No particular threat has the potential to draw the concerns of security practitioners more than the fear of the insider. The concept of the insider threat has prompted a whole cottage industry of background investigationcompanies and service providers.
For the vast majority of private sector companies, these background investigation services are workable and generally provide a reasonable level of security for the entry level employee, as most do not utilize periodic background re-investigations. Critical infrastructure owners and operators do not have this luxury. Unknown to most Americans is the fact that the vast majority of our nation’s critical infrastructure is privately owned – yet federally regulated. An interesting separation that brings with it some very unique challenges.
Regulation
Most critical infrastructure in the United States, whether oil and natural gas, chemicals, financial services or electric and nuclear power, is under some form of regulation. This includes many requirements that mandate background investigations and re-investigations for those employees that have access to particularly sensitive areas or information. All of this makes sense and is good security practice. A prime example exists under Section 17f-2 of the Securities Exchange Act of 1934 which requires certain financial employees undergo enhanced criminal history screening, up to and including fingerprint checks through the FBI’s National Crime Information Center (NCIC), a true national repository for criminal history information.
In order to comply with the act, the FBI required its own enabling statutory legislation allowing it to access and release fingerprint information on the behalf of private financial institutions via Public Law 92-544. In this particular case, regulators clearly understood the need to differentiate between those that clearly need to undergo additional screening, and those who do not by specifying which types of employees warranted the enhanced screening.
Private sector background investigations
The private sector currently employs a vast array of methods through which they conduct their background investigations for new applicants and existing employees. For the most part, private companies engage with third party contractors to conduct pre-employment drug tests, credit checks and criminal history checks via name or biographical information. These routine, initial checks are relatively perfunctory and generally satisfy the needs of the vast majority of private sector employers. However, for owners and operators of critical infrastructure, there are four glaring issues:
- True identification. For the vast majority of private sector employers, the current systems for conducting background checks are extremely reliant on the quality, accuracy and veracity of the information provided by the applicant, which is often limited to name, date of birth and Social Security Number. In some limited instances, these checks are supplemented by local and/or regional fingerprint checks; however, most private entities do not conduct a nationwide fingerprint check. Accordingly, a true identity match is often unattainable, which can lead to the expensive and sometimes exhaustive process of trying to clear a person whose identity may have name and biographical criminal history matches in the systems.
- Not comprehensive. Most of the background checks conducted by private sector employers are not comprehensive. Without a true NCIC fingerprint check through the FBI, information is often missed or inaccurate and requires laborious investigation to either verify or discredit.
- Position sensitivity. Owners and operators of critical infrastructure employ persons that have unique access to some of the most critical systems and operations of our country from a national security standpoint. Given the sensitivity of their operations, many of these industries – such as electricity – are heavily regulated and have burdensome background investigation requirements. However, these requirements are vague and do not comprehensively review a potential or existing employee’s history.
- Periodicreinvestigation gap. Unlike many private sector employers, critical infrastructure owners are typically required to conduct some form of periodic background reinvestigation on their critical employees. In many instances, these reinvestigations are conducted every five to seven years. The problem is, how do owners and operators of critical infrastructure account for a sensitive employee’s criminal activities during the lengthy reinvestigation gap? The answer is, they do not.
Solutions
The vast majority of private sector enterprises will continue to use their own judgement and rely on existing pre-employment background investigation systems. This has been, and will continue to be, an acceptable practice, regardless of whether or not periodic gap investigations are performed. However, more difficult risk propositions exist for critical infrastructure. For instance, numerous areas of critical infrastructure rely on the same methods for pre-employment investigations and periodic background reinvestigations. This is true for employees who have access to some of the most critical and important infrastructure systems our nation has tooffer.
Indeed, a true insider breach by a rogue employee in some of these areas could prove crippling. The recommendations discussed below can help close this security gap by mitigating risks associated with the insider threat:
- Biometrics — A true nationwide fingerprint repository check through NCIC for pre-employment and periodic reinvestigations is needed. There is currently no other way to truly determine the veracity of a potential employees’ criminal history claims than through a comprehensive criminal history (CCH) check performed via fingerprints and NCIC.
- Rap-Back — In addition to pre-employment CCH checks, the FBI, as part of its new Next Generation Identification (NGI), has created a system for understanding, managing, and closing the periodic reinvestigation update gap. The Record of Arrests and Prosecutions background check, or Rap-Back, can notify participating critical infrastructure employers if their employee is ever arrested and fingerprinted for a crime during the gap period. This system, although not all encompassing, is an important step forward and should be leveraged by entities with critical infrastructure.
Civil liberties and fingerprint checks
An often repeated claim from civil liberties advocates is that the employee does not have choice in the enrollment of the Rap-Back program. In response to this claim, there are several important counterpoints to consider:
- Numbers. Only a small percentage of workers, including those in critical infrastructure, would qualify for required fingerprint checks. Does anyone think it is bad idea for a daycare worker to have their fingerprint checked? The same holds true for certain critical infrastructure employees given the sensitivity of the information they have access to. The subset of critical infrastructure employees that require this check will need to be defined and notified before implementation of this security measure.
- The choice proposition. Any job, let alone a job in a sensitive position, requires a conscious choice to apply. Simply put, those applying for a sensitive position are notified upfront when a fingerprint check is required. To argue that Rap-Back subjects them to infringements upon their employment status in a protected position is counterintuitive – particularly in industries that already perform periodic reinvestigations but do not conduct another fingerprint check.
Consequences, if any, are determined by the employer. There are significant costs associated with terminating, hiring, retraining, and transferring institutional knowledge of key employees – particularly in critical infrastructure where these types of jobs are highly specialized. Moreover, the FBI simply alerts the employer to the fact that an arrest and fingerprinting has occurred. It will then be up to the employer to investigate the circumstances and determine what level of discipline, if any, is appropriate.
- Source data concerns. Source data concerns simply mean that the FBI is collecting and storing the fingerprints of people who get their fingerprints taken for a variety of reasons, such as applying for a job that requires it. Inclusion in this database does not mean a person is explicitly tied to a criminal justice encounter. The areas are as diverse as child care workers, teachers, police department employees, and so forth. That is why it will be up to the employers to have a robust verification process for investigating notifications before taking action.
Conclusions
As of January of 2017, there are an estimated 123 million workers in the United States. Of these workers, an estimated 1.8 million, or approximately 1 percent, undergo background checks each year whereby an FBI fingerprint record check is required. While these numbers are not overly significant, it does prompt an important value proposition. Should employers impose extra levels of security for those workers that are in the most sensitive positions of critical infrastructure? Or, are we simply crossing our fingers behind our backs after we hire workers in sensitive positions?
The key to balancing the legitimate concerns of critical infrastructure security and of the rights of employees requires nothing more than honest dialogue. Transparency is key. All parties should see the validity of security, privacy and civil liberty arguments and find a way forward for enhanced security for us all.
Travis Moran is a Managing Consultant at Navigant Consulting, Inc. and a former senior physical security specialist at the North American Electric Reliability Corporation (NERC).
Brian Harrell, CPP, is Director of Security and Risk Management at Navigant Consulting, Inc. and a former security executive at the North American Electric Reliability Corporation.
