• Failed Faith: Why Security Clearances Fail (And a Way to Fix Them)

    October 7, 2013 // 9 Comments »

    (This article originally appeared on Fire Dog Lake)

    Whistleblower Edward Snowden had one of the highest levels of security clearance, and exposed the most secret of NSA work. Chelsea Manning held a Top Secret clearance, and disclosed hundreds of thousands of classified records to Wikileaks. Aaron Alexis held a security clearance and used a shotgun to murder twelve people at the Washington Navy Yard. Over four million other Americans today hold some form of security clearance from the Federal government. Can we trust them? How did they obtain those clearances? Are Snowden, Manning and Alexis exceptions, or was the process one that could never have been expected to work in the first place? What can be done to make the clearance process work the way it was intended?

     

    What is a Security Clearance?

    A security clearance is issued by a part of the U.S. Government (Department of Defense, CIA, the State Department) and says that as a result of some sort of background investigation, and perhaps a polygraph examination, the holder can be trusted to handle sensitive documents and duties and to do so in secret. At the low end, this may mean a contractor like Alexis can enter the Navy Yard without a body search, or at the extremes mean that a person will assume a completely new identity, live abroad, and conduct sensitive, clandestine actions on behalf of the U.S.

    Government-wide there are three basic levels of classification and access: Confidential, Secret and Top Secret. There are formal definitions, but the basic idea is that the higher you go up the ladder, the more harm and damage disclosure would create. Added to this three-tiered system are many subcategories, including Sensitive But Unclassified, for well, unclassified things that are still sensitive, such as an applicant’s social security number, Law Enforcement Sensitive and the self-explanatory like. Once more or less the top of hill, Top Secret, TS, is now supplemented by Sensitive Compartmented Information (SCI), often used to denote information obtained from intelligence sources. There also many, many flavors of Special Access Programs (SAP) that require both a very high level clearance and permission to access just that single project. A clandestine operation against Iran, or the identities of spies in Syria, might be in this category. The military also creates its own lexicon of classifications.

    While the range of what “cleared” people do for the United States covers much territory, the clearance process is largely a variation on a single note: let’s look into what this person has said and done in his/her life prior to seeking a clearance, and then try to extrapolate that into what they will do once cleared. But because, like with your mutual funds, past performance is no guarantee of future success, the process is inherently flawed.

     

    How To Get Cleared

    Despite the wide variety of clearances available, the process of obtaining one is similar. What changes is less the process of looking into someone’s life than the depth and granularity of the look.

    Most everyone seeking a clearance begins at the same place, filling out Standard Form 86, Questionnaire for National Security Positions, form SF-86. The form itself is no secret, and available on line, though many agencies have supplemental forms and requirements not public.

    The SF-86 is mainly a very detailed autobiography, the raw material that fuels the rest of the process. Young people filling out their first SF-86 invariably end up on the phone to mom, gathering old addresses they lived at as kids, birthdays of disconnected relatives, foreign countries visited on family trips and more, a lot more: the SF-86 runs some 129 pages. Some interesting stuff is near the end; almost silly questions such as “Have you ever engaged in an act of terrorism?” and a follow-up requiring you to describe, in one line, “The nature and reason for the terror activity.”

    However, after a hundred pages of names and dates and silly questions, the SF-86 dips into the deal breakers, the questions that weed out quickly those who are unlikely to get very far in the clearance process. Applicants are asked to self-describe financial problems, debts, drug use, gambling, drinking, mental health issues, legal troubles, job firings and more. Whether out of duty and honor, or more likely a thought process that the agency will find out anyway and lying is an automatic disqualification (it usually is; if one lies on a security check, what else is fair game to lie about?), most applicants do tell the truth and easily disqualify themselves.

