Skip to main content

tv   Hearing Considers Inclusion of Social Media in Federal Background Checks  CSPAN  May 17, 2016 1:44am-3:01am EDT

1:44 am
1:45 am
federal government's role in funding state transportation projects.
1:46 am
the federal government will start checking social media soon as part of background checks for employees seeking security clearance. white house and counter intelligence officials testified on the new policy at a recent house oversight hearing. this is an hour and a 15 minutes. the sub-committee on government operations and the sub-committee on national security will come to order and without objection, the chair is authorized to declare a recess at any time. we're here today to discuss incorporating social media into the federal security clearance and background investigations. having a security clearance means by definition you have access to information that would hurt our national security if it got out. and that is why we perform
1:47 am
background investigations on individuals who want a security clearance. the goal of our background investigations must be to find out if an individual is trustworthy. back in the 1950s, that meant talking to neighbors and family. today, with more than a billion individuals on facebook, what a person says and does on social media can often give a better insight on who they really are. since 2008, various federal agencies have conducted studies on using social media data in investigations and they all find the same thing, that there is a wealth of important information on social media. this issue now facing the federal government is how to use social media information while respecting the legitimate privacy concerns that are often brought forth. the good news is that using social media checks in, security clearance investigation, does not have to be a binary decision
1:48 am
between big brother and an ineffective system. there are several reasonable options available to us to use social media data in a responsible way. it is encouraging that -- to see that o.d.n.i. announced this morning, in advance of today's hearing, a new policy that will follow -- that will allow federal agencies to review publicly available social media information as part of the clearance investigation process. we will continue to work with the agencies to ensure that the social media data of people with security clearances is used in a safe and responsible way. i would like to thank the witnesses for coming here today and i look forward to their testimony. and with that, i would recognize the ranking member of the sub-committee on government operations, my good friend mr. connelly. >> i thank must friend the chairman for holding this hearing to examine the
1:49 am
usefulness of social media and other crucial enhancements to the federal background investigation process. on january 22nd, the administration announced that the federal investigate services, a former entity of opm, would transfer the functions to a new national background investigations bureau. the department of defense will assume responsibility for designing and operating all information technology for the new nbib. i think it makes abundant sense to task our national security experts with protecting the sensitive personal information of millions of clearance-holders. today we're discussing another enhancement, the inclusion of social media in the background investigation process. the army has a pilot program which used publicly-available data from social media sites to investigate background check processes. currently, the department of defense is also conducted a pilot program that looks at all publicly available information
1:50 am
online such as news articles and commercial websites. i'm interested in learning the major findings and lesson learns from the pilot programs. while social media is a promising and valuable source potentially of information, i remain concerned that the government should not retain social media data of third-parties who happen to engage with the applicant but have not consented to waiving privacy rights. we must not forget to discuss other ways to enhance security clearance processes. the performance accountability council is establishing a law enforcement liaison office that will communicate with local governments to expedite the local government information. that is an enhancement on september 16th, 2013, aaron alexis, a federal subcontractor with a secret level clearance entered the washington navy yard and tragically killed 12 people and injured four others. he had a security clearance.
1:51 am
the background investigation failed to identify that mr. alexis had a history of gun violence. the local police record of mr. alexis' 2004 firearms arrest had not been provided to federal investigators. improvements in communication between local law enforcement and federal background investigators could prevent and could perhaps have prevented a tragedy like that that occurred in the washington navy yard. i welcome each of the witnesses back from the full committee february hearing and look forward to hearing on the progress on the administration's plan to reform the security clearance and background investigation process while preserving privacy rights. thank you, mr. chairman. >> i thank the gentleman. the chair now recognizes the chairman of the sub-committee on national security, mr. desantis for his opening statement. >> i thank you chairman. i just want to say, i think this is an important issue and it looks like we just got a
1:52 am
directive late last night where this is now going to be an implemented policy. so i'm interested in hearing how that is going to be implemented so i'm sure that's a result of your oversight so thank you for doing that and i look forward to hearing to the witness testimony. >> chairman desantis, thank you for your leadership on so many of the issues and i look forward to working with you. i now recognize the ranking member on the sub-committee on national security, the gentleman from massachusetts, mr. lynch. >> thank you, mr. chairman and also like to thank chairman desantis and my friend mr. connelly for holding this hearing. it is important for a number of reasons, which you both have touched on already. when an individual applies to receive an in ishl or renewed security clearance the federal government conducts a background investigation to determine whether he or she may be eligible to access classified national security information. every security clearance candidate is required to complete a standard form 86. i have one right here.
1:53 am
and i have -- it likely goes into a number of very personal aspects of each person's life. this 127-page form already requests a variety of personal applicant information such as criminal history, any history of alcohol use or illegal drug use, any mental health counseling. it does not currently request social media information. but as chairman desantis noted last night at about 11:00, we got copies of this policy. and i want to say thank you. we have now -- not always have information forthcoming in a timely manner and even 11:00 at night is timely around here. a few hours before the hearing. but i appreciate you sending it. i thought it might be a mistake, actually, that you sent the policy over. i did have a chance to read it a couple of times last night and it raises some questions.
1:54 am
but i think it is a very good first effort. and we appreciate it. in december of 2015 congress passed and president obama signed a bipartisan funding legislation that included a robust directive to enhance the security clearance process. the recent omnibus appropriations act also requires the director of dni to direct the federal agencies to use social media and other publicly available government and commercial data when conducting clearance of security holders. the law provides guidance on the types of information that could be obtained from social media and other sources and may prove relevant to a determination of whether an individual should be granted clearance at all. this includes information suggesting a change in ideology, or ill-intent or allegiance to another country. and the main impetuous was the
1:55 am
terrible incident at the washington navy yard. and also i would add there has been exploitation of twitter, facebook, what's app and telegram by the islamic state and also at one point we had everyone who filled out a -- a standard form 86 hacked by the chinese as well. so they have a list of everybody who filled out a -- a 86 security request clearance and which is troubling. there is a lot that needs to be talked about here. we're going to gather the information on individuals in one place. in light of what has happened, with the chinese hack, i'm concerned about putting medical information, all of this about people who apply in one place where it might be accessed by hostile or nefarious actors. so we're going to talk a little bit about that this morning.
