Saturday, August 18, 2018

Security Clearances and Information Technology


Remember the old saying? “Rank has its privilege”? It’s not always prudent to assume certain privileges just because you have means and intent. It’s not safe to assume just because you have access to government Information Technology (IT) systems as a manager or system administrator, for example, that you have the authority to do so anytime and for any reason. Use of government IT systems takes into consideration how an applicant has used technology on the job. Viewing pornography, working non-mission related tasks, hiding evidence, and harassing fellow employees while using employer computers are some indicators that an applicant could bring risk to sensitive information residing on information technology.

Guideline M: Use Of Information Technology is a very important criteria since cleared employees must demonstrate the ability to follow rules and regulations. This is especially critical as more and more sensitive information resides on computers. Gaining unauthorized access, downloading malware, manipulating data, or otherwise misusing information technology could increase risk to sensitive and classified information. An applicant’s history and pattern of use can provide indicators of their ability to protect what resides on information systems. The following are case studies where Guideline M concerns were either mitigated or clearance was denied:

CYBER POWERED SEX ADDICT

An applicant installed an email program on the company’s computer to allow him to access anonymous email accounts. He also logged onto pornographic sites, downloaded pornographic materials, wrote and posted 30 sexually explicit stories, doctored a photograph of a female former coworker in a sexually explicit manner and posted it, sought sexual partners and engaged in sexual activity as a result of people answering the posted requests. The applicant was eventually fired for the activity.

The applicant did seek help and engaged in group therapy including a sexual compulsive addicts’ group. Sponsors, group participants and counselors made statements that the applicant was indeed recovering and demonstrates remorse for his activities. Both he and his wife are continuing to get marriage counseling.

The judge ruled favorably in that the applicant mitigated the risk to national security for the concern Use of Information Systems. However, he was not able to mitigate other concerns such as those that arose from his Personal Conduct and Sexual Behavior.


I WAS GOING TO PUT THEM BACK

After a female employee accused him of sexual harassment, the applicant decided to take matters into his own hands. His plan was to temporarily hide incriminating emails so that his coworkers would not find the files. The applicant followed through and took advantage of his position to move the implicating emails to a separate location, with the intent of moving them back.

Unfortunately for him, he was unable to restore the files following a software upgrade. The messages were lost and could not be restored. His deeds were discovered, and Guideline M concerns had to be addressed in a hearing.

Surprisingly, the judge ruled in favor of the applicant. The judge determined that the applicant did not intend to delete the files. Government counsel was concerned that he was granted a security clearance although he gained authorized access to her computer to get rid of evidence.

HAD I KNOWN YOU WERE LOOKING…

An applicant used his government computer to download pornography; clearly violating policies, rules, and regulations to misuse his computer. Further, when interviewed by Defense Security Services (DSS), he lied about the incident.
He responded in the hearing the he was very sorry and that he did not mean to break rules. He also stated that had he known that the pornographic files existed on his computer, he would not have lied about accessing the porn. He also offered that the incident happened a few years prior and that he has been given increasing responsibilities and positions of trust since then.

Unfortunately, saying sorry is not enough. While a good first step, it does not mitigate the activity. Additionally, whether records of adverse behavior exist, he has no excuse for falsifying his statement to DSS. As a result, his clearance was denied.

Because of the increasing reliance on information systems, a cleared employee must be able to demonstrate that they can be trusted to not abuse privileges, information systems, and responsibilities. Past performance that demonstrates breaking information system policies, procedures, rules and regulations indicate potential risk to information residing on the systems. Employees who use computers as intended and only for authorized and work-related projects should have no problems demonstrating compliance with Guideline M.

Adjudicative Guideline L: Outside Activities

Outside activities are those jobs or relationships occurring outside of the United States and involving relationships with foreign countries, persons and businesses. With the internet, social media, and connectivity, there are great opportunities to meet other like-minded business people. The world seems to be getting smaller, while opportunities are increasing. Forming businesses with foreign people and companies can create new jobs, products, and services. These opportunities can also elevate partners to senior management levels and with high value stocks. However, they could come with a cost to those who might seek a government security clearance. Let’s look at a few examples:

It’s Complicated

An applicant is the president and CEO of a company incorporated in Singapore. Key management employees and decision makers are foreign citizens and almost half of his income is from the company. He spends time oversees, with foreign citizens, and other foreign companies related to his business.

His ability to safeguard classified and sensitive information could be influenced by his business interests, foreign relationships, or financial portfolio. Pressure from his outside activities could cause him to disclose classified or sensitive information to unauthorized persons through coercion or exploitation. Therefore, the decision to deny the applicant a security is made in favor of the national security.

Hail Britannia

The applicant is the president of an American subsidiary of a British-based company that does business with the Department of Defense. Prior to the promotion, he was an employee at the same foreign company. He has a substantial financial stake with the company by virtue of his high valued stock. Because of his employment in the foreign organization and serving as a representative of the foreign country, his clearance was denied. His high position in the company, share of stocks, and possible relationships with foreign partners could cause him to be vulnerable to coercion or exploitation.

Risk Mitigated

An applicant worked as vice president of business development for a wholly-owned subsidiary of an Israeli company. In his position, he marketed computer hardware and software to U.S. companies. He was hired for the job after meeting the owner at a trade show, but had very infrequent interaction with the owner.

The applicant has not worked for the company in a few years. Also he no longer has ties with the company neither by positions, finances, relationships, or shares. His relationship and interaction with his former employer and employees is infrequent if ever. The applicant has mitigated concerns raised by Guideline L by completely separation himself from the business. This demonstrated separation has greatly reduced the likelihood of any potential security incident and therefor has been granted a security clearance.

Outside activities where U.S. persons enjoy foreign positions, relationships, and financial benefits can be rewarding but do come with a cost. Though these are great opportunities, they can be detrimental to those who are or wish to eventually pursue jobs requiring U.S. government security clearances. Security clearance applicants should demonstrate that they are not bringing additional risk to classified or sensitive information through their outside activities. The concern for Guideline L is that certain types of outside employment or activities is of security concern if it poses a conflict of interest with an individual's security responsibilities and could create an increased risk of unauthorized disclosure of
 classified or sensitive information.