Since June 2013, Charles Sowell, Senior Vice President of Salient Federal Solutions, has been responsible for the growth and execution of the System and Software Engineering Solutions (SSES) Business Unit. Prior to joining Salient, Sowell served as Deputy Assistant Director for Special Security and senior advisor to the Director of National Intelligence where he worked on modernizing and revising the security clearance process. Sowell’s 27 years as a Naval Intelligence Officer and extensive background in security clearance reform have made him an expert in this field.
Sowell sat down with WashingtonExec in 2014 to discuss the problems and needed changes in the federal government’s security clearance process. One year later, Sowell discusses the progress that has been made in the clearance process and, as the recent OPM security breaches have shown, the immense amount of reform that still needs to be done.
WashingtonExec: We spoke last year on the same topic of security clearances – what progress has been made in security clearance reform since then?
Charles Sowell: There has been some progress since we spoke last year. The revised Federal Investigative Standards initial operating capability for the lower tiers, Tiers 1 and 2 which are low risk public trust and moderate risk public trust positions, has been reached. That is good. There are five tiers in the Federal Investigative Standards; Tier 3 is secret level clearances, Tier 4 is high risk public trust positions and then Tier 5 is top secret clearances. While some progress has been made, it has been at the very low levels of the pyramid.
When I go to the Performance Accountability Council Program Management Office’s (PAC PMO) website and look at the latest progress update, most of the activity in government seems to be planning and developing approaches – that is essential. I don’t want to underestimate the value of planning and approaches, but when it comes to progress I haven’t seen a lot of updates to actual policies or key issues. For example, at the Director of National Intelligence (DNI) Security Executive Agent’s website there were a number of Security Executive Agent directives that were underway when I left the DNI, and I haven’t seen many new ones posted. In fact, I haven’t seen any updates to the website. The reciprocity national policy, publicly available electronic information or social media national policy and adjudicative national policies are supposed to be coming out soon. I know a lot of work is underway but when you ask about the progress, physical documents seem to be a bit lacking.
WashingtonExec: You are an advocate of using social media in the security clearance vetting process. What would the risks and benefits of that be?
Charles Sowell: I believe the greatest risk is not using social media and other publicly available electronic information because it is an incredibly rich and unique source of information on the hardest to find adjudicative guidelines like personal conduct, foreign influence, foreign preference and mental health. If you think about the way that our clearance process works, a lot of the investigation is done using records. You search a credit report to get insight into a person’s financial trustworthiness. You would search criminal history to judge trustworthiness when it comes to finding whether or not someone has lied about their criminal history. When it comes to other adjudicative guidelines like the ones I mentioned, there aren’t data sources that show you whether a person prefers the government of China, for example, to the government of the United States. Social media and publicly available electronic information, where people can post on blogs and things like that, is a great source for that information. I would say though that the risk of using social media is in folks seeing it as a definitive source of information as opposed to perhaps a pointer or a lead, but the greater risk is not using it. As you know some things that you find in social media are open to interpretation – but others are irrefutable.
WashingtonExec: What can be done to expedite the security clearance setting without risking an insider threat risk or overlooking certain things?
Charles Sowell: It’s about risk management. You want the clearance process to be thorough enough to catch potential insider threats and keep nefarious actors out in the first place and identify the people that are currently in the system that could go bad. You have to look at things often enough to do that but at the same time there is the constant pressure to get it done faster, cheaper, and with higher quality. In defense contracting we always talk about the “three-legged stool,” you can have it good, fast or cheap, and you can pick any two. You can have it good and fast but then it is going to be expensive. If you want it good and cheap then it is going to take a long time. Those are always the pressures that the government faces as they revise the clearance process.
I think the best thing that we can do is continue a move to what the government calls continuous evaluation, because when you stop looking at the background investigation as a one-and-done type of activity, you could go bad tomorrow and if you just had your clearance done . . . well we are not really going to look at you again for five years. But in continuous evaluation, we would look at certain records; criminal records, perhaps financial records, or publicly available electronic information to catch folks that are at risk of going bad early. Government and industry invest a lot of time and money in getting people clearances and keeping people cleared. If we can intervene early, before somebody goes bad we can not only prevent damage to national security, but we can actually help the individual turn things around.
WashingtonExec: Now moving onto more recent events, what would you say are the main repercussions of the OPM hacker’s access to SF-86 forms?
Charles Sowell: There are huge implications about this. This needs to be on the front page of every major publication and there needs to be continued Congressional hearings. The implications are these among others:
First, the cost of issuing identity protection to folks that were identified as having their information compromised was over $20 million. That’s just for the identity protection services, that doesn’t include the cost of the letters that OPM had to send out to millions of people or the remediation activity that OPM has to take to lock down their system. I would estimate this cost will run into hundreds of millions of dollars at least.
The other thing is the number of security clearance holders whose data has been taken isn’t yet known according to Donna Seymour (Chief Information Officer of OPM). She said that the records go back to 1985 and include contractors as well as federal employees. Some government officials are estimating the number could be up to 14 million. Here’s the real problem, it isn’t just the applicants for clearances listed on the SF-86 form, it’s the fact that you have to list your friends, your family, addresses, other publicly identifiable information and in some cases your family member’s social security numbers and dates of birth. That information was in the same system so that’s not getting a lot of play yet … and that’s a huge issue.
The CIO also said that any federal employees who submitted service history records to OPM, whether or not their personnel records were kept by the agency, likely had their information stolen. With the SF-50 form showing employment history with the federal government, part of the problem is Intel agency employees who weren’t kept in the main personnel system for security reasons might have been exposed too.
You look at these three big areas; the cost of the breach, the fact that it’s not just the clearance holders but their family members and references that are likely compromised and the fact that Intel personnel were likely compromised as well is huge, absolutely huge.
WashingtonExec: Is there an increased national security threat due to the OPM hacking?
Charles Sowell: Yes, in addition to counterintelligence concerns because if a foreign government has this information they could be using it to target vulnerable employees. You also have what I would say is even worse, and that is the doubt about the integrity of the data in the system. What if the hackers created false records in the system? Would we be able to see that? What if hackers manipulated the data in the system and changed data around? This could cause complete chaos in the clearance process as well as the day-to-day activities across the government agencies that rely on clearance data. In some cases these systems determine what access you have to online systems. In other cases it affects reciprocity so when you’ve got someone going from one agency to another you are relying on clearance databases for reciprocity. Visit certifications could be affected – even things like TSA pre-check. Those are all of the things that need to be looked at as a result of the hack because you don’t know the veracity of the data anymore since a foreign actor has had access to the system.