[ISN] Guard the Secrets, Then Catch the Spies

From: InfoSec News (isnat_private)
Date: Wed Aug 29 2001 - 05:27:20 PDT

    August 28, 2001
    WASHINGTON -- Last Thursday, when Brian P. Regan entered a metal
    detector at Dulles airport in Washington, he held a high security
    clearance and worked at one of the nation's most sensitive
    intelligence agencies. Before he could reach his plane he was under
    arrest for conspiracy to commit espionage. Grabbed by the Federal
    Bureau of Investigation as he was about to board a flight to
    Switzerland, Mr. Regan became the latest in a long line of people
    accused of marketing America's deepest secrets -- in this case, according
    to news reports, to Libya.
    Despite the end of the Cold War, the selling of secrets by those
    entrusted with them continues unabated. Between 1982 and 1999,
    according to the General Accounting Office, 80 federal employees and
    contractor personnel were convicted of espionage. Yet the thinking of
    those responsible for plugging the leaks remains frozen somewhere in
    the 1950's.
    The main problem is that our government focuses almost exclusively on
    the initial security clearance process. Joining the intelligence
    community is like trying out for a fraternity. The prospective
    employee must undergo a rugged pledge period during which his finances
    are examined, his neighbors questioned, his background searched and
    finally, after a heart-pounding, perspiration-inducing session with
    the polygraph operator, he is given thumbs up or thumbs down. Once he
    is admitted, except for a routine check every five years (for
    top-secret clearances), his worries are over.
    Unfortunately, this method is nowhere near sufficient. John Walker in
    the Navy, Aldrich Ames in the C.I.A., Robert Hanssen in the F.B.I.,
    and on and on -- all successfully passed the clearance process and then,
    years into their careers, decided to sell out. At that point, with
    counterspy procedures focused on the new recruits, they simply emptied
    the warehouse.
    The arrest of Brian Regan underscores just how broken the clearance
    process has become. Until last August, when he retired from the Air
    Force and left his job at the National Reconnaissance Office, he held
    one of the highest clearances in the country, Top Secret Sensitive
    Compartmented Information. He was employed at an agency that, until a
    few years ago, no outsider was even allowed to know existed, and he
    was granted access to a computer system, Intelink, containing many of
    the spy world's most valuable secrets. Meanwhile, by February 2001 his
    consumer debt had climbed to $53,000. In June, when he returned to the
    N.R.O. as a civilian, he got his clearance back. By then, however, he
    was already under suspicion by the F.B.I.
    Given the state of the agency charged with most security clearance
    investigations, it is easy to see how potential problems slip through.
    Overworked and underfunded, the Defense Security Service, which
    handles investigations for the Department of Defense, has pushed
    incompetence deep into uncharted territory. In a 1999 study, the
    Government Accounting Office called the agency's performance "a risk
    to national security by making DOD [the Department of Defense]
    vulnerable to espionage."
    It then backed up the charge with statistics. For example, in the more
    than 500 cases they reviewed in which clearances were granted, 92
    percent were based on incomplete investigations. Also, the agency was
    so far behind in required reinvestigations that no one really had any
    idea of the number that were overdue -- somewhere between 600,000 and
    700,000. But considering that 94 percent of the reinvestigations
    reviewed by the G.A.O. were deficient, it probably makes little
    Given the sad state of the government's clearance process, it is time
    to do what the commercial world does -- consider everyone a potential
    crook. Merchandisers do not have the luxury of giving everyone who
    enters their stores a background investigation and polygraph exam.
    Instead, they let everyone in and then develop ways to prevent
    customers and employees from walking out with the goods. Because it is
    either this or go out of business, they are far ahead of government in
    product control. If someone attempts to walk out of Barnes & Noble
    with an unpurchased book, an alarm will go off. It makes no difference
    whether the thief holds a top-secret clearance or just got out of Sing
    Sing. Employees also must go through routine bag checks in many large
    retail establishments prior to leaving for the day.
    Sensitive government agencies have never developed similar security
    procedures. Everyone has a clearance appropriate to his or her level
    of access, the philosophy goes, and thus can be trusted. So there is
    no need for additional controls. That is why William Kampiles was able
    to walk out of C.I.A. headquarters in 1977 with the operations manual
    to the KH-11 spy satellite -- one of the most secret documents in
    government -- stuffed under his jacket. He probably had less fear of
    detection than someone would swiping a cookbook from Borders. It is
    also why Robert Hanssen was able to leave F.B.I. headquarters with
    enough secret documents to fill large green garbage bags. And Jonathan
    Pollard filled suitcases with documents for his Israeli handlers, more
    than half a million pages in all. In this most recent case, Brian
    Regan is suspected, to judge from the F.B.I. affidavit, of removing
    spy satellite photos and C.I.A. reports from the National
    Reconnaissance Office.
    In espionage, such documents are the coin of the realm. Russian
    intelligence, for example, has little enthusiasm, let alone
    capability, for debriefing volunteer spies, who likely have limited or
    faulty memories. Intelligence agencies are interested in reports,
    messages, photos and intercepts. If you prevent the documents from
    leaving, you prevent the espionage. Yet even at C.I.A. headquarters
    there is no such thing as bag checks for exiting employees.
    At a minimum, intelligence agencies should begin by adopting some of
    the techniques used by private industry. The most sensitive manuals
    and reports can be magnetized and detectors placed at exits. Employees
    should undergo bag checks. Eventually, methods should be developed to
    scan employees electronically for any indication of hidden documents,
    discs or other items, and greater controls can be placed on copying
    By tightening up on unauthorized removal of information, it may be
    possible to do away with antiquated, less reliable, and odious forms
    of security. This includes the polygraph, which gets it wrong and may
    destroy careers about 10 percent of the time. The savings from
    abandoning such methods could help finance research into document
    Brian Regan has a wife and four children. If the charges are true,
    perhaps better document controls might have deterred him. And his
    family would not now be passing through the gate to what will probably
    be a long and ugly nightmare.
    James Bamford is the author of "Body of Secrets: Anatomy of the
    Ultrasecret National Security Agency, From the Cold War Through the
    Dawn of a New Century."