1:56 am
as i said, i appreciate the security executive agent directive number five. and i think it is a very good first effort and i appreciate your transparency with us. thank you. >> i yield back. >> i thank the gentleman and i will hold the record open for five legislative days for any members who would like to submit a written statement. we'll now recognize our panel of witnesses. i'm pleased to welcome mr. william evanina, director of the national counter intelligence and security center and the office of the director of national intelligence. miss beth cobert, acting director of the u.s. office of personnel management and i might add in her new role, working incredibly well in a bipartisan and transparent way that is recognized by this committee so thank you so much. mr. tony scott, the u.s. chief information officer at the u.s.
1:57 am
office of management and budget. welcome to you all. and pursuant to committee rules all witnesses will be sworn in before they testify. so if you will please rise and raise your right hand. do you solemnly wear or affirm the testimony you are about to give, will be the truth, the whole truth and nothing but the truth? thank you. please be seated. let the reflect that all witnesses answered in the affirmative. in order to allow time for discussion, please limit your oral testimony to five minutes. you're very familiar with the process but your entire written statement may be made part of the record. so mr. evanina, you are now recognized for five minutes. >> good morning, everyone. chairman meadows, desantis and ranking member connelly and ranking member lynch, and members of the sub kwhity, thank you for having me here as part of this team and participating in today's hearing. as a national counter intelligence executive and director of the security center,
1:58 am
i'm responsible for leading and supporting the counter intelligence and security activities of the united states government, which includes the entire u.s. government and the private sector. throughout the intelligence community. in addition i'm responsible for providing outreach to u.s. private sector entities who are at risk of becoming a target of intelligence collection, penetration or attack by foreign or other adversaries. i also support the director of national intelligence responsibilities as a security executive agent. the role under which the social media directive was developed. and i work close in partnership with the office of management and budget and the office of personal management and my colleagues to my left. the department of defense and all partners in this effort and as well as part of the pack. agencies across the executive branch are also part of today's progress and the processes we have achieved with this policy. when i last appeared before this committee on february 25th, we discussed the formation of the
1:59 am
national background investigations bureau and security clearance reforms. today i've been asked to discussion the administration's policy on the use of social media as part of the personal security background investigation process. mr. chairman, we've been steadfastly at work on a directive that addresses the collection and use of publicly available social media information during the conduct of personal security, background investigations and adjudications. i want to acknowledge the important contributions to this effort made by our entire executive branch colleagues, particularly at the office of management and budget and opm. and i'm pleased, as you referenced, to announce that the director of national intelligence has recently approved this directive, which is being publicly released. the data gathered via social media will enhance our ability to determine initial and continued eligibility for access to national security information and eligibility for sensitive
2:00 am
positions. i realize that the federal government's authority to collect and review publicly available social media information in the course of a personal security background investigation adjudication raises some important legitimate civil liberties and privacy concerns. nevertheless, let me be clear, i'm strongly of the view that being able to collect and review powerbally available -- publicly available information available to the public is an important and valuable capability to make sure the individuals with access to our secrets continue to protect them. and that the capability can be aligned with the appropriate civil liberties and privacy protections. i would note to the committee that by the term publicly available social media information, we mean social media information that has been published or broadcast for public consumption, is available on request to the public, is accessible online to the public, is available to the public by subscription or purchase, or is
2:01 am
otherwise lawfully accessible to the public. i believe the new directive on social media strike this is important balance. under the new directive only publicly available social media media information pertaining to the individual under investigation will be intentionally collected. apps are a national concern or criminal reporting requirement, information pertaining to the individual's others than the individual being investigated will not be investigated or pursued. in addition, the u.s. government may not request or require individuals subject to the background investigation to provide passwords or log--in into private accounts or to take any action that would disclose nonpublicly available social media information. the complexity has led to a lengthy review by the departments and agencies affected by this policy. as well as coordination with different members of civil liberties and privacy offices, privacy act offices, and offices of general council. mr. chairman, the new guidelines approved by the director of
2:02 am
national intelligence for the collection and use of potentially available social media information in security clearance investigations ensure this valuable avenue of investigation can be pursued consistent with subjects civil liberties and privacy rights. the use of social media has become an integral and public part of fabrics of most american's daily lives. it is critical that we use this source of information to help protect our nation's security mr. chairman, i welcome any questions of you and your colleagues have regarding this directive. thank you. >> thank you for your testimony. miss cob ert, you are recognized for five minutes. >> chairman meadows, chairman desantis, ranking member connelly and liynch and members of sub-committee, thank you for the opportunity to testify before you today on the use of social media in the federal background investigation process. opm plays an important role in conducting back ground investigations for the vast majority of the federal government. currently opm federal
2:03 am
investigate services, fis, conducted $1 million investigations for over 100 federal agencies. approximately 95% of the total background investigations government-wide. these background investigations include more than 600,000 national security investigations and 400,000 investigations related to suitability, fitness or credentialing each year. as we discussed in february, we are in the process of transitioning to the new national background investigations bureau nbib which will absorb fis and the mission to become a government wide service provider for background investigations. the department of defense with the unique national security perspective, will design, build and secure and operate the nbib investigate it systems in cooperation with the nbib. to provide context for our discussion today, would you like to take a few minutes to review how the current security clearance process operates in most cases.
