When it comes to fixing the nation’s security clearance review process, one problem — the National Security Agency’s reported mining of public and nonpublic data to graph the social connections of certain Americans — can serve as a solution. Of course, using one problem to solve another creates a problematic solution, and the same is true for a solution derived from the non-troublesome aspects of a problem.
The bipartisan legislation that four senators recently introduced to revamp the national security background check process will encounter this dilemma. And while this bill represents a problematic solution, it is a needed solution nonetheless.
The bill would require the Office of Personnel Management to develop an automated review system that would mine public records and databases to identify any red flags for federal employees and contractors who have been granted security clearance. Although security clearances are subjected to reinvestigations every five, 10 or 15 years, depending on their level, the legislation would require OPM to subject security clearance holders to two random audits every five years.
Currently, agencies do not re-examine a person’s fitness to hold security clearance within these reinvestigation periods, unless he or she reports any personal issues, such as an arrest, contacts with foreign nationals or financial problems. As an attorney who has represented people who received a Letter of Intent or Statement of Reasons detailing the government’s plans to revoke their security clearance, I have seen how such mandatory self-reporting does not always happen.
In some regards, the senators want OPM to mine massive amounts of data similar to how the NSA mines even more massive amounts of data, minus the latter’s reported social-connection graphing and broader scope. OPM’s automated reviews would be limited to “public records and databases,” according to a press release issued by one of the bill’s sponsors, Sen. Susan Collins, R-Maine.
The press release identified the types of information OPM would search as relating to “any criminal or civil legal proceeding; financial information relating to the covered individual; data maintained on any terrorist or criminal watch list; and any publicly-available information that suggests ill intent, vulnerability to blackmail, compulsive behavior, allegiance to another country, or change in ideology of the covered individual.”
In contrast, says the New York Times, the NSA’s data mining searches cover communications metadata along with information from “public, commercial and other sources, including bank codes, insurance information, Facebook profiles, passenger manifests, voter registration rolls and GPS location information, as well as property records and unspecified tax data.”
By focusing on public records and databases, the Collins bill sidesteps the problematic privacy concerns raised by the NSA’s social-connection graphing activities. However, due to the narrower focus of the legislation, OPM’s automated audits may miss a wide swath of conditions that could raise security concerns that may be disqualifying under the Adjudicative Guidelines for Determining Eligibility for Access to Classified Information. These conditions that OPM would likely miss include psychological counseling, sexual behavior such as adultery, and foreign contacts.
It also remains to be seen whether these proposed randomly timed audits would pick up on mental health issues, such as those affecting alleged Navy Yard shooter Aaron Alexis, as the Health Insurance Portability and Accountability Act shields medical records from the government’s prying eyes. It is likewise uncertain whether information in public records and databases could tip the government off to a wavering loyalty to the United States akin to that of NSA leaker Edward Snowden.
These are the types of conditions that investigators are better positioned to catch by interviewing friends, neighbors and co-workers of a contractor or employee who holds security clearance. I just hope Congress does not forget that more national security background investigators will be needed to pursue any leads uncovered by these audits. Or worse, it could place too much faith in the technology and undervalue the human investigations.
Greg Rinckey is a former Army judge advocate general attorney and the managing partner of Tully Rinckey PLLC. He practices security clearance representation and military law, and can be contacted at firstname.lastname@example.org.