The cyber hack of the Democratic National Committee, and the subsequent release of 19,000 e-mails by Wikileaks, is the leading political news story today, with the news media reporting on ignominious details from many of the e-mails, and the DNC Chairwoman resigning her position at least in part as the result of these e-mails. Moreover, numerous reports indicate that many experts and government officials believe that one or more Russian intelligence agencies are behind the hack, using Wikileaks as a cut-out to disseminate the e-mails.
This cyber hack and data dump is the latest in a series of similar such attacks against organizations and individuals over the past few years, including the Sony hack in 2014 (reportedly carried out by North Korea), the hack of CIA Director John Brennan’s personal e-mail account in 2015, and hacks and massive data dumps of information from private sector companies such as Stratfor, HBGary, and Hacking Team. In each of these cases, and especially with Sony, the news media reported not just on the fact of the hack but also on the contents of the stolen and leaked information. This reporting has magnified the impact of all of these hacks, helping the hackers and leakers to achieve the intended consequences of their efforts, and thus implicitly encouraging future hacks and data dumps.
This trend raises serious questions as to how the news media should act with respect to hacked information:
1. Should the news media be reporting at all on the content of stolen, hacked information? Would news media outlets report on materials that had been physically stolen from companies’ offices? If not, then why is cyber different?
2. If the answer to the question above is ‘yes’, are there limits on what should be reported on? Is “newsworthiness” enough? Should there be some standard of wrong-doing (criminal activity, corruption, etc.) as the basis for reporting, similar to standards for whistle-blowing within the US Government?
3. Should the news media exercise different degrees of restraint depending upon the target of the hack, i.e. whether it is a government agency, corporation, non-profit organization or individual?
4. How should information about the likely perpetrator of the hack influence decisions by the news media about what to publish? For example, with respect to the DNC hack, it appears probable that a foreign intelligence service is conducting an operation that is intended to undermine and influence the democratic process in the U.S. Does the U.S. news media really want to be in the role of facilitating such an operation?
5. How should the additional factor of a criminal investigation or indictment influence decisions by the news media to report on the leaked content from hacks?
These issues are as deserving of discussion within the news media as the content of the leaks themselves. While there is no feasible way to completely restrain dissemination of hacked information from such leaks, given the proliferation of blogs and independent news media outlets over the last decade, I would hope that mainstream news media outlets would develop a self-enforced code of conduct and set of policies for reporting on such hacked information, guided by the core principle that information from a cyber hack is the ill-gotten gain of a criminal act and should be treated with the same restraint as information purloined from the burglary of an office suite.
If we continue to see broad-based reporting by the media on hacked information, however, then there is a strong risk that this cycle of hack and leak will only grow worse, in a way that not only harms the hacked organizations but undermines American interests and values.
Yesterday the New Jersey Office of Homeland Security and Preparedness (NJOHSP) publicly released a report entitled “Terrorism Threat Assessment 2016”, a detailed assessment of the current terrorism threat in the state of New Jersey. The report is a solid analysis of the different dimensions of the terrorist threat to the state; it concludes that homegrown violent extremists pose the greatest threat to the state in 2016, and also assesses that there is a “moderate” terrorism threat from other groups (ISIS, AQAP, white supremacists, militia groups, and sovereign citizens).
What is especially notable about the report is the fact that the state is releasing it publicly on its website, a contrast to the previous practice of marking such reports “For Official Use Only” (FOUO) and restricting their distribution narrowly to law enforcement officers, other public safety officials, executives at critical infrastructure companies, etc. This decision seems to reflect a deliberate recognition of the value in directly informing the American public about the terrorist threat, and appropriately enlisting them in efforts to detect and prevent terrorism, instead of treating them as passive bystanders. As the director of the NJOHSP notes in the foreword to the report, “Security is a collective responsibility and we are all in this fight together.”
