Schneier on Security
A blog covering security and security technology.
« Steganography Using TCP Retransmission |
| News from the Fingerprint Biometrics World »
May 28, 2009
Faking Background Checks for Security Clearances
What do you do if you have too many background checks to do, and not enough time to do them? You fake them, of course:
Eight current and former security clearance investigators say they have been pressured to work faster and take on crushing workloads in recent years, as the government tried to eliminate a backlog that once topped 531,000 cases.
Investigators have eliminated that backlog, but they now are trying to meet congressionally mandated deadlines to speed up the security clearance process. The 2004 Intelligence Reform and Terrorism Prevention Act requires agencies to issue at least 80 percent of initial security clearances within 120 days after receiving a completed application. This December, agencies must issue at least 90 percent of their initial security clearances within 60 days.
"This job is a shredder, and agents are grist for the mill," said K.C. Smith, an OPM investigator in Austin, Texas, with 23 years of experience. "There are people who are getting sick, under a lot of stress, their family life is suffering. They are just beat down."
Investigators say it is common practice to spend nights, weekends and holidays writing up reports, and some don't report the overtime they work for fear it will be held against them in their performance evaluations.
Some say their superiors have made it clear that the priority is to close cases, and they say they have felt pressure to turn in even incomplete cases that lack crucial interviews or records if it will help them keep their numbers up. A recent Government Accountability Office report found that the Defense Department's security clearance process is plagued by such incomplete cases: 87 percent of the 3,500 initial top-secret security clearance cases Defense approved last year were missing at least one interview or important record.
It's all a matter of incentives. The investigators were rewarded for completing investigations, not for doing them well.
Posted on May 28, 2009 at 2:40 PM
• 26 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The priority is to close cases? Reminds me of a story by a professor who specialized in Soviet economics:
A glass factory priority was to generate tonnage, so all the windows were fat, heavy and did not fit frames.
This was found unacceptable, so the priority was changed to dimension and all windows produced were super thin and broke before they could be shipped.
And so on...until they realized resources including input needed to be factored.
I'm not sure it's a huge problem, provided the faked ones are selected randomly...
Hm, interesting. That explains a letter I got in January, thanking me for allowing myself to be interviewed for a security clearance given to an acquaintance working with the Obama Transition team. I was, in fact, never contacted or interviewed.
There was no easy way to correct the misimpression, so I ignored it. I suspect this is deliberate, and means that when investigators fake clearance materials, they are doing it with the connivance of their superiors, who understand what is necessary to meet the caseload. Not that those superiors are at risk of prosecution, apparently.
The USG gives security clearances to crazy numbers of people, including low-level personnel, secretaries, janitors (someone has to empty the trash behind the fence) etc., apparently in the same pool of clearance investigations with people hired to design nuclear weapons. You'd think they'd do some prioritization, and maybe create some new, low-security categories that can be cleared more easily. But the ass-uncovering risk to the senior securocrats would evidently be too great.
No, it's not a matter of "incentives". Somethings are just not doable. This is a perfect case of security theater actually destroying security.
For the amount of money we are willing to spend, the level of background checks demanded is undoable. So, why are we asking for them? So we can pump up numbers -- no one really asks whether these background checks really gain anything. It's CYA again.
And by demanding the impossible or the impractical, you're in practice demanding cheating. It's like putting 3 layers of security to enter the lab for no obvious reason; a smoker is going to leave the backdoor open so he can grab a five minute break.
There's way way way too many security clearance background investigations to begin with.
It wasn't too long ago that only legitimately sensitive national security information was classified. Not only is the government involved in much more of this activity, which can be troubling in itself, but a lot of it is overclassified as a c.y.a. Nowadays they classify algebra and basic science among other things. And handle everything with any personal information as if it was highly classified.
Not that there shouldn't be security measures in place, but to require full on background investigations requiring travel and personal interviews for hundreds of thousands of people is ridiculous.
