WASHINGTON: Spurred by the Navy Yard shootings, the Pentagon has effectively gone back to 1999 and is again considering slashing the number of people who get Secret and Top Secret clearances. The Defense Department also may engage in persistent monitoring of all cleared employees to make it harder for those with family or money troubles, mental illness, or a sudden desire to loot their country’s secrets to engage in espionage or violence.
Very little of this is new. Former Deputy Defense Secretary John Hamre, now the head of the Center for Strategic and International Studies, tried without much success to push the Pentagon to amend its approach to classification and to clearance. The Defense Science Board report on globalization — a seminal December 1999 paper still worth reading — that Hamre commissioned said this:
“Few of the many U.S. citizens who have betrayed their country over the last 50 years entered government service with the intent to commit espionage. People and their circumstances change through time. Thus, while a background investigation may provide solid information regarding an individual’s past, it can never reliably predict future conduct. Nor should we expect it to; there is a limited life history and range of experience on which to base a judgment. Inevitably, some public servants will during the course of their careers see their marriages fail, develop a dependence on drugs or alcohol, overextend themselves financially, become disgruntled employees, etc. Of these, only very small percentages—yet still too many in absolute terms—become serious security risks. The five to 10 years between clearance reinvestigations is far too long to wait to detect such developments.”
So the problems have been known for some time and little has been done to fix them, aside from shortening the time it takes to get a security clearance.
The three reports released Tuesday assess the weaknesses in the government’s security regime that allowed a troubled employee who had recently been questioned by police and flagged as mentally ill to walk into the Navy Yard with a gun and kill 12 people. We will leave the specifics that deal with the shooting itself (covered capably elsewhere), and focus on the larger strategic recommendations from the independent panel and the immediate actions ordered by Defense Secretary Chuck Hagel.
Top of the list has to be Hagel’s decision, “to establish automated reviews of cleared personnel that will continuously pull information from law enforcement and other relevant databases.” For example, if police respond to a call about a cleared person acting strangely, this would cause an automatic warning to be issued to security supervisors. That monitoring will generate much more data much more quickly than the current system is designed to handle.
To manage all that information, the Pentagon will create an Insider Threat Management and Analysis Center to gather and analyze the automated record checks and decide what to do with the information. One person in the office of the undersecretary for Intelligence will be responsible for this and for physical security at DoD installations, consolidating functions now spread across several offices.
One of the problems familiar to anyone who has been interviewed for a security clearance is that most of the personnel involved are, to be polite, not the crack folks from any organization or company. Some are very young and inexperienced. Some are retired government employees on their second career. Having been interviewed by five of them and spoken to many military and civilians about their experiences over the last decade, one factor stands out: the quality and depth of the interviews is deeply worrying, to put it nicely. The need for an in-depth polygraph interview stands out, as does the need for forensic investigation of people’s finances. It already costs almost $4,000 to do a Top Secret clearance. I would argue much of that is wasted, especially given the mechanical nature of the investigations and the fact there are five to 10 years between investigations.
Clearly wary of the quality of interviews done by outside companies, officials said at the Tuesday press conference that the Pentagon may follow the State Department and do clearances itself. That should result in better personnel standards and training, if it’s well managed. Making the whole process more effective will require much closer analysis of personal data and less reliance on stupid standards such as automatically suspecting people because they or their parents weren’t born in America.
Again, the DSB Globalization study states the broad problem simply and effectively:
“DoD will likely never be able to assure that all military, government and industrial personnel with access to sensitive information or equipment are trustworthy and reliable. Realistically, the security investigative and screening process can do little more than identify individuals with criminal records or other conspicuously irresponsible conduct. For too long, however, government employees and organizations alike have acted as though the granting of a security clearance eliminated the need to remain vigilant or assume responsibility for the conduct of subordinates and colleagues. In short, unrealistic expectations of the clearance process have undermined, albeit unintentionally, the very alertness, accountability and situational awareness that are increasingly necessary to provide security in a networked world.”
The study also knew what needed to change, calling in 1999 for DoD, “to develop an enhanced situational awareness approach to personnel security that takes account of new vulnerabilities, threats, and response requirements. Many new technologies hold the seeds of effective defensive options. For example, DoD is currently exploring the near real-time data mining of financial and foreign travel databases, as well as the detection of computer misuse, to be used in concert with other contextual leads. Increased use of information technology can also assist in implementing more effective access controls, automated monitoring and audit capabilities, and stronger identification and authentication of users as well as encryption of data. Taken in concert with a policy of compartmentation, these measures can represent an effective response designed to counter the threat posed by both insiders and outsiders with malicious intent.”
But there’s another problem that the Pentagon needs to cope with and has always resisted. Way too much information is classified, all the way from For Official Use Only to Top Secret. At Breaking Defense, we publish documents on a regular basis that are FOUO (here’s the latest example). Why? There is no rational reason for anyone to have wasted time and money stamping most of these FOUO, aside from covering one’s bottom. Let us once again go to the DSB study for wisdom:
“The Task Force is convinced that far more information than necessary is classified Secret or Top Secret by the Original Classification Authorities. As a result, the DoD personnel security program is forced to sweep too broadly and is consequently spread thin. Over-classification also leads to an over-allocation of DoD security resources to the protection of classified information at a time when greater resources must be devoted to developing new types of security measures tailored to the challenges created by global information technology.”
Almost 14 years later, the Pentagon finally is considering a recommendation to cut the number of people cleared for Secret by 10 percent. The Independent Panel that Hagel charged with reviewing DoD’s clearance and security processes notes that the number of people with clearance has tripled in the last 13 years and recommends the reduction in numbers. It put the problem this way:
“Since 9/11, the number of clearances annually approved by DoD has tripled, and continues to grow. This growth magnifies the challenge of investigating clearance seekers, judging their applications, and periodically reviewing them after they are approved. A deeper problem helps fuel this growth: DoD fails to adequately apply the mandate that the Department grant clearances only those who require them (i.e., those whose positions and responsibilities give them a “need to know” classified information).”
All the above takes place under the umbrella of a wider effort by the Obama administration to improve the security of sensitive US information in the aftermath of the Navy Yard shootings. The Office of Management ands Budget released its report yesterday.
OMB said the federal government’s priorities are: “improving access to relevant information, especially state and local law enforcement records, and accelerating the shift to a continuous evaluation model across government; improving risk management approaches to reduce vulnerabilities in our current processes, including reduction of the total number of clearance holders and the backlog of periodic reinvestigations; and improving enterprise operations, to include strengthening oversight and government-wide implementation efforts while effectively managing limited resources.”
The government knew it needed to do most of these things in 1999. Will they act this time?