     

    First Level of Background Checks

    Though the details vary from agency to agency, everyone gets some standard checks run on them. Since U.S. Citizenship is the most basic and unwaivering requirement for a clearance, every applicant’s claim is verified. In my own case (I held a Top Secret clearance for 22 years), investigators obtained a certified paper copy of my actual birth certificate from a distant city, and were nice enough to give it to me when the process was over in case I needed it for something. I’m not sure they’re as nice these days.

    Every applicant then gets a run through whatever databases and electronic records can be found. This step is increasingly detailed as more and more of our lives move on line. The goal is to verify quickly as much of the self-provided data on the SF-86 and to skim off the low-hanging fruit. A serious arrest record, neck-deep financial problems and the like will be easily found. Checks are also run through the various intelligence files (a “National Agency Check”) to make sure while you’re applying for a job at the State Department you are not on some secret list of bad guys over at CIA. Before everything went on line that used to happen once in awhile, though now the biggest problem is both too much irrelevant information and the need to wonder about the accuracy of what was found; that record entry from the Pigeon Hollow local police department from 1983– accurate enough to deny someone a career over?

    Absent any whoppers uncovered, most applicants are given a chance to explain abnormalities. Some say this is to be fair, some say it makes the agency’s job much easier if the applicant will either self-incriminate with even more details, or just voluntarily withdraw knowing she was caught.

    For some low-level or short-term clearances, the process can stop here and a decision is made. The time period varies, but usually is in the area of a couple of months for a background-only clearance. Much of this work, due to the volume and perceived simplicity of the process, is farmed out now to private contractors. Alexis, the Navy Yard killer, had such a background-only clearance, done by a contracting firm in Northern Virginia that specializes in such work for the government. The same firm worked on a part of Edward Snowden’s clearance.

     

    Full Background Investigation

    For higher level clearances, including Top Secret, a full spectrum background investigation is required. Someone, typically a combination of someones including agency investigators and contractors, will comb through the SF-86 and whatever the electronic searches uncover and conduct field interviews. The investigator really will visit an applicant’s home town school teachers, her second-to-last-boss, her neighbors, her parents and almost certainly the local police force and ask questions in person. As part of the clearance process, an applicant will sign the Mother of All Waivers, basically giving the government permission to do all this as intrusively as the government cares to do. This is old fashioned shoe leather police work, knocking on doors, eye balling people who say they knew the applicant, turning the skepticism meter up to 11. The investigator will ask each interviewee to keep quiet about the interview, but typically the applicant will get a hushed phone call or email from some old acquaintance saying the Feds just knocked. Many of the contract investigators at this level are retired FBI or Secret Service people and often will present their old ID to add some gravitas to the procedure. If an applicant lived abroad, the process is tasked out to various liaisons and the nearest U.S. Embassy.

    The process is proactive; the investigator must find people to talk to who know the applicant. If he can’t (say wrong addresses, or no one from the USG can track down an old college roommate now in Tehran) the investigation often “pauses,” sometimes indefinitely. Not being able to find adequate information on an applicant is a big negative.

    As you can imagine, this process is not quick. Most full background investigations take at least a year and complex lives, especially if the applicant has lived abroad and has many foreign contacts, can drag… on… for… years… All this on-the-street work does not come cheap. It is hard to put a number on it, as obviously the complexity of the applicant’s life will dictate costs, but a full background investigation can run $15-20,000.

     

    The Box

    For many agencies, including the CIA and NSA, another step in the clearance process is the polygraph, the lie detector. The federal government polygraphs about 70,000 people a year in connection with security clearances.

    What portion of the polygraph process that isn’t shrouded in movie drama is classified, but the basics are simple; even TV’s Mythbusters show looked into it. The process is based on the belief that when one fibs one’s body involuntarily expresses stress in the form of higher blood pressure, changes in pulse, breathing and perspiration rate. Those things can be precisely monitored. Did you ever steal anything? No? That’s a lie– see here, your heart rate went up 15 percent when you answered.

    The reality is much more complex. Though I have never been polygraphed, I have spoken with many government employees who have been. Here’s what they had to say.

