The federal government’s security clearance process has been under intense scrutiny since last year’s Washington Navy Yard shooting by Aaron Alexis, a Marine Corp contractor with secret-level clearance and Edward Snowden’s unprecedented leak of classified information. In March, Defense Secretary Chuck Hagel pledged to correct “gaps or inadequacies in the department’s security” that could facilitate these types of incidents. If the federal government applied the same sort of risk analysis tools that insurance companies perform when they take on new clients, we could remove internal threats and maintain the safety of federal employees and government contractors.
The secretary’s announcement came shortly after the Obama administration released recommendations for changing the security clearance process for government employees and contractors following an extensive review by the Office of Management and Budget, or OMB. The administration called for better background investigations and continuous evaluation of the 5.1 million people who hold security clearances, including confidential, secret or top secret.
Under the current system, federal employees granted ‘confidential’ clearance are re-checked every 15 years. Security clearances at the secret level are reviewed only 10 years. A top secret clearance is reviewed only every five years . But major life changes can occur within any 5, 10- or even 1-year timeframe, such as bankruptcy, liens or financial troubles, arrests, criminal activity, undue foreign sympathy or influence, marital status changes and drug abuse that can affect an individual’s stability.
Clearance holders are required by law to self-report these changes, but very rarely does that happen. Because of lengthy periods between reinvestigations, red flags in an employee’s background go unnoticed and troubling gaps in the security clearance process pose serious internal threats. In fact, Hagel’s review found that threats to military and civilian personnel and DOD contractors were increasingly coming from within, including from colleagues with security clearances.
Not only does the government face the monumental task of maintaining accurate and current information on employees, many agencies face a huge backlog of reinvestigations. OMB found about 22 percent of top secret and secret clearance holders were overdue for review. Agencies simply lack the necessary resources required and a solution to continuously monitor all of the clearances manually. Hagel’s proposed changes will require time and technology before it can offer real-time alerts. Until then, agencies will most likely have to focus on reviewing a subset of clearance holders – either by random selection or by targeting individuals – which still leaves gaping holes in our nation’s security and counterintelligence efforts since troubled individuals may be overlooked. This is a serious issue with serious consequences.
The government is being asked to provide solutions by September 1 in the 120-day report. Many agencies, and defense and intelligence contractors, are considering approaches beyond traditional physical security and network system log reviews, focusing on life events for a full picture of the sort of risk an individual may pose.
We need to move from checking clearances every few years to continuous evaluation. To get rid of the backlog the government needs to better automate the security clearance process. They need to understand who they are dealing with, what is going on in their life and their associates, all valuable information in assessing an individual’s risk profile and doing so in closer to real time. Agency officials need to be able to receive an automated alert of certain life changes, such as a marriage, divorce, bankruptcy, or one of the other items noted above, allowing them to make a decision on appropriate next steps. The way to do this is to automatically monitor millions of cleared individuals with data from public records, social media and government data sets.
The government also needs to make greater use of big data through a risk- and analytics-based approach. By looking at personal risk behavior data, agencies can make better and faster decisions on who needs additional scrutiny. In fact, this process is similar to monitoring systems already in use by the insurance and financial industries, which for years have been successfully determining if individuals qualify for insurance and loans and at what rate they should be charged. They determine premium and risk by taking into account an individual’s history and assigning a risk score. These same statistical models can be customized to support the risk modeling of individuals with security clearances.
The idea of continuous workplace monitoring may sound invasive to an increasingly surveillance-wary public. But when a government employee seeks clearance, which often comes with the ability to monitor or analyze sensitive information the public can’t access, that employee voluntarily gives permission for ongoing reviews and has no expectation of privacy.
Our concerns about government eavesdropping don’t apply to this situation. The problem isn’t privacy; it’s that we aren’t monitoring our monitors.
Fixing these glaring problems as quickly and as efficiently as possible before another tragedy occurs should be a top priority for our government. The government needs to be proactive, with the ability to monitor every individual with a clearance for potential risks. There are solutions that can make this an easy process, serving as a key function in maintaining our national security.
Steve Nguyen is vice president of government solutions and LexisNexis Special Services Inc. at LexisNexis.