And I don't know how effective the background investigations are anyways. If you have a clean criminal and credit record, you are past 90% of what trips people up. And there's very little that you need to do to falsify elements on your questionnaire anyways. If you don't provide incriminating evidence, they don't tend to investigate beyond what you reveal on your own.
Curious. What's the cost of revoking a clearance relative to granting one?
> I was, in fact, never contacted or interviewed.
Being the paranoid guy that I am, I'd be uneasy if my name were included in falsified government records.
Then again, starting a scandal and making non-friends at the FBI (or whoever) wouldn't appeal to me either.
Maybe the best thing to do would be to leave a record of what happened (or didn't) somewhere, like in a journal, or some established blog somewhere, perhaps a site dedicated to security and octopi.
@Alex - re falsifying entries on the questionnaire: I think you'd be surprised at how effectively the investigating agents sometimes corroborate evidence gathered from multiple sources. I'd wager that lying on the e-QIP is one of the *fastest* ways to be denied a clearance. The process is, in many ways, less about what you've done but more about your susceptability to blackmail, penchant to keep doing it, respect for laws, etc. See the recent hubub about the brits losing CDs full of interview audio with people admitting all sorts of illegal things. Most of those people probably got cleared, iff (two f's) they were up-front about their past misdeeds and were damn certain they weren't going to go there again.
(Caveat: I'm speaking for the investigations where they conduct interviews. Lower levels of clearance don't require the same one-on-one interviews, and so they're less likely to find out that you lied -- but I wouldn't want to be you if you later try to get a higher clearance and were found to have lied on the previous background check...)
Is it really necessary for one in every 600 Americans to hold a security clearance? And that's just based on the *backlog*.
Of course it can all potentialy go horribly wrong even if people have not lied.
There was an interesting report about a senior officer in the US armed forces. When he retired, the office reponsable for calculating various things to do with reconable service noticed the following,
1, He was actually a Russian army officer.
2, He was non naturalised.
3, he had been cleared to the highest security levels.
How did this happen, well he was transfered over during the second world war, and was one of the lucky ones who did not go back (Stalin had a lot of returning officers shot as deserters even though they had been fighting abroad against Germany).
During his transfer he had been given equivalent rank and put on the pay roll. Come the end of the war he was in a position where he was usefull and did not get demobed.
Nobody had noticed or asked about his staus as he worked his way up the ranks. Even through very many interviews nobody had asked...
He had seen many secrets during the cold war that might well have been usefull to the Russians. However there was no evidence that he had ever been in contact or done anything to prejudice security or secracy.
I guess it's just one of those things that happen when allies change and people get left behind.
Hey, at least they don't do any of those fake clearances for any (US) immigration related paperwork clearances. I thought the 'FBI namecheck' part was supposed to be automatically pre-cleared to "yes" if nothing came in searches in 6 months. How long it's been in the namecheck state I don't know but I'd guess most of the 793 days of counting up for the immigration paperwork. 793 days and nothing...
Is it really necessary for governments of, by, and for the people to traffic in such huge quantities of information-to-be-withheld-from-the-public that it requires such a large number of clearances?
Is it really possible for such a government to be accountable to the sovereign people from which it derives its just powers?
Is it really possible for the government of the United States to possess and manage such large quantities of secrets, without usurping powers denied it by its own charter document (the U.S. Constitution)? Even if possible, is it really likely?
Carlo wrote "The USG gives security clearances to crazy numbers of people, including low-level personnel, secretaries, janitors (someone has to empty the trash behind the fence) etc., apparently in the same pool of clearance investigations with people hired to design nuclear weapons. You'd think they'd do some prioritization, and maybe create some new, low-security categories that can be cleared more easily."
1. There are categories. They're called "Confidential clearance," "Secret clearance," "Top Secret clearance."
2. The janitor who has access to the nuclear labs needs as much of a background check as a scientist. The janitor could is in a position to access computer records, riffle through trashcans, learn who works onsite and who visits, see what's going on. Secretaries have even more access and often know more of what's going on than the bosses. Not just about work, either. They often know a lot about the employees' personal lives, which translates into which employees might be persuaded or blackmailed into turning spy.