    The whole polygraph experience is set up as a mind game. Subjects can be kept waiting a long time, or left in a too-cold or too-hot room, and interviews can be scheduled and then canceled to create stress. A planted staffer in the waiting room can tell the applicant they are being watched, even make a comment such as “You shouldn’t read that kind of magazine while waiting, they judge that too.” There may be mirrors, real or imagined two-way viewing panels. This is referred to as the pre-test. It sets the stage.

    Some say that the presence of the polygraph machine itself may be mostly for show, and the real nuts and bolts of the process are actually just clever manipulation and interrogation techniques as old as dirt. An awful lot of information obtained via a polygraph has nothing to do with the needles and dials per se, but the applicant’s fear of them and belief that they “work.” Polygraphers are allowed considerable freedom in style, and some get more into role-playing than others.

    That said, most polygraphers will first establish baseline readings with irrelevant questions– “Is your name John?” Yes. “Is your name Micheal?” No. He will try and put the subject at ease, asking softball questions such as “Do you plan to tell the truth today?” Nobody can answer no honestly (it is believed) and this helps create a trusting atmosphere where the polygrapher assures the subject that everyone has told little lies and his job is to sort those out from the “big” ones. The polygrapher will also likely point out things on the charts or “explain” the details of his work; the goal is to plant the idea in the subject’s head that the machine is an accurate way to detect lies. This sets up the next phase.

    The polygrapher will have reviewed the background investigation results and slowly move into the meat of the interview, asking both broad questions– “Do you have a drinking problem?” and specific ones– “Then why did you have this DUI in March 2003?” Many times the got ya’ question, including a why or when or who, is really a way to play off the applicant’s fear and get her to talk. Look at the sequence above. It is unlikely that someone will admit to a drinking problem, yet the next query is about an actual DUI. The applicant’s natural inclination will be to explain, to talk about the DUI, all the time knowing her answer is being run through a “lie detector.” Often the applicant will self-incriminate.

    Lastly, there is the post-interview test, often the time when the most information is disclosed. The subject feels at ease, having “finished” the polygraph. One tactic is, after a lengthy review of the charts and after much hemming and hawing, maybe a sigh or two and a consultation with “another expert” outside the interviewing room, the polygrapher comes in and says “I think you’re a nice kid, and I like you. I know you want this job and I want to help you get it. The problem is, here (gestures to some squiggly line marked in red), where you said you never used drugs, the machine indicates you might not have told the truth. Now, look, I’ll turn off the machine and you just tell me what really happened and I’ll try to go to bat for you.” Self-incrimination follows, game over, thanks for playing today!

    In some instances, only a limited polygraph will be conducted, as opposed to a full-lifestyle test. In a “coordination of expectations” test, used in many military and update-only situations, very specific and limited questions will be asked. Sometimes the subject will even know the questions in advance, such as “Since your last polygraph, have you transferred classified information without authorization?”

    There exists a point of view that the polygraph is indeed more useful than simply as a prop, and that you can “fool the box” physically and pass the test. There are people who purport to teach tricks and techniques designed to do so. The basic idea is to register false anxiety during true relevant questions, thus making your real anxiety on lies less clear. People are taught to clench their sphincter to induce a measurable but false stress reaction, to bite their tongue or to place a tack inside their shoe to poke themselves and send pain-induced stress indicators. Others teach a kind of meditation. As counter-countermeasures, there are rumors of polygraphers placing real or fake “stress” pads on the seats of chairs, and inspecting applicants’ shoes. For the most part, however, the Feds just poo-pooed these ideas, claiming over the years that they were a waste of money because they just did not work.

    Interestingly, however, the government has very recently changed its position, and is now actively seeking to prosecute those who teach “how to beat the box.” Prosecutors have raised the specters of terrorists infiltrating the CIA, or pedophiles securing sensitive positions. The possibility that the prosecutions are only security theater is also real, an expansion of the mind game, given that despite the prosecutions strategies for passing a polygraph are still just a Google away, including on the ever-so-pedestrian WikiHow.