The decision to release this report publicly warrants praise, and is a practice that the federal government and other states should emulate. For example, the Department of Homeland Security and the Federal Bureau of Investigation jointly release dozens of Unclassified/FOUO intelligence reports each year, the contents of which are rarely sensitive; in many instances, their findings are copied and pasted nearly verbatim from official statements about terror-related indictments. Given that these reports are already widely disseminated to state and local law enforcement and other stakeholders, there is little justification for not making them public at the outset, rather than allowing them to eventually leak to the news media, as they often do. The revised National Terrorism Advisory System (NTAS), which I wrote about last month, may also provide a basis for such broader dissemination of threat information. Many state fusion centers also produce similar reports to New Jersey’s assessment, which could be publicly released.
A shift toward issuing such analyses publicly could improve the American public’s understanding about the terrorism threat, leading to several tangible benefits. As noted earlier, well-informed citizens are more likely to play a role in detecting and reporting suspicious activity and potentially then preventing the next attack. Well-informed citizens are also less likely to make inappropriate reports about activity that should not be deemed suspicious, which wastes law enforcement agencies’ time with false leads. Finally, an American public that develops a sober, fact-based understanding of terrorism threats from professional non-partisan analysts (instead of from other filtered sources: cable news, social media, Hollywood, politicians, etc.) is more likely to react in a measured and resilient way to terrorist attacks and periods of elevated threat.
By no means is such public dissemination of threat information a panacea: but if such efforts lead to an improved public understanding of the terrorism threat even among a small percentage of the U.S. population, these efforts will be more than worthwhile.
Earlier today the Department of Homeland Security publicly released a Congressionally-mandated report entitled “Entry/Exit Overstay Report, Fiscal Year 2015.” The report presents detailed country-by-country information on visa overstays for Fiscal Year 2015: data that I don’t recall being compiled or publicly released in previous years.
Two key insights from the report:
1. VWP vs. non-VWP overstay rates. Overall, the report calculates the in-country visa overstay rate for Visa Waiver Program (VWP) countries at 0.65% and non-VWP countries at 1.60%. But it is notable, in taking a granular country-by-country look at the data, that many large non-VWP countries have lower overstay rates than some of the VWP countries. For example, non-VWP country China’s overstay rate is calculated at 0.89% – lower than Austria’s at 1.28%. Indonesia’s overstay rate is 1.21% – lower than Spain’s at 1.40%.
It is of course noteworthy that these are not apples to apples comparisons: the non-VWP countries’ travelers are all people who applied for and were approved for visas (whereas many of their compatriots were likely rejected for visas); but travel is permitted freely (pursuant to an ESTA approval) for the vast majority of citizens of VWP countries. But in spite of this fact, it is worth looking more closely at why certain lower and middle-income countries have relatively low overstay rates, and whether there are other non-economic factors (e.g. political stability, social cohesion) that influence overstay rates and should be considered in assessing countries’ applications to join the Visa Waiver Program.
2. Assessment of pilot projects and studies. The report also provides detailed information on current and planned projects at Customs and Border Protection (CBP) that are intended to enhance efforts to reduce overstay rates. Notably, the report discusses CBP’s Biometric Exit Mobile pilot, and notes that it “has afforded a small amount of biometric departure data and provided a significant law enforcement benefit for existing outbound operations.” The report does not quantify what is meant by a “significant law enforcement benefit,” but if such biometric data collection provides a valuable means to detect fugitives and absconders, in addition to its value from a border security standpoint, then an investment to scale up such a pilot project into a nation-wide capability may be warranted.
Late last Friday afternoon, the Department of Homeland Security announced a set of new deadlines for final implementation of the REAL ID Act, postponing the date when TSA would stop accepting certain non-compliant states’ drivers licenses for aviation screening purposes until January 2018. It had previously been expected that such a deadline would be set for mid-2016 for a number of non-compliant states. This delay to the aviation screening deadline is not unexpected, given the likely disruption to air travel that would have resulted from TSA no longer accepting many states’ IDs as an acceptable form of identification.
Thus, the day of reckoning for REAL ID is postponed for another two years, for a new leadership team at DHS to confront. But it is unclear what will change in the next two years to alter the current status quo, where many states are reluctant to implement elements of REAL ID, the detailed statutory mandates from the 2005 law remain in place, and DHS is still charged with implementing the Act but retains the authority to delay its enforcement of the Act – authority that it has used repeatedly since 2007. While some states are likely to make progress on the REAL ID requirements in the next two years, it is hard to envision that the current impasse over full implementation will end in the next two years, and the next Secretary of DHS will likely be announcing additional delays in late 2017. And meanwhile, more than ten years have already passed since REAL ID was signed into law.
