June 11, 2013

How Does the Government Manage Workers With Access to Classified Information

GWEN IFILL: Snowden's revelations have some wondering that if a 29-year-old got access to classified documents, who else outside government does?

To help us find answers, I'm joined by Washington Post investigative reporter Dana Priest, author of "Top Secret America The Rise of the New American Security State," and Irving Lachow, director of the Program on Technology and U.S. National Security at the Center for a New American Security. Dana Priest, you worked on an investigation of this kind of top secret activity for two years. How extensive would you say it is?

DANA PRIEST, The Washington Post: Well, after 9/11, the government decided to vastly increase what it could do and the size of its intelligence agencies without hiring more federal employees. And the only way that it could do that was to hire more contractors.

And we reported and then the government followed up and reported that there were nearly 400,000 contractors with top secret clearance, three times that many with secret clearance. So we're talking about an increased pool of people who do swear an oath, who understand that they are not allowed to share classified information, who go through at the top secret level pretty intrusive background checks.

But, nonetheless, you open up yourself to more risk when you bring on people, especially in a quick manner that happened after 9/11, when people wanted to increase the capabilities that the government had, and they hired people quickly. And then they got a bottleneck of those -- in those reviews of their background, and the GAO, the government agency that looks at how the government works, did find that there were some shortcuts in the way that security clearances were documented and given out.

So I think that, you know, this is an increased risk when you hire contractors. On the other hand, I think really what it shows is that the government still is coming to grips with its own computer systems. One of the largest number of contractors are in the field that Mr. Snowden says that he was in, which is the I.T. field.

GWEN IFILL: Well, let me ask Irving Lachow about people like Edward Snowden and even Bradley Manning, the -- how do they get access to these documents? How do you get a secret security clearance so high that you can do this much damage?

IRVING LACHOW, Director, Program on Technology and U.S. National Security, Center for a New American Security: Well, so, they go through a process, a background investigation.

And if they are vetted successfully, then they are granted access to a given level of information. And once you have access to that information, there are computer networks that are available that have a lot of information at that level of classification, where you can just go and do a search and find much of that information.

And so if you are Bradley Manning, you can do a search and find all this kind of information, in his case, download it to a disk and potentially walk out the door with it.

GWEN IFILL: Are protections sufficient?

For instance, we heard early on in this that even before Edward Snowden's story had come out, the leaks had actually been published, that the government was onto him. Is that always what happens? Or do we know that there are moles working in the government who we never find?

IRVING LACHOW: Well, so the government is aware that there are people who are going to be trying to do this kind of thing.

And so there are a lot of controls in place, and there's a lot of activity in place to try to catch these kind of activities, but it can be very difficult. As Dana pointed out, there are tens of thousands, if not hundreds of thousands of people who have access to the highest, the most sensitive information that our country has.

And it can be very difficult to control who should have access to what information at what time, because everyone is working on different projects, different programs. They might be doing research, and so it can become very difficult to try to understand who is doing something legitimate and who is doing something they shouldn't be doing.

GWEN IFILL: So, Dana Priest, how do they manage this? How do they -- what kind of controls can they impose?

DANA PRIEST: Well, there are two things right off the bat.

One is that people are regularly polygraphed, maybe once a year, to make sure that they still pass, that nothing has changed in their background that would indicate a risk. The other thing really is that they do rely on other employees to notice differences and to report them. And they do have counterintelligence people who are employed to do just that, to follow people into the watering holes that they frequent, and into the social settings that they frequent, especially if there is a suspicion about somebody, because they are trying to catch something like this before it happens.

But, in the Manning case, for example, even though he technically had access to what he downloaded, in the after-action review that they did, he shouldn't have. The State Department's computer system shouldn't have allowed, they determined later, someone who was studying one particular type of terrorist to have access to State Department cables from around the world. So they're still really trying to adjust their computer systems to give access to people who have a need to know about particular programs.

GWEN IFILL: Last night, we had the former Director of Intelligence Dennis Blair on this program. And he actually in an interesting interview with Dana for her series said, you know, sure we have expanded. Sure, we're doing more. But it's worth overdoing.

Is it worth overdoing, in your opinion?

DANA PRIEST: I think that is what this ...

GWEN IFILL: I was going to ask Irving that, and then I will come back to you, Dana.

DANA PRIEST: OK.

IRVING LACHOW: Well, I think it depends.

So, there are always trade-offs. There are trade-offs between security and liberty. There are trade-offs with relying on contractors. So the benefit of using contractors is, they're easy to hire and fire, or at least much easier than government personnel. So it gives you a lot more flexibility to bring people in with special expertise, people that are hard to bring into the government on a regular basis.

But there are risks. You are relying on people. There needs to be oversight. And oftentimes, the government personnel who are overseeing the contractors may not understand, especially on some technical issues. They may not have the knowledge that the contractors do. And so maybe they don't have a detailed understanding of what is going on underneath them.

And so there are some risks that you potentially introduce into the system.

GWEN IFILL: Dana, you were going to say?

DANA PRIEST: Well, you can see from the reactions that have followed this that some people think it's worth overdoing and some people don't. And other people would just like more information.

The Senate Intelligence Committee, for example, today got briefed by government officials on the program again, and immediately came out and said they would like some of it declassified. The same sort of information that's now being touted as treasonous, they would like to declassify so that we could learn more about it.

And so obviously there are people that think some of that information doesn't damage national security. It probably belies some of the myths that are growing up now as we speak around these programs. So the debate is what Mr. Snowden says he was all about, and obviously has some concerns about the program. I don't see how anybody can really make a decision on whether it's too much without knowing what it is.

GWEN IFILL: Irving Lachow, are we -- is it possible that we as citizens are giving away as much information as they are getting from us when we talk about especially these social media sites?

IRVING LACHOW: Absolutely.

So I think, without -- without knowing it, we all, as we do our daily business, use social media, go on the Internet, we are giving away so much information. I think most Americans don't have any idea how much -- what companies do just by tracking our behavior. They don't need to see the content of what we do, but just by being able to track where we go, what we do, our geolocation, they can put together a picture of who we are, how old we are, how much money we make, who our friends are.

It's remarkable what you can do with that kind of metadata, which is exactly the kind of information that was being collected from these phone records. And so I think, without knowing it, many of us are giving away a tremendous amount of information.

GWEN IFILL: Is there a difference, Dana, between giving it away to the government and giving it away to private industry?

DANA PRIEST: Oh, absolutely, because what privacy advocates are most worried about is the storage of this data. So I may not be under suspicion right now; 10 years from now, you know, they're looking at three parts -- three different sets of my digital exhaust, and they may decide something is suspicious.

And so they can go back and mine the data that they have from 10 years ago. And that's what causes privacy advocates most concern, is that you are going to have this giant database of information about Americans in the Verizon phone records instance.

GWEN IFILL: Dana Priest of The Washington Post, Irving Lachow of the Center for a New American Security, thank you both very much.

DANA PRIEST: Thanks, Gwen.

IRVING LACHOW: Thank you.