2:04 am
first, an executive branch agency will make a requirements determination as to the sensitivity and risk level of the position. if an agency determines that a position requires a clearance, the employee completes an sf-86 and submitted fingerprints, both are sent to opm with an investigation request. opm conducts the investigation by doing the checks required by the federal investigative standards. the results of the investigation are then sent to the requesting agency for adjudication. the clearance decision is made from the information in the investigate report in conformance with the adjudication guidelines under the operation of intelligence, odi. the requesting agency sends their decision back to opm who maintains the records for reciprocity purposes. the individual is reinvestigated on a periodic basis. as the committee is aware, agencies make security clearance decisions using a whole person
2:05 am
approach. meaning that available and reliable information about the person, past and present, favorable and unfavorable, should be considered by adjudicators in reaching a determination. one component of that approach in the 21st sscentury is the toc of today's hearing. social media. and odi and the security agent has developed a social media policy that has undergoen coordination with officials. opm looks forward to implementing the policy as part of the ongoing efforts to strengthen the investigate processes. in april opm issued a request for information seeking to better information the market and the types of products venters -- vendors could provide to meet social media requirements. the rfi in preparation for a pilot that opm is planning to conduct this year that will incorporate publicly available social media into the background investigation process. this plan pilot will be
2:06 am
conducted by opm in coordination with the odi. the pilot will obtain the results of searches of publicly available electronic information, including public posts on social media from a commercial vendor for a population of security clearance investigations using pertinent investigative and adjudicateive idea. this pilot is different in that it will assess the practical aspects of in corporating social media into the operational end to end process. the mechanics of adding this type of report to a background investigation and the effects on quality, cost and timeliness. in addition, the pilot will assess the uniqueness of the information provided through social media checks as compared to information provided through traditional investigative sources. supporting the implementation of the nbib and aiding its success in all areas will continue to be a core focus for opm as well as the performance accountability
2:07 am
council, the pack. our goal is to have the nbib official operating cab asity established with a new leader in place by october 2016, though implementation work will remain to be done after that date. on behalf of opm, i'm proud to be part of this most recent effort by the administration and i look forward to working with my colleagues on this panel and with this committee in a bipartisan manner on this important issue. i'm happy to answer any questions you may have. >> thank you for your testimony. mr. scott, you are recognized for five minutes. >> thank you. chairman meadows, chairman desantis, ranking member connelly, ranking member lynch, and members of the sub-committees, i appreciate the opportunity to appear before you today. the administration recognizes the importance of gathering accurate, up to date and relevant information in its background investigations to determine federal employment and
2:08 am
security clearance eligibility. and as a government, we must continue to improve and modernize the methods by which we obtain relevant information for these background investigations. since 2009, various government agencies have conducted pilots and studies of the feasibility, effecti effectiveness and efficiency of collecting publicly available electronic information as part of the background investigations process. those pilots have informed the development of a new social media policy that has been issued by the director of national intelligence in his role as the security executive agent. and i'll defer to odi on the further details of this poll sixty b -- this policy. but as you know they have the suitability performance accountability counsel or pac to ensure coordination and the new policy will reflect, i believe,
2:09 am
an appropriate balance of a number of considerations, such as protecting national security, ensuring the privacy of and fairness to individuals seeking security clearances and associates of that individual, the veracity of the information collected from social media, and the resources required to process the collection, adjudication and retention of the relevant data collected. as the policy is implemented, the administration will continue to assess the effectiveness and efficiency of the policy. to do so, the government must keep pace with advancements in technology. to anticipate, detect and counter external and internal threats to the federal government's personnel, property and information. this need must also be considered with the full legal and national security implications in mind. i'm confident that this new
2:10 am
policy will strike the correct balance between all of these considerations. i thank the committee for holding this hearing. and for your commitment to improving this process. we look forward to working with congress and i'm pleased to answer any questions you may have. >> thank you. the chair now recognizes himself for five minutes and this is for each of you. are your agencies utilizing commercially available software to vet security clearance applicants, monitor security clearance holders and detect any cyber theft of these individuals' personal information? >> congressman, in the process of the investigations, we do work with commercial vendors of publicly available vetted information. that is sort of a core element. we use that and other methods to gather the information in the investigation process. i'm not sure if i've completely answered your question.
2:11 am
>> well there are certain off the shelf technology that the government will use in other instances and i just wanted to -- to ask if there is any type of prohibition on doing that, if you just aren't doing that or are you trying to use all of the tools that are potentially at your disposal? >> we use a variety of of tools to gather information from public sources from -- from both governmental and nongovernmental so there is a variety of tools we use to do that. those are used to, you know, gather some of the information, whether there is national -- law enforcement data base from which we get information, we do, for example, use electronic methods to appropriately gather information about financial history, so we do use some of the tools. would you be happy to get -- i would be happy to get back to you with more specifics if that would be helpful. >> okay, thank you. >> sir, i would concur with my colleague. i think we encourage the most rebust and effective and --
2:12 am
robust and effective tools that are processed for ensuring a speedy and effective background investigation. it is going to -- the process will be different pending which agency is doing the background investigation, the tools that they are capable and the expense and the number -- the volume of people applying for a clearance. obviously we would encourage the odmi and the most effective and off the shelf capability and as long as it is within the rules and policies set forth. >> let me ask you this. in the years leading up to the edward snowden classified info he made several posts using a consistent user name complaining about government surveillance and the posts may have alerted authorities that he could be an insider threat. have any of the social media pilot programs evaluated to date capable of detecting that sort of post where the subject is posting under an online identity that is not complicitly the individuals' name. >> sir, i'm not specific to the
2:13 am
nature of those particular pilots but those posts from mr. snowden that he did would not have been caught in social media because it is not facing but there was private chats with other individuals beyond the password protected. >> so if they are -- if they are using semi anonymous names to the extent that there are public forums, would requiring the disclosure of any alternative online identity on the fx 86 form be helpful. >> sir, we are not planning on asking anyone to provide any passwords or e-mail accounts or individual reference to their online persona. >> so basically, if -- so we'll look at social media if their posting of -- if john smith applies for security clearance and you'll look for john smith. but if he goes by, you know, jack scott, then you're just not
2:14 am
going to require that, so they could post whatever and that is not something considered? >> not currently, unless they are willing to consent to provide that information to us. >> okay. what reason could allow extensive questioning of friends -- so the fs-86 is a very intensive investigation. you'll call up people's college roommates, you call up people's neighbors when -- if they lived in a place for a short period of time. so there is a lot of extensive investigation, and so why you would want to do that. and i'm not saying you shouldn't do that, but why would you want to do that and not get the whole, i guess, picture of their online identity. >> i think if the additional information is obtained that the individual has -- a pseudonym or an offline persona that is different from his name, that could be pursued but that is not
2:15 am
something we could ask or a way for us to identify bob smith who are is really david jones online without someone telling us that. >> but what would be the reason, because of the information required in fx-86, could you ask do you post online under any type of pseudo nem. >> when you get past the public interface of social media, you get to the border of privacy and civil liberties in terms of what are your practices beyond what you would do in the course of your daily lives and this analogy is we don't look at thur e-mails or twelve conversations as part of the back ground investigation as well. >> my time is up. i'll recognize the gentleman from virginia for five minutes. >> thank you, mr. chairman and welcome. help me understand how this works. because it is one thing for a private individual to be sort of trolling facebook. it is another for the government to be doing it.