Given this reality, leaders in Congress, the executive branch, and the states have a choice to make. They can allow this dynamic of delay, confrontation, impasse, and further delay to cycle through the system one more time, resulting in gradual (but perhaps outdated) improvements to the security of state-issued identification. Or they can do what I believe is called for now: a serious re-examination of the requirements of the REAL ID Act.
Such a re-examination would include a detailed inquiry into the following questions:
1. What have been the demonstrable security benefits of the REAL ID Act to date, particularly with respect to counterterrorism, but also with respect to other national priorities (e.g. immigration enforcement, fraud prevention)? What elements of the REAL ID Act requirements (of which there are nearly 100) have delivered security benefits, and which have not, from a cost/benefit standpoint? (This would be a good question for a new GAO request by Congress, building off the findings of this 2012 GAO report).
2. Given the development and maturation of other counterterrorism capabilities in the past decade, how relevant and valuable is REAL ID (and secure identification generally) today with respect to domestic counterterrorism? For example, I would assert that it is much more difficult for would-be foreign terrorists (like the 9/11 hijackers) to travel to the United States today and engage in lengthy pre-operational activity than it was before 9/11, given investments in aviation pre-screening, watchlisting, visa security, information-sharing, domestic investigative capabilities, etc. Given how these other layers of security have been enhanced, has the marginal value of REAL ID today from a counterterrorism standpoint diminished or otherwise changed?
3. The terrorism threat facing the United States is significantly different than it was a decade ago, due to factors such as the increase in homegrown terrorism and the rise of ISIS and other new terrorist groups. How have these shifts in the terrorism threat changed the value of the REAL ID Act from a security standpoint? Have we seen changes in terrorist tradecraft with respect to the potential use of drivers’ licenses and other forms of identification?
4. How has technology evolved in the past decade with respect to secure identification? Is the REAL ID Act mandating things in law that are now obsolescent from a technology standpoint? For example, what is the significance of digital identification technologies (which are being adopted now in many countries) for REAL ID? What is the significance of recent developments in areas such as biometrics and encryption? How do these technological developments affect the value of current REAL ID requirements?
5. In light of these external factors, how can the dynamics of governance over secure identification be changed so that state and federal actors are working together towards shared objectives, rather than in opposition to each other? Would it be helpful to move toward legislation that is focused on outcomes (similar to many other regulatory models), rather than the checklist approach that is codified in law today? Are there new coordination structures or funding mechanisms that can be used to align incentives?
Given these changes over the past decade, it is time for policy-makers (particularly in Congress) to be asking these questions, rather than allowing the status quo to prevail and REAL ID to continue on its current slow trajectory. A re-examination of REAL ID, and subsequent legislation based on the findings of such a review, would improve our homeland security and help to ensure that state and federal funds are being spent effectively and in a way that addresses today’s threats, instead of in response to yesterday’s threats and outdated requirements.
Buried within the omnibus appropriations bill signed into law in December 2015 is a provision (Section 563 of Division F, the Department of Homeland Security Appropriations Act) that allows DHS to establish a common appropriations structure, starting with the FY 2017 budget request that will be released in early February. This is something that DHS Secretary Johnson originally requested as part of the FY 2015 DHS budget request, as described in this testimony from March 2014:
As part of this agenda we are tackling our budget structure and process. DHS currently has 76 appropriations and over 120 projects, programs or activities, and there are significant structural inconsistencies across components, making mission based budget planning and budget execution analysis difficult. We are making changes to our budget process to better focus our efforts on a mission and cross-component view.
In the reports that accompanied the FY 2015 and FY 2016 DHS appropriations bills, the appropriations committees were mixed in their support for a transition to such a common appropriations structure in report language. In FY 2015, the House Appropriations Committee (HAC) believed that “DHS would benefit from the implementation of a common appropriation structure across the Department,” but the Senate Appropriations Committee (SAC) remained silent on this proposal.
