The one constant is the human mind, the way we think, which is ultimately the source of all acts of espionage. 

By John Irvin

A friend drove up in the classic 1960s sports car he has just purchased at considerable expense to both his personal finances and his marital relationship.  It was a genuinely beautiful machine and he was justifiably proud, constantly washing and waxing it and meticulously wiping off the slightest trace of dirt or grime as soon as it appeared.

Despite his obsessive efforts to prevent any damage to befall his beloved possession, within a few months it was essentially scrap metal.  While taking great pains to protect those parts of the car he could see from any external damage, keeping the motor running smoothly and the paint and chrome sparkling, he failed to consider the possibility that it was basically rusting from the inside out.

While there are many lessons to be learned from his experience, the one that relates most directly to the issue of insider espionage was his faulty assumption that because it appeared fine, it was fine.  Because it ran smoothly and looked good, everything was alright.  Moreover, he trusted the person he had purchased it from and took him at his word that he did not need to be concerned about the integrity of the vehicle, about what was going on inside and out of sight.

In the US government and in private industry, we often make the same mistake in assuming that “cleared” employees are and will remain reliable.  When faced with the reality that they sometimes become unreliable, as in the case of insider espionage, we have the choice of tackling the problem by either relying on an improved clearance process (that is, improved screening) or acknowledging that the process is not the end, but just the beginning of maintaining employee reliability.

So it should be with mixed feelings that we welcome an 11 December 2015, report by Nichole Ogrysko of Federal News Radio that “the White House is poised to stand up a new agency that will own the federal security clearance process.”[1]  The proposed organization, the National Background Investigations Bureau (NBIB) would appear to be an attempt at security clearance reform, taking the burden of overseeing the process of providing security clearances for government employees away from the Office of Personnel Management (OPM) and centralizing it in an organization dedicated specifically to that task.

OPM has suffered criticism for its handling of the security clearance process, to include a notorious September 2015, hack suspected to have originated in China which compromised the sensitive information of 22.1 million federal employees and contractors, as well as their friends and family.[2]  Actions necessary for dealing with the hack inevitably led to a temporary OPM shutdown of clearance investigation and issuance, creating a backlog and adding further delays to what was already a complex and lengthy process.[3]

This backlog was already significant given the problems associated with USIS, a private company that was the main contractor for federal security background checks.  In August 2014, USIS suffered cyber-attacks that led to the potential compromise of sensitive information.  For that, OPM and the Department of Homeland Security suspended contracts with USIS.[4]  At the time, USIS was already part of a lawsuit filed by former employee and whistleblower Blake Percival alleging the company defrauded the government by failing to perform background checks it claimed to have completed and attempting to hide the practice from OPM.

In 2013, the Department of Justice joined Percival’s lawsuit[5] and in February 2015, USIS’ parent company, Altegrity Inc., filed for bankruptcy.  In December, after a four-and-a-half-year legal battle, Percival was awarded $3.3 million, his share of a $30 million settlement.[6]  Percival’s successful lawsuit, with the support of the DoJ, highlighted the fact that serious effort was needed to fix a dysfunctional federal security clearance process.

It would appear the proposed plan to create a NBIB is a logical and necessary solution to what recent events suggest is a broken security clearance process.  For that, the effort should be commended and support should be genuinely and enthusiastically provided from every individual and organization involved, in order to ensure the new agency functions effectively.  Creating a NBIB seems a reasonable fix for a broken system.

The issue to be concerned with, however, is that espionage is a profoundly human activity and human beings are not systems.  Individual human behavior is not reducible to universally-applicable algorithms, flow charts, or templates.  Rather, behavior is the result of subjective mental processes that include both an individual’s sense of self and a worldview that may not always conform to objective reality.  Moreover, research demonstrates that behavior is driven more by emotion and bias than by reason and rational thought.[7]  Systems are what we create to minimize the potential negative impact of our own individual humanity.

With establishing a NBIB, especially an effective one that appears to have solved the clearance process issue, comes the hidden danger of assuming that the problem is fixed.  A NBIB that executes thorough investigations and issues clearances in a timely manner is very desirable, but it then runs into the psychological tendency toward complacency.  The system is fixed.  The problem is solved.  Everything looks good and is running smoothly.  Move on to the next issue.

As with the unfortunate vehicle owner mentioned above, taking care to prevent damage coming from the outside is only half of what is needed.  Failure of the security clearance screening process to identify psychopaths like Washington Navy Yard mass shooter Aaron Alexis or classified information thieves such as Edward Snowden demonstrate the need for effective screening.[8]

The problem is that no organization, whether a private company or the federal government, knowingly hires an insider spy or a psychopath.  Even with effective screening, individuals will be hired who pass all the tests, clear all the hurdles, and receive the seal of approval, yet later engage in undesirable behavior.  With effective screening, these individuals have earned the trust that has been placed in them at time of hire.  The problem is that even the best screening does not guarantee future reliability.

Creating a NBIB could potentially help solve half of the problem of preventing insider espionage, in that it would seek to resolve the issue of a security clearance process that is often slow, subject to cyber-attack and loss of sensitive information, and which recent events suggest sometimes grants undeserved clearances.  It could keep the wrong people, those who would clearly cause damage, from entering into the system.  The other half of the problem is dealing with those who were legitimately allowed into the system who later, under just the right circumstances, become “the wrong people” and cause damage to the system.

NOIR-LogoTo deal with this reality, Dr. David Charney has proposed establishing another government agency, a National Office for Intelligence Reconciliation (NOIR).  This organization would address the second half of the problem of insider espionage – those who are already in the system who then secretly, invisibly begin causing damage from the inside out.  This NOIR would employ Dr. Charney’s theory of the true psychology of the insider spy[9] and function based on the proposition that an otherwise trustworthy and thoroughly screened individual legitimately granted access to classified information can make the seemingly inexplicable transformation into an insider spy, typically as a result of what Dr. Charney calls a psychological perfect storm.[10]

Is it easier to fix a broken system than to deal with subjective issues of individual psychology?  Of course it is.  It is easier to find the flaws and correct the problems of a process, to make it run more smoothly and efficiently, than to address the complex issue of individual human motivation.  Perhaps that is why there is an effort within the government to create a NBIB but, so far at least, no similar effort to create a NOIR.  But to only address the former is to invite the inevitable problems that will arise from failing to address the latter.

Does the US government need a NBIB?  Yes, recent events suggest it does.  The system needs to be fixed, the process to be made more reliable and timely.  But it also needs a NOIR.  Half-solutions are not solutions and only addressing half of the problem never effectively solves the entire problem.  Furthermore, half-solutions virtually guarantee future difficulties.  Like the aforementioned sports car, what you end up with may look fine, run smoothly, and be a great source of pride and comfort, but that doesn’t mean it isn’t rusting away from some unseen and unconsidered corner deep inside.

Systems, like technology, continually change over time, with old ones replaced and new ones adopted.  The one constant is the human mind, the way we think, which is ultimately the source of all acts of espionage.  We need to address both the systemic and the human in order to find real, lasting solutions to the problem of insider espionage.  We need both a NBIB and a NOIR.

What we need most immediately, however, is the realization and acknowledgement of those individuals in a position to bring such new organizations into existence, whether politicians or federal employees, that engaging in half-measures may give one the satisfaction of accomplishing something, but will never be fully effective.  When it comes to the security of our nation and the safety our fellow citizens, half a solution is not a solution.

If the political will exists to create a NBIB, if the realization exists on the part of those responsible for our national security that it is needed, if the funding can be found to support it, why isn’t there a similar effort to create a NOIR?  Great things can be achieved, but only if there is the will to achieve them.

References

[1] http://federalnewsradio.com/defense/2015/12/new-agency-likely-federal-security-clearance-process/

[2] https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/

[3] https://www.washingtonpost.com/news/federal-eye/wp/2015/07/01/shutdown-of-security-clearance-system-will-only-worsen-existing-delays-industry-says/

[4] https://www.washingtonpost.com/business/capitalbusiness/usis-cuts-more-than-2500-jobs-after-losing-contracts-in-wake-of-cyberattack/2014/10/07/5816cfb2-4e3f-11e4-babe-e91da079cb8a_story.html

[5] https://www.washingtonpost.com/world/national-security/justice-department-joins-lawsuit-against-usis-over-background-checks/2014/01/23/db16e244-8432-11e3-8099-9181471f7aaf_story.html

[6] https://www.washingtonpost.com/business/economy/the-whistleblower-who-exposed-uss-flawed-security-clearance-system-finally-gets-his-reward/2015/12/18/4f329492-a1ec-11e5-9c4e-be37f66848bb_story.html?hpid=hp_rhp-top-table-main_whistleblower-1240pm:homepage/story

[7] Shermer, M. (2011) The Believing Brain: From Ghosts and Gods to Politics and Conspiracies – How We Construct Beliefs and Reinforce Them as Truths. New York: Times Books.

[8] https://noir4usa.org/quis-custodiet-ipsos-custodes-who-will-guard-the-guards/

[9] Charney, D. (2010) “True Psychology of the Insider Spy.”  The Intelligencer: Journal of U.S. Intelligence Studies, Volume 18, Number 1, Fall/Winter 2010. Pages 47-54.

[10] https://noir4usa.org/a-psychological-perfect-storm-the-jeffery-delisle-case-part-i/

Additional

The Way Forward for Federal Background Investigations (White House)
Summary: Today, the Government announced a series of changes to modernize and strengthen the way we conduct background investigations and protect sensitive data.

What do you think?