If you haven’t heard about the current shortage of STEM and cybersecurity professionals, you must be living under a rock. Hardly a day goes by without another headline announcing another new government cry for increased cyber staff (including last week’s announcement by the Pentagon that they’re looking for 3,000 civilians to take on positions at the half-staffed Cyber Command).
The government frequently cites government salary caps as an obstacle in attracting the best cyber talent. A recent CNBC article notes it’s not just salaries holding some cyber pros back – it’s the requirement to obtain a security clearance.
The attacks against government and civilian networks are often the same. The countries who want to steal government intellectual capital (think Russia and China), would also love to give its industry a nice kick in the pants. A variety of initiatives throughout the years have hoped to increase cyber threat information sharing between government and industry. Neither side has always wanted to play along, and in many ways government is more inclined to share its secrets than industry. (Uncle Sam doesn’t have shareholders and the need to turn a profit).
“U.S. government officials say privately they are frustrated that Silicon Valley technology firms are not obtaining U.S. security clearances for enough of their top executives, according to interviews with officials and executives in Washington and California,” the CNBC report noted. “Those clearances would allow the government to talk freely with executives in a timely manner about intelligence they receive, hopefully helping to thwart the spread of a hack, or other security issues.”
The Snowden Effect
One big reason for Silicon Valley’s renewed disinterest in the federal government’s security clearance process? Edward Snowden’s unclassified disclosures of NSA spying programs. Just as a security clearance is a valued credential for those in the Washington, D.C. area, it appears some Silicon Valley firms fear it will reduce their street cred in the slightly edgier international tech industry. For international firms, there is a particular concern that security-cleared staff may lead to the appearance they’re running a government operation behind closed doors.
Throughout the federal government and security-cleared community, Snowden remains far from popular. But along the other coast, opinions are much more favorable. CitizenFour, the Snowden epic, scored an Oscar and won him the moniker of hero among the Hollywood set. So, steal a trove of federal government data and flee to every-man Vladmir Putin’s house, and you’re a hero in some circles and a traitor in others.
The Security Clearance Misconception
The CNBC article points to some serious misconceptions about the security clearance process and what it means to have one. A security clearance investigation is certainly tedious, time consuming and invasive. But it’s not an induction into the ‘security clearance priesthood,’ as Edward Snowden’s attorney argued. A security clearance provides access to specific classified programs based on clearance level. It doesn’t culminate in being offered a red or blue pill and the location of the elixir of life. (Or maybe I just attended the wrong security briefing). Edward Snowden amassed data, not based on his required access, but based on his desire, and by unlawfully obtaining co-workers’ credentials.
We can argue the merits of what he did, but it had nothing to do with having obtained a security clearance and everything to do with his perspective on the roles of government. His security clearance did not swear him to some otherworldly level of secrecy – it actually afforded him the ability to express his concerns through legitimate whistleblower channels.
Silicon Valley has a solid – and important – right to refuse to obtain security clearances. But as cyber threats increase and the cyber battle space becomes more clogged with both state and non-state actors, there is legitimate concern when an industry opts-out of information. Particularly if their concern is that the security clearance itself creates an expectation to do business differently. A security clearance engenders specific roles and responsibilities. But it doesn’t turn you into a spy, require you to say the pledge of allegiance before bedtime, or force you to agree with everything it does (or maybe I missed that security briefing, as well).