2:16 am
and so how does this work? i mean, somebody in government gets on -- on the internet and looks up your facebook history? you're harry houdini and applied for security clearance and we're looking at, you know, threw social media, anything that you use, twitter, facebook, you tube, hulu, whatever it might be and so we go online and find out under harry houdini or shirley jones' name. >> sir, i'll start -- >> if you could pull the mike closer. >> when we set forth the policy, we tried to provide the most flexibility for investigative agencies and service providers to do what they feel is most practicable and most reasonable for their individual agency. so for instance, some of the
2:17 am
bigger agencies may provide data service provider, the aggregate data for multiple people to go out and do the search. we are clearly acknowledging that the effort will be exhaustive initially to identify people's social media footprint that is out there. >> okay. what are the red lights that -- that we have to follow up on this. so, my facebook posting, we're talking about the block party for july, in my cul-de-sac, and you know, talking about maybe a family reunion and interspersed with that, and oh, by the way, the president needs to die. how do we flag the serious from the trivial and how do we make sure that if it is all trivial, that is the end of it. it is diluted and it is not re -- deleted and not retained because there may be other names and pictures in facebook not the subject of an investigation unless that association is
2:18 am
suspect. how do we make sure that we don't just have some enormous government depository of personal information of american citizens that is not at all relevant or parts of it may be -- how do we do that? >> that is a great question, congressman. i think to put this in context, the social media utilization is one tool of many that wur currently already used in background investigation and the collection and retention of that data is parallel to any other data we collect on an individual. and to your example of facebook, the examples you gave, the only relevant information that is there for aveefltive processes -- investigative processes is issues related to the president. we would collect and retain the presidential -- >> let me interrupt though. gor god forbid -- god forbid being a reference, and the other stuff not retained, i might want to take a fresh look at your associations because maybe they are involved. wouldn't we want to check that
2:19 am
out? >> sir, so i was going to say -- >> if for no other reason than to talk to neighbors to say does harry houdini talk this way every day. >> and the social media, like many other tools at the disposal to investigators will provide a lead. so that post on your website would lead to an investigative lead to be followed up with your colleagues or family or friends or neighbors as just another lead. no different than what we would find in an online financial disclosure. >> miss cob ert and the scott, in the time i had left, i would did he da der licht if i didn't bring up the opm update, weaknesses identifi identified, have they been addressed and ho are we coming in terms of making people whole again in terms of the compromise of their personal information. >> let me start in response to
2:20 am
that one. in terms of improving the security of our systems, we have made significant strides in our ongoing effort and we will continue to do so, working closely with dhs and dod as part of the nbive b stand-up, we have staff from dod on-site working with us and on going working sessions. we've installed the latest version of einstein. we have a whole series of improvements that we've made to the fire walls. we now have the ability to -- >> excuse me. einstein three isn't in place now. >> we are one of the first agencies to put that in place. >> because it wasn't in the place at the time of the breach. >> no. so we continue to work to put in place tools and we have a new chief information security officer. i could go on and on. but we still will continue will work on that issue. in terms of the individuals whose information was taken, we have the identity theft -- identity monitoring contracts in
2:21 am
place. we continue to monitor those in terms of the quality of those customer service. we are also actively working to put in place the provisions to extend the identity theft insurance to $5 million and as well as being process -- in the process of extending that to the ten years that was approved by congress so we continue to work on these quite closely, including with tony and the team from omb. >> and i would just add, i'm seeing almost as much of beth asdy when she was at omb, as we work on this project. and beth and i and the dod, cio, meet regularly to review the process the team are making in the transition and also ensuring that the security and integrity of the existing system -- so i'm pleased with the progress. >> thank you. thank you, mr. chairman. >> chair now recognizes the gentleman from georgia, mr.
2:22 am
hice, for five minutes. >> thank you, mr. chairman. mr. evanina let me begin with you, as we all know in 2008, there was a commission study to -- in regard to the showing the benefits of examining certain aspects of social media. why has it taken eight years to implement this thing? to get it started? >> congressman, i can't really answer the eight-year issue, but i could tell you that to get to where we are took a lot of extensive effort and inner agency coordination to strike the right balance between what we need to obtain reasonably from social media and the every growing internet age and balance that with the civil liberties of the clearance holders and u.s. citizens. so that process was not only exhausted but it was the right thing to do. also i think with a pilots that
2:23 am
have started and are continuing to move on, we haven't really identified the correct value or weighted measure for what the efforts of social media collection will be or has been. so we're still efforting the pilot process to identify is the effort resource allocation worthy of collecting other social media and using it as part of the background investigation process, number one. and number two, if it is, where do we allocate that within the investigative process, in the beginning, middle or the end because it will be resource intensive. >> well it seems like eight years is an awfully long time to try to find a balance between privacy and -- and that which is public information. this is not -- highly private information that people are publicizing out on social media like this and i understand that we want to be very careful with that. we all do. but -- let me ask you this.