In the FY 2016 bills, the HAC included bill language to establish a common appropriations structure, and noted emphatically that “implementing this methodology is a strategic imperative and must move forward with haste.” But the SAC was lukewarm to the proposal in its Committee report for FY 2016. The Committee acknowledged the DHS leadership team’s reasons for considering such a shift: “the goal of following funds from planning through execution is critical to departmental oversight of the components as well as establishing a capability to make tradeoffs in resource allocation and budget development decisions.” But it expressed concern about the potential harm to transparency and congressional oversight from such a shift, and expressed concerns about being unable to compare prior years’ appropriations following such a restructuring. It urged DHS to “tread carefully in this area and work closely with
The provision included in the final omnibus appropriations bill is a modified version of the House provision, changing the word “shall” to “may” in a few places to soften the mandate for DHS to implement a common appropriation structure for the forthcoming budget request, and requiring that DHS provide a detailed report by April 1, 2016 to the committees on the transition to a common appropriations structure, as a precondition for getting the full authority to implement these changes. These minor changes are not likely to inhibit the ability of DHS to move forward with carrying out this transition, consistent with the intent of the Department’s leadership.
As the new language specifies, and as illustrated in the report “A Common Appropriations Structure for DHS: FY 2016 Crosswalk” (made public on the DHS website late last year), all DHS appropriations will now be allocated in one of four top-level categories: (1) Operations & Support, (2) Procurement, Construction and Improvements, (3) Research and Development, and (4) Federal Assistance. These top-level categories are similar to the structure used by the Department of Defense, where funds are primarily allocated within the categories of (1) Personnel, (2) Operations and Maintenance, (3) Procurement, and (4) Research, Development, Test and Evaluation.
The primary intent of this structure is to facilitate the ability of DHS leadership and Congress to develop greater insight into how funds are being allocated and spent across the Department. Currently, in many of the Department’s components, funds for day-to-day operations (salaries, rent, etc.) are mixed together in budget accounts with long-term capital investments (new ships, screening equipment, etc.), making it difficult to assess whether the right balance is being struck between present-day needs and future requirements. The new structure should also make it easier to identify and compare similar investments being made in different DHS components, and hopefully then find savings and efficiencies, consistent with the stated objectives of the Department’s Unity of Effort Initiative.
A secondary benefit of this reorganization is that it should enhance the ability of authorizing committees to pass authorization bills for DHS on a regular basis. The information provided to Congress in budget requests under a common appropriations structure can be used as a basis for authorizing funds, in a similar way to how the Armed Services Committees use information from DOD budget requests and the Future Years Defense Program to inform their annual authorization bills. The new common appropriations structure would not eliminate the jurisdictional issues that have made it difficult for Congress to pass DHS authorization bills over the past decade, but it would provide a basis for authorizing funds on a cross-cutting basis that is not wholly tied to the fragmented component-level jurisdiction over DHS in the House and the Senate.
Overall, this shift to a common appropriations structure is an encouraging development for the ongoing maturation of DHS, and if executed successfully in the coming year will be a significant accomplishment for Secretary Johnson and his team.
The New York Police Department has settled long-standing lawsuits pertaining to the surveillance of Muslims, as reported this afternoon by The Washington Post and The Wall Street Journal. Notably, under the settlement agreement, the NYPD will be required to make significant changes to its Guidelines for Investigations involving Political Activity (aka the Handschu guidelines), as listed within Exhibit 1 of this PDF containing the settlement documents. In addition, the NYPD will be removing its 2007 report “Radicalization in the West: The Homegrown Threat” from its website as part of the agreement. (It is still available on the NYPD site as of posting, but if this link doesn’t work, it means it has been removed from the site. We’ve saved it here on our site for if/when that happens).
It is disappointing that the Radicalization in the West report will be removed from the NYPD’s website as a result of this settlement. While the report has always had limitations due to its case-study methodology (as the authors would likely acknowledge), and it has become somewhat dated due to external developments in the past eight years (e.g. growth of social media, rise of new terrorist groups, increase in lone actor terrorism), many of its general findings on the radicalization process have stood the test of time, and still provide insight into terrorists’ activities today, including the Paris attackers and other recent plotters.
