STAFF: Good afternoon, everyone. I'm Lieutenant Commander Tim Gorman, and I'll be moderating today's briefing.
As a reminder, we're on background. All information from our briefer should be attributed to "a senior defense official." The material emailed earlier to you, as well as the information in this briefing is embargoed until the conclusion of this briefing.
Our briefer today is (inaudible). She will have some opening comments, and then we will move into Q&A. I'll call on reporters, and in the interest of time, I ask that you limit yourself to one follow-up. For the Zoom participants, I have your names here. When I call on you, please take yourself off mute to ask your question.
With that, over to (inaudible) for opening comments.
SENIOR DEFENSE OFFICIAL: Hello, everyone. Hope you all had a happy Fourth of July. Thanks for joining me today.
Late last week, Secretary Austin completed his review of the findings and recommendations of the comprehensive review of security programs, policies and procedures that he directed. That review, led by the Under Secretary of Defense for Intelligence and Security in coordination with the DOD Chief Information officer and the Director of Administration and Management, focused on an in-depth review across four key areas: personnel security, information safeguarding and accountability, physical security and education and training.
While the review found the majority of DOD personnel with access to classified national security information, or as we call it, CNSI, comply with security policies, procedures and processes and recognize the importance of that information in maintaining our national security, the review also identified a number of areas where the department should seek to improve its security posture and accountability measures. These areas include improving individual and collective accountability for CNSI, the security posture at facilities used to develop process and store CNSI and information sharing to ensure both appropriate security clearance eligibility determinations by the Defense Counterintelligence and Security Agency and appropriate access management by unit commanders, supervisors, and their personnel.
As a result of this review, Secretary Austin issued guidance to the department's senior leaders on the actions they must take in the near and medium term for the department to improve its security posture and accountability measures. These will help us prevent the compromise of CNSI to include addressing insider threats. As these actions progress over the coming weeks and months, USD (I&S) will provide the Secretary regular updates on the progress until completion.
With that, I thank you again for your time and look forward to your questions.
STAFF: All right, first question, Lita from Associated Press.
Q: Hi. Thank you.
Can you give us a better sense of what the key failures, shortcomings -- whatever you want to say -- of -- you know, there were a number of changes to beef up security both physically and at monitors. What was the biggest shortcoming that the department found? Which of these proved to be sort of the bigger issue?
And could you give us a sense of -- I mean, you say "a majority," but what -- in how many – in what -- even if it's a broad percentage of places were -- were there shortcomings, were there failures? Can you give us a sense of how big the problem is?
SENIOR DEFENSE OFFICIAL: So I think the way I would describe the problem is that we have a widespread population, as well as constellation of facilities. Some of those are what we would describe as inside of a defense in-depth compound like the Pentagon or like the Defense Intelligence Agency, which is on a military installation, and others are standalone kind of secure compartmented information facilities, right?
So I think for us, as the department's population of cleared personnel and the number of facilities have grown over the past years, it has underscored the need to have a comprehensive and evolving security in-depth posture.
Q: Okay, but again, give us sense of where you found the largest shortcomings. Was it in, you know, people not having -- not cataloging everything? Was it people taking information in or out? Was it people with unauthorized devices? Give us a sense of which of these we should prioritize.
SENIOR DEFENSE OFFICIAL: Sure.
So I think one of the biggest takeaways from the review was the need to create a consistent way of checking the two-way dialogue between the Defense Counterintelligence and Security Agency and the kind of owning unit supervisors and commanders to make sure that both DCSA is looking at the personnel when they're determining eligibility for a clearance, but that, as we've transitioned to trusted workforce and continuous vetting, those that are day-to-day responsible for personnel understand the kind of consistent availability of information on those individuals and work to optimize a two-way dialogue.
STAFF: Okay. Go to Phil Stewart from Reuters.