2:24 am
from the -- it seems that the new policy that we saw this morning, that within there, and correct me if i'm wrong, but it seems like finding information on an individual's background appears to be largely at the discretion of individual agencies. can you tell me why odi decided to leave that decision to individual agencies rather than opening this up for all departments of our federal government? >> it is a great question, congressman. butly say that there is -- but i will say there is only 22 agencies with the authority to conduct background investigations. so, they do that at behest of other organizations or departments who require that. so those individuals who are covered on that policy. the policy was purposely made flexible because i will proffer that from 2008 until two years
2:25 am
ago the social media definition has changed dramatically and will continue to change. so in order to provide the agencies who conduct the investigations the maximum flexibility to go about utilizing social media as part of the process was paramount in this effort, because i'm pretty sure a year from now the social media definition may change and we wanted to make sure that each agency had the flexibility from a resource perspective to identify the best and most efficient way to implement the policy. >> do you believe the other 22 agencies will begin utilizing this? >> i do. >> okay. missco bett kobe ert, could youn how they plan to implement this policy. >> as i mentioned in my testimony, we are working through this pilot process to figure out the best way to utilize social media as a standard, consistent part of the process. as mr. evanina described, we are committed to its value. it is a question of how. we need a way to make sure that when we gather information on
2:26 am
social media, it is accurate. it is not always accurate. what you find is not always the reality. we need to find a way to make sure, as we do this, that we're -- we have the resources to follow up on whatever information is revealed. how do we get those resources to follow up on those things. so that is embedded into the operational process. are there places whereby using social media or other tools that we could reuse those resources today. could be thbe used somewhere else. and will the value of the information merit adding resources. and we are starting the pilot process before the end of the fiscal year. we also will continue through the pack and other forums working with d.o.d. and other agencies as they start to implement this. so we all can learn from each other. we've got to figure out how to do this right and to do it at scale. and we want to move
2:27 am
expeditiously but cautiously as we do that. >> thank you. could you provide committee with a time frame for implementation, besides just by the end of the year. more specific time frame? >> we'll get back to you. the first piece is the pilot and then we'll take that learning and we're happy to provide you more information on what we're doing next. >> thank you. very much. i yield. >> the gentleman's time is expired. we recognize mr. lynch from massachusetts for five minutes. >> thank you, mr. chairman. and thank you for holding this hearing and thank the witnesses for their help. you know, every once in a while my happy talk alarm goes off and sometimes i think i'm hearing happy talk and i think i just heard some. look, i appreciate the idea that we got this eight-year continuum of improvement and we're trying to improve our systems and there is this cautious progress of protecting and balancing private information versus doing these
2:28 am
background checks. but the reality on this committee is ten months ago ms. goldberg, your predecessor, miss archuleta, sat there and told me that ten months ago, we were not even encrypting the social security numbers of the 4 million people hacked at opm. that is the reality. 10 months ago, we weren't even encrypting social security numbers. and she had to painfully admit that and her legal counsel was with her and they confirmed that fact. so i'm concerned about what is happening. and i'm very encouraged that d.o.d. is going to take over cyber security in your shop. and you're going to help them with that. how is that going and what steps have you taken -- be specific -- that should give me some level of reassurance that we don't
2:29 am
have another problem like that? >> thank you, congressman. let me start with how we're working with d.o.d. in the stand-up of the nbib and then i could come back to some things we have underway and we will be doing in that context. we are working very closely with d.o.d. as mr. scott described, in a process -- >> let me cut you off because i don't want go to go off in a long diatribe. but have you encrypted the social security numbers for all of the employment. >> there are still developments that are difficult to encrypt. we have a multi-layer defense. >> and you have different systems. i understand that. i've been at this a while. and we've tried to get ahold of this. and i've been here for years working on this problem. and it has been very difficult. and there is no shame in admitting how difficult that is. but i don't want happy talk that it is all going well. that is the problem.
2:30 am
because we have another hearing and there is nashing of teeth and criticism and somebody else in your spot. so what i'm trying to get at is, is what are we getting done and where are the obstacles and if there are obstacles in what you are trying to do. i believe you are all trying to do the right thing. mr. scott as well. you could get in on this because you are part of this. what are we actually doing to try to protect the information that we do gather? >> well, i would say, as bebth was saying, there is all kinds of work done. penetration testing, new tools depl deployed, multiple examinations and ongoing help from d.o.d., dhs and so on. so i think opm is leading federal agencies right now in terms of, you know, their efforts and the amount of progress that they've made. they've applied tools to the
2:31 am
limits that they can within the limits of current technology. but as best said, there is some things that just can't be encrypted because the technology doesn't allow it. >> d.o.d. funding in this area is -- is much better than opms and some of the other departments. so are we using their personnel now or have they come over and taken over this? >> absolutely. they've been in. they are side by side with the team at opm, helping not only review, but look at architecture and also build out the plans for the future nbib technology. so i'm pleased with where it is going. i don't think there is anybody who would say our job is done or that we're not, you know, interested in pursuing what else we can do. >> the cost estimate, we've had some pilot programs that tell us it is somewhere between 100 and $500 per person for a private vendor to do the screenings,
2:32 am
this gathering of social media information. is that pretty close to what the -- in practice, what we're finding? >> yeah, i would say some of the pilots that have run the estimates have been in that range. clearly one of the things that will have to happen, and i think the pilots will inform this, is some greater level of automation. as you could probably approa appreciate, when you do a search, you get a ton of data that has to be sifted through and adjudicated and i happen to be a person that has a name that is shared with, you know, a professional baseball player, a pro-russian fe professional actor and a movie player and a simple search would turn up stuff that isn't relevant. so some degree of automation will have to help bring the cost down of that. >> i see my time is expired.