Here's a specific example. In the mid 1980s, the Soviets used a janitor at a missile agency. The janitor's assigned job was to look for any interesting paper in the trash. He noticed a page that was shorter than the rest and correctly concluded someone had cut off the parts that said "classified" in the header. The page was about the accuracy of a missile. The same someone had punched out the actual accuracy number. The janitor took it to the Soviets, who paid him. The Soviets could tell that only a single digit had been removed. This was very important because they thought the missile's accuracy was in the double digits. In other words, they had been wrong by a factor of 10. They used this knowledge to gain an advantage in the START talks.
The lesson is, many more people than you think have access to information.
So basically congress performed a denial of service attack on the contractors... And it worked.
Whenever I see a budget that is not sufficient for the task, I see a politician that does not want the task done.
So it seems to me the security clearances are indeed theater. They must be clearly seen, but no one wants any quality.
This is just like the quality of patents or the effectiveness of stopping illegal immigrants from Mexico. Politicians really do no seem to value (or even want) these clearances.
A big driver in clearances is NIST 800-53 PS-3 Personnel Screening. Read broadly it says that anyone working for the government who has access to an information system must be screened. Instead of a quick screening (local law enforcement, credit and national agency checks) to find bad people the guidance given for an minimum background investigation is equivilant to a single scope background investigation, which, in the old days, was enough to get you a top secret clearance.
So we are screening every intern, clerk, keypuch operator and junior analyst to a very high level of suitability. Why? So they can simply log in to their agencies WANs (which are generally rated moderate to high sensitivity (and critical infrastructure in one case I'm aware of) because of their dependency in transporting mission critical data)
I blame DHS. Their rules and interpretation of PS3 made the Department a de facto Americans only club. This created a significant problem for agencies and their foreign born, non-naturalized members. Like members of our armed forces. Do they need access to DoD and DHS networks...uh...yeah. I heard DHS was shocked when State came and told them 'yes we let feir'ners work in our facilities and log into our networks'. I suspect they've resolved the problem by ignoring the issue.
HSPD12 has made things worse. The first time (in the early oughts) around for clearances I submitted paperwork 4 times. ('s nothing I had a fellow work for me who had to resubmit 7 times.) Why? Dunno really. We suspected a big shredder at some building in DC. I've carried a clearance since 85 and now with an active clearance I get a client engagement and I've got to reclear with OPM? every time I change engagements (4 to 5 times a year) to get a new credential. That should be interesting.
All because people without experience in personnel security interpreted a "recommendation" from NIST and other people followed their lead because they didn't have time to do their own thinking.
I joined the US Military in 1978 and was granted my initial clearance within 4 months (and heard from many of my friends that they had been interviewed). Back in Aug '99 I filed my paperwork for a 5-year reinvestigation (needed, oddly enough, every 5 years). That time, the process took 37 (thirty-seven!) months. I was beginning to wonder whether I would have to file the next one while the current one was "ongoing".
At one point my unit asked what the holdup was and the investigators responded that they had been unable to contact me to schedule an interview.
I hope these aren't the same people we have looking for Osama BL, because not only is it unlikely that I was not findable with them having my home, work, military phone numbers and addresses (mostly unchanged for > 10 years), the same for a close relative, 5 friends and 2 supervisors; but they had ALREADY PERFORMED the interview! 6 months later we asked them about it again and bang! the thing showed up next day.
Whenever I see anyone believing in any value to clearances I like to point out that every spy ever caught had a TS clearance, and that seemingly 75% of the people on the Manhattan Project were soviet spies. In fact I am amazed it accomplished anything at all - the 2 or 3 scientists on the project who were actually WORKING (vice spying by the other 50) on the project must have been geniuses, or its just not as a tough a project as people claimed it was.
