“Your network is your net worth.” — Porter Gale
The 2020 National Security Legal Outlook, hosted by the Intelligence and National Security Alliance, featured a few panel discussions on how to improve personnel security information sharing under existing legal frameworks and how to manage threats from foreign investments.
The event began with networking. Making connections is one of the most important things about business in any industry, and that’s no different in the intelligence community. The first hour set the stage for the topics covered for the day: every entity within this community is affected by and interested in the updates and changes to security clearance reform, supply chain, insider threats and CFIUS transactions.
The Keynote Address was led by the Honorable Jason Klitenic, General Counsel of the Office of the Director of National Intelligence (ODNI). His jokes about being a ‘paper pusher’ and ‘sticking to his script so he doesn’t get in trouble’ drew laughs from the audience.
Security clearance reform was on everyone’s minds (and has been for some time). Trusted Workforce 2.0 is an initiative to transform the fundamental approach to vetting and supporting policies that will also overhaul business processes and modernize the IT architecture.
“The clearance process is integral to who we are and what we do,” said Klitenic. He explained that standardizing this process across agencies will improve mobility within the workforce. That, coupled with the move from periodic reinvestigations (PR) to continuous evaluations (CE), will streamline processes and modernize a system in need of overhaul. Klitenic assured the audience that “nothing will change for clearance holders,” but reforms do come with strings attached – or consequences for current policies.
Klitenic also touched on supply chain and risk management of insider threats in relation to the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA). FIRRMA expanded the jurisdiction of the Committee on Foreign Investment in the US (CFIUS) and requires threat intelligence assessments to analyze the effect a transaction will have on the US. The timing was apt, coming alongside the U.S. Department of the Treasury’s January 13th issuance of two final CFIUS rules (one for non-real estate investments and one for covered real estate investments) along with an interim regulation and request for comments setting a new definition for the term “principal place of business.”
He closed with a final thought on how all of these topics create questions that ODNI is wrestling with:
How much intelligence information can we lawfully share between agencies? What actions on supply chain can we take at the federal and non-federal levels? What is the obligation of the IC to engage with industry on mitigation measures on insider threats?
INFORMATION SHARING DILEMMA
The first panel addressed the obstacles to government sharing of personnel security information with contractors, the lack of information sharing on insider threats, and the legislative options that could foster better information sharing between these entities.
Kevin Phillips, President of ManTech, said “there are 23 different adjudicating agencies and no uniform way to share information.” With no consistency within the general counsels, and different policies within each adjudicating agency, security clearance reciprocity remains difficult to implement.
Due to current interpretations of the Privacy Act and other legislation, if a government agency detects inappropriate behavior by a contractor working at its facility, most agencies AND companies will not disclose the risk. Elizabeth Ames of the CIA discussed routine use and system of records notices, and how those also differ for each agency. A system of records is a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual. The Privacy Act requires each agency to publish notice of its systems of records in the Federal Register.
Ben Powell, former ODNI general counsel, noted the challenges but said “none of these are insurmountable on the legal side. The debate usually stops at the Privacy Act within the IC, but the Privacy Act is a statute that does have exceptions.”
The government’s inability to share basic security information with its industry partners transfers risk instead of mitigating potential insider threats, whether they are threatening to our physical being or to our sensitive information.
FIRRMA AND CFIUS CHANGES
Insider threats tend to be hindsight 20/20, where the triggers or indicators are obvious after the fact. CFIUS was put in place to monitor those transactions as a mitigation technique.
“We know there are foreign adversaries attacking our public and private sector and they’re using channels of investment as a way to do so,” said Klitenic in his keynote speech.
The evolution of CFIUS since 1975 was in response to new threats and the rise of foreign direct investments (FDI) by enemy nations. There were shortcomings with CFIUS, such as too many U.S. agencies having influence (too many cooks in the kitchen) and processes that would require approval from inner agencies complicating the entire process and opening a Pandora’s box that no one wanted to touch.
The goal of FIRRMA is to strengthen and modernize CFIUS to address national security concerns more effectively. This ultimately broadened the authorities of the president and CFIUS to review and to take action to address national security concerns.
Treasury issued the final 2020 regulations in two parts, one pertaining to CFIUS’s general jurisdiction to review investments by foreign persons in U.S. businesses and another regarding CFIUS’s jurisdiction to review transactions in close proximity to certain U.S. real estate. These ‘guard rails’ included a tier program where foreign individuals may not run a business within a certain mile radius (exceptions included residential ownership). The critical technologies pilot program will allow CFIUS to address national security risks and in the process, gain insights that will inform the development of final regulations to fully implement FIRRMA.