In October, I told the tale of Anthony Kim, a program analyst in the Weapons Division of the Naval Air Weapons Station China Lake, who suffered retaliation at the hands of his supervisors after raising concerns over the security of two mobile mapping apps called KILSWITCH and APASS. The apps, which were available for easy download through the National Geospatial-Intelligence Agency’s online app store, enjoyed widespread use across the Marine Corps and special operations communities.
As a reward for his diligent oversight of critical cybersecurity issues, Kim had his security clearance suspended. The air liaison officer and joint terminal attack controller in the Washington Air National Guard and former Navy pilot did everything by the book, and still got betrayed by the system.
Wednesday, he got to enjoy a little taste of vindication.
Sweeping cybersecurity problems with KILSWITCH and APASS under the rug
We’ve also discussed the Office of Special Counsel (OSC) in this space. Not to be confused with Robert Mueller’s team, the OSC investigates issues like Hatch Act violations and protects Federal employees from whistleblower retaliation. Its letter to the President summarizing the KILSWITCH issue would not sound any better if Kim and his lawyer, ClearanceJobs contributor and noted security clearance expert Sean Bigley, had written it themselves.
The letter confirmed that “The [Navy’s] investigation substantiated [Kim’s] allegations, finding that the software had significant cybersecurity vulnerabilities,” followed by four and a half lines of redaction, presumably in which Special Counsel Henry J. Kerner outlines those vulnerabilities (which the Navy has determined to be “For Official Use Only,” one of several “caveats” placed on “sensitive but unclassified” information). “[Kim] should be lauded for his determination to protect the safety and well-being of military personnel who risk their lives to protect the United States.”
Despite the fact that developers knew the software wasn’t ready for deployment to the field, NAWSC officials pushed for the operational use of KILSWITCH and APASS “to secure political and capital gains” for the office. In other words, the bosses knew the apps would be a hit, so in order to get credit for building them, and to secure future funding for other development projects, they promoted the apps despite knowing they were riddled with cyber problems.
The Navy needs to hold someone accountable
Kerner concluded that although the Navy’s report “meets the statutory requirements” (meaning they did only exactly what the letter of the law required and nothing more), he has “serious doubts about the lack of institutional oversight [redacted] facilitated the distribution of untested, unsecure proof of concept software to military personnel involved in combat missions.” Kerner wrote that the Navy’s “blatant disregard for procedure endangered the lives of military personnel.”
The special counsel urged the Navy to “conduct an accountability review” of the officials involved in the software’s release, who presumably are the same people responsible for retaliating against Anthony Kim, “and take any disciplinary action it deems appropriate.”
While the OSC conclusions are welcome news, they don’t represent the end of the line for Kim. He still awaits the results of a separate Department of Defense investigation into his retaliation claims. As all cleared professionals understand too well, without the clearance, there’s no work to be had in the DoD. Kim is still waiting to get his clearance back so he can return to work, although hopefully not on the same team with the people in China Lake who tried so hard to make him out to be the bad guy.
Anthony Kim is not alone
Bigley is naturally thrilled with the outcome. In an email, he told Daily Intel, “OSC’s findings are a welcome vindication of Maj. Kim, who was ostracized, stripped of his paycheck and security clearance, and accused of being mentally unstable – all for having the courage to report a grave threat of harm to U.S. troops.” There is, however, more to do, he said. “Although the system ultimately worked here, the reprisals endured by Maj. Kim are demonstrative of why many government employees and contractors, including the Edward Snowdens of the world, choose to either ignore government malfeasance or illegally leak it to the media.”
Bigley also urges Congress to pass the Adam S. Lovinger Whistleblower Reprisal Act of 2018, which Republican Rep. Louie Gohmert of Texas introduced in October. The House took no action on it this year, but Gohmert should refile it in January and force it through, sending a bipartisan message that it’s not okay to suspend or revoke an employee or contractor’s security clearance for drawing attention to official malfeasance.
With so much else going on in Congress and the DoD at the moment, that would be a great way to ring in the New Year.