Remember the old saying? “Rank has its privilege”? It’s not always prudent to assume certain privileges just because you have means and intent. It’s not safe to assume just because you have access to government Information Technology (IT) systems as a manager or system administrator, for example, that you have the authority to do so anytime and for any reason. Use of government IT systems takes into consideration how an applicant has used technology on the job. Viewing pornography, working non-mission related tasks, hiding evidence, and harassing fellow employees while using employer computers are some indicators that an applicant could bring risk to sensitive information residing on information technology.
Guideline M: Use Of Information Technology is a very important criteria since cleared employees must demonstrate the ability to follow rules and regulations. This is especially critical as more and more sensitive information resides on computers. Gaining unauthorized access, downloading malware, manipulating data, or otherwise misusing information technology could increase risk to sensitive and classified information. An applicant’s history and pattern of use can provide indicators of their ability to protect what resides on information systems. The following are case studies where Guideline M concerns were either mitigated or clearance was denied:
CYBER POWERED SEX ADDICTAn applicant installed an email program on the company’s computer to allow him to access anonymous email accounts. He also logged onto pornographic sites, downloaded pornographic materials, wrote and posted 30 sexually explicit stories, doctored a photograph of a female former coworker in a sexually explicit manner and posted it, sought sexual partners and engaged in sexual activity as a result of people answering the posted requests. The applicant was eventually fired for the activity.
The applicant did seek help and engaged in group therapy including a sexual compulsive addicts’ group. Sponsors, group participants and counselors made statements that the applicant was indeed recovering and demonstrates remorse for his activities. Both he and his wife are continuing to get marriage counseling.
The judge ruled favorably in that the applicant mitigated the risk to national security for the concern Use of Information Systems. However, he was not able to mitigate other concerns such as those that arose from his Personal Conduct and Sexual Behavior.
After a female employee accused him of sexual harassment, the applicant decided to take matters into his own hands. His plan was to temporarily hide incriminating emails so that his coworkers would not find the files. The applicant followed through and took advantage of his position to move the implicating emails to a separate location, with the intent of moving them back.
I WAS GOING TO PUT THEM BACK
Unfortunately for him, he was unable to restore the files following a software upgrade. The messages were lost and could not be restored. His deeds were discovered, and Guideline M concerns had to be addressed in a hearing.
Surprisingly, the judge ruled in favor of the applicant. The judge determined that the applicant did not intend to delete the files. Government counsel was concerned that he was granted a security clearance although he gained authorized access to her computer to get rid of evidence.
HAD I KNOWN YOU WERE LOOKING…An applicant used his government computer to download pornography; clearly violating policies, rules, and regulations to misuse his computer. Further, when interviewed by Defense Security Services (DSS), he lied about the incident.
Unfortunately, saying sorry is not enough. While a good first step, it does not mitigate the activity. Additionally, whether records of adverse behavior exist, he has no excuse for falsifying his statement to DSS. As a result, his clearance was denied.
Because of the increasing reliance on information systems, a cleared employee must be able to demonstrate that they can be trusted to not abuse privileges, information systems, and responsibilities. Past performance that demonstrates breaking information system policies, procedures, rules and regulations indicate potential risk to information residing on the systems. Employees who use computers as intended and only for authorized and work-related projects should have no problems demonstrating compliance with Guideline M.