“High-risk.”
That’s how the U.S. Government Accountability Office — an internal watchdog for the federal government — has classified the nation’s security clearance vetting process for the past five years.
The latest report to Congress dropped amid several national security threats from current and former government employees this year alone: 21-year-old airman Jack Teixeira leaked defense documents on a gaming social media site; a jailed neo-Nazi Marine Corps vet allegedly saved classified materials on his computer; a former FBI analyst was sentenced to nearly four years in federal prison for retaining defense documents in her home.
Then there’s former president Donald Trump, charged with 39 felony counts related to his alleged retention and conspiracy to conceal classified documents.
“A high-quality security clearance process is necessary to prevent the unauthorized disclosure of information that could cause exceptionally grave damage to U.S. national security,” the Government Accountability Office report stated.
A multi-agency effort to reform government personnel vetting called Trusted Workforce 2.0 launched in 2018. It overhauls vetting technology, implements a new “continuous vetting” process and reshuffles bureaucratic security clearance responsibilities.
Yet five years later, the system is still a work in progress. Notably, it’s susceptible to vulnerabilities that come from gaps in agencies’ and contractors’ inconsistent adoption of security technologies, recruitment challenges exacerbated by perceived biases against some minority populations and investigation policies that potentially ignore publicly available warning signs for why someone should be denied a clearance.
“My concern is the outlier is actually the norm, but no one can easily see that,” said Lee Tien, senior staff attorney at the Electronic Frontier Foundation, a nonprofit digital rights group.
Raw Story spoke with more than 15 national security experts for its three-part “Losing Track” series — read Part I and Part III here— to examine the systems and processes the government uses to vet and track the nation’s more than 5 million clearance eligible individuals.
“Were there things that [Teixeira] was doing that should have triggered an alert in the continuous vetting system?” said Charlie Sowell, CEO of IT government contractor SE&M Solutions LLC and former deputy assistant director for special security at the Office of the Director of National Intelligence.
“In a really good continuous vetting system, I would say, yes, that there were things that should have triggered.”
The most trigger-ready element of all?
Social media.
Inconsistent and manual
For government contractors and employees seeking security clearances for their jobs, a social media post about illegal activity or violence, or one that threatened another person’s well-being, could disqualify them from accessing classified information.
But government officials in charge of vetting people for security clearances may never know what someone is doing in the depths of a social media network, whether on a common platform such as Twitter — now rebranded as X by owner Elon Musk — Facebook, LinkedIn and Threads, or social networks and messaging apps that have attracted far-right agitators and ideologues, such as Telegram, TRUTH Social, 4chan and 8kun.
This is particularly true if they endeavor to hide their activity.
And it’s a big “maybe” as to whether government vetting officials attempt to check social networks in the first place.
In short, it depends on the agency conducting the vetting and whether potentially dangerous social media activity among government employees who handle sensitive material is ever identified, collected or reported.
RELATED ARTICLE: National security at 'high risk' as 'old school' methods degrade government security practices
Take Teixeira. The low-level airman in the Massachusetts Air National Guard posted the classified defense documents he stole on the gaming social media platform, Discord, and he revealed his suspicions about the government, preparations for violence and racist views on the site’s private servers, as reported by the Washington Post. Social media is widely used by extremists, playing a role in the radicalization processes of nearly 90% of the extremists studied in 2016, according to research from the National Consortium for the Study of Terrorism and Responses to Terrorism.
Unless there's a public record of a concerning behavior — say a bankruptcy, lawsuit or criminal charge — the government isn't given the resources to fully vet individuals seeking clearances, including scouring social media for each individual, said Ron Sykstus, managing partner of Bond, Botes, Sykstus, & Tanner P.C., who specializes in security clearance concerns.
"There's a lot of expectation on the system to vet everything ... we've give lip service to 'hey, you better do a really good job at vetting everyone who's given access to classified material,' but they're underfunded. They don't have enough investigators. They don't give them the wherewithal to do each searching," said Sykstus, who is also a former Army JAG officer. "How much vetting can they really do? That's kind of an imperfect system."
