b"<html>\n<title> - INCORPORATING SOCIAL MEDIA INTO FEDERAL BACKGROUND INVESTIGATIONS</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n\n\n\n   INCORPORATING SOCIAL MEDIA INTO FEDERAL BACKGROUND INVESTIGATIONS\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                         GOVERNMENT OPERATIONS\n\n                                AND THE\n\n                            SUBCOMMITTEE ON\n                           NATIONAL SECURITY\n\n                                 OF THE\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              MAY 13, 2016\n\n                               __________\n\n                           Serial No. 114-158\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n\n\n\n         Available via the World Wide Web: http://www.fdsys.gov\n                      http://www.house.gov/reform\n                                 ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n26-067 PDF                     WASHINGTON : 2017 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n                      \n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                     JASON CHAFFETZ, Utah, Chairman\nJOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, \nMICHAEL R. TURNER, Ohio                  Ranking Minority Member\nJOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York\nJIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of \nTIM WALBERG, Michigan                    Columbia\nJUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri\nPAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts\nSCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee\nTREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia\nBLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania\nCYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois\nTHOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois\nMARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan\nRON DeSANTIS, Florida                TED LIEU, California\nMICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey\nKEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands\nMARK WALKER, North Carolina          MARK DeSAULNIER, California\nROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania\nJODY B. HICE, Georgia                PETER WELCH, Vermont\nSTEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico\nEARL L. ``BUDDY'' CARTER, Georgia\nGLENN GROTHMAN, Wisconsin\nWILL HURD, Texas\nGARY J. PALMER, Alabama\n\n                   Jennifer Hemingway, Staff Director\n                         Jack Thorlin, Counsel\n                          William Marx, Clerk\n                 David Rapallo, Minority Staff Director\n                 Subcommittee on Government Operations\n\n                 MARK MEADOWS, North Carolina, Chairman\nJIM JORDAN, Ohio                     GERALD E. CONNOLLY, Virginia, \nTIM WALBERG, Michigan, Vice Chair        Ranking Minority Member\nTREY GOWDY, South Carolina           CAROLYN B. MALONEY, New York\nTHOMAS MASSIE, Kentucky              ELEANOR HOLMES NORTON, District of \nMICK MULVANEY, South Carolina            Columbia\nKEN BUCK, Colorado                   WM. LACY CLAY, Missouri\nEARL L. ``BUDDY'' CARTER, Georgia    STACEY E. PLASKETT, Virgin Islands\nGLENN GROTHMAN, Wisconsin            STEPHEN F. LYNCH, Massachusetts\n                                 ------                                \n\n                   Subcommittee on National Security\n\n                    RON DeSANTIS, Florida, Chairman\nJOHN L. MICA, Florida                STEPHEN F. LYNCH, Massachusetts, \nJOHN J. DUNCAN, JR., Tennessee           Ranking Minority Member\nJODY B. HICE, Georgia                ROBIN KELLY, Illinois\nSTEVE RUSSELL, Oklahoma, Vice Chair  BRENDA L. LAWRENCE, Michigan\nWILL HURD, Texas                     TED LIEU, California\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on May 13, 2016.....................................     1\n\n                               WITNESSES\n\nMr. William Evanina, Director of National Counterintelligence and \n  Security Center, Office of the Director of National \n  Intelligence\n    Oral Statement...............................................     4\n    Written Statement............................................     7\nMs. Beth Cobert, Acting Director, U.S. Office of Personnel \n  Management\n    Oral Statement...............................................    11\n    Written Statement............................................    13\nMr. Tony Scott, U.S. Chief Information Officer, U.S. Office of \n  Management and Budget\n    Oral Statement...............................................    17\n    Written Statement............................................    18\n\n \n   INCORPORATING SOCIAL MEDIA INTO FEDERAL BACKGROUND INVESTIGATIONS\n\n                              ----------                              \n\n\n                          Friday, May 13, 2016\n\n                  House of Representatives,\n Subcommittee on Government Operations, Joint with \n                 Subcommittee on National Security,\n              Committee on Oversight and Government Reform,\n                                                   Washington, D.C.\n    The subcommittees met, pursuant to call, at 9:03 a.m., in \nRoom 2154, Rayburn House Office Building, Hon. Mark Meadows \n[chairman of the subcommittee] presiding.