     

    Adjudication

    Up to this point the clearance process has been mostly the aggregation of information. Along the way some applicants might be picked off, people whose U.S. Citizenship wasn’t verifiable, people who made whopping self-incriminations, applicants scared off or afraid what the process might reveal. But overall, most applicants for a clearance end up in Adjudication. And in Adjudication lies the core problem in the clearance process: it relies on human judgment.

    The basics of an adjudication look at vulnerabilities, and especially at past examples of trust kept or violated.

    Vulnerabilities are more concrete, and thus easier, to determine. Historically, people betray their country’s trust for (in rough order) money, sex, ego or ideology. People with loads of debt or a gambling problem are more susceptible to bribes. People with records of infidelity or a pattern of poor judgment with partners might be lured into sexual encounters that could be used to blackmail them. In the bad old days when most gay and lesbian applicants were deeply closeted, this was used as a one-size-fits-all pseudo-reason to deny them employment. Ego is a tougher one to pin down, but persons who lack self-esteem or who want to play at being a “real spy” might be tempted to become “heroes” for the other side. Ideology is a growing issue as more and more hyphenated Americans seek government work and, needing qualified language employees, more and more are recruited by the government. Will a Chinese-American’s loyalty fall to her new home or to the old country? What about a born-and-bred whitebread American, but with a spouse from Egypt? Would his allegiances be blurred? Even if he bleeds red, white and blue, could the Egyptians cajole, blackmail or threaten his spouse’s parents back home to make him cooperate?

    Back in the good old days, when qualification for high level positions required one to be male, pale and Yale, these things were less of concern. Fathers recruited sons, professors noted promising students and no one thought much about the messy range of people now eligible– or sought– for government work. Need fluent Pashtu speakers? You’re going to have to recruit farther afield than the country club. Agencies who used to toss back into the pond pretty much anyone without a pristine background now face unfilled critical positions. So, standards change, always have changed and will continue to change. Security clearances just work that way.

    If vulnerabilities seem sometimes ambiguous to adjudicate, the next category, trust, is actually much harder. Persons who have kept trusts extended to them, not been fired, not broken laws, paid their bills, saw to their responsibilities, are in the Nice category. Those who didn’t end up over in Naughty. The adjudication part becomes important because very few people are perfect, and very few are really bad. Most everyone falls in the middle, and so agencies must make judgment calls.

    For example, in modern America some casual drug and alcohol abuse is not outside the boundaries of normal, especially when it is self-admitted, and done when a person was young and maybe in an experimental phase of life such as college. So, while twenty years ago copping to smoking some weed was an automatic no for a clearance, now, hypothetically, a 26 year old grad student who says she might have smoked a joint four years ago at a party but didn’t like it so did not do it again, and who passes her current urine test, might be approved. Same for debt; it is not unusual for an American today to carry heavy credit card debt or a six figure student loan, but if he’s paying it off, maybe not so bad. Mental health issues are tricky; again, nowadays seeing a mental health professional and taking common meds like anti-depressants is a very commonplace thing with little stigma attached. The key issue under question is whether or not an applicant’s judgment is impaired by a mental health condition, and often real medical professionals get involved to sort this out.

    There are rules and standards for these adjudications, some of which are even on line. The problem is not having or knowing the rules, the problem is figuring out how to apply them. In one of my own assignments at the State Department, I was part of a group that reviewed background investigative reports. I saw a lot of them, mostly new applicants, and was part of a process that was used to help determine “suitability” for employment. The easiest way to win a fight is not to get into a fight, and so instead of formally denying a security clearance and opening a potential can of worms, some agencies conduct a suitability review to basically weed out people unlikely to get a clearance, on a more amorphous, less-challengeable, vaguer not-so-legalistic basis. Different hallway to the same exit door, it is the clearance process at work nonetheless.