Q: One of the recommendations that's being made is the creation of an electronic device tracking system for all the SCIFs, and I'm wondering, in the survey that you sent around, what were the kind of questions and answers related to this that we would, you know, find relevant? You know, were there a lot of people who didn't -- you know, who were bringing in or had seen materials in SCIFs that, you know, perhaps need to be, you know, there needed to be tightened controls based on those responses? What kind of questions did you ask? What kind of responses did you get?
SENIOR DEFENSE OFFICIAL: Yeah, so I think it was both the survey responses and the kind of review group that was put together from across the department that really helped kind of focus that recommendation. I think what we saw was that there were different applications of those -- that type of technology across both the intelligence community and non-intelligence community elements, and then across different parts of the department.
And so as we looked at what might be appropriate to look at as a holistic, you know, best practice that we could spread across the department, I think the idea that we should explore whether or not these should be more widely mandated in SCIFs was a key finding. It helps with, you know, alerting people who just do it by accident, it helps with detection, all of those things.
And so I think we saw in the surveys some required it, some did not, and then we also saw that there was a best practice there that we could look at over the next year.
Q: I mean, I guess what I'm wondering -- what were the questions? Were the questions like, you know, have you seen people bring in, you know, non-classified electronic devices in the SCIFs? Some people said yes, some people said no, and so you're trying to create a better -- you -- I'm just trying to understand how --
SENIOR DEFENSE OFFICIAL: Oh, yeah --
Q: -- be a little more specific.
SENIOR DEFENSE OFFICIAL: Absolutely. So I think we were asking questions about what have you, like, observed over the last year, so asking components about security violations and patterns of behavior that they had observed, and then also about what they require in the SCIFs that are under their purview.
STAFF: Tom, NPR?
Q: Yeah, I'm just wondering, in this review, did anything pop maybe similar to what happened at Otis Air Force Base, where someone walked out with information or was downloading information that person shouldn't have? Did anything pop that requires further investigation?
SENIOR DEFENSE OFFICIAL: No, I think what the review showed was that we needed to revalidate things like distribution lists and make sure that we had appropriately kind of modernized our requirements with the way technology can enable kind of print tracking, those types of things, so that we have better accountability for when individuals are working in classified environments and printing materials, for example, or when we have, you know, new technology that allows us to better understand what users are doing on the system, what products, for example, they're accessing.
Q: -- so nothing popped that would require further investigation?
SENIOR DEFENSE OFFICIAL: So this was a review of our security processes and procedures. I want to be clear, you know, there are still ongoing investigations as part of the law enforcement piece of this, as well as in part of the Air Force. And so this is looking at kind of that umbrella level of the department's things and policies and procedures without getting into very -- specifics of the -- of the situation at Otis.
Q: And one last thing that -- I was talking to a retired senior officer who said, you know, "if I have someone working for me that downloads information -- let's say this person is at working European Command and is downloading something about Taiwan -- security would pop, there would be an alert and they would notify the boss, and that boss would go to the worker." Is that accurate? And -- and is it working?
SENIOR DEFENSE OFFICIAL: So this is an area where we are focused on making sure that we are using those tools to the best of the department's capabilities. So that's the user activity monitoring kind of technology that is available.
So one of the key outcomes here, in consultation with DOD CIO, is to make sure we're using that, as it informs both exactly that type of example but also our insider threat hubs.
STAFF: Lara Seligman, Politico?
Q: Thank you. I'm just wondering -- I noticed that the date on this is June 3rd. So that was more than a month ago. Why are we only hearing about this now?
SENIOR DEFENSE OFFICIAL: So the -- I believe the date on the memo is June 30th.
Q: 30th? Okay, sorry -- Okay, sorry about that. I missed that.
Okay, so a second question then. If you could just kind of tell us, cause there was a lot of information here, what are the main courses of action that you think will be the most effective in fixing this problem?
SENIOR DEFENSE OFFICIAL: So I think if I was to pick them now -- and I think, you know, my answer will probably evolve over the coming months as we do some of this work -- I think the first is going to be some of the two-way dialogue that I referred to before.