\n    Present: Representatives Meadows, DeSantis, Walberg, \nJordan, Mica, Hice, Massie, Hurd, Mulvaney, Carter, Grothman, \nChaffetz, Connolly, Lynch, Maloney, Lieu, and Kelly.\n    Mr. Meadows. The Subcommittee on Government Operations and \nthe Subcommittee on National Security will come to order. And \nwithout objection, the chair is authorized to declare a recess \nat any time.\n    We're here today to discuss incorporating social media into \nthe Federal security clearance and background investigations. \nHaving a security clearance means, by definition, you have \naccess to information that would hurt our national security if \nit got out, and that is why we perform background \ninvestigations on individuals who want a security clearance. \nThe goal of our background investigations must be to find out \nif an individual is trustworthy. Back in the 1950s, that meant \ntalking to neighbors and family.\n    Today, with more than a billion individuals on Facebook, \nwhat a person says and does on social media can often give a \nbetter insight on who they really are. Since 2008, various \nFederal agencies have conducted studies on using social media \ndata in investigations, and they all find the same thing, that \nthere is a wealth of important information on social media.\n    This issue now facing the Federal Government is how to use \nsocial media information while respecting the legitimate \nprivacy concerns that are often brought forth. The good news is \nthat using social media checks in security clearance \ninvestigation does not have to be a binary decision between big \nbrother and an ineffective system. There are several reasonable \noptions available to us to use social media data in a \nresponsible way.\n    It is encouraging to see that ODNI announced this morning, \nin advance of today's hearing, a new policy that will allow \nFederal agencies to review publicly available social media \ninformation as part of the clearance investigation process. We \nwill continue to work with the agencies to ensure that the \nsocial media data of people with security clearances is used in \na safe and responsible way.\n    Mr. Meadows. I would like to thank the witnesses for coming \nhere today and I look forward to their testimony.\n    And with that, I would recognize the ranking member of the \nSubcommittee on Government Operations, my good friend, Mr. \nConnolly.\n    Mr. Connolly. I thank my friend, the chairman, for holding \nthis hearing to examine the usefulness of social media and \nother crucial enhancements to the Federal background \ninvestigation process.\n    On January 22, the administration announced that the \nFederal Investigative Services, a former entity of OPM, would \ntransfer its functions to a new national background \ninvestigations bureau. The Department of Defense assumed \nresponsibility for designing and operating all information \ntechnology for the new NBIB. I think it makes abundant sense to \ntask our national security experts with protecting the \nsensitive personal information of millions of clearance \nholders.\n    Today, we're discussing another enhancement, the inclusion \nof social media in the background investigation process. The \nArmy has a pilot program which used publicly available data \nfrom social media sites to enhance information available to \ninvestigators during background check processes. Currently, the \nDepartment of Defense is also conducting a pilot program that \nlooks at all publicly available information online, such as \nnews articles and commercial Web sites. I'm interested in \nlearning the major findings and lessons learned from these \npilot programs.\n    While social media is a promising and valuable source, \npotentially, of information, I remain concerned that the \ngovernment should not retain social media data of third parties \nwho happen to engage with the applicant but have not consented \nto waiving their privacy rights. We must not forget to discuss \nother ways to enhance security clearance processes.\n    The Performance Accountability Council is establishing a \nlaw enforcement liaison office that will communicate with local \ngovernments to expedite the requests for local criminal \nrecords. That's a major enhancement. We must remember that on \nSeptember 16, 2013, Aaron Alexis, a Federal subcontractor with \na secret-level clearance, entered the Washington Navy Yard and \ntragically killed 12 people and injured 4 others. He had a \nsecurity clearance. The background investigation failed to \nidentify that Mr. Alexis had a history of gun violence. The \nlocal police record of Mr. Alexis' 2004 firearms arrest had not \nbeen provided to Federal investigators. Improvements in \ncommunication between local law enforcement and Federal \nbackground investigators could prevent and could perhaps have \nprevented a tragedy like that that occurred in the Washington \nNavy Yard.\n    I welcome each of the witnesses back from the full \ncommittee's February hearing and look forward to hearing about \ntheir progress on the administration's plan to reform the \nsecurity clearance and background investigation process, while \npreserving privacy rights.\n    Thank you, Mr. Chairman.\n    Mr. Meadows. I thank the gentleman.\n    The chair now recognizes the chairman of the Subcommittee \non National Security, Mr. DeSantis, for his opening statement.