Teixeira’s concerning social media activities easily escaped monitoring because government officials didn’t appear to be screening for it. Plus, he was posting on private Discord servers, and the government doesn’t investigate password-protected information, just what can be found in a public search.
“The ability to utilize social media checks in personnel vetting is available to departments and agencies, but they implement it the way they want to implement it,” said Mark Frownfelter, assistant director for the Special Security Directorate within the National Counterintelligence and Security Center at the Office of the Director of National Intelligence.
Government agencies can choose the extent to which they include information from an internet search, as well as publicly available social media information, in their personnel vetting processes, Frownfelter said. Initial guidance on this topic came out from the Office of the Director of National Intelligence in 2016.
Some agencies evaluate publicly available electronic information “across the board” when it comes to an initial determination about getting a security clearance — some don’t at all, and others will do an individual search only if a concern triggers the need for a social media check, Frownfelter said. Checking social media for every security clearance applicant would cause major timeliness issues, he said.
“It’s a manual process now, so there's not a lot of bang for the buck in that area,” Frownfelter said. “In fact, it's been described to us as a high-volume effort for a low yield of return.”
Individuals going through the vetting process need to consent to having their public online information potentially included in the evaluation process. This consent typically occurs when they fill out what’s known as Standard Form 86, the 136-page document that asks an applicant seeking a security clearance numerous questions on topics like employment history, residences, criminal history and drug use.
Resistance to opting in hasn’t been a problem, Frownfelter said.
“I haven't heard of anybody saying, ‘absolutely not, you can't do an open source internet search on me of publicly available electronic information,’” Frownfelter said.
Third parties can report concerning behaviors — say, a visit inside the Capitol on Jan. 6, 2021 — which might prompt a social media check, but concerns can come up about consent when an individual doesn’t know information about them is being shared, and identity resolution challenges can occur, especially for people with common names, Frownfelter said.
“It could be any type of information which surfaces that you want to either validate or confirm or just see if you can solicit more information on that front would trigger a social media check,” Frownfelter said. “But some agencies, if you go through the vetting process with no blemishes, no concerns, it may not warrant a social media check.”
Currently, the Defense Counterintelligence and Security Agency, which conducts 95 percent of background investigations for the federal government, does not automatically monitor service members' social media, and individuals can voluntarily allow such information in a background investigation, said Royal Reff, a spokesperson for the agency.
People never need to provide their passwords, log into a private account or “take any action that would disclose private social media information,” he added.
The Defense Counterintelligence and Security Agency has conducted pilot programs using publicly available social media information to “inform personnel vetting and continuous evaluation determinations for eligibility to access classified information, suitability for government employment and fitness for contractor employees,” Reff said.
The agency has been “successful” using such information when a specific issue is identified, Reff said.
“These counter insider threat-oriented reviews are conducted using different authorities and procedures than background investigations and continuous vetting,” Reff said. “We remain committed to ongoing efforts, and further exploration and development of [publicly available social media information] monitoring programs that can contribute to the efficacy of our personnel vetting programs.”
Rather than reinvestigate employees with security clearances every five to 10 years, the new continuous vetting system prompts automatic database checks in areas such as public records, credit, financial activity and foreign travel for existing cleared personnel.
"There's no more waiting five years before you can disclose this person just got a DUI or domestic violence. They're going to know within months," said Dan Bradley, principal consultant and owner of DC Security Clearance Consultants.
But social media isn’t a part of that automatic process and would only be checked if a concern is reported that would trigger a search.
Nor will social media be a part of continuous vetting “until we can find a vendor that would be able to do that in an automated fashion,” Frownfelter said.
“I don't want to say it’s totally off the books,” Frownfelter said. “That's been discussed, but right now, most agencies, it's a manual process, so it wouldn't be part of the continuous vetting capability.”
