Saturday, August 18, 2018

Security Clearances and Information Technology


Remember the old saying, “Rank has its privilege”? It’s not always prudent to assume certain privileges just because you have means and intent. It’s not safe to assume that just because you have access to government Information Technology (IT) systems, as a manager or system administrator for example, you have the authority to use that access anytime and for any reason. An evaluation of the use of government IT systems takes into consideration how an applicant has used technology on the job. Viewing pornography, working on non-mission-related tasks, hiding evidence, and harassing fellow employees while using employer computers are some indicators that an applicant could bring risk to sensitive information residing on information technology.

Guideline M: Use of Information Technology is a very important criterion, since cleared employees must demonstrate the ability to follow rules and regulations. This is especially critical as more and more sensitive information resides on computers. Gaining unauthorized access, downloading malware, manipulating data, or otherwise misusing information technology could increase risk to sensitive and classified information. An applicant’s history and pattern of use can provide indicators of their ability to protect what resides on information systems. The following are case studies where Guideline M concerns were either mitigated or clearance was denied:

CYBER POWERED SEX ADDICT

An applicant installed an email program on the company’s computer to allow him to access anonymous email accounts. He also logged onto pornographic sites, downloaded pornographic materials, wrote and posted 30 sexually explicit stories, doctored a photograph of a female former coworker in a sexually explicit manner and posted it, sought sexual partners and engaged in sexual activity as a result of people answering the posted requests. The applicant was eventually fired for the activity.

The applicant did seek help and engaged in group therapy, including a sexual compulsive addicts’ group. Sponsors, group participants and counselors made statements that the applicant was indeed recovering and demonstrated remorse for his activities. Both he and his wife are continuing to get marriage counseling.

The judge ruled favorably in that the applicant mitigated the risk to national security for the concern Use of Information Systems. However, he was not able to mitigate other concerns such as those that arose from his Personal Conduct and Sexual Behavior.


I WAS GOING TO PUT THEM BACK

After a female employee accused him of sexual harassment, the applicant decided to take matters into his own hands. His plan was to temporarily hide incriminating emails so that his coworkers would not find the files. The applicant followed through and took advantage of his position to move the implicating emails to a separate location, with the intent of moving them back.

Unfortunately for him, he was unable to restore the files following a software upgrade. The messages were lost and could not be restored. His deeds were discovered, and Guideline M concerns had to be addressed in a hearing.

Surprisingly, the judge ruled in favor of the applicant. The judge determined that the applicant did not intend to delete the files. Government counsel was concerned that he was granted a security clearance although he gained authorized access to her computer to get rid of evidence.

HAD I KNOWN YOU WERE LOOKING…

An applicant used his government computer to download pornography, clearly violating policies, rules, and regulations by misusing his computer. Further, when interviewed by the Defense Security Service (DSS), he lied about the incident.
He responded in the hearing that he was very sorry and that he did not mean to break rules. He also stated that had he known that the pornographic files existed on his computer, he would not have lied about accessing the porn. He also offered that the incident happened a few years prior and that he has been given increasing responsibilities and positions of trust since then.

Unfortunately, saying sorry is not enough. While a good first step, it does not mitigate the activity. Additionally, whether or not records of adverse behavior exist, he has no excuse for falsifying his statement to DSS. As a result, his clearance was denied.

Because of the increasing reliance on information systems, a cleared employee must be able to demonstrate that they can be trusted not to abuse privileges, information systems, and responsibilities. Past performance that demonstrates breaking information system policies, procedures, rules and regulations indicates potential risk to information residing on the systems. Employees who use computers as intended and only for authorized and work-related projects should have no problems demonstrating compliance with Guideline M.
