Leak Puts New Spotlight Around Security Clearance Process

Not at all unusual, and when I saw all of that pushback, it made me die a little bit inside because I feel like there was so much ignorance around this issue and the fact that we need young people in national security careers and that we have a vast number of 18-to-21 year olds who have a Top Secret security clearance because they are performing intelligence, IT, various functions that actually do require that level of eligibility. Now, I think the money question here is, did this airman have the need to know for the specific piece of information that he had? I’m not sure, and I don’t know enough to comment. But I think saying that he needed a top secret security clearance based on his position facility is not the issue. I think, definitely, it looks like his position was, one, serving in that intelligence wing, to have a top secret security clearance was not an issue, and I always have that pushback.

Do we want people to be cleared less? Do we want less vetting for folks who are working in those positions? I think the answer is no. Do we want better data security around things? Absolutely, but I think getting somebody vetted at the right level for someone who is potentially going to deploy or is supporting troops in different locations and supporting key senior leadership and having access to a secure IT system, just being on or aware of that system would require some form of security clearance, and that is not at all uncommon and not the issue, I think, at hand.

That was my experience as well. I mean, certainly the vast majority of clients, when I was practicing law and defending security clearance holders, the vast majority of clients that we had were not 21 years old, but it was not uncommon either to have college age students who were even getting an internship for the first time where they were going to go intern at the CIA or the State Department or somewhere that they were going to be working on really sensitive information. And I always tell people who aren’t familiar with Washington, D.C., that is a city run on interns and young 20-somethings. I agree with you that it’s kind of the wrong thing to focus on. I think what was more interesting about this, to me in particular, is what this says about some of these online communities that are out there and the extent to which they have a draw and this sort of false sense of safety, security, friendship, for a lot of young people.

And so, what’s your sense on this? I mean, do you feel like this is becoming an emerging issue or something that the intelligence community is looking at more seriously now?

I think for sure. I think we’ve known or seen this move for a while, that young people are definitely more active online, definitely more tied to online and virtual communities, sometimes than they are their communities of people next door, and that’s something the process definitely has to look at because I think we used to have this… I mean, you remember as a background investigator, you’re talking to neighbors. How much viable information can you actually get from somebody’s neighbor today based on how we do our communities? A lot of folks have taken those same connections and put them online. The interesting takeaway that I’ve also heard from some folks across government and out is talking about the fact that we used to be worried about the honey pot scheme, now we need to worry about the gaming scheme, and we’ve seen that. This isn’t the first time folks have shared classified information on gaming platforms to build clout. So building clout online and feeding that through these online communities and forums is an emerging issue and one that we’ve just really seen bubble up over the past several years.

I think that’s been, really, one of the more astounding things, from my perspective, just kind of… As an amateur psychologist, if you will, the extent to which some of these younger folks do feel the need to build that “street cred” or clout, as you put it, within these online communities. And in doing so, engage in really extraordinarily risky behavior, whether it’s this sort of thing, whether it’s bragging about illegal activity that they’re doing on the dark web. I’ve seen some pretty wild stuff over my career. Some of the internet stuff, I think with the shield or the perceived shield of anonymity that comes with it, people are willing to say and do a lot of things that they might otherwise be very hesitant to do in person. I guess I would be interested, first of all, to know, in all of the cases that you’ve read of the security clearance denials and revocations in recent years, have you seen this as a problem? Or if not, now that we certainly know, at least anecdotally, that there’s an issue with it, what, if anything, can we be doing better to sort of root this out?

Yeah, looking through, I can’t think of a DOHA case that I’ve read or an appeal case through another agency that was as specific as this around some issue where somebody shared something and it was found out through an online forum or a video platform, but I think it’s something that’s been pointed to. There was a RAND study, but I think it was like a year or so ago that they released, and it talked about the need for this cyber vetting scenario saying that the risk factors that we’re seeing for young people, a lot of them are around what folks are doing and sharing online and how do we create better questions in the security clearance process around that? Now, I do think the personal vetting questionnaires, the update to the SF 86 form that they’re looking at, tries to dig in a little bit more around that unauthorized disclosures piece and vetting out for who is potentially likely to disclose information, but that is a really nuanced problem and really hard to vet out. When you look at the adjudicative guidelines, it’s not as straightforward as doing drugs or not doing drugs. Kind of having a borderline narcissistic personality that likes to get recognition on the internet is… I mean, you’re a former background investigator, that’s a tough one to figure out.

