Friday, September 11, 2015

Will the fallout of the Ashley Madison hacking cause a security clearance backlash?

There it is, all the names of the men and women who registered to have  "Discrete Affair".

Harmless right? At first it might seem so, that is until the threat of blackmail and the secret is out. The invitations to register are enticing, and the promise of a secret affair with other like-minded  adults make the offer seem like an appealing proposal. That is until a group hacked the company and exposed the data base for the world to see. 

What was once a hi-brow hook up is now touted as a wall of shame. Suddenly high profile people are now humiliated, losing jobs, credibility, and some have committed suicide. The likes of Josh Duggar and even the Ashley Madison CEO are losing what they have worked so hard to build up. Josh lost his legacy and the business world lost confidence in a company's leader who promised discretion. The cloak that once hid the appealing invitation to participate in the exclusive playground has been removed, exposing it for what it really is; a place for married people to engage in adultery.

This article is by no means meant to pass judgement on these individuals, but to highlight the issue of possible blackmail and security clearances. Specifically,  the bad formula of person possessing the knowledge of national secrets plus something to hide equals security risk. I recall well my military service during the Cold War. I remember reading reports of service members and those in the intelligence community put on trial for acts of espionage resulting from adulterous affairs. Remember the old "honey trap" where a beautiful girl from the Soviet Union befriends a not so deserving victim? Her handlers then record the event and blackmail the unwitting participant into revealing secrets. Yep, a cleared person plus something to hide equals security risk.

The Criteria

Employees are awarded security clearance based on classified contract needs and after a lengthy investigation and adjudication process. This process is based on the 13 security clearance guidelines. They are listed below:

(1) Guideline A: Allegiance to the United States
(2) Guideline B: Foreign Influence
(3) Guideline C: Foreign Preference
(4) Guideline D: Sexual Behavior
(5) Guideline E: Personal Conduct
(6) Guideline F: Financial Considerations
(7) Guideline G: Alcohol Consumption
(8) Guideline H: Drug Involvement
(9) Guideline I: Psychological Conditions
(10) Guideline J: Criminal Conduct
(11) Guideline K: Handling Protected Information
(12) Guideline L: Outside Activities
(13) Guideline M: Use of Information Technology Systems

There are several guidelines that participating in the Ashely Madison offerings could cover. For the sake of brevity, we'll take a closer look at Guideline D: Sexual Behavior.

The Concern. 

Sexual behavior that involves a criminal offense, indicates a personality or emotional disorder, reflects lack of judgment or discretion, or which may subject the individual to undue influence or coercion, exploitation, or duress can raise questions about an individual's reliability, trustworthiness and ability to protect classified information. No adverse inference concerning the standards in the Guideline may be raised solely on the basis of the sexual orientation of the individual.

In this case, married cleared employees may have registered on the website. According to an article at, the blackmail has already begun. Cleared employees on the list could be vulnerable to this blackmail and if investigated, they may find their security clearances in question.

According to the Office of Personnel Management, conditions that could raise a security concern and may be disqualifying include:

(a) sexual behavior of a criminal nature, whether or not the individual has been prosecuted;
(b) a pattern of compulsive, self-destructive, or high-risk sexual behavior that the person is unable to stop or that may be symptomatic of a personality disorder;
(c) sexual behavior that causes an individual to be vulnerable to coercion, exploitation, or duress;
(d) sexual behavior of a public nature and/or that which reflects lack of discretion or judgment.

But this isn't always a clearance killer. 

When adjudicators take a look at the "whole person" concept, there may be some conditions that could mitigate security concerns. These include:

(a) the behavior occurred prior to or during adolescence and there is no evidence of subsequent conduct of a similar nature;
(b) the sexual behavior happened so long ago, so infrequently, or under such unusual circumstances, that it is unlikely to recur and does not cast doubt on the individual's current reliability, trustworthiness, or good judgment;
(c) the behavior no longer serves as a basis for coercion, exploitation, or duress;
(d) the sexual behavior is strictly private, consensual, and discreet.

Other implications

The fallout is still on going. Some accounts "pretend" or otherwise were made using official government and business email. If these are further investigated, clearances could be suspended for violating Guideline M: Use of Information Technology Systems. 

The point is, that just being on the hacked list may not in itself cause the denial or revocation of a security clearance. Cleared people have affairs and maintain their clearances. But problems arise when the affairs are discovered or the individual is susceptible to coercion, exploitation or duress. When these events cannot be mitigated, the of course the person is not trustworthy. However, these will be considered on a case by case basis and with the "whole person" in mind.

Some preventative actions

Cleared contractors would do well to include warnings against such online behavior during annual security awareness and other NISPOM required training. Reminders about continuous observation and maintaining a lifestyle to maintain a security clearance may just be what some cleared employees need to toe the line.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".