When news broke that 21-year-old Massachusetts Air National Guard airman Jack Teixeira leaked defense documents on the social network Discord, experts and concerned citizens alike began questioning who vetted this low-level service member who potentially caused grave damage to national security.
The Teixeira saga, which will likely play out for years to come across courtrooms, Capitol Hill and the Pentagon, laid bare how a troubled young man with extremist tendencies needed only a computer and reliable home internet to disseminate government secrets.
But on a more fundamental level, Teixeira’s leaks represent just the dramatic, final failure of an enfeebled national security vetting system that struggles at times to track which employees have access to classified information at all.
A three-month Raw Story investigation indicates that some government contractors and agencies are still tracking employees’ security clearance status using pen and paper or consumer-grade desktop computer spreadsheet programs. From federal agency to federal agency, and contractor to contractor, clearance tracking practices vary wildly, with some using technology fit for a sci-fi blockbuster, and others, an elementary school classroom from the 1950s.
Raw Story spoke with more than 15 national security experts for “Losing Track,” a three-part series that examines the systems and processes the government uses to vet and track the nation’s more than 5 million security clearance-eligible individuals, per government records. (Read Part II here.)
Some outliers’ lack of technological progress potentially adds to the already tenuous nature of the government-wide personnel security clearance process, which the U.S. Government Accountability Office has classified as “high risk” for the past five years.
'Dress the naked emperor'
There’s hope: the government is in the midst of a multi-agency reform effort called Trusted Workforce 2.0.
This includes building out what’s called the National Background Investigation Services (NBIS), the new personnel vetting IT system that’s poised to standardize vetting procedures from start to finish — and continuously vet government workers who’ve already been cleared to handle sensitive documents.
But massive problems remain.
Despite being initially introduced to nearly all 115 federal agencies, the National Background Investigation Services won’t be fully operational for the foreseeable future.
Government contractors, meanwhile, including those that possess defense and military secrets, are still likely to use their own, internal personnel tracking systems in addition to the government’s databases — a security risk if those internal systems are antiquated. A person who no longer has security clearance may be listed as having it, for example.
Jack Teixeira, a Massachusetts Air National Guardsman, in a photo his mother posted on social media.
Compounding the government’s effort: none of this addresses private, password-protected social networks of the sort that Teixeira used to allegedly publish classified documents — and unleash chaos.
The government’s catch-up effort “feels like a lot of bureaucratic initiative to continue to dress the naked emperor, but it's like handkerchief by handkerchief,” said Lee Tien, senior staff attorney at the Electronic Frontier Foundation, a nonprofit digital rights group. “It's a totally messed up system.”
Tracking security clearances the ‘old school’ way
A 2023 report from ClearanceJobs, a network for employees with government security clearances, revealed that 20 percent of surveyed facility security officers, who manage a company or agency’s security personnel and facilities information, were tracking their cleared employees in Microsoft Excel, 8 percent with other spreadsheets and 2 percent were using pen and paper.
Local branches of the federal government, local governments and government contractors are particularly prone to using what Joe Ferguson, co-director of the National Security and Civil Rights Program at Loyola University Chicago, calls such “old school” practices — information technology and accounting systems that seem straight out of another century.
“We're talking about a pen and paper spreadsheet that is in someone's desk drawer that other folks are not aware of as the reference points and is not systematically updated and reviewed — you're talking about a huge security risk right there,” said Ferguson, who previously served as inspector general for the City of Chicago and assistant U.S. attorney with the United States Attorney’s Office for the Northern District of Illinois.
“People move on from the organization or the project, and their names are still on a list that says they have clearance,” Ferguson said. “That means they may have continuing access, and an organization that does this on pen and paper probably is an organization that does not have a reliable, accountable set of exit protocols to cut people's access off, to remove their access from files and systems that might be accessed electronically.”
Still, pen-and-paper tracking, while relatively rare, is a problem that is not widely known, according to the government agencies Raw Story interviewed. The practice is more likely to be found with contractors who only employ a few cleared personnel, experts say.
It’s much easier to find the consumer-grade spreadsheet problems, even at larger companies and agencies, sources tell Raw Story.
Yet, none of this is readily transparent as government contractors and agencies generally keep how they track their clearances as a secret.
'No unified system'
“I have had conversations with security offices who never challenged somebody's security clearance, which is kind of a surprise,” said Dan Meyer, partner at law firm Tully Rinckey PLLC’s Washington, D.C. office and former Navy communications security officer who used to process security clearances. “I did encounter one security office that had no program at all, so it wasn't that they were tracking off paper, they just weren’t tracking anybody at all … it's true that there's no unified system.”
Meyer, who also formerly worked for the U.S. Department of Defense Inspector General, said the government department that was not tracking its cleared personnel at all in the 2010s was a “nonintelligence agency with a fair number of security clearances, but even more importantly, databases that were absolutely sensitive and very important that our enemies not get access to them.” The government swiftly stepped in and brought in security professionals, Meyer said.
“The general mission of the agency was not national security or intelligence-based, but it had databases that it operated for the federal government that were absolutely essential to the security of the United States, and it was just a mismatch,” Meyer said. “The security office was operating under the premise that its employees really didn't need clearances and a few had them, and they didn't have to worry about it, so they didn't develop the full security program.”
Thomas Langer, retired vice president of security for BAE Systems, one of the government’s largest aerospace contractors, says security enterprise resource planning databases are needed by government contractors so their facility security officers can securely store the numerous pieces of information they need to track about their cleared personnel — ideally, with a dashboard that shows potential risks, too.