A hundred percent. I mean, I do think where, potentially, this sort of thing can get picked up with the existing process is, at least in theory, my sense is that somebody who’s engaging in that type of behavior online and demonstrating that type of narcissism or willingness to take risks, presumably there’s some spillover of that in their personal life where people who are being interviewed, for example, as references, might be able to say, “Yeah, I’ve got some concern about this person.” If they don’t have anything to back it up with and it’s just sort of general concern, that’s not enough. There has to be some sort of concrete evidence of poor judgment or reliability issues or something along those lines. I do think that this is certainly something that’s going to have to be looked at more seriously going forward. I’m somewhat leery, just as a general principle, of government involvement in the internet.

I mean, I think that most of us are skeptical of government meddling in personal affairs and things like that, but when it comes to security clearance holders, there have been some suggestions that I’ve heard floated recently, which are, for example, requiring people to list usernames that they use for any online forums or social media or anything like that on their SFFA 86, much as crypto now is being required to be reported to the IRS because that was the wild west of finance. So have you heard specifics recently about anything like that or is this still in the very early stages?

I haven’t heard specifics. My impression was that that was going to bubble up because the social media monitoring piece of it has been on this drumbeat that we hear, “Why isn’t the government doing this?” But my pushback here is, even with social media monitoring, you would not have figured out this breach. So I feel like tamping down the data happens at the point of where the spillover happened, where the individual is accessing the information. I think we’re coming at it from the wrong side. So I think people want to attack the policy and the vetting process right now. I don’t think there was anything wrong with the vetting process or anything in policy that would’ve caught this guy. What you need to ask is, why was he accessing what he did and was he accessing things that he shouldn’t have? And that’s where I think the government should have a process to say… Because we’ve seen it with other cases. With Reality Winner, with Snowden. They were all, at some point, accessing things beyond what they needed to.

And there are so many technologies right now, and there are people dying to take the government’s money to help with this right now, I feel like. So how do we track that side of it? I always push back, it’s not a security clearance policy or even a vetting process issue, it is an access to classified information issue and we should have the expectation of privacy. I still want my privacy. I want to be able to go to all of the crazy online internet sites I want to and have my First Amendment rights, but we’ve talked about before, once I access the government system, I get that notification they’re monitoring what I do and I should not have that expectation. So the minute that airman started printing documents for the love of Pete, somebody should have asked, “Why in the heck…”

That’s my bigger question. A 21 year old carrying around paper is the biggest security red flag I’ve ever seen. I haven’t printed off a document in a decade.

Right.

That’s like… If I see a 21 year old with paper and if he’s not applying for a job with a paper resume, I’m like, you’re definitely a danger.

Oh, I completely agree. I mean, I think you’re a hundred percent spot on that this is being looked at, probably, from the wrong angle. I mean, I do think there is some peripheral value in, for example, requiring security clearance holders to disclose usernames for various online forms that they might be participating in because obviously people say crazy stuff online and if you have somebody who’s spouting off really hardcore, “Let’s take down the government,” Kind of stuff, or you have somebody who’s using an online persona to go out and harass people or things like that. I mean, there are scenarios that I could foresee where that type of information would be valuable from an adjudicative standpoint, but from a bigger picture, I think you’re right, this does boil down to, why did this person have access to the information? And yes, I guess he worked in IT, and so that opens up Pandora’s box apparently.

But I was sort of thinking back to when I was a really young, early 20 something and I had a clearance at the SCI level, what sort of stuff I was accessing. And to be honest, I think I was probably accessing a lot of stuff that I didn’t have a need to know just because it was like, “Hey, I’m curious. What’s out there?” And I don’t remember anybody really stopping me or saying, “Oh, you shouldn’t be looking at that.” Now, granted, I also wasn’t sharing it publicly, I was just sort of consuming it on a personal level, but it definitely does surprise me that there are not better and more robust controls in place on just a physical level to prevent this sort of thing. And so I think that does speak to a glaring vulnerability that needs to be addressed.

For those of you who are listening and have a clearance currently, I would certainly brace for some additional safeguards and measures to be put in place in pretty short order, and I think unfortunately, the reality, and this is the case with anything like this, is, the people who are really going to have to deal with the consequences, the non-legal consequences, are the rest of us.