2:33 am
mr. chairman, thank you for your indulgence and i yield back. >> we recognize mr. massey for five minutes. >> thank you, mr. chairman. this is a great hearing. thank you for conducting it. if you suggest that the government should outsource the background research to the consultants that do opposition research on us, on the politicians, because they seem to find anything, ault way back to june -- all the way back to junior high. but on a serious note, though, i see edward snowden as an example here in our notes as maybe you would have known something about it if you had done social media research. >> that may or not be true. but one thing that stands out is political contributions are available online. and even before social media and the online availability of this, they were available.
2:34 am
so you have an analog or a way to consider or not consider political contributions when doing background research. but now that you have social media available to you, there is -- there is another layer of transparency or layer of opaqueness that has been removed. you could see where somebody supports a political candidate or not. by the way, edward snowden and i have similar contribution histories. so and my colleague here suggested that you should be suspect of anybody that contributes to me as well. but my question is this, mr. evanina, do you take into account political support when you are doing background research in social media? >> we do not. i think it is important for -- for committee to understand that the investigators who won duct background investigations are very well trained and they follow the investigative standards and there are plenty of policies that they put forth
2:35 am
in the rigorous background investigation and they conduct investigation information as to whether or not you are capable of obtaining and holding a clearance and so a political contribution would not be one of those. >> so if they encountered someone in the social media supported a candidate who was strong on the fourth amendment and believed very strongly in the right to privacy, and they are different interpretations, i'm not saying everybody doesn't believe strongly in the fourth amendment, that isn't a consideration. >> your >> absolutely not. that wouldn't have anything to do with whether you could hold or maintain security clearance. >> thank you very much. i'll yield back my time. >> i thank the gentleman. the chair recognizes the gentle woman from illinois, ms. kelly, for five minutes. >> thank you, mr. chair. many of us have become so accustomed to using technology in our day-to-day lives that it seems second nature to examine the social media accounts of individuals applying for a security clearance.
2:36 am
however, it's important to note that when incorporating social media into the federal background check process, a number of steps must be taken that go far beyond those we view as a friend's facebook profile. dr. cobert, opm conducts approximately 95% of background checks governmentwide. that's in our notes. the initial data collection portion of these investigations is completed by federal contractors in part because you must comply with the various laws governing what information can be collected, used and stored by federal government. is that accurate? >> congresswoman, we work with federal contractors in the investigative process to enhance our capacity to conduct background investigations. they have to follow the same federal investigative standards
2:37 am
that mr. evanina referenced. the individuals from those contractors who work on investigations also have to undergo through training against those standards, and we work to ensure that that is the appropriate training. >> okay. the incorporation of social media data's not as simple as it may sound to many people, so i'd like to delve a little deeper into how we get to a vendor running query for publicly available information to the point at which we have variable, verified information for use in the adjudication process. again, to begin with, contractors must conduct social media checks on clearance applicants based on guidance from you about the kind of information relevant to clearance investigations, correct? >> we are going to start with the social media thing -- the social media efforts with the pilot i mentioned. that will help us understand what kind of guidance we should be putting in place when individuals are conducting social media searches to verify that information to ensure we're focused on the pieces that are relevant to a security clearance, not the other issues that are not part of the process. that's why we're going to work this through in a pilot, so we can create standards and
2:38 am
processes that will get us relevant information, reliable information and protect privacy. >> and then your current contractors will need proper training and proper guidance to do all of that. >> they will need training. yes, they will. >> okay. once the data has been collected, a human being is necessary to make a judgment and verify that it does, in fact, belong to the individual in question. >> we are working to find the processes that will enable us to actually match individuals. as mr. scott described, there are multiple tony scotts. so we are working through the pilots, and i think this will be an ongoing process to see where are the places where we need human intervention, where are the places where technology can help with that resolution. >> mr. ebenina, can you speak to some of the challenges associated with verifying identities and social media data? >> yes, congresswoman. i think challenges cannot be understated in where we're headed in terms of, number one, identity resolution.
2:39 am
as my colleagues have mentioned, the ability to identify bob from -- or mr. scott from mr. scott and all that goes with it, the resources that it will take to make sure we are firmly in agreement that mr. scott is mr. scott. then what we found out about mr. scott, is it investigatively and adjudicatively relevant? does it make sense to be put forward? and if so, it's put in the same box all the investigative data would be to make sure it follows the policies and investigative guidelines. i want to reiterate, the social media identification of information is in the same box of all other tools and techniques investigators have. >> and even after we have verified individuals account, additional manual processing is needed in order to analyze, interpret and contextualize information, particularly photographs. is there any way to fully automate the analysis of photographs? >> i want to refer back to my colleague, ms. cobert, in terms of the ability to maximize any
2:40 am
type of automation we can to facilitate not only effectiveness of this tool, but at the end game. but i want to inform the committee that at the end of the day, no matter what we identify, the adjudicator is a fundamentally government role, so the adjudicator will make the ultimate decision if the individual is mr. scott, if the information obtained is relevant and it should be a value add to whether or not he gets a clearance or not. >> thank you. i yield back the balance of my time. >> thank you. the chair recognizes the gentleman from south carolina, mr. mulvaney, for five minutes. >> i thank the chairman for the opportunity. thank you all for coming here. i just have a couple random questions. you said something during your open statement which i wanted to go back to, and a couple of you used the same terminology. and maybe i just don't understand the issue. and full disclosure, mr. massie and i are sort of in the libertarian-leaning wing of the party, so we take civil liberties very seriously.
2:41 am
and you mentioned that there were civil liberties concerns, i think in doing this research in the first place. i don't get that. what civil liberty of mine could be at risk from you doing research on me? >> well, may i correct -- i don't think in terms of the previous pilots and this particular policy -- >> right. >> in order to get to where we went, we had to negotiate strongly to ensure that each individual who applies for the security clearance, we are going to protect their privacy and civil liberties, at the same time collect the information we deem necessary to ensure they can get a clearance. >> and again, i'm not trying to split hairs with you, but if i'm coming to you -- and we've had a very similar discussion, mr. chairman, when it comes to folks who want to come into the country on various visas. the lady who shot the people in san bernardino came on a fiancee visa, and we didn't do any social media on her. and one of the arguments we got from customs enforcement was it would violate her civil liberties to do that.