\n    Mr. DeSantis. Thank you, Chairman Meadows. I just wanted to \nsay, I think this is an important issue. And it looks like that \nwe just got a directive late last night where this is now going \nto be an implemented policy. So I'm interested in hearing how \nthat's going to be implemented, but I'm sure that's partly as a \nresult of your oversight. So thank you for doing that and I \nlook forward to hearing the witness testimony.\n    I yield back.\n    Mr. Meadows. Well, Chairman DeSantis, thank you for your \nleadership on so many of these issues and I look forward to \ncontinuing to work with you.\n    I now recognize the ranking member of the Subcommittee on \nNational Security, the gentleman from Massachusetts, Mr. Lynch.\n    Mr. Lynch. Thank you, Mr. Chairman. And I would also like \nto thank Chairman DeSantis and my friend, Mr. Connolly, for \nholding this hearing. It's important for a number of reasons, \nwhich you both have touched on already.\n    When an individual applies to receive an initial or renewed \nsecurity clearance, the Federal Government conducts a \nbackground investigation to determine whether he or she may be \neligible to access classified national security information. \nEvery security clearance candidate is required to complete a \nStandard Form 86. I have one right here; rather lengthy. It \ngoes into a number of very personal aspects of each person's \nlife. This 127-page form already requests a variety of personal \napplicant information, such as criminal history, any history of \nalcohol use or illegal drug use, any mental health counseling. \nIt does not currently request social media information.\n    But as Chairman DeSantis noted, last night about 11 \no'clock, we got copies of this policy. And I want to say thank \nyou. You know, I--we have not always had information \nforthcoming in a timely manner. Even 11 o'clock at night, \nthat's timely around here, you know, a few hours before the \nhearing. But I appreciate you sending it.\n    I thought it might be a mistake, actually, that you sent \nthe policy over. I did have a chance to read it a couple of \ntimes last night and it raises some questions, but I think it's \na very good first effort. And we appreciate it.\n    In December of 2015, Congress passed and President Obama \nsigned a bipartisan funding legislation that included a robust \ndirective to enhance the security clearance process. The recent \nOmnibus Appropriations Act also requires the director of DNI to \ndirect the Federal agencies to use social media and other \npublicly available government and commercial data when \nconducting periodic reviews of their security clearance or \nclearance holders. The law also provides guidance on the types \nof information that could be obtained from social media and \nother sources and it may prove relevant to a determination of \nwhether an individual should be granted clearance at all.\n    Now, this includes information suggesting a change in \nideology or ill intent or vulnerability to blackmail in \nallegiance to another country. The main impetus, as Mr. \nConnolly noted, was the terrible situation at the Washington \nNavy Yard. And also I would add, there has been exploitation of \nTwitter, Facebook, WhatsApp, and Telegram by the Islamic State. \nAnd also at one point we had everyone who filled out a Standard \nForm 86 hacked by the Chinese as well. So they have a list of \neverybody who filled out, you know, an 86 requesting security \nclearance, which is very troubling.\n    There's a lot that needs to be talked about here. We're \ngoing to gather all this information on individuals in one \nplace. In light of what has happened with the Chinese hack, I'm \nconcerned about putting medical information, all of this about \npeople who apply in one place where it might be accessed by \nhostile or nefarious actors. So we're going to talk a little \nbit about that this morning.\n    As I said, I appreciate the Security Executive Agent \nDirective Number 5 and, you know, I think it's a very good \nfirst effort and I appreciate your transparency with us. Thank \nyou.\n    I yield back.\n    Mr. Meadows. I thank the gentleman. And I will hold the \nrecord open for 5 legislative days for any member who would \nlike to submit a written statement.\n    We'll now recognize our panel of witnesses. I'm pleased to \nwelcome Mr. William Evanina, Director of the National \nCounterintelligence and Security Center in the Office of the \nDirector of National Intelligence; Ms. Beth Cobert, Acting \nDirector of the U.S. Office of Personnel Management. And I \nmight add, in her new role working incredibly well in a \nbipartisan and very transparent way that is recognized by this \ncommittee. So thank you so much. Mr. Tony Scott, the U.S. Chief \nInformation Officer at the U.S. Office of Management and \nBudget.\n    Welcome to you all. And pursuant to committee rules, all \nwitnesses will be sworn in before they testify. So if you would \nplease rise and raise your right hand.\n    Do you solemnly swear or affirm that the testimony you're \nabout to give will be the truth, the whole truth, and nothing \nbut the truth?\n    Thank you. Please be seated.\n    Let the record reflect that all witnesses answered in the \naffirmative. In order to allow time for discussion, please \nlimit your oral testimony to 5 minutes. You're very familiar \nwith the process. But your entire written statement will be \nmade part of the record.