I think as we've transitioned to continuous vetting, right, we need to get to that local area security manager and make sure they understand what is available to them, what information they can have on their personnel, how important that accountability relationship is, to ensuring that they receive the kind of notifications that continuous vetting intends to be part of it. So I think that is a key one.
I think -- also, as we look across the department at the growing number of facilities that we have, I think we owe it to be nuanced but thoughtful in how we better have a consistent set of understandable standards for security managers to apply there.
You know, we are no longer just talking about a small number of facilities primarily in intelligence community buildings. And so with that, I think we have a real opportunity to clarify and make consistent the expectations across the services.
Q: -- think this will have an impact -- a negative impact on how information is shared between the various agencies?
SENIOR DEFENSE OFFICIAL: We're very mindful to not impede that. I think that was a key concern going into this, was that we didn't, like, lock things down too much to then have to slowly reevaluate whether or not we had overdone anything.
STAFF: David Martin, CBS?
Q: Trying this another way -- did you find that there were loopholes in the regulations and requirements for handling classified information or did you find that people had just gotten lax in their handling of classified information?
SENIOR DEFENSE OFFICIAL: I don't think I would characterize it as loopholes. I think what I found was -- what the review team found was ambiguity in the policies that create inconsistencies as you get further and further out into the department.
And so I think that comes in a variety of forms. So I think one of the key things that I know the Undersecretary of I&S is focused on is the tasking to prioritize our security issuances that require revision, because I think, in there, we can clarify some of the ambiguities we see, you know, in some of the examples, and in particular the review team's conversations about what they hear from their security managers, the types of questions they get, the expectations folks have about what is a reportable security violation, all of those things.
Q: So the lower ranks were just more -- they didn't understand what the security requirements were and details of enforcing security requirements?
SENIOR DEFENSE OFFICIAL: I think that there is ambiguity in the policy that has made it particularly in our workforce that moves around different organizations, works in different SCIFs over the course of their career, all of those things.
I think there are areas where we can be clear about what is required. And particularly between what, you know, the different gradations of classified information, right. So making sure that the requirements -- if there are differences that they're meaningful and they're understandable and if they're not being more standard about what's required to protect classified information versus top secret, SCI, secret, you know, et cetera, et cetera.
Q: The proliferation of SCIFs is not exactly a brand new development in this, so why is -- take this case in -- in Massachusetts to get you to look?
SENIOR DEFENSE OFFICIAL: Absolutely not. I think, you know, you will see it both in the intelligence community and the ODNI have focus on, you know, SCIF accountability and accreditation that is referenced in the memo. I think what this is is an opportunity to the department to consistently check in with their processes for both accountability of our personnel and our facilities to make sure that we're keeping pace with the growth and the proliferation of that type of work.
STAFF: Luis from ABC.
Q: Hi, thank you. Following up on David's question, in his answer -- in your answer you mentioned inconsistencies to further out into the department that you got. Was that surprising to you, number one? And then, you spoke about ambiguity and policy, I mean David's point, I mean those are pretty clear cut policies. So where was the ambiguity in those examples that you spoke about and can you provide an example, please?
SENIOR DEFENSE OFFICIAL: So I think an example that we have discussed in this is whether or not top secret control officers are required, right. I think our public facing policy says that they're optional. But then if -- for different classifications you have to have control officers. Then if you get into what is a reportable offense and who you have to report it to, some of that is also, I think, confusing if you're a local level security manager, you know, managing a joint unit, for example.
Who do you report it to, how do you do all of that? And so I think in looking at this without focusing into the specifics of this exact case, I think those ambiguities are the types of things that we are looking at over these coming months to make sure it is as clear as possible and reflective of today's security environment.
Q: And you -- and you mentioned Advana in -- or Advana is mentioned. Can you explain what that is and how that works, right?
