Bradley Manning, Eric Snowden and Aaron Alexis.
These are names of co-workers and fellow employees with security clearance who violated trust. After each incident reviews were established to discover: How did they get security clearances? How, in the case of the spies, did classified information get taken? In the case of work place violence, how did such untrustworthy and threatening persons get security clearances?
A Pentagon report released last week provided an independent review of the Navy Yard Shooting, and asked the critical question – are there currently too many individuals with access to classified information?
Current Practice; Defend the Perimeter
Proscribed security measures to protect classified information are in found in government agency security classification guides, policies, instructions and procedures. Where classified information exists, there are countermeasures required to protect that information. Depending on the classification level, these protection efforts include proper classification markings; storing classified information in General Service Administration (GSA) approved security containers and vaults; using alarms, sensors, a guard force, or a combination.
Current security measures are deemed adequate to protect classified information from falling into the wrong hands. After all, a thief or spy would have to go through several layers of security to get their hands on national security information at significant risk to themselves; or would they? These days, sometimes all they have to do is ask nicely and an otherwise authorized employee might just bring it to them.
Protection measures only go so far to deny unauthorized persons access sensitive information. In a time where the biggest threats to national security are the Bradley Mannings and Eric Snowdens, trusted employees walking out with the goods; physical security measures are just not enough as they keep bad guys out, but do little to prevent the insider threat.
This is not limited to the federal government and contractors, but also occurs elsewhere. Theft of proprietary information, personally identifiable information, intellectual property, workplace violence and more are perpetrated by the co-worker who was so quiet and hardworking.
Findings
The Washington Navy shooter, Aaron Alexis held a SECRET clearance. According to the report, he was awarded his security clearance while in the Navy, but this was a “just in case” measure and not based on need to know. The result is the ability to maintain the security clearance for 10 years as long as he didn’t have too long of a break between jobs requiring a secret clearance. Once hired by The Experts, Inc., he was back in the system. His eligibility would depend on self-reporting any adverse information, and the periodic review due at the 10 year mark. Couple that with the rapid growth of cleared personnel, and we see how an insider threat can grow unchecked. The risk was the inability to connect police records and other historical data that might have indicated that he was ineligible for a security clearance.
A New Paradigm
Some of the findings of the Pentagon’s review break the paradigm of relying on “defending the perimeter” to focus on the challenges of protecting National Security from those within our own ranks.
The first recommendation is to: “Cut the number of Department of Defense employees and contractors holding Secret clearances, and adopt a “just in time” clearance system more tightly linked to need to know.”
This solution may appear extreme and many reading this may take issue with such cuts. After all, many cleared defense contractors rely on having the adequate pool of cleared contractors and offer salaries and benefits tied to security clearance levels. Those holding security clearances may feel the pressure of such cuts as career ending.
These cuts are recommended as a countermeasure to free the workload of investigators and focus on more efficient and effective adjudication. As such, this could be just the countermeasure needed to protect national security. Further study demonstrates the intent is not to cut positions, but to determine whether or not existing positions require a security clearance. Validating the need for a clearance early is a determining factor. The cuts are simply requiring better stewardship and oversight of the security clearance process. Jobs do not need to be cut, but justification for requesting security clearance investigations and follow-on security clearances needs to be better defined and controlled.
Bring Back Need to Know
Many cleared employees may concede that access to classified information is based on a security clearance level AND the need to know classified information. Many times the need to know is not fully understood nor properly identified for security clearance requests. Defense contractors are granted facility security clearances based on a contractual need. After being granted a facility security clearance they then request personnel security clearances for employees who will need access to perform on the classified contract. In many cases this breaks down occurs when the cleared defense contractor or government agency requests security clearances using a standardized tool based on position or to form a pool of classified personnel in case they are needed.
This review recognized that the current state of security clearance process was flawed. That made sensitive information and the workplace vulnerable to the insider threat. The report makes recommendations to exercise more control of the security clearance process, making a greater argument for resting justification on need to know.
Internal Controls
One clearance justification practice used by cleared defense contractors is to have management provide rationale in a statement or security clearance request form of the need to request a clearance on a particular employee. Another practice is to directly link the new-hire employee to an employment opportunity requiring access to classified information to perform the job. However, these successes are based on internal controls and policies of the responsible cleared contractor, and not strictly enforced by government oversight.
The review made many other recommendations to streamline and improve oversight of the security clearance process for contractors. Whether or not the recommendations are acted upon remain to be seen. However, industry can become part of the solution by properly justifying the need for a clearance.