\n    And so, Mr. Evanina, you are now recognized for 5 minutes.\n\n                       WITNESS STATEMENTS\n\n                  STATEMENT OF WILLIAM EVANINA\n\n    Mr. Evanina. Good morning. Good morning, everyone. Chairman \nMeadows, Chairman DeSantis, Ranking Member Connolly, Ranking \nMember Lynch, and members of the subcommittee, thank you for \nhaving me here as part of this team to participate in today's \nhearing.\n    As the National Counterintelligence executive and the \ndirector of the National Counterintelligence Security Center, \nI'm responsible for leading and supporting the \ncounterintelligence and security activities of the United \nStates Government, which includes the entire U.S. Government \nand the private sector throughout the intelligence community. \nIn addition, I'm responsible for providing outreach to U.S. \nprivate sector entities who are at risk of becoming a target of \nintelligence collection, penetration, or attack by foreign and \nother adversaries.\n    I also support the Director of National Intelligence's \nresponsibilities as a security executive agent, the role under \nwhich the social media directive was developed. And I work \nclose in partnership with the Office of Management and Budget \nand the Office of Personnel Management, and my colleagues to my \nleft. Department of Defense also partners in this effort as \nwell as part of the PAC. Agencies across the executive branch \nare also part of today's process and the successes we have \nachieved with this policy.\n    When I last appeared before this committee on February 25, \nwe discussed the formation of the National Background \nInvestigations Bureau and security clearance reforms. Today, \nI've been asked to discuss the administration's policy on the \nuse of social media as part of the personnel security \nbackground investigation and adjudication process.\n    Mr. Chairman, we have been steadfastly at work on a \ndirective that addresses the collection and use of publicly \navailable social media information during the conduct of \npersonal security, background investigations, and \nadjudications. I want to acknowledge the important \ncontributions to this effort made by our entire executive \nbranch colleagues, particularly at the Office of Management and \nBudget and OPM. And I'm pleased, as you referenced, to announce \nthat the Director of National Intelligence has recently \napproved this directive which is being publicly released.\n    The data gathered via social media will enhance our ability \nto determine initial and continued eligibility for access to \nclassified national security information and eligibility for \nsensitive positions.\n    I realize that the Federal Government's authority to \ncollect and review publicly available social media information \nin the course of a personnel security background investigation \nand adjudication raises some important legitimate civil \nliberties and privacy concerns. Nevertheless, let me be clear. \nI am strongly of the view that being able to collect and review \npublicly available social media and other information available \nto the public is an important and valuable capability to ensure \nthat those individuals with access to our secrets continue to \nprotect them and that the capability can be aligned with \nappropriate civil liberties and privacy protections.\n    I would note to the committee that by the term ``publicly \navailable social media information,'' we mean social media \ninformation that has been published or broadcast for public \nconsumption, is available on request to the public, is \naccessible online to the public, is available to the public by \nsubscription or purchase, or is otherwise lawfully accessible \nto the public.\n    I believe the new directive on social media strikes this \nimportant balance. Under this new directive, only publicly \navailable social media information pertaining to the individual \nunder investigation will be intentionally collected. Absent a \nnational security concern or criminal reporting requirement, \ninformation pertaining to the individuals, other than the \nindividual being investigated, will not be investigated or \npursued.\n    In addition, the U.S. Government may not request or require \nindividuals subject to the background investigation to provide \npasswords or login into private accounts or to take any action \nthat would disclose nonpublicly available social media \ninformation. The complexity of these issues has led to a \nlengthy and thorough review by the departments and agencies \nthat would be affected by this policy, as well as coordination \nwith different members of civil liberties and privacy offices, \nprivacy act offices, and office of general counsel.\n    Mr. Chairman, the new guidelines approved by the Director \nof National Intelligence for the collection and use of publicly \navailable social media information and security clearance \ninvestigations ensure this valuable avenue investigation can be \npursued consistent with subjects' civil liberties and privacy \nrights.\n    The use of social media has become an integral and very \npublic part of the fabric of most American's daily lives. It is \ncritical that we use this important source of information to \nhelp protect our Nation's security.\n    Mr. Chairman, I welcome any questions that you and your \ncolleagues have regarding this directive.