How to Fix the Government’s Security Clearance Mess

Navy security stands watch at the Washington Navy Yard, Sept. 19, 2013. The Washington Navy Yard began returning to nearly normal operations three days after it was the scene of a mass shooting in which a gunman killed 12 people.

Charles Dharapak/AP

AA Font size + Print

Navy security stands watch at the Washington Navy Yard, Sept. 19, 2013. The Washington Navy Yard began returning to nearly normal operations three days after it was the scene of a mass shooting in which a gunman killed 12 people.

We need to continuously monitor who has top secret clearance. Here’s how. By Steve Nguyen

The federal government’s security clearance process has been under intense scrutiny since last year’s Washington Navy Yard shooting by Aaron Alexis, a Marine Corp contractor with secret-level clearance and Edward Snowden’s unprecedented leak of classified information.  In March, Defense Secretary Chuck Hagel pledged to correct “gaps or inadequacies in the department’s security” that could facilitate these types of incidents. If the federal government applied the same sort of risk analysis tools that insurance companies perform when they take on new clients, we could remove internal threats and maintain the safety of federal employees and government contractors.

The secretary’s announcement came shortly after the Obama administration released recommendations for changing the security clearance process for government employees and contractors following an extensive review by the Office of Management and Budget, or OMB. The administration called for better background investigations and continuous evaluation of the 5.1 million people who hold security clearances, including confidential, secret or top secret.  

Under the current system, federal employees granted ‘confidential’ clearance are re-checked every 15 years. Security clearances at the secret level are reviewed only 10 years. A top secret clearance is reviewed only every five years . But major life changes can occur within any  5, 10- or even 1-year timeframe, such as bankruptcy, liens or financial troubles, arrests, criminal activity, undue foreign sympathy or influence, marital status changes and drug abuse that can affect an individual’s stability.

Clearance holders are required by law to self-report these changes, but very rarely does that happen. Because of lengthy periods between reinvestigations, red flags in an employee’s background go unnoticed and troubling gaps in the security clearance process pose serious internal threats. In fact, Hagel’s review found that threats to military and civilian personnel and DOD contractors were increasingly coming from within, including from colleagues with security clearances.

Not only does the government face the monumental task of maintaining accurate and current information on employees, many agencies face a huge backlog of reinvestigations. OMB found about 22 percent of top secret and secret clearance holders were overdue for review. Agencies simply lack the necessary resources required and a solution to continuously monitor all of the clearances manually. Hagel’s proposed changes will require time and technology before it can offer real-time alerts. Until then, agencies will most likely have to focus on reviewing a subset of clearance holders – either by random selection or by targeting individuals – which still leaves gaping holes in our nation’s security and counterintelligence efforts since troubled individuals may be overlooked. This is a serious issue with serious consequences.

The government is being asked to provide solutions by September 1 in the 120-day report. Many agencies, and defense and intelligence contractors, are considering approaches beyond traditional physical security and network system log reviews, focusing on life events for a full picture of the sort of risk an individual may pose.

We need to move from checking clearances every few years to continuous evaluation.  To get rid of the backlog the government needs to better automate the security clearance process. They need to understand who they are dealing with, what is going on in their life and their associates, all valuable information in assessing an individual’s risk profile and doing so in closer to real time. Agency officials need to be able to receive an automated alert of certain life changes, such as a marriage, divorce, bankruptcy, or one of the other items noted above, allowing them to make a decision on appropriate next steps. The way to do this is to automatically monitor millions of cleared individuals with data from public records, social media and government data sets.

The government also needs to make greater use of big data through a risk- and analytics-based approach. By looking at personal risk behavior data, agencies can make better and faster decisions on who needs additional scrutiny. In fact, this process is similar to monitoring systems already in use by the insurance and financial industries, which for years have been successfully determining if individuals qualify for insurance and loans and at what rate they should be charged. They determine premium and risk by taking into account an individual’s history and assigning a risk score. These same statistical models can be customized to support the risk modeling of individuals with security clearances.

The idea of continuous workplace monitoring may sound invasive to an increasingly surveillance-wary public. But when a government employee seeks clearance, which often comes with the ability to monitor or analyze sensitive information the public can’t access, that employee voluntarily gives permission for ongoing reviews and has no expectation of privacy.

Our concerns about government eavesdropping don’t apply to this situation. The problem isn’t privacy; it’s that we aren’t monitoring our monitors.

Fixing these glaring problems as quickly and as efficiently as possible before another tragedy occurs should be a top priority for our government. The government needs to be proactive, with the ability to monitor every individual with a clearance for potential risks. There are solutions that can make this an easy process, serving as a key function in maintaining our national security.

Steve Nguyen is vice president of government solutions and LexisNexis Special Services Inc. at LexisNexis.

Close [ x ] More from DefenseOne
 
 

Thank you for subscribing to newsletters from DefenseOne.com.
We think these reports might interest you:

  • Federal IT Applications: Assessing Government's Core Drivers

    In order to better understand the current state of external and internal-facing agency workplace applications, Government Business Council (GBC) and Riverbed undertook an in-depth research study of federal employees. Overall, survey findings indicate that federal IT applications still face a gamut of challenges with regard to quality, reliability, and performance management.

    Download
  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

    Download
  • GBC Issue Brief: Supply Chain Insecurity

    Federal organizations rely on state-of-the-art IT tools and systems to deliver services efficiently and effectively, and it takes a vast ecosystem of organizations, individuals, information, and resources to successfully deliver these products. This issue brief discusses the current threats to the vulnerable supply chain - and how agencies can prevent these threats to produce a more secure IT supply chain process.

    Download
  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download
  • Information Operations: Retaking the High Ground

    Today's threats are fluent in rapidly evolving areas of the Internet, especially social media. Learn how military organizations can secure an advantage in this developing arena.

    Download

When you download a report, your information may be shared with the underwriters of that document.