2:42 am
if i come to you and i'm asking for a job or i'm asking in my current job to get a security clearance, can't you just ask permission to look at everything? >> yes. the first thing you can do is consent to the government searching you, not only with regard to social media, but all your other financial, medical records. you consent to do that on the s fs-86. >> okay, so there's no privacy concerns. i have the right to waive that and i do, correct? >> correct. >> so there is no privacy issue on the front end when you're doing your background research on me, correct? >> as long as you consent to it -- >> right. okay, good, then we're all on the same page. because the real privacy concerns comes with what mr. lynch mentioned, which is what do you do with the information on me after you had it? because while i consent to let you go and get it, i certainly don't consent with you giving it to other people. so i think that's why the focus, i think for many of us who are interested in our civil liberties, is what are you doing after you have it. and i want to go deeper than just the social security numbers, which i think mr. lynch
2:43 am
properly pointed out. what are you doing with mr. massie's medical records when you're doing the research on him? how are we -- yeah, especially on massie, right, and his mental health records. no. >> actually, i've got it right here. page 17's kind of interesting. >> so, tell me about that, because again, we all know about the risks -- everyone in the country now has gotten hardwired to sort of thing, well, my social security thing is really important. i hope they're protecting that. but what about the stuff that doesn't on its face look like it could be damaging to us? you know, maybe mr. scott went to marriage counseling, okay? not illegal, and i don't even know if that's true and i'm not suggesting it is. i'm using it as an example. it's not illegal. it's certainly not the type of thing, though, that you want to have public. what are you doing to protect that kind of information? not just the number data, not just the social security numbers, but the detail, the meat of the stuff that you might find on anybody that you're looking at?
2:44 am
>> i'll start and pass to my colleague. but i want to ensure that the only collection and retention of data will be what is investigatively relevant to completing and authorizing a background investigation. if it's not relevant to you obtaining a clearance, it won't be retained. >> okay, let's focus on the one word, then, because it's an open-ended question. let's narrow it down. nothing is not retained anymore. once you have it, it's someplace. even if you hit "erase" on your hard drive, it's someplace. what do you do to make sure the stuff that you don't retain really isn't retained? >> congressman, when we get the records of your background investigation, we have a set of rules and guidelines that govern those, that govern the sharing of those. so it is used for the investigative decision, but there are very specific guidelines about how that information is used. we have specific guidelines about records retention consistent with nara and their
2:45 am
policies. and a core element in the cyber security design of our systems, particularly as we're thinking about as we go forward, is how do we make sure we've got the appropriate protections in place for all of that information, not just social security numbers. but there are very explicit policies around records retention, around record-sharing, both externally but within the government, right? this government was gathered for a specific purpose. that's what it was used for, and there are guidelines around that in place. >> just a quick question, and i honestly don't know the answer. but when the data was hacked that mr. lynch mentioned before, was it just social security numbers that were lost or was it other information as well? >> the information that was lost was data in people's backgrounds investigations, so it included a range of information, not exclusively social security numbers. >> thank you. thank you, mr. chairman. >> i thank the gentleman. the chair recognizes the gentleman from california, mr.
2:46 am
lieu, for five minutes. >> thank you, mr. chair. my questions are from mr. evanina. first of all, thank you for your service and i support incorporating social media into federal background investigations. i have a broader concern, which is whether race or ethnicity play a role in security clearance denial or granting. and let me give you some context for this. recently, four american citizens were arrested and indicted for espionage. and then all charges were dropped. these were in different cases. and it turned out that the government just got it wrong. and the one fact that was the same among all these cases is the defendants looked like me. they happened to be asian americans. cases of sherry chen and shu yu li. their lives were turned upside down because of what our government did. "the new york times" has asked our government to apologize. i wrote a letter signed by over 40 members of congress asking the department of justice to
2:47 am
investigate. since i wrote that letter, our office has been contacted by federal employees who happen to be asian american, alleging that their security clearance was denied because of their race or ethnicity. and so, my question to you is does race or ethnicity play a role in federal background investigations? >> sir, absolutely not. and it unequivocally not. i don't think there's ever been a situation where an investigator has used race or ethnicity for determination of clearance for a u.s. citizen, number one. number two, the situation you referenced, i could say that with 19 years in the fbi, i can assure you that the fbi does not conduct investigations relative to whether your race or ethnicity comes to play. >> thank you. let me ask you a question about how this policy would be implemented in terms of social media. let's say a japanese american federal employee has a facebook page and friends of this federal employee living in japan or
2:48 am
relatives post on that facebook page. does this federal employee become more suspicious because of that? >> absolutely not. and the only issue would be if on that public-facing facebook page there is derogatory or negative information that's relevant to an adjudication investigation will result in a follow-up lead. but otherwise, it would not. >> thank you. the u.s. government under the obama administration runs something called the insider threat program, where federal employees are asked to report on other federal employees who may be suspicious. is race or ethnicity allowed to be taken into account under that program? >> sir, first of all, the national threat task force is housed within the national securities center. and again, race or ethnicity has no part in the insider threat process or the criticality we have across the government. >> are federal employees when they're given training on the
2:49 am
insider threat program and how to report, are they given that training about race and ethnicity playing no part? >> well, i think the race -- any fundamental training regarding race and ethnicity crosses all boundaries, not just investigative. that's part of the federal workforce and our fabric as americans, number one. but in terms of the insider threat task force, race, ethnicity or any other type of genre of covered classes is never a part of the task force. our number one mission is to identify potential insiders, spies, espionage matters or those who seek to do harm to others. >> could you provide my office with guidance on how you train federal employees? >> absolutely, sir. >> great. thank you. i have gone to a number of national security events and briefings. i think it's not a secret that the management looks very nondiverse. there's been articles about the state department having trouble recruiting people who are minorities.
