A new wave of news coverage for alleged leaker Airman Jack Teixeira spiraled after an 18-page filing from the U.S. Justice Department outlined several significant issues from Teixeira’s past, including disturbing statements allegedly made in high school along with social media postings made more recently. The news has caused a Twitter and major news outlet storm of criticism around the security clearance process, with many saying the background investigations process is broken and the system of granting security clearances a failure. Even worse, a number of news outlets are implying that systemic issues are flooding the security clearance community with racist, extremist, unfit professionals.
In my opinion, that’s simply not the case.
Yes, the security clearance process could be better (unfortunately, that’s probably always going to be the case). Yes, there were clearly issues in Airman Teixeira’s background that raise red flags. No, it’s not clear that the system ‘missed’ something it should have – but that in a world where risk can never be eliminated, but only mitigated, more needs to be done to protect sensitive information.
Lost in translation with the release of court documents is that the criminal justice system is one thing, and the security clearance vetting system entirely another. The security clearance process is very specifically limited to ascertaining if behavior is likely to lead to an unauthorized disclosure of classified information. In that vein, the whole person concept is applied to ensure it’s clear you don’t have to be perfect to have a security clearance – but you do need to be trustworthy. The security clearance process is limited in breadth and scope, and it’s entirely possible that issues that would come up in a court filing would not be a part of the background investigation process. Incidents that took place when an individual was a minor, or that never resulted in a criminal citation may not be an issue. Personnel subject interviews and reference interviews may take place – but without reviewing the notes, it’s impossible to say if they revealed more troublesome issues or if they mitigated the red flags.
Statements made by Teixeira in the criminal complaint are disturbing. But it doesn’t outline where they are found. If they were posted under usernames only known today, even a robust social vetting system would be hard pressed to find them.
Who Has a Security Clearance?
Blanket characterizations are never a good look. Unfortunately they’re often the norm. I do not believe we are facing a widespread, systemic issue of extremists overrunning the security clearance population. We just don’t see the numbers to support it. The Capitol Hill riot caused a worthwhile and necessary look into why service members were among those arrested. Five service members out of 800 is too many. But 5 out of a military population of over 1 million is another perspective. Every breach is one too many. But one breach out of a population over 4.6 million is also not systemic.
The process can do better. And it knows it. Office of Management and Budget Deputy Director Jason Miller recently announced new security clearance processing benchmarks – and how process improvements over the next several years would be needed to get there. The Trusted Workforce 2.0 effort has fundamentally overhauled the security clearance process. We know more about candidates today than we did even five years ago. And we have better frameworks for even self reporting and reporting issues with coworkers – and for seeking help when it’s needed.
The Security Clearance Vetting Process Isn’t Broken – But Something Is
The bigger (and much, much more complex issue) is still access, accountability, and need to know. Did Airman Teixeira need to see the information he was accessing? How did he print it and remove it from a secure facility? And were there red flags that should have been identified and reported up by leadership or coworkers through insider threat training programs? We also can’t assume the airman had signed the proper nondisclosure agreements and was aware of his own role in safeguarding what he had access to. Security training can be a check the block. Or fail to occur properly, particularly in overstretched Guard units.
The reality is – the pendulum between productivity and protecting accessibility is in a frequent seesaw. Post 9/11 there was a significant push across the Intelligence Community to better share information. Post Snowden, we saw some tightening of controls and access. In the years since – as we face a significant cleared talent shortage and had security clearance backlogs of 500+ days, making onboarding talent a nightmare – the need for productivity may have created another shift where need to know has not been as adequately enforced as it needs to be.
The elephant in the room
The ongoing elephant in the room is overclassification – are we currently drowning in so much information that is improperly classified, that we’re not adequately protecting information that truly needs to be? And have we created confusion with our classification designations? Those are much bigger questions than a single article or news cycle will solve – and likely why they’re not the ones being asked.
What Is and What Isn’t
Rare is the mainstream media article mentioning major security clearance reform efforts, including the elements of Trusted Workforce 2.0 being implemented today – the phased rollout of continuous vetting and the two major muscle movements yet to be accomplished – the move from a 1.5 CV vetting solution to a 2.0 vetting solution (basically, more records being checked). Another big change today is the rollout of CV across the entire trusted government population – which actually has the potentially to create a greater number of flags and more outcry about the state of the security clearance workforce.
The security clearance background investigations process isn’t perfect. It could be better. But two things are true – it’s vastly better than it ever has been, and it’s also not clear even the progressive solutions proposed would have precluded Airman Teixeira’s eligibility. You can hide your crazy comments anonymously in a dark website or private forum like Discord. And unless you’re willing to accept Minority Report (*cough PRISM *cough) – statements you make online may not be caught even with a robust social media monitoring program. The reality is that age, immaturity, and passage of time are mitigating factors for many issues. We may find out that there were issues that were missed in a background investigation. But my person opinion, as of this date, is that saying so is an overstatement of the facts, and interpreting the security clearance background investigation process under the same lens as a criminal investigation – and the two are vastly different.
National Security Is a Community
The national security community still constitutes a great, mission-focused and vast group of professionals, many of whom have sacrificed higher pay, time with family, and great personal sacrifice to promote national security both at home and abroad. To characterize the workforce as rampant with extremists and incapable of vetting for them misses the point. Workforce issues, and security issues, are best uncovered and addressed at the management level. Perhaps the greatest takeaway from the current debate is that it is mission-essential in the national security environment to have better awareness of what your cleared employees are doing (ie, printing documents in a SCIF should not be one of them). Companies, military agencies and organizations need to have management structures and ongoing training that helps address issues. And as always, the best scenario for protecting classified information is to develop the proper need to know around information, and improve overclassification so we’re only protecting what needs to be protected.
With growing budgets, ongoing hiring needs, and growing threats (you don’t have to read a bunch of classified documents on a Discord channel to know that), breaking our security clearance vetting process and creating another 500+ day wait for a Top Secret security clearance is simply not the best option – but one I fear we may be barreling toward. Instead of just attacking the process at the person, attack it at the document. I hope the Information Security Oversight Office (ISOO) is getting the interest, oversight, and resourcing that the vetting and policy proponents are.
