Lessons Learned: Security Clearances After Snowden
In the past few years, a series of high-profile leaks of classified and top secret national security materials, including the WikiLeaks scandal and, more recently, Edward Snowden’s disclosure of the NSA PRISM program, has drawn into focus issues surrounding the granting, and abuse, of security clearances. In our armed forces, intelligence services, and the civilian contractor corps that supplements so much of their work, almost 5 million people hold security clearances.1 Many critics are asking why. Why do so many people have clearances? Why are so many contractors needed? Why is so much information classified?
Here are some thoughts on what these most recent scandals have taught us, along with possible solutions for closing the gaps that cause leaks, which organizations wishing to protect their information should take into consideration.
- Too many people hold security clearances. Another way to analyze this might be to say, “Too many people hold clearances beyond what is required.” With nearly 5 million people possessing security clearances, there’s a solid chance that many of them maintain a clearance above what they need for their current assignments.2 Companies must be vigilant and ensure that only those with a need to know obtain and maintain an active clearance.
- Classification versus characterization of information. Currently, an individual with top secret clearance may have access to a wide variety of top secret information, even if that information is not required to do his or her job. The information should be classified and then characterized, preventing someone, like Snowden, from accessing information about a system he is not working on. A heightened awareness of “need to know” is a significant first step within any organization dealing with classified information in the current environment.
- Information systems should contain robust access logs. A simple solution to a complicated problem may be creating more robust access logs for certain types or classifications of information. With such a system in place, a potential leaker could be spotted – and stopped – more quickly. For example, if someone working in IT accessed information about a worldwide telephone monitoring scheme outside of his assigned project, it would trigger an internal alarm and a review of access logs.
- Employees should not be able to extract information onto unauthorized systems or devices. Some, if not all, sensitive information should not be extracted to an external device, and setting up a system to prevent – or at least monitor – the transfer of certain information can also stop potential leaks before they begin. Snowden was able to take one or more laptops containing sensitive material with him out of the United States. If a reliable system were in place to track transfers, he might have been stopped or the damage might have been lessened.
- Some believe uniform guidelines do not exist across the government for different levels of clearance. This means that top-secret clearance at one agency means something completely different at another. Establishing uniform guidelines, and possibly even adding additional layers and types of clearances, could insulate against over-classified transfers having access to information “above their pay grade.”
- Some security clearances are apparently being granted based upon incomplete or inaccurate information. A Senate committee investigating security leaks recently received testimony that almost 87 percent of all background checks are incomplete.3 This is likely due to a large backlog created by the number of people needing security clearances. Some would argue that the Office of Personnel Management (OPM) is understaffed and overworked, and it, too, uses contractors to perform about 65 percent of its background checks.4 As a result, security clearances are sometimes being granted (or renewed) without proper scrutiny of an applicant’s credentials. Snowden, for example, lied about his college coursework. This lie could have been uncovered if investigators were able to proactively apply more time and tools to each individual application. Some argue that the background investigation should implement additional techniques such as reviews of a person’s social media use, rather than the present approach of talking to the applicant’s neighbors.
- In the recent past, some clearances have been falsified by investigators. Many investigators are very dedicated and thorough in their approach. Unfortunately, in the past few years, approximately a dozen agents for OPM and contractors performing background checks have been convicted of creating false information to complete background checks. Interviews never held, questions never asked and documents not reviewed have allowed large numbers of applicants to obtain clearances without proper scrutiny. One agent was found to have fabricated over 1,600 checks.5 This outcome could likely have been prevented if the agent’s own background check had not been fabricated by another agent.
- Security clearance background checks are not keeping up with the times. Every security clearance applicant is still asked about his or her view on communism, even though the Cold War is long over. And agents still question the neighbors of applicants, asking them questions ranging from the applicants’ affiliations with foreign powers to the simplest question of all: does the applicant really live here? The problem with this approach is that, in today’s world, neighbors do not interact like they did thirty or forty years ago when some parts of the applications were designed. Neighbors may not be a great source of information, but a vital source is being overlooked: the internet, including Facebook, LinkedIn, Twitter and other social media. Snowden’s web presence was arguably substantial, and he wrote on forums and even his Facebook account about his political leanings. If the procedures were updated, Snowden’s personal issue with “government intrusion” may have been detected.
- The focus on allegiance to the United States could be misleading. One of the most heavily emphasized areas in a security clearance background check is an applicant’s allegiance to the United States. But what does that really mean? WikiLeaker Bradley Manning and Snowden both claim they were acting patriotically by releasing classified information. Critics suggest that the security clearance process should be more focused on insufficient allegiance to the United States, but recent numbers suggest that one person is denied on grounds of foreign influence for every 22 people denied for drug use.6 Perhaps a more thorough approach to the idea of “allegiance to the United States” should be incorporated into the screening process, in order to red-flag applicants whose sense of patriotism may include harming the United States.
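The list items above on classification versus characterization, robust access logs, and unauthorized transfers can be combined into a single log-review check. The following is an added example, not part of the original article; the log format, user names, project labels and destination names are all constructed assumptions.

```python
LEVELS = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
APPROVED_DESTINATIONS = {"workstation"}  # assumed: only in-place access is approved

# Constructed roster: user -> (clearance level, projects the user is assigned to)
USERS = {
    "analyst1": ("TOP SECRET", {"PROJ-A"}),
    "sysadmin7": ("TOP SECRET", {"PROJ-INFRA"}),
    "clerk3": ("SECRET", {"PROJ-A"}),
}

# Constructed log, one access per line: time|user|action|doc level|doc project|destination
SAMPLE_LOG = """\
2024-01-08T09:12:00Z|analyst1|READ|TOP SECRET|PROJ-A|workstation
2024-01-08T09:40:00Z|sysadmin7|READ|TOP SECRET|PROJ-B|workstation
2024-01-08T09:41:00Z|sysadmin7|COPY|TOP SECRET|PROJ-B|removable-media
2024-01-08T10:05:00Z|clerk3|READ|TOP SECRET|PROJ-A|workstation
2024-01-08T10:30:00Z|analyst1|COPY|SECRET|PROJ-A|removable-media
"""

def review(log_text, users=USERS):
    """Return (line_no, user, reasons) for every access that needs human review."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split("|")
        if len(parts) != 6:
            alerts.append((n, "?", ["malformed-entry"]))  # never skip silently
            continue
        _ts, user, action, level, project, dest = parts
        clearance, projects = users.get(user, (None, set()))
        reasons = []
        if clearance is None:
            reasons.append("unknown-user")
        elif LEVELS.get(level, 99) > LEVELS[clearance]:  # unknown label: fail closed
            reasons.append("above-clearance")
        if project not in projects:  # characterization check: not assigned to this project
            reasons.append("outside-need-to-know")
        if action == "COPY" and dest not in APPROVED_DESTINATIONS:
            reasons.append("unauthorized-transfer")
        if reasons:
            alerts.append((n, user, reasons))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Line 2 of the sample is the case the article describes: the user's clearance level is sufficient, so a level-only check passes, and only the project check raises the alert.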
What does this all mean? Changes to the security clearance system are needed and may arrive in the near future. Preparing in advance, by structuring greater oversight and compliance early on, will make those with clearances, and those who employ people in positions requiring a security clearance, better suited to handle the transition. As always, it is important for companies and individuals to work with government agents and agencies to be proactive and prevent problems.
1 John Bacon and William M. Welch, Security Clearances held by Millions of Americans, USA TODAY (June 9, 2010), available at: http://www.usatoday.com/story/news/2013/06/09/security-clearances-nsa/24.... (Last visited August 2, 2013).
3 Personnel Security Clearances: Further Action Needed to Improve the Process and Realize Efficiencies, GAO (June 20, 2013), available at: http://www.gao.gov/assets/660/655360.pdf. (Last visited August 2, 2013).
4 David Frances, Here’s How Edward Snowden Got ‘Top Secret’ Clearance, The Fiscal Times (June 21, 2013), available at: http://www.thefiscaltimes.com/Articles/2013/06/21/Heres-How-Edward-Snowden-Got-Top-Secret-Clearance.aspx. (Last visited August 2, 2013).
5 Lindsay Wise, Contractor Responsible for Snowden’s Security Clearance Investigated for Inadequate Background Checks, McClatchy Washington Bureau (June 20, 2013), available at: http://www.mcclatchydc.com/2013/06/20/194556/contractor-responsible-for-.... (Last visited August 2, 2013).
6 Brian Palmer, Did Edward Snowden’s Views on Internet Freedom Come Up During His NSA Background Check?, Slate (June 11, 2013), available at: http://www.slate.com/articles/news_and_politics/explainer/2013/06/edward.... (Last visited August 2, 2013).