Guard the Secrets, Then Catch the Spies

[InfoSec News <isn () c4i org>]

http://www.nytimes.com/2001/08/28/opinion/28BAMF.html?searchpv=nytToday

By JAMES BAMFORD
August 28, 2001

WASHINGTON -- Last Thursday, when Brian P. Regan entered a metal
detector at Dulles airport in Washington, he held a high security
clearance and worked at one of the nation's most sensitive
intelligence agencies. Before he could reach his plane he was under
arrest for conspiracy to commit espionage. Grabbed by the Federal
Bureau of Investigation as he was about to board a flight to
Switzerland, Mr. Regan became the latest in a long line of people
accused of marketing America's deepest secrets in this case, according
to news reports, to Libya.

Despite the end of the Cold War, the selling of secrets by those
entrusted with them continues unabated. Between 1982 and 1999,
according to the General Accounting Office, 80 federal employees and
contractor personnel were convicted of espionage. Yet the thinking of
those responsible for plugging the leaks remains frozen somewhere in
the 1950's.

The main problem is that our government focuses almost exclusively on
the initial security clearance process. Joining the intelligence
community is like trying out for a fraternity. The prospective
employee must undergo a rugged pledge period during which his finances
are examined, his neighbors questioned, his background searched and
finally, after a heart-pounding, perspiration-inducing session with
the polygraph operator, he is given thumbs up or thumbs down. Once he
is admitted, except for a routine check every five years (for
top-secret clearances), his worries are over.

Unfortunately, this method is nowhere near sufficient. John Walker in
the Navy, Aldrich Ames in the C.I.A., Robert Hanssen in the F.B.I.,
and on and on all successfully passed the clearance process and then,
years into their careers, decided to sell out. At that point, with
counterspy procedures focused on the new recruits, they simply emptied
the warehouse.

The arrest of Brian Regan underscores just how broken the clearance
process has become. Until last August, when he retired from the Air
Force and left his job at the National Reconnaissance Office, he held
one of the highest clearances in the country, Top Secret Sensitive
Compartmented Information. He was employed at an agency that, until a
few years ago, no outsider was even allowed to know existed, and he
was granted access to a computer system, Intelink, containing many of
the spy world's most valuable secrets. Meanwhile, by February 2001 his
consumer debt had climbed to $53,000. In June, when he returned to the
N.R.O. as a civilian, he got his clearance back. By then, however, he
was already under suspicion by the F.B.I.

Given the state of the agency charged with most security clearance
investigations, it is easy to see how potential problems slip through.
Overworked and underfunded, the Defense Security Service, which
handles investigations for the Department of Defense, has pushed
incompetence deep into uncharted territory. In a 1999 study, the
Government Accounting Office called the agency's performance "a risk
to national security by making DOD [the Department of Defense]
vulnerable to espionage."

It then backed up the charge with statistics. For example, in the more
than 500 cases they reviewed in which clearances were granted, 92
percent were based on incomplete investigations. Also, the agency was
so far behind in required reinvestigations that no one really had any
idea of the number that were overdue somewhere between 600,000 and
700,000. But considering that 94 percent of the reinvestigations
reviewed by the G.A.O. were deficient, it probably makes little
difference.

Given the sad state of the government's clearance process, it is time
to do what the commercial world does consider everyone a potential
crook. Merchandisers do not have the luxury of giving everyone who
enters their stores a background investigation and polygraph exam.
Instead, they let everyone in and then develop ways to prevent
customers and employees from walking out with the goods. Because it is
either this or go out of business, they are far ahead of government in
product control. If someone attempts to walk out of Barnes & Noble
with an unpurchased book, an alarm will go off. It makes no difference
whether the thief holds a top-secret clearance or just got out of Sing
Sing. Employees also must go through routine bag checks in many large
retail establishments prior to leaving for the day.

Sensitive government agencies have never developed similar security
procedures. Everyone has a clearance appropriate to his or her level
of access, the philosophy goes, and thus can be trusted. So there is
no need for additional controls. That is why William Kampiles was able
to walk out of C.I.A. headquarters in 1977 with the operations manual
to the KH-11 spy satellite one of the most secret documents in
government stuffed under his jacket. He probably had less fear of
detection than someone would swiping a cookbook from Borders. It is
also why Robert Hanssen was able to leave F.B.I. headquarters with
enough secret documents to fill large green garbage bags. And Jonathan
Pollard filled suitcases with documents for his Israeli handlers, more
than half a million pages in all. In this most recent case, Brian
Regan is suspected, to judge from the F.B.I. affidavit, of removing
spy satellite photos and C.I.A. reports from the National
Reconnaissance Office.

In espionage, such documents are the coin of the realm. Russian
intelligence, for example, has little enthusiasm, let alone
capability, for debriefing volunteer spies, who likely have limited or
faulty memories. Intelligence agencies are interested in reports,
messages, photos and intercepts. If you prevent the documents from
leaving, you prevent the espionage. Yet even at C.I.A. headquarters
there is no such thing as bag checks for exiting employees.

At a minimum, intelligence agencies should begin by adopting some of
the techniques used by private industry. The most sensitive manuals
and reports can be magnetized and detectors placed at exits. Employees
should undergo bag checks. Eventually, methods should be developed to
scan employees electronically for any indication of hidden documents,
discs or other items, and greater controls can be placed on copying
machines.

By tightening up on unauthorized removal of information, it may be
possible to do away with antiquated, less reliable, and odious forms
of security. This includes the polygraph, which gets it wrong and may
destroy careers about 10 percent of the time. The savings from
abandoning such methods could help finance research into document
control.

Brian Regan has a wife and four children. If the charges are true,
perhaps better document controls might have deterred him. And his
family would not now be passing through the gate to what will probably
be a long and ugly nightmare.


James Bamford is the author of "Body of Secrets: Anatomy of the
Ultrasecret National Security Agency, From the Cold War Through the
Dawn of a New Century.''



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.