Government Warms to Continuous Monitoring of Personnel With Clearances

fotogestoeber/Shutterstock.com

The government’s security clearance process currently “is stuck in the industrial age."

Days after Navy contractor Aaron Alexis murdered 12 people during a shooting rampage at the Washington Navy Yard on Sept. 16, 2013, Pentagon officials acknowledged they had neglected to follow up on a Rhode Island police report the previous month showing that Alexis, who died in a shootout with police, had complained of hearing voices. That turned out to be just one of many red flags in Alexis’ background that Navy officials and security clearance investigators were not aware of prior to the tragedy.

The Navy Yard shooting sparked an outcry about how the government handles the process for granting and reauthorizing security clearances. At the time, “Alexis was one of roughly 4.9 million Americans—over 1.5 percent of our country’s population—that hold security clearances,” a House Oversight and Government Reform report on the shooting noted.

Since then, officials have worked to significantly strengthen the way clearances are granted and managed. With the creation last year of the National Background Investigations Bureau housed at the Office of Personnel Management, security clearance professionals across government have been wrestling down an investigations backlog, which stood at 343,557 unprocessed clearances at the secret level and 72,566 at the top secret level by the end of the third quarter of fiscal 2016. The backlog of periodic re-investigations stood at 156,172.

The background checks are also taking much longer. A February House Oversight and Government Reform report this February found that in 2015, it took on average 95 days to process a secret clearance and 179 to process a top secret clearance; by fiscal 2016 the average for secret clearances had risen to 166 days and top secret clearances to 246 days.

One result of heightened concerns is that the Defense Department and the Office of the Director of National Intelligence are relying more on continuous monitoring to detect insider threats and for the periodic re-investigations of current employees and contractors.

Could technology accelerate the process while improving thoroughness?

The software industry has stepped up with an array of subscription cloud-based products being used by private employers to monitor individuals. They continuously scour open source data to flag events that might indicate that an employee is experiencing a personal crisis that could make them an insider threat.

Thomson Reuters’ Clear, TLOxp and Endera (formerly IDentrix) are among the current offerings, along with others in the dozens of firms that promise human resources monitoring on the General Services Administration’s schedule 738X. “Disgruntled employees, malicious insiders, outside contractors and compromised coworkers will cost you upwards of $7 million this year,” says Endera’s ad for products already in use in the airline industry and other realms of corporate America.

Congress has been pushing the NBIB to better exploit social media—it’s been done only on a pilot basis—to monitor employee states of mind. But agencies and contractors must work within the Fair Credit Reporting Act, which requires the consent of employees and employers before they incorporate social media in their software.

Debate continues over whether such electronic tools are cost-effective. And there is doubt by some that they are fair to employees who may fear that the human resources department will abuse information from their private lives.

“There is little to no evidence that social media monitoring has any actual effectiveness to balance out the significant harm that inaccuracies could cause,” said Jay Stanley, senior policy analyst at the national office of the American Civil Liberties Union. Though the law permits the tapping of public open sources, he said, “not only is there a risk of inaccuracies, there is good reason to believe the inaccuracies would not be distributed evenly in terms of ethnic and racial groups and income groups.”

Even so, the new bureau is warming to adoption of monitoring software as it works to improve a process that has endured years of criticism. “We work closely with industry and we welcome ideas from industry,” Director Charles Phalen said in a statement to Government Executive. “Products such as these are more useful to companies and agencies that have or are developing mandated insider threat programs.”

Past Government Efforts

The government’s security clearance process “is stuck in the industrial age,” said Raj Ananthanpillai, the chairman, CEO and president of Endera, which for more than a decade has been bidding on contracts with the FBI, Transportation and Homeland Security departments. Today’s clearances and continuous monitoring requires that agencies be “quick on their feet and come at it from multiple angles. It’s got to be done by automation to provide accurate and relevant information,” he said.

Endera’s platform taps mostly public sources in 13 areas ranging from arrests to driving violations to financial stress, Ananthanpillai said. “There’s a treasure trove out there. If the data are relevant to the risk, they can produce a timely alert, and then you can take action.” Agency employees and contractors with security clearances are “supposed to self-report on bankruptcies, divorce and foreign travel, but the majority don’t do that anymore,” he said. “So we have to figure out how to do continuous vetting.”

It’s not as if the government hasn’t been trying. The Defense Personnel Security Research Center for two decades has developed its Automated Continuing Evaluation System, which the Homeland Security Department piloted a decade ago, keeping an eye on privacy issues.