SENIOR DEFENSE OFFICIAL: So that is a visualization tool used in the Department. I think the question here is how do we better have a real time kind of status of understanding where our personnel are, whether everyone is, you know, accounted for by their local level individuals. You know this goes to the optimization issue we were discussing earlier, which is how do we make sure that the system is working to the best of it's ability for both the local level supervisors and commanders as well as kind of the departmental level so we have a snap shot and understand of what's going on with this workforce.
It's consistent with our attempts to try to make sure we have, you know, a growing level of accountability for both our personnel and facilities.
Q: Were you surprised about this ambiguity that -- you know, in the further right you got?
SENIOR DEFENSE OFFICIAL: As someone who's read a lot of DOD policies, I -- they are not the clearest documents always. And so I am not surprised that as they've layered on top of each other as this has grown and as this complex classified information environment has grown that there's a need to make sure that we are looking at them from a stand back distance to make sure they're understandable and that our workforce can use them to the best of their ability.
STAFF: All right, let's go to the phones. So Mike Glenn from Washington Times.
Q: Thank you. I just want to explore. It seems our review has not really informed these questions like, you know, are there simply too many people with high-level security clearances in the DOD? And does the DOD overclassify things? I mean, so this review had more -- more of a granular approach to -- to this particular problem, right? Rather -- rather than sort of an all-encompassing view on security in -- in the Pentagon?
SENIOR DEFENSE OFFICIAL: That's right.
STAFF: All right. Idrees?
Q: Just for a follow-on in this question, there was a story earlier today that said the review essentially has concluded that DOD and Oversight have failed to keep up with the number of SCIFs, but that there was no systemic or single point of failure. Is that something you found? And could you sort of describe what the other sort of -- if there wasn't a single point of failure, what the different points were?
SENIOR DEFENSE OFFICIAL: So there wasn't a single point of failure. I think here, the way to think about it is there are contributing factors to any security incident, and so this was an opportunity whilst the other work goes on with the Air Force and the law enforcement investigation to make sure that we looked at this as quickly as possible to make sure that we made the improvements that we could quickly.
I think what we see here is we have a growing ecosystem of classified facilities and a body of personnel who are cleared. I think within that, we have opportunities to clarify policy. We have opportunities to make sure that we are ensuring that the local-level managers have the best picture, and that we are training our workforce in an understandable way for the information that they are working with.
Q: What were the different points, I guess?
SENIOR DEFENSE OFFICIAL: So I think we have -- as we've discussed previously today, you know, this two-way dialogue and making sure that security managers understand how to pull for relevant information on their personnel and that they have the right kind of relationship with the Defense Counterintelligence and Security Agency, was one. I think the other was making sure that we have clear and understandable regulations for both our security managers, but the folks are working with classified information. And so I think you see that in the policy conversation that we've already had, but also in an effort we're undertaking with our colleagues in Personnel and Readiness to make sure that our training is optimized for this environment and the kinds of scenarios that our workforce is facing today.
STAFF: All right, we'll go back to the phones. Jeff Schogol, Task & Purpose?
Q: Thank you so much. There is a recommendation that says, "In coordination with DOD CIO and appropriate, et cetera, implement a phased approach to increase accountability, manage access and increase security to classified data by August 28th." Does that mean DOD is looking to limit who has access to the Joint Worldwide Intelligence Communications System?
SENIOR DEFENSE OFFICIAL: That recommendation is focused on ensuring that we have the right need-to-know processes and procedures, and that we are using those to the maximum efficiency. So some of that is focused on how do we validate what documents are accessed online? What types of, you know, things do you have to have kind of on your kind of digital passport to access certain products?
Q: So you are looking at limiting who has access to classified information? Am I right?
SENIOR DEFENSE OFFICIAL: No, we're looking to ensure that we have the right need-to-know procedures to ensure that the information that is available on classified networks is accessed by those with a need to know.
STAFF: Go ahead, Tony. All right, tell you what -- we'll come back to you in a minute, Tony.
STAFF: Let's go Natasha.
Q: Your recommendation says that you will work to establish a joint management office for insider threat and cyber capabilities to oversee user activity, monitoring and improve threat monitoring across the networks. Can you explain a bit about what that would entail and what that would look like?