2:50 am
and i'm wondering if that has anything to do with security clearances and the inability of some folks or minorities who might not be able to get them. could you provide my office with some data or statistics on who gets security clearances based on race and ethnicity? >> i'm sure we can, sir. >> great, thank you. and with that, i yield back. >> i thank the gentleman. the chair recognizes himself for a series of questions. and i'll be very brief. let me follow up on a couple of clarifying things. you've obviously put out this new policy, and we applaud that. we thank you for that. is there any particular legal reason or practical reason why we would not be asking them for their online identities? >> well, sir, i think as part of the sf-86 application, and when you write your name, it's asked, do i have any other names or aliases that i go by. so that's the first -- >> yeah, but i'm talking about
2:51 am
online identity. so twitter, facebook, you know, because i'm not going to give it in a public forum, but i have actually twitter accounts that don't actually have my name associated with them, and yet, i would tweet out things based on that. so, is there any reason why we wouldn't ask for those types of things? practical or legal? >> i don't believe it's a legal issue. i think it's a policy issue. and i think we have to have some clear differentiation between what is investigatively relevant. and we can get to those areas -- >> but if we're talking about social media, that would be relevant. i mean, there's no expectation of privacy, other than, well, you know, you could perhaps make the case, if i'm wanting to be private about it. i'm not putting my name. but if you just ask for those online identities, would that online identities be synonymous with an alias? >> they could be, sir. they absolutely could be. >> so i guess if there's no
2:52 am
legal or practical reason why we wouldn't do it, why would it not be part of your new policy? >> again, i will say that the policy is a start, where we're going right now to get where we are -- >> so, are you willing to look at that particular component, about asking for other online identities and maybe report back in your philosophy here within the next 60 days to this committee? >> sir, i think we're willing to look at all aspects of social media and how it pertains to background investigations -- >> but specifically with regards to that question. are you willing to look at it and just report back? i'm not asking you to give me a definitive answer, just that you get back to this committee on what your opinion is on -- >> yes, sir. >> -- why you should or should not do that? >> yes, sir. >> thank you. ms. cobert, i'm going to finish with you, and it's really something from in the past. i would just like to ask you, with regards to the cio and ig relationship, how would you characterize that from where it has been and where it is today? if you could speak to that.
2:53 am
>> let me turn that on. thank you, congressman. we have been working across the agency to strengthen our effectiveness of our dialogue with the cio, and i believe we've made real progress in a number of different areas. we've set up a cadence of regular communications at my level with the inspector general, currently acting inspector general. on a bi-weekly basis we meet and get an overview of the issues. we have specific working teams that meet on a periodic basis as well. both around the cio, around procurement. we've set up that same kind of mechanism around the stand-up of the nbib, given the oversight issues and making sure we get those right. so, i think we've made considerable progress in terms of the dialogue, the clarity of the communications. we welcome their input on what we could be doing as better, as we welcome input from our colleagues here and elsewhere. >> so you would characterize it as much improved under your leadership? >> i would characterize it as much improved, yes, sir.
2:54 am
>> all right, thank you. the chair recognizes mr. lynch for a closing question or statement. >> thank you, mr. chairman. and again, i want to thank you for being here. i want to ask a question sort of off the grid here. i appreciate that you're making progress, and that's a good thing. and we're working together with dod to secure our systems. there's another issue. you know, these hackers have become so proficient. you know, this morning we got news that the swift commercial bank system -- i think it's 11,000 banks and companies that handle international banking transactions. they were hacked again. they were just hacked through bangladesh and the new york fed, which is troubling, to the tune of about $81 million. now we find out there's another hack going on similar to that one. so, they're being breached.
2:55 am
the fdic, chinese hackers, news again this morning that the fdic has been hacked. and these are entities that have fairly robust, you know, protections. and we're about to enter into this -- well, we're about to debate the trans-pacific partnership. and one of the provisions in that trans-pacific partnership requires u.s. companies to establish databases in foreign countries. there's about 12 countries, but one of them's vietnam, a communist country. so we would have to -- the u.s. companies would have to establish physically databases in those countries -- malaysia, vietnam. and a lot of the banks and companies involved here are very concerned about the security aspect of this overseas. and i just wonder, especially
2:56 am
mr. evanina, i know you worry about this stuff all the time, as well, ms. cobert, you're dealing with, mr. scott, you as well. what about that dimension of this? i know you weren't prepared this morning to address this question, and i appreciate it if you want to take a pass, but i'm just worried about that, about it's tough enough to protect the data when it's in the united states. and now we're being asked to force our companies that are dealing in international trade to actually deposit their data in these foreign countries that don't have the security protections that even we have. mr. evanina? >> sir, i concur with your concern for cyber security and the need for us to be prepared to at least meet where we are in the global economy. i'm not particularly familiar with requirements contained within this policy, so i can't speak to that, but from the purview of national security, the cyber threat is real and i think we have to take that into consideration for anything we do
2:57 am
moving forward, whether here domestically in the united states or any of our businesses and government operations overseas. >> okay, thank you. ms. cobert, mr. scott, do you want to take a bite at that or are you all set? >> i would just say one of the lessons learned i think worldwide has been that cyber security knows no national boundaries. and concerns about cyber security are, you know, global. physical location is one element, but probably in the case of cyber security not the most dispositive in terms of concerns i would have. it's more about the secure by design sort of notion, you know, what have you put in place and how well is it implemented and so on. so those would be more my primary concerns. >> yeah, my -- >> in some cases the physical location. >> right. my concern is obviously the communist government in vietnam is going to require access.
2:58 am
so that was my concern. you've suffered enough. i want to yield back. thank you. >> i thank you. and i want to thank all the witnesses for being here today. and if there's no further business before the subcommittees, the subcommittees stand adjourned.
2:59 am
3:00 am
the house oversight committee mee


info Stream Only

Uploaded by TV Archive on