RSS

The red herring of better vetting

September 27, 2013, at 12:33 AM
 

If only.

If only that contractor, United States Investigation Service, had not been rushed to complete its re-investigation of Edward Snowden, then his aberrant intentions would have been divined, and maybe he would not have been able to work at the NSA for the purposes of helping to implode it.

Be very wary of arguments like these. They're almost too easy to believe.

It may be straw-manning to say that the system works 99.9 percent of time, but is it not straw-manning to ask whether any other system, with trade-offs, would work better.

If actual federal agents had to do ALL of the security clearance investigations, they would do a lot less federal agenting and a lot more spying/investigating/harassing Americans about other Americans.

Okay, so hire more government employees to vet government employees. This requires a lot of money that Congress is not inclined to spend. It would create an even larger cadre of snoops.

The two other alternatives: Reduce the number of people with clearances or create much better government databases, ones that track information like who you live with, and how much money you make, and where you go on vacation. Okay, I concede that this information exists, and that the government obliges you to give permission to banks and companies to let go of it if you apply for a job requiring a clearance. But human investigators must check and verify everything, which takes a lot of time, because the databases generally are not owned by the government and are not oriented for this purpose. We can change the law and let the government collect, store, and analyze a lot more of this information, and that would certainly make background investigations more efficient, but it would come at a very real cost to everyone.

There are ways to make the system better, and that includes more accountability for the vetters, but there is no way to create a system that will suss out the intentions of an Edward Snowden. The best we can do is to require some sort of team evaluation of someone's trustworthiness every few years. This will be easier for, say, Secret Service agents to do than it will be for contractor system administrators who often don't work with teams. That said, the best predictors of what Edward Snowden will do in a given environment are born from assessments of what he HAS done in a given environment by people who've worked with him in said environment.

Polygraphs? Not terribly useful with someone who is determined to lie.

The truth here is still one that some admirers of the NSA are reluctant to admit: It was far, far too easy for someone to steal NSA's secrets from within. Not just someone, but anyone. The agency put too much faith in the vetting system and in the decades-old classification/compartmentalization architecture that it enabled.

If you were a techie, once you cleared the threshold, you were in. This doesn't comport with the image the NSA liked to create — that it was stingy about sharing anything because it was so secretive. But just as important as NSA's being too secretive was what "too secretive" actually meant. What it meant was: The NSA was too confident that the system worked because it had worked, and was unwilling to examine the dangers of how a closed system of power can foil well-intentioned oversight from within and without.

But I still wonder: A lot of NSAers are really smart. Surely someone knew that a regular, positive permission–based access system was vulnerable to a single-point failure. And surely, NSA's engineers must have been wary, or at least understood, that the kluge internal passport system they created to handle all the post 9/11 expansion had a soft underbelly. I wonder if anyone blew the whistle, or tried to, on how insecure to insider threats the NSA actually was. And if nobody did, why not?

 

THE WEEK'S AUDIOPHILE PODCASTS: LISTEN SMARTER

Facebook

Twitter

RSS

Subscribe to the Week