insurance companies track driver and health histories; and social media sites contain all manner of data, from personal contacts to family members, insights into off-duty behavior and interests, political leanings and more.
Says Art Davis, a retired colonel and now director of corporate security at Booz Allen Hamilton: “There are services available to the government [today] which would make a tremendous amount of information available on all of us – information that is basically not utilized today in background investigations. That information could be utilized in minutes, not days.”
Katherine Hibbs Pherson, a retired CIA security expert and consultant, said government leaders need to take their time as they evaluate alternatives to a system that has served them well for decades.
“We seem to have a screaming consensus that we need to change the system,” Pherson said. “But how do we realistically make that transition, particularly in an era of resource constraints? When you make a change as serious as continuous evaluation, you have to be very careful that you are not going to break what works now.”
Pherson advocates pilot programs and tests to prove the concept first – especially when it comes to ensuring trust and buy-in from a workforce whose faith in the safety, security, and privacy of their personal data has been rocked to its core in recent months.
“How do we introduce this to the workforce so that they don’t see it as Big Brother?” Pherson asked. “We have to deal with the cultural challenge that this is.”
The first forays into continuous evaluation are already underway. Contractors reacted quickly to the financial and legal risks posed by the Edward Snowden case, in which a contractor’s employee stole and exposed volumes of secret files. To protect against future Snowdens, contractors are hiring their own internal counterintelligence teams and developing their own continuous evaluation systems and processes.
General Dynamics Information Technology, for example, hired a former CIA counterintelligence official to bolster its security processes and ensure that any internal risks are mitigated to the maximum extent possible. Other companies are following suit. Tony Cothron, former director of naval intelligence and now vice president for customer requirements in GDIT’s Intelligence Solutions Division, said companies are wise to tackle these kinds of threats internally. But industry shouldn’t be expected to take this on alone, he adds. “The government can help reach its goals by incentivizing security investments.”
One way agencies could encourage industry’s continuous evaluation programs is to put a value on that extra layer of security, perhaps by making it a potential differentiator in contract proposal evaluations. Giving firms that invest in increased security an edge would encourage more to follow suit, he said.
Clapper said he has been “on the warpath” over reducing the number of clearance requests, the point being that fewer clearance requests could free up resources to more quickly and thoroughly review those who truly need to be cleared. However, reducing the total number won’t be enough to solve the problem, and reforming the system so it can more quickly respond to changes in individuals’ security profiles remains a priority throughout the intelligence community.
The Office of the National Counterintelligence Executive (ONCIX), part of Clapper’s Office of the Director of National Intelligence (ODNI), has begun to develop an enterprise-wide continuous evaluation program for the Federal Executive Branch. The program will ultimately apply to all Executive Branch departments and agencies with access to Top Secret/Sensitive Compartmented Information (TS/SCI), according to a fact sheet about the program. The fact sheet says program officials are researching the use of publicly available electronic information (PAEI), such as social media, “to ensure that the privacy and civil liberties of individuals are protected.”
Working out all the details for reforming the security clearance system won’t happen overnight. But with leadership squarely in favor of an overhaul – and buy-in almost universal across the security landscape – changes are clearly coming, and possibly faster than some might dare to think.
Tobias Naegele is the editor in chief of GovTechWorks. He has covered defense, military, and technology issues as an editor and reporter for more than 25 years, most of that time as editor-in-chief at Defense News and Military Times.