How social media can help spot insider threats

In May, Director of National Intelligence James Clapper signed Security Executive Agent Directive 5 on the "Collection, Use and Retention of Publicly Available Social Media Information in Personnel Security Background Investigations and Adjudications." The directive was released the night before a House Oversight and Government Reform Committee hearing on the same topic.

It has been a long time coming and overall is a great step forward. However, it might not go far enough.

Under Section E (Policy), the directive states that "agencies may choose to collect publicly available social media information in the personnel security background investigation process." In my opinion, that could have been worded more strongly because the word "may" conveys something optional.

I realize that making a stronger policy statement would lead to questions about funding and tactics. However, reviewing social media is one of the best ways to evaluate individuals against the adjudicative guidelines for determining whether someone should have access to classified information. Those guidelines define what investigators should look for in a background investigation.

The first three guidelines cover:

1. Allegiance to the United States
2. Foreign influence
3. Foreign preference

The new directive also states, "Only publicly available social media information pertaining to the covered individual under investigation shall be intentionally collected."

That statement leaves too many loopholes. Standard Form 86, the Questionnaire for National Security Positions, does not ask applicants to list the social media platforms they use and does not ask for their online identities. That makes it very difficult for investigators to ensure that they are looking at the correct person's online activity. Unless someone uses his or her name for a Twitter handle, public Instagram feed or YouTube channel, how can an investigator be sure?

Chances are if people are applying for security clearances and posting anti-U.S. sentiments online in their spare time, they are probably not doing it in a way that can easily tie back to themselves. Therefore, technology must improve so that investigators can associate disparate user names across multiple social media platforms with a single individual.

The security clearance directive seems to recognize the identity resolution challenge, and in Section E, paragraph 7, it states: "Authorized investigative agencies shall make reasonably exhaustive efforts to verify that any information collected that is discrepant or potentially disqualifying pertains to the covered individual."

It also goes on to say any information that would disqualify an applicant must be investigated, and ultimately, the covered individual must be given a chance to review the proceedings.

The latter part reminds me of the Fair Credit Reporting Act's requirements for issuing adverse-action notices and resolving consumer disputes. It would be difficult to bring social media disputes under similar reporting requirements, but the government seems to be heading in that direction.

However, FCRA's accuracy requirements for identity resolution would be hard to meet, and the consumer dispute process would become overwhelming if applied to social media activity and security clearances.

Further, in the social media world, it is not clear to whom FCRA's data-furnisher requirements would apply because in this context, the individual is furnishing his or her own data.

Every initiative must start somewhere, of course, and Security Executive Agent Directive 5 is a definite improvement over the previous status quo. If the government is serious about strengthening the clearance process, however, more must be done.