Facility security officers need to assess insider threat information and track various documents about a cleared employee’s foreign travel, security education and visit requests, to name a few — and they need to collaborate with different internal departments, too, from human resources to IT and ethics, said Langer, who is a principal at industrial security consultancy, Atlantic Security Advisors.
“I just don't know how you do this as a pen and paper system anymore,” Langer said. “I don't know how you use an Excel spreadsheet because that data is binary. It's not showing you anything. It's not giving you any kind of a readout as to what's really going on with your program.”
ALSO READ: Two bloodthirsty extremists are accused of the same murder, but one won't face trial — here's why
Langer said it’s “one of my professional regrets” not getting one dashboard with metrics on cleared personnel set up before he retired from BAE Systems. “Now I'm on this campaign that everybody needs to get it done,” he said.
The national security experts Raw Story spoke with agreed that government contractors are the ones most likely to internally track their security cleared personnel with dated practices.
"If your security clearance holder tracking is at the individual level with somebody with an Excel spreadsheet on their desktop, that's not probably tracking those individuals and their current accesses the way it should be,” said Lindy Kyzer, director of content at ClearanceJobs. “There are technologies out there, but I think one of the takeaways from security professionals is they're either not using it or not resourced with it or don't have it, and I think there's some concern around that."
It’s not uncommon for contractors to keep track of their secured personnel with an internal system in addition to using required government systems like the Defense Information System for Security. The National Background Investigation Services will replace the Defense Information System for Security and a number of other legacy government IT systems.
“Each cleared company is going to have their own system to do it. I know Lockheed Martin does centrally manage it. I'm sure there are any number of ways that people manage this out locally,” said Cindy McGovern, deputy in the office of communications and congressional affairs at the Defense Counterintelligence and Security Agency. “All cleared personnel to include industry will be in that system under DOD cognizance, but we have no insight or really knowledge of what each individual company would be doing.”
Javelin anti-tank missiles serve as a backdrop for President Joe Biden's speech to employees at Lockheed Martin, a facility which manufactures them, on May 3, 2022 in Troy, Ala. Defense contractors have different methods for tracking security clearances of employees. Julie Bennett/Getty Images
Lockheed Martin, maker of weapons systems such as the Javelin missile and JASSM cruise missile, did not respond to Raw Story’s request for comment.
With more government employees doing remote work, that can lead to less supervision of those with access to highly sensitive information, making internal tracking systems even more critical, Kyzer said.
“You don't have the same eyes on your employees that you did before, so you really need a better way to track your employees across different workplaces and across different staff members,” Kyzer said.
During his time as inspector general for the City of Chicago, Ferguson said he saw many local city government departments and local offices of federal agencies use dated practices to track their staff with clearances, often lacking protocols for cutting off access when employees would leave the agencies. The same concerns happen at the contractor level too, he said.
Picture a concentric circle, Ferguson said.
The further you go from a “core operation” of an agency, oversight and accountability get diluted, he said.
By the time you reach government contractors — private firms, generally, that the government pays for its services — “if you're in an area that is not utmost security-oriented,” there tends to be “a diminution of practice and oversight,” Ferguson said.
A clearance system, as the cliché goes, is only as strong as its weakest links. Therefore, “the same sort of rigor with the same sort of concerns and considerations should apply to all,” Ferguson said.
The slow pace of technological adoption
The government has a reputation for being slow to adopt new technologies, especially when compared to the advances in private industries — as much as a decade behind, Kyzer said.
So while the government has allocated hundreds of millions of dollars to modernize technology infrastructure, it can take at least 12 months — and sometimes, many months more — for agencies to adopt new technologies, said Chrissy McGarry, chief operating officer of Second Front Systems, a government contractor national security software company.
“That's a problem. That's a lot of time and a lot of money. That's a huge barrier to entry and that means you have individuals in our government and national security not running and operating missions with the best technology in hands," McGarry said.
The government says Trusted Workforce 2.0 has been a major effort, but it’s well on the way to making the technological advancements it needs.
The Defense Counterintelligence and Security Agency, which conducts 95 percent of background investigations for the federal government, is using a “develop and deploy model” and conducting an “agile build” of the National Background Investigation Services, said Royal Reff, a spokesperson for the agency.
Mark Frownfelter, assistant director for the Special Security Directorate within the National Counterintelligence and Security Center at the Office of the Director of National Intelligence says the Defense Counterintelligence and Security Agency describes the process as similar to “building the plane as they're flying it.”
With streamlined systems, there are cost savings to government agencies using the investigation services from the Defense Counterintelligence and Security Agency, which is the nation’s largest investigative service provider, McGovern said.
“When we started this journey, you had a plethora, really, of disparate systems that were conducting the background investigations and personnel vetting processes that take somebody from initiating an investigation all the way through the investigation, the adjudicated decision about that clearance investigation, and then to monitoring,” Reff said. “It’s more secure than anything we've ever built, and it replaces those disparate systems that are either outdated or just no longer meet the needs of the government.”
The National Background Investigation Services will continue to be built out “over the next couple of years,” Reff said, and continuous vetting is targeted to be deployed to the rest of the federal government by October 2024, a year after the initial target timeline.
But while Trusted Workforce 2.0 has made progress in reforming how the country manages its national security process, supporters and critics alike agree it’s a work in progress.
Meanwhile, somewhere, there may lurk another disaffected, low-level government employee with his or her hands on weapon schematics or facility blueprints or confidential conversations.
Whether the nation’s security apparatus is able to root out such a threat in time may hinge on their ability to probe into the darkest corners of an otherwise ubiquitous realm: social networks.
“Losing Track” is a three-part Raw Story series investigating problems lurking within the U.S. government’s security clearance system. Read Part II and Part III .