Sowell said the continuous vetting system is “missing a lot of potential worrisome activity.” For instance, a foreign agent would be more likely to send money via Venmo than have a transaction appear on a credit report, he said.
“If a person can hide behind a private group in a social media account, and yet share classified information with their private group members, that is a glaring siren to me,” Sowell said. “If you're not looking for the sources of information that would surface that, well, then you're just going through the motions, aren't you?”
Spying on social media: is it ethical?
Still, Sowell says the thought of his social media being evaluated in the personnel vetting process gives him some pause.
“The old adage of if you're not doing anything wrong, you don't have anything to hide … that just doesn't fly in current government,” Sowell said. “I really worry about, for example, if an adjudicator had a completely different political leaning than I do, in today's day and age, I don't know if I would trust an adjudicator to make a fair decision if they looked at my Twitter account.”
Chrissy McGarry is currently going through the background investigation process for her role as chief operating officer of Second Front Systems, a government contractor national security software company.
Using social media or mental health information to determine access to clearances might not be fair, she said.
“How do you navigate these delicate waters to ensure that we are running, operating in the safest manner that we can?” McGarry said.
ALSO READ: Feds banned this violent J6er from nuclear plants — but they still haven’t arrested him
Including social media in the background investigation process brings up some concerns about First Amendment rights as well, said Patrick Eddington, a senior fellow in homeland security and civil liberties at the libertarian think tank, the Cato Institute.
The 1969 Supreme Court case, Brandenburg v. Ohio, created a litmus test that determined free speech can only be prohibited if it is inciting or likely to produce “imminent lawless action,” meaning that Clarence Brandenburg, a Ku Klux Klan member, was able to publicly express his racist comments at a KKK rally.
“If Teixeira was on there talking about how he would like to engage in violence, let's say against a particular individual, that's the kind of thing at the end of the day that the social media company from their content moderation standpoint ought to be taking a very close look at and get their counsel involved to make a determination as to whether or not they believe that the Brandenburg v. Ohio threshold has been crossed,” said Eddington, a former CIA analyst.
“If it's just generalized popping off about stuff, and there's no actual direct threat to a specific human being, it gets a lot murkier. It gets you into that space where the speech might be offensive, might be deeply troubling, but also might not necessarily be indicative of any intent to actually do anything.”
For the privilege of access, should you give up some privacy?
Social media monitoring should be a standard part of the vetting process, says Joe Ferguson, co-director of the National Security and Civil Rights Program at Loyola University Chicago and former inspector general for the City of Chicago.
“It's clearly a problem, and it's a growing problem,” said Ferguson, who is also a former assistant U.S. attorney with the United States Attorney’s Office for the Northern District of Illinois.
Up-front consent is key to getting people on board with agreeing to a social media check, he said.
“The concern, generally and culturally, is of government entities basically spying on people who are engaged in such activities,” Ferguson said. “We don't want that, but if you're being given clearance, and you have a benefit, either through a job or through a contract with the government that affords you access — and for which your character and integrity because you are an agent of the government may matter — I think a front-end disclosure that it’s going to be done … we mitigate the concern about the government secretly doing things that relate to people's free speech activities.”
But even if there are people who don’t want the government looking at their public social media during the vetting process, Robert Sanders, distinguished lecturer in the national security department at the University of New Haven and former Navy JAG captain, says that those with access to classified information should be open to relinquishing some privacy in order to have such jobs.
“We have a level of privileges that we expect based on our presence in the nation’s citizenship, but do you give some of that up when you take these jobs?” Sanders said. “My answer is, you do. You should. It's part of the deal, or it should be part of the deal.”
Manually checking social media in the initial security clearance investigation and continuous vetting processes isn’t the only part of the security clearance system that is lacking 21st century capabilities — how government agencies and contractors track their cleared employees concerns national security experts as well.
And personnel problems have continued to challenge the nation’s clearance vetting system for years.
“Losing Track” is a three-part Raw Story series investigating problems lurking within the U.S. government’s security clearance system. Read Part I and Part III .