And even if I disagreed with the report’s analysis, I would still argue that removing it from the website is the wrong thing to do. The report’s critics should contest and challenge its findings, as they have often done, but should not cheer its suppression through a formal legal process.
More worrying are the proposed changes to the Handschu guidelines. The changes to the requirements for a “Checking of Leads” or “Preliminary Inquiry” as outlined in this document could inhibit the ability of the NYPD to uncover the initial tip or lead that would be the starting point for a broader FBI-led investigation. While the NYPD will retain strong investigative authorities when there is a known threat, the Department’s ability to detect the ‘unknowns’ could be reduced as a result of these policy changes. It is also possible that a culture of risk aversion develops gradually as a result of these and other proposed changes to the guidelines, such as the appointment of a ‘Civilian Representative’ in an ombudsman-like role.
These changes come a month after the ISIS-inspired terrorist attack in San Bernardino, and at a time when the number of terrorism cases within the U.S. has significantly increased, as noted in detail in the recent report on ISIS in America released by my colleagues in the Program on Extremism. While this settlement may be beneficial in the short-term from a civil liberties standpoint, it likely makes it harder for the officers and other employees of the NYPD to play their role in preventing acts of terrorism in New York City, as they have tirelessly worked to do in the years since September 11, 2001.
Earlier today, DHS Secretary Jeh Johnson announced changes to the National Terrorism Advisory System, adding a new category of warning, the NTAS Bulletin, to complement NTAS Alerts, and to be used as follows:
NTAS Bulletins will provide information describing broader or more general trends and current developments regarding threats of terrorism. They will share important terrorism-related information with the American public and various partners and stakeholders, including in those situations where additional precautions may be warranted, but where the circumstances do not warrant the issuance of an “elevated” or “imminent” Alert.
DHS also issued its first NTAS bulletin in conjunction with the Secretary’s statement, a one-pager on the global threat environment that highlights the Department’s concerns with “self-radicalized actor(s) who could strike with little or no notice.”
Overall, this introduction of NTAS Bulletins is an improvement to the system, and is particularly warranted given the fact that DHS and the FBI already produced unclassified bulletins for law enforcement and first responders – their Joint Intelligence Bulletins (see this example) – which are widely disseminated and almost always find their way to the news media a few days after they are issued. It makes a lot of sense to repurpose many of these JIBs into NTAS bulletins, in instances where the vigilance of the general public may help to prevent or disrupt a particular threat.
However, these changes to the NTAS do not address my long-standing concerns about the underuse of NTAS, which I outlined in this blog post last year, noting that there were a number of circumstances in the past 3-4 years where the issuance of an NTAS alert was warranted in my opinion, based on the system’s own standard of a credible threat (for an elevated alert) or a specific and credible threat (for an imminent alert). For example, I still maintain that DHS should have issued an NTAS alert after the Boston Marathon bombings during the four days when the attackers (the Tsarnaev brothers) had not yet been identified and were still at large.
Given the current pace of ISIS-related terror plots, there will likely be similar circumstances in the coming months and years where DHS should issue NTAS Alerts, not to stoke fear but to ensure that the American people have an informed understanding of current threats. Hopefully today’s changes to NTAS will also lead the Department’s leadership to be more forward-leaning in utilizing the system.
But in the meantime, the 25,000+ followers of the @NTASAlerts twitter account are still waiting for that first tweet.
Remedying the OPM hack: we need an innovative policy response, not just credit and identity monitoring
In the wake of the recent major hacks of Office of Personnel Management (OPM) databases, OPM has announced that the federal government will be offering the millions of affected individuals access to identity theft monitoring and restoration services. For individuals who are affected by the background check database hack, additional online services will be offered to protect against fraud, misuse of minors’ identities, etc.
The provision of these types of identity theft and credit monitoring services has become a reflexive action for companies and government agencies. When Company Z gets hacked and tens of millions of its customers’ personal and financial information is at risk, it offers free credit monitoring. When Government Agency Y has a data breach, the same routine. These entities then offer to provide such online services for a fixed period of time, and a limited number of affected individuals bother to sign up, at a cost to the company or agency at around $5/month per enrollee. Those who do sign up get a sense of security that any financial misuse of their information will be detected.