    The adjudication process as I saw it was taken seriously. We were taught to look for patterns of life and not at isolated incidents. The goal was to try and come up with a picture of the person, and then project that picture forward into what they might be like on the job. Like any human-powered process that attempts to predict the future, it was flawed. After pushing the Eagle Scouts to one side and the convicted arsonists to the other, there was always a big pile left in the middle. And we knew that at least statistically we probably made some errors approving the Eagle Scouts and some mistakes turning down at least a couple of the arsonists. The race is not always to the swift and sure, but that’s the way you have to bet.

     

    So How Did Snowden, Manning and Alexis Get Cleared?

    Snowden is the easy case. Based on what is publicly available, Snowden was a slam dunk approval. He had held high level clearances with the government for many years without issue. He did not have any drinking, drug, debt, mental health or personal problems. He seemed like a relatively dull guy actually. Nothing in the security clearance process could have ever peeked into his head and found that he was a person of conscience who decided to blow the whistle and radically alter his life to bring the NSA’s sleazy, illegal activities into daylight. While the NSA certainly should be blamed for unbelievably lax internal controls on who could access and copy its data, the clearance process worked exactly as it was designed to work. Claims that short cuts in the process were at fault are wrong.

    Chelsea Manning is at best a gray area, and likely should never have been given a clearance. She made little attempt to hide her gender confusion inside a hyper-macho world, struggled against the Army system at every turn, fought physically with her supervisors and was alienated and ostracized by her peers. Despite all that, she was deployed into an environment where counseling was unavailable, where security and supervision were lax to the point of criminality and where the stresses of combat conditions pressed heavy on everyone. It is unclear why she was cleared, though the most likely reason was that the Army was desperately short of analysts and could not afford to lose one, even one stuck in a slow-motion train wreck.

    Alexis, the Navy Yard killer, should never have been granted any security clearance. His was a preventable tragedy. Because he held only a lower level clearance, it is very likely that no field investigation took place. All those friends and family members the media found who readily told of his problems with hearing voices, violence and drink were likely never interviewed by the government contractor assigned his case. One screaming red flag, Alexis’ lying about a gun-related arrest, was not considered significant. The system failed for various reasons to pick up on his string of other arrests, and no one seemed to care about his uneven service record in the Navy. Clear human error, likely as a result of turning such clearances over to the for-profit sector.

     

    What’s Next?

    Picking up on Alexis in particular, it is important to note that the clearance process is not a real-time endeavor. Someone applies, some sort of background check is done and a clearance decision is adjudicated. Next case, please. Most clearances are only reviewed every five years and then investigators lean heavily on anything new or changed, and especially on the subject’s performance those five years. There is no 24/7 continuous reevaluation process. A felony arrest properly documented might pop up, and many agencies yearly run standard credit checks and conduct random drug tests. But overall, absent something self-reported or too obvious to ignore, a clearance rides for five years, sometimes literally with no questions asked. How could it be otherwise with over four million active cleared Americans strung across the globe?

    Following Snowden, Manning and now Alexis, much noise will be generated about “doing something.” But what? Dramatically increasing the number and scope of on-the-street investigations will spiral wildly into crazy expenses and even longer waiting periods. It could bring the hiring process to its knees, and spawn more and more “temporary clearances,” a self-defeating act. This all with no assurance of better results due to both limitations on the whole concept (see Snowden) or human judgment errors (Alexis). If done properly, such changes might catch a few of the Alexis’ out there, but to be honest, there are few Alexis’ out there to begin with and most of them will be sending up obvious danger signals at work long if anyone would pay attention before a clearance review catches up.

    It is certain that many in the government will call for more aggressive “monitoring” of employees, having them sign away basically all of their civil rights in return for a job. The government will turn its vast intelligence gathering tools further inward and end up pointlessly compiling CIA officers’ credit card receipts from Applebee’s, the web browsing habits of diplomats’ children and so forth. In truth, a lot of that is probably already going on now anyway (the CIA and other intel agencies have had for years robust counterintelligence operations designed specifically to spy on their own spies.) Yet as noted, even ramped up, real-time monitoring would not have caught the current Snowden and is unlikely to catch the next Snowden (albeit to the nation’s broader benefit!) You just can’t see into a person’s head, or his heart.