SENIOR DEFENSE OFFICIAL: Sure. User activity monitoring is a tool that is able to be deployed upon computer networks. It's applicable to both our insider threat hubs, but also to this, you know, kind of need-to-know access piece. And so what we have proposed doing is working with our CIO colleagues to make sure that we're jointly managing that program so that as we make user activity monitoring decisions, they are serving the department's full range of interests.
Q: So what is user activity monitoring? What -- like, what -- logistically, what does that actually look like?
SENIOR DEFENSE OFFICIAL: So to the earlier example where security would get notified if someone was doing something unusual on the system, it's that type of processing. And so what we're doing right now is to make sure those types of tools are used appropriately within the department, and that we've appropriately resourced that program, given its applicable uses.
STAFF: All right, Tony, we'll go back to you. We can hear you. Go ahead with your question.
Q: Hi. Can -- can you hear me? Hello?
STAFF: We hear you, Tony.
Q: Yeah, can you -- you can hear? Okay. At the -- senior official, the last paragraph of the release puts out -- you -- you put out the -- you want to be on guard against any overcorrection which may impede progress on information sharing. Is that dealing with the intra-agency sharing of data, or is -- does this deal with the issue of possible over-classification of information to the public or within DOD out of -- over the overabundance of caution?
SENIOR DEFENSE OFFICIAL: This is to ensure that we're appropriately calibrating our response to make sure that we do not inhibit the department's ability to operate with both other components within the department, as well as our interagency partners. So to the earlier question, this is about making sure we're validating need to know, not necessarily, you know, turning off access.
STAFF: We'll go next to Heather Mongilio with USNI News.
Q: Asked and answered, thank you.
STAFF: Alex Horton, Washington Post?
Q: Hey, thanks for that. One of the bullet points in there is to improvements to personnel and physical security data management and information sharing practices. When you talk about physical security data management, can you say how that relates to, like, the physical kind of assessments of SCIFs and you know, going in and coming out of them, what -- or did you find you need improvements on how people with access are coming in and going out, and monitoring what they're collecting, and maybe taking out of those? And secondly, would you say that these recommendations and findings largely seek to kind of reinforce existing policy, rather than create new policies?
SENIOR DEFENSE OFFICIAL: I wouldn't foreclose new policy, as I think right now we see opportunity to optimize the existing policies as the kind of near-term project. But again, as we learn more and as we undertake this work, I expect, you know, it could be possible we would need new policy.
To your earlier question about physical security and how that fit in, I think the unique part for the Department of Defense is, to have a security and depth posture, we had to account for kind of two populations, a population that deals largely in hard copy and then a population that is on electronic systems. We can't have just one approach.
And so I think when we looked at the ecosystem as a total, we needed to make sure that both our personnel security and our physical security policies accounted for the realities of both.
STAFF: All right, we've got time for one more question. Jaspreet Gill, Breaking Defense?
Q: Hey, thanks for doing this. A part of the recommendations made in the fact sheet includes immediate improvement to personnel and physical security data management and information sharing practices. I'm wondering, can you expand on that? What immediate or near term changes can we expect?
SENIOR DEFENSE OFFICIAL: Sure. So I think I would point to the first two items that are directed in the Secretary's memo, which are to make sure that all of our DOD component heads have a plan of action and milestones for accounting for their personnel and designated security information technology systems, as well as an assignment to a security management office by, you know, the end of summer essentially. I think those are the nearest term actions, and some of that is to make sure that we have those processes and a plan in place to do that kind of accountability.
I think the other is to ensure that we are looking at the ways the current, like, online electronic ecosystem works and that -- you know, kind of as I referred to earlier, that kind of digital passport is validating need to know and we understand what folks are able to access.
STAFF: All right. Thank you so much to our Senior Defense Official and thank you all for your time today.
SENIOR DEFENSE OFFICIAL: Thank you all. I really appreciate it.