But with respect to the recent hack of the OPM security clearance database, the offering of such services is a woefully inadequate remedy. As former CIA official Charlie Allen noted in a recent piece, this hack creates “a national security risk unlike any I’ve seen in my 50 years in the intelligence community”. Former CIA and NSA Director Michael Hayden provided a similarly dire commentary in a Washington Times op-ed in June.
Given this context, the offering of online credit and identity monitoring services to the affected population is necessary but should only be viewed as a small, preliminary step in responding to this hack. The U.S. government needs to focus its attention on implementing a broader set of policy remedies that will help to prevent and deter the foreign entity that hacked this database from being able to exploit this information for counterintelligence or other nefarious purposes.
One such policy remedy would be a law or executive order (EO) that protects affected individuals against the adverse consequences of public disclosure of information that had been willfully disclosed on an SF-86 but would cause harm or embarrassment if publicly disclosed. For example, such a law or EO could clarify that it is impermissible and illegal to use SF-85/86 information, if derived from hacked documents, in an employment action or in a legal proceeding, with very limited exceptions. If such a policy remedy were put in place, this would hinder the ability of foreign intelligence services to blackmail and recruit Americans working in positions of trust who are potentially exposed by this hack.
The foreign entity that hacked the OPM security clearance database and stole this information could also attempt in the coming months and years to use information to try to smear and slander individuals (perhaps selectively targeting its high-level critics in government), using unwitting third-parties in the news media and other online mechanisms. The federal government needs to look carefully now at how it can protect otherwise innocent employees against such personal attacks, and needs to bring federal law enforcement agencies and Inspectors General into this discussion, so that they can better differentiate between legitimate predicates for internal investigation versus when they have been baited to investigate by an entity that is using misappropriated information. This will also be an area where Congress will need to carry out judicious oversight and perhaps consider legislation.
These are just two examples. There are other scenarios where one can envision this hack leading to the risk of unique adverse consequences for the affected population, in ways that are ultimately harmful to U.S. national security. The federal government needs to be much more forward-leaning in addressing this issue than it has been to date (at least based on its public statements), and develop, publicly explain, and implement innovative policy remedies, working with Congress, that can mitigate the counterintelligence risks of this hack and re-establish trust and confidence within the U.S. national security workforce.
A story in the Washington Post today by Ellen Nakashima looks at a provision in the House Permanent Select Committee on Intelligence (HPSCI) mark of the FY 2016 intelligence authorization bill that would inhibit the Privacy and Civil Liberties Oversight Board (PCLOB) from receiving information that is “related to covert action.” The relevant bill language is as follows:
‘‘(5) LIMITATIONS.—Nothing in this section shall be construed to authorize the Board, or any agent thereof, to gain access to information that an executive branch agency deems related to covert action, as such term is defined in section 503(e) of the National Security Act of 1947 (50 U.S.C. 3093(e)).’’.
Nakashima’s story notes that this provision was drafted in response to a recent opinion piece by PCLOB chairman David Medine, arguing for a new “Drone Board” that would provide independent oversight of the use of UAVs for counterterrorism purposes, and suggesting that the PCLOB could take on this responsibility as an additional duty.
I have mixed feelings about HPSCI’s new legislative proposal. On the one hand, I think that the PCLOB should not be focusing on covert action, given that such a focus would be contrary to the intent of Congress when the PCLOB authorities were established in 2004 and modified in 2007. The policy and legislative debate leading to the PCLOB (including in Chapter 12 of the 9/11 Commission Report) was focused almost exclusively on terrorism-related information sharing and collection issues, and not on counterterrorism operations. It would be outside the scope of the PCLOB’s current authorities for the Board to undertake a direct review of a foreign counterterrorism operations program or activity, whether covert or non-covert.
In addition, there is an existing system in place for the review of covert action programs, as described in this 2013 CRS report. If this system is being utilized appropriately by the executive branch and the Congressional intelligence committees, then creating an additional layer of review by the PCLOB is unnecessary in my opinion, particularly given the longstanding statutory language that a covert action finding “may not authorize any action which violates the Constitution of the United States or any statutes of the United States.”
