In the wake of last week’s announcement that the individual allegedly behind the leak of hundreds of classified documents on a gaming community was a 21-year-old Massachusetts National Guard member, many have (again) been questioning who has access to classified information and if the government is issuing too many clearances. My answer to the question of whether or not too many people have a security clearance is always a resounding ‘no.’ Believe it or not, the government does a good job of tracking its security clearance population overall, even providing regular updates on the number of individuals currently using their clearance eligibility (along with those who are eligible but out of access).
The details of the leak investigation are still forthcoming, but what seems clear to date is that the issue was one of process, not policy. In the wake of any major leak or breach, it’s common for critics to consider what aspects of the process may have gone wrong. Hindsight will always be 20/20, and there may have been issues in Teixiera’s background that should have presented red flags – but often there are not. The government has worked hard in the post-Snowden era to increase the robustness of it’s insider threat training programs. It’s also created frameworks where public-facing social media can be used in the security clearance eligibility process. The government does a much better job of both identifying and addressing potential risks than it did before.
The overall vetting process, including Continuous Vetting, goes far beyond what the security clearance process of even a few years ago was able to consider. In contrast to an era when self reporting significant issues was the only option, today the government has insight into a number of issues that previously weren’t disclosed.
Cyber Vetting
The topic of social media monitoring is a frequent one that comes up in conversations about addressing insider risk and domestic terrorists. While the government has piloted programs to consider social media as a part of the security clearance process, and has a cyber vetting policy, to-date those efforts have been limited in scope and scale. It’s unclear if the reward is worth the effort when it comes to scaling up social media monitoring, but my guess is that is a question the government will get asked with more scrutiny in the weeks to come.
Document Tracking
The big issue in the Teixeira case is how he removed classified documents from a sensitive facility. In the year 2023, the issue shouldn’t be whether or not a 21-year-old should have a Top Secret security clearance (many do) – but why one was walking around with paper. Seriously. Unless Teixeira’s role required him to print off documents from his secure facility, his process of printing, removing from his workplace, and then taking home to document for his Discord community is the bigger issue.
Taking a step back, and looking into how the pendulum swings between information sharing and need-to-know is another aspect of the process that will be under scrutiny in the days and weeks to come. The balance is a difficult one to find, but better tracking of cleared employees (not fewer cleared employees overall), is key.