I think a lot of information is classified needlessly because it might be embarrassing to the govt (rather than damaging to the nation as is required) but that the bulk of it is classified because it is the easy answer (kind of like the formerly common phrase "no one ever got fired for buying IBM"). If I generate a document and dont classify it I have to justify myself, but if I stick it in the safe with a secret stamp, nobody notices; at least until the safe is full. And there have been many programs over the years (from either political party) trying to redirect this, but it always winds up the same. It just human nature.
Plus in order to aggregate information that is both classified and unclassified onto a single information system, you have to raise the classification level of the unclass to match that of the class. So then you wind up with articles from the New York Times (or Pravda/Tass) which are stored in a TS data store.
If this is what is happening to security investigations, clearances, and cases, what about ALL that data we collect about people (honest U.S. citizens) that is supposed to be finding terrorists?
Chances are, little or none of that data is being used (except for marketing), or none of it is usable due to every possible failure in the collection, storage, accessability of that data.
Security theater is the name of the game. That is why nobody is allowed to see anything because the emporor has no clothes (there is nothing to see).
This is a problem endemic to all industries. The core lesson we as managers need to take away is this: if you establish a metric -- any metric -- and reward or punish based on that metric, then that metric will tend towards the rewarded value. This has no bearing on whether or not the thing you hope you are measuring is improving.
It's a classic map/territory category error, and any given organization has a thousand cases, because simple metrics make executive jobs seem easier, and executives decide what metrics to use.
The problem is the mandated time and work load per person both as factors. I quit a job once when mandated law gave the unit little time to finish work - not because I couldn't do it, but because I was getting physical problems (carpal tunnel in both hands) from all the typing, sorting, etc. necessary for the law to be followed. All the work I had was to be done in 60 days from the time of case opening to it being on the system. We didn't have any control over when the counties sent the cases in, so in many instances we'd get a load of work that had to be done in a day or two from a county that was overworked or lazy. I had to have surgery and never went back. Seems something similar happened here, except I would never have worked without overtime. To be blunt, I'd rather flip burgers than have that stress in my life. The way to fix it is expensive - hire extra staff and offer overtime, but it's the only feasible way to have it done right.
Speaking of incentives, having a clearance is incredibly valuable for government contractors. I've heard of companies creatively shuffling staff around to get them cleared for projects they will never work on.
In Washington DC, it's pretty common to see "Active Top Secret Clearance required" on job postings. Note to recruiters: how about putting that at the TOP, so I don't waste my time reading the whole thing?
valuable for the individual but very expensive for the company and if your company is 18 people prohibitive when your technological uniqueness is required for short term niche work.
In the late sixties, the Canadian author and media figure Pierre Berton did a half-hour interview with a British journalist on TV. The journalist was archetypical Fleet Street: plump, chain-smoking, boozy, with a wicked sense of humour. He told a story of visiting the U.S. during the McCarthy period, when so many U.S. citizens were being required to sign loyalty oaths. Arriving at U.S. Immigration, he was handed a form to fill out, which included the question (I don't remember the exact wording, but this was the sense of it): "Do you now, or have you ever, conspired to overthrow the government of the United States of America?" He wrote in, "SOLE PURPOSE OF THIS VISIT," and handed it to the Immigration officer, who tossed it on a pile with all the other forms. He never heard back from U.S. Immigration, presumably because no one looked at the damn things.
So security theatre is nothing new.
Metric based dysfunction is discussed in depth by Robert D. Austin in a book called "Measuring and Managing Performance in Organizations". I strongly recommend it.
One of the examples was a product support department that became very good at minimizing phone time with the clients (by sending replacement parts without making sure the original one did indeed malfunction). They met their quota, but the whole company suffered.
Another problem with background checks is that of PAST performance being no quarantee of FUTURE results.
I've done a lot of writings about improper rewards systems. See things like this in IT as well. People are rewarded for their throughput moreso than their security efforts. That's why the guy that ignores the rules and uses unencrypted emails and mobile media to get more work done faster usually ends up promoted over the guy who takes the time to encrypt and protect.
Incentives make the world go round.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.