On the other hand, I worry that this legislative proposal as it is currently drafted would create the basis for executive branch agencies to deny information to the PCLOB that the Board should legitimately be entitled to receive. Note the language in the proposal: “information that an executive branch agency deems related to covert action.” The language gives executive branch agencies an unchecked right to define what information is related to covert action, and the inclusion of the words “related to” creates an opportunity for IC lawyers to try to define this exception broadly.
For example, a covert action may rely on a particular intelligence collection or analytic activity that is within the scope of the PCLOB’s remit. This bill language, as currently drafted, could allow the agency responsible for that collection or analysis activity to deny the PCLOB necessary access to information about this activity, on the basis of its “relation” to the covert action. Such an outcome would undermine the Privacy and Civil Liberties Oversight Board, in a way that is harmful to its clear statutory role as a balancer of privacy and civil liberties concerns within the broader national policy debate on terrorism issues.
The article in the Post notes that this matter will continue to be debated as the bill moves to the floor of the House and is then reconciled with the Senate’s FY 2016 intelligence authorization bill (which has not yet been introduced) later this year. It is also likely that other committees will have a stake in this issue, since the PCLOB’s founding statute is also within the jurisdiction of the Senate and House Judiciary, Senate Homeland Security and Governmental Affairs, and House Oversight committees. I would suggest that an appropriate resolution to this issue would be modifying this provision into “sense of Congress” language that states that the PCLOB should not place a primary, direct focus on covert action programs, but does not impair the Board’s access to information that is within the scope of its current authorities, even if such information is tangentially related to covert action.
The DHS Office of Inspector General released a redacted version of a report yesterday entitled “TSA Can Improve Aviation Worker Vetting.” The report examines TSA’s performance of its responsibility to conduct background checks on the two million workers (beyond its own employees) that have access to secure areas of airports. One of the findings of the report has been the basis for some disturbing media headlines last night and today, a sampling of which are linked below:
“IG Report: TSA failed to identify 73 workers ‘linked to terrorism’.” (Fox News)
“TSA Missed 73 Workers on Terror Watchlist” (The Daily Beast)
“Investigation Finds the TSA Didn’t Catch 73 Terrorism-Linked Employees.” (Slate)
The general impression that one gets from the media stories to date is that terrorism suspects have slipped through the cracks and are working at U.S. airports, posing a significant threat to the U.S. aviation system. But that is not what the IG report actually says.
As the terrorist watchlisting system is currently implemented, the National Counterterrorism Center (NCTC) manages the detailed, classified repository of watchlisting-related identity information in its TIDE database, which is then exported to the unclassified Terrorist Screening Database (TSDB), run by the FBI, subsets of which are then used by various screening agencies (e.g. Department of State for visas, CBP for border screening, TSA for domestic aviation). There are very clear rules in place as to what types of identities in TIDE and the TSDB can be used for which screening and vetting purposes, based on factors such as the relevant threat and the impact on civil liberties.
This IG report examines TSA’s responsibility to carry out background screening of airport workers, and notes that it doesn’t carry out such screening by checking against all TIDE records:
TSA did not identify these individuals through its vetting operations because it is not authorized to receive all terrorism-related categories under current interagency watchlisting policy.
The report notes that the excluded TIDE records were for certain categories of terrorism-linked individuals that TSA has not been allowed to screen against to date (details of which are redacted from the report), and that more than a year ago then-TSA Administrator John Pistole formally requested that it be able to conduct vetting against such records, a request that has yet to be approved by the interagency group that oversees watchlisting policies. Such a decision to change current policy would need to be made judiciously, weighing the threat posed by individuals that fall in these TIDE categories (who presumably present a lower relative threat than individuals in other TIDE categories that are currently used for vetting) versus the civil liberties-related impact of conducting vetting that could cause individuals to lose their jobs based on a weak or unproven association.
As a result of such a review, and taking into account current threat-related intelligence, it may be warranted to expand the scope of TSA’s airport worker vetting. But let’s be clear: the current situation is not a “failure” or “omission” on TSA’s part, but the result of a deliberate policy decision. The media coverage of this IG report to date unfortunately lacks such nuance, and is instead hyping the implications of this report in a way that unfairly foments public mistrust of TSA and could lead to rash policy decisions on this issue.