\n    [Prepared statement of Mr. Evanina follows:]\n    \n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    \n    Mr. Meadows. Thank you for your testimony.\n    Ms. Cobert, you're recognized for 5 minutes.\n\n                    STATEMENT OF BETH COBERT\n\n    Ms. Cobert. Chairman Meadows, Chairman DeSantis, Ranking \nMembers Connolly and Lynch, and members of the subcommittee, \nthank you for the opportunity to testify before you today on \nthe use of social media in the Federal background investigation \nprocess.\n    OPM plays an important role in conducting background \ninvestigations for the vast majority of the Federal Government. \nCurrently, OPM's Federal Investigative Services, FIS, annually \nconducts approximately 1 million investigations for over 100 \nFederal agencies, approximately 95 percent of the total \nbackground investigations governmentwide. These background \ninvestigations include more than 600,000 national security \ninvestigations and 400,000 investigations related to \nsuitability, fitness, or credentialing each year.\n    As we discussed in February, we are in the process of \ntransitioning to the new National Background Investigations \nBureau, NBIB, which will absorb FIS and its mission to be the \ngovernmentwide service provider for background investigations. \nThe Department of Defense, with its unique national security \nperspective, will design, build, secure, and operate the NBIB's \ninvestigative IT systems in coordination with the NBIB.\n    To provide some context for our discussion today, I would \nlike to take a few minutes to review how the current security \nclearance process operates in most cases.\n    First, an executive branch agency will make a requirements \ndetermination as to the sensitivity and risk level of the \nposition. If an agency determines that a position requires a \nclearance, the employee completes an SF-86 and submits \nfingerprints, both of which are sent to OPM, along with an \ninvestigation request. OPM, through FIS now and NBIB in the \nfuture, conducts the investigation by doing all of the checks \nrequired by the Federal investigative standards. The results of \nthe investigation are then sent to the requesting agency for \nadjudication.\n    The clearance decision is made from the information in the \ninvestigative report in conformance with the adjudicative \nguidelines that are the purview of the Office of the Director \nof National Intelligence, ODNI.\n    The requesting agency sends their decision back to OPM, who \nmaintains the records for reciprocity purposes. The individual \nwill also be reinvestigated on a periodic basis.\n    As the committee is aware, agencies make security clearance \ndecisions using a whole-person approach, meaning that \navailable, reliable information about the person, past and \npresent, favorable and unfavorable, should be considered by \nadjudicators in reaching a determination.\n    One component of that approach in the 21st century is the \ntopic of today's hearing, social media. ODNI, in its role as \nthe security executive agent, has developed a social media \npolicy that has undergone extensive coordination with relevant \ndepartments and agency officials. OPM looks forward to \nimplementing the policy as part of its ongoing efforts to \nstrengthen its investigative processes.\n    In April, OPM issued a request for information seeking to \nbetter understand the market and the types of products vendors \ncan provide to meet social media requirements. The RFI is in \npreparation for a pilot that OPM is planning to conduct this \nyear that will incorporate automated searches of publicly \navailable social media into the background investigation \nprocess. This planned pilot will be conducted by OPM in \ncoordination with the ODNI.\n    The pilot will obtain the results of searches of publicly \navailable electronic information, including public posts on \nsocial media from a commercial vendor for a population of \nsecurity clearance investigations using pertinent investigative \nand adjudicative criteria. This pilot is distinct from other \npilots in that it will assess the practical aspects of \nincorporating social media searches into the operational end-\nto-end process; the mechanics of adding this type of report to \na background investigation and the affects on quality, costs, \nand timeliness.\n    In addition, the pilot will assess the uniqueness of the \ninformation provided through social media checks as compared to \ninformation provided through traditional investigative sources.\n    Supporting the implementation of the NBIB and aiding its \nsuccess in all areas will continue to be a core focus for OPM, \nas well as the Performance Accountability Council, the PAC. Our \ngoal is to have the NBIB's initial operating capability \nofficially established with a new organizational design and \nleader in place by October 2016. The implementation work will \nremain to be done after that date.\n    On behalf of OPM, I am proud to be part of this most recent \neffort by the administration, and I look forward to working \nwith my colleagues on this panel and with this committee in a \nbipartisan manner on this important issue. I'm happy to answer \nany questions you may have.\n    [Prepared statement of Ms. Cobert follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    \n    Mr. Meadows. Thank you for your testimony.\n    Mr. Scott, you're recognized for 5 minutