Misuse of Information Technology Systems and Security Clearances

When applying for a security clearance, the misuse of information technology systems if often an issue of concern – particularly the illegal download of information via file sharing websites

facility-security-tech

Navy Photo

POTENTIALLY AFFECTED PERSONS

The “Use of Information Technology Systems” criterion (Guideline M) of the “Adjudicative Guidelines For Determining Eligibility for Access To Classified Information” can potentially affect the clearance eligibility of many applicants. Over the past few years Administrative Judges (AJ) at the Defense Office of Hearings and Appeals (DOHA) have reviewed numerous cases involving Guideline M issues. Most of these cases have involved only 1 of the 8 potentially disqualifying conditions”—the “unauthorized use of a government or other information technology system.” These cases have almost always involved the viewing of pornographic material on a government or company-owned computer in violation of their employers’ rules. Most of the other cases also involved workplace misconduct such as: sending inappropriate email, unauthorized viewing of other peoples’ email, intentionally deleting files from a server, and preventing access to computer programs.

In 2001 “the Ninth U.S. Circuit Court affirmed a trial court’s decision that about 75 million users were infringing copyright by exchanging music files via a peer-to-peer network.”* Because of this, perhaps the greatest Guideline M concern to many clearance applicants is the potentially disqualifying condition of “introduction, removal, or duplication of hardware, firmware, software, or media to or from any information technology system without authorization, when prohibited by rules, procedures, guidelines or regulations.” This condition can apply to cases where applicants violate copyright laws using a computer. Late last year the “Questionnaire for National Security Positions” (Standard Form 86) was changed, and 3 questions specifically addressing “Use of Information Technology Systems” (questions 27a, b, & c) were added to the form. This change could significantly increase the number of cases involving Guideline M issues.

SECURITY CONCERN

Guideline M uses broad language in defining the security concern regarding the use of information technology systems:

Noncompliance with rules, procedures, guidelines or regulations pertaining to information technology systems may raise security concerns about an individual’s reliability and trustworthiness, calling into question the willingness or ability to properly protect sensitive systems, networks, and information….

Guideline M goes on to list 8 specific examples of potentially disqualifying conditions that could result in a clearance denial or revocation. Three of these potentially disqualifying conditions duplicate disqualifying conditions under Guideline K (Handling Protected Information). The remaining 5 are:

(a)  illegal or unauthorized entry into any information technology system or component thereof;

(b)  illegal or unauthorized modification, destruction, manipulation or denial of access to information, software, firmware, or hardware in an information technology system;

(c)  use of any information technology system to gain unauthorized access to another system or to a compartmented area within the same system;

(e)  unauthorized use of a government or other information technology system;

(f)  introduction, removal, or duplication of hardware, firmware, software, or media to or from any information technology system without authorization, when prohibited by rules, procedures, guidelines or regulations.

EVALUATION OF IT SYSTEMS MISUSE

The following factors are evaluated in determining security significance of IT system misuse:

• Knowing and willful rule violation.

• Frequency and extent of rule violation.

• Amount of potential or actual harm.

• Intent of the conduct and degree of malice.

For applicants who have duplicated copyrighted software and other media on the internet without authorization, a November 2008 DOHA decision (ISCR Case No. 03-17291) is instructive. In this case potentially disqualifying conditions (a), (c), and (f) under Guideline M were alleged. The AJ determined that the applicant only entered or accessed systems available to the public when he downloaded (duplication) programs and files without paying for them (authorization). The only unresolved matter in the remaining Guideline M allegation (f) was whether the applicant’s actions were “prohibited by rules, procedures, guidelines or regulations.”

From 1993 to 2007 the applicant downloaded between $750 and $1,000 worth of files or programs without paying for them. He did it for private financial gain in that he avoided payment for the downloaded materials, but he never sold or profited from anything he downloaded. On at least one occasion “he downloaded a serial number for a multimedia program and used it unlock the program and view a movie trailer. The serial number would have cost $29.99 if purchased, but applicant was able to download it without paying for it.” The AJ considered the applicant’s conduct in light of:

• Sony Corporation of America v. Universal City Studios (US Supreme Court, 464 U.S. 417 [1984])

• AHR—Audio Home Recording Act of 1992 (17 U.S.C. 1008)

• NET—No Electronic Theft Act of 1997 (17 U.S.C. 506)

• DMC—Digital Millennium Copyright Act of 1999 (17 U.S.C. 1201)

In Sony Corporation of America v. Universal City Studios the Supreme Court ruled that recording movies for personal, noncommercial use is not a violation of The Copyright Act (17 U.S.C. 106, et seq). The AHR extended that exception to recording music for personal, noncommercial use.

The NET makes electronic copyright infringement a crime when it is committed for the purpose of private financial gain by the reproduction or distribution, during any 180-day period, of copyrighted works having a total retail value of more than $1,000 or by the distribution of a work being prepared for commercial distribution by making it available on a computer network accessible to members of the public knowing that the work was intended for commercial distribution. The applicant did not violate the NET because the total value of the items he downloaded was not more than $1,000.

However, the DMC provides that, “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.” By downloading the serial number for a multimedia program and using it unlock the program, the applicant circumvented the access control to a protected work and violated the DMC. Based on this, the AJ decided that the applicant’s conduct was “prohibited by rules, procedures, guidelines or regulations.” The AJ found no applicable mitigating condition under Guideline M and therefore ruled against the applicant

For most people who use their own computer to download publicly accessible copyrighted files from the internet without paying for them or to participate in file sharing on a peer-to-peer network, their activity doesn’t amount to criminal conduct, which is probably necessary to support a security clearance denial or revocation under disqualifying condition (f) of Guideline M. Only when a person downloads and/or shares more than $1,000 worth of copyrighted files in any 180-day period without paying for them or tries to circumvent a security measure used to protect copyrighted material, does he risk an adverse security clearance determination.

MITIGATION OF SECURITY CONCERNS

Conditions that could mitigate security concerns under Guideline M include:

(a)  so much time has elapsed since the behavior happened, or it happened under such unusual circumstances, that it is unlikely to recur or does not cast doubt on the individual’s reliability, trustworthiness, or good judgment;

(b)  the misuse was minor and done only in the interest of organizational efficiency and effectiveness, such as letting another person use one’s password or computer when no other timely alternative was readily available;

(c)  the conduct was unintentional or inadvertent and was followed by a prompt, good-faith effort to correct the situation and by notification of supervisor.

As with most other security/suitability issues, when an applicant’s past misconduct was intentional and serious, the most common and successful mitigating condition is (a) above. This is because the basic purpose of the security clearance process is to attempt to predict future conduct based on past and current conduct, and rehabilitation as evidenced by passage of time without recurrence is one of the strongest predictors of future conduct.

* Quoted from ISCR Case No. 03-17291, referring to A&M Records, Inc. v. Napster, Inc.

Copyright © 2009 Last Post Publishing. All rights reserved.