    In addition to a huge waste of money and resources, these measures will inevitably lead to more mistrust and paranoia inside government. Lack of sharing (the CIA believes things it shares with State get leaked, the Army won’t give things away to the Navy, the FBI hoards info so as to not let another agency get credit for the bust, the NSA doesn’t trust anyone, and so forth) is already an issue among agencies, and even inside of agencies, and helped pave the way for 9/11. In addition, handing even more power to security teams will also not work well in the long run. Hyper-scrutiny will no doubt discourage more decent people from seeking government work, unwilling to throw their lives open for a job if they have prospects elsewhere. The Red Scare of the 1950s, and the less-known Lavender Scares, when labeling someone gay inside government would see him fired, show what happens when security holds too many cards. James Jesus Angleton’s paranoid mole hunting at CIA, which ruined many careers, is still a sore point at Langley. In my own case, my unblemished clearance of 22 years was suspended because of a link on my blog. The link was pedestrian but the blog offended the State Department politically, and security was the tool they tried to use to silence me. No, unleashing the bullies won’t help.

     

    Fixing It: Less is More

    As a wise man once said, cut through all the lies and there it is, right in front of you. The only answer to the clearance problem is to simply require fewer cleared people inside government.

    This will require the tsunami of document classification to be dammed. In FY2009 alone, 54 million U.S. Government documents were classified. Every one of those required cleared authors and editors, system administrators and database technicians, security personnel and electronic repair persons. Even the cafeteria personnel who fed them lunch needed some sort of vetting.

    With fewer people to clear, always-limited resources can be better focused. Better background checks can be done. Corners need not be cut, and unqualified people would not be issued clearances out of necessity. Processing time would be reduced. Human judgment, always the weak link, could be applied slower and more deliberately, with more checks and balances involved.

    More monitoring won’t help and will very likely hurt. In a challenge as inherently flawed as the clearance process, the only way forward is less, not more.

    Related Articles:




    Copyright © 2014. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity. Follow me on Twitter!

    Posted in Democracy, Embassy/State

    How to Keep/Lose Your Security Clearance at the State Department

    May 5, 2012 // 10 Comments »




    As an aid to all current and future State Department employees, here are examples of how to keep/lose your security clearance. These example are important, because the Bureau of Diplomatic Security (DS), which grants and withdraws clearances, operates as a type of black hole: information goes in and decisions come out, but nothing that happens inside is visible. One never knows why a decision was made, or on what basis.

    With DS, facts can be hidden from Freedom of Information Act requests and even court-ordered discovery in the name of “security,” and thus manipulated to document pre-determined outcomes. What is called an investigation can morph into an indictment, where the goal is to keep fishing until something, anything, comes up. Actions by Diplomatic Security at the State Department occur without any independent review, and are largely not appealable to the Courts. Diplomatic Security, unlike its counterparts at the Department of Defense and other agencies, even refuses to use the “substantial evidence standard” mandated by the Administrative Procedures Act.

    Here is how to keep your security clearance:

    Commit rape. Tracy Barker, who says a State Department employee sexually assaulted her in Iraq in 2005 has won $2.93 million in arbitration from KBR, the military contracting company that employed her. KBR denies a rape occurred while Ms. Barker remains clear that State Department employee Ali Mokhtare assaulted her in Basra, Iraq. Investigators asked that the State Department suspend Mokhtare’s security clearance, but that request was denied. Clearance remains.


    Here is how to lose your security clearance:

    Write a blog. You can read more here. Clearance suspended.




    Related Articles:




    Copyright © 2014. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity. Follow me on Twitter!

    Posted in Democracy, Embassy/State

IP Blocking Protection is enabled by IP Address Blocker from LionScripts.com.