“We have the tools, technology and services to help with insider threat risk mitigation. But these scare some people,” said James Henderson, CEO of the Insider Threat Defense consulting firm, who has contracted as an instructor for agencies, defense contractors and businesses. The data is out there, and from an insider threat perspective, you only know what’s inside the door,” he said. “Email alerts of an employee’s arrest or other indicators of concern from continuous monitoring software such as Endera are invaluable today, he added. “Every little nugget of information helps.”

“When a company or agency uses continuous monitoring and finds an arrest or something that is not right, it could help the company prevent another workplace shooting or other incident”, Henderson said. “But some companies are a little on edge on using continuous monitoring and collecting all this information on an employee.”

Some organizations, Henderson added, don’t do a good job of sharing information about employee concerns with other departments, such as human resources, security and IT offices. “If disgruntled or behavioral indicators are not shared, this information lives in silos, and does not help with insider threat risk mitigation and give a complete picture of an employee’s threat level,” Henderson said. How many times after an incident, he asks, “do you hear the signs were there, but no one spoke up?”

It’s unclear whether such risks to privacy are justified by results. One case study of Endera by the Security Executive Council research firm documented that the software identified more than 800 identity changes of Homeland Security Department employees, “of which 24 actionable alerts were deemed to disqualify the noted persons from continued participation.”

But not everyone is convinced: “The jury is still out,” attorney Lester Rosen, founder and CEO of the background check firm Employment Screening Resources, was quoted as concluding in a December 2016 essay, “Continuous Screening of Employees Will Gain More Acceptance as Critical Post-Hire Due Diligence Tool.”

“There is little in the way of empirical evidence that shows continuous screening results in any advantage to employers … There are no studies to suggest, on a cost-benefit basis, such checks produce results,” he said. “If such checks are done, the next issue is how. If databases are used, then there is the possibility of both false positives and false negatives since databases available to private employers are not always complete, accurate, or up to date.”

Contractor Support

Alan Chvotkin, executive vice president and counsel at the 400-company Professional Services Council, said his contractors group strongly supports the NBIB’s efforts to anticipate insider threats both in pre-employment screening and continuous monitoring of staff and contractors already hired. But the NBIB“does need to do a better job of relying on technology” in background checks, he said. “Knocking on neighbors’ doors is silly—your neighbors have no idea what your behaviors are.”

Companies and agencies have to consider the privacy issues, Chvotkin added, but individuals who apply for a security clearance consent to allowing investigators to solicit their personal information. And employees already hired are “told through their employment agreement that the company owns the resources,” so agencies don’t need employee consent to monitor.

The real challenge, he added, is not privacy but the fact that “the databases are not very good. Not every state has a single database, and not every law enforcement agency participates in state or local databases,” he said. “As we saw in the Navy Yard shooting, “a lot of activity we expected to have been reported was never reported.” That means companies and agencies “can’t rely on any single source—they rely on multiple technologies.”

Trey Hodgkins, senior vice president for public sector at the Information Technology Alliance, is also an advocate of monitoring software. “We have data either in government or the private sector, all of which can or should be available to the oversight entities, that can identify when an event necessitates a deeper investigation,” he said. “The end state we’ve advocated is a single digital record for each person, which starts when they fill out a form online, and [eventually] determines whether that individual should get a clearance.”

That record would be shared among government organizations. The goal would be to create “reciprocity processes, instead of the individual having to get multiple badges, which is the current setup,” Hodgkins said.

His group is keeping an eye on an NBIB report due soon on reducing the background check backlog. “Industry has argued you have no right to privacy in this process,” Hodgkins added. “You sign on the dotted line asking for the privilege of the government granting you a clearance.”

But the ACLU’s Stanley questions whether monitoring key events in an employee’s life really helps predict dangerous behavior. “Is divorce correlated with insider threat behavior?” he asked. “Is there actual evidence, or is it a theory?” He said he’s seen polices based on theories without evidence. An example is “security guards all over America are harassing photographers on the theory that taking photos is an indicator of suspicious activity or terrorism. If the monitoring “is done electronically,” Stanley added, “it’s not clear how much worse the privacy invasion will be if it’s repeated.”

Ananthanpillai bases his hopes for Endera on the idea that the government is now centralizing background checks. “We’ve come full circle” since 2004, when the Defense Department got out of the background check business and outsourced it to multiple companies hired by OPM, he said. “Every agency has its own security department, but why not provide reciprocity across agencies?” he asked. “We automate the rap sheets from the 50 states,” he said. “OPM can’t possibly be monitoring people every five years. The threats are now so asymmetric. You have to stay on top of them. Tougher vetting is possible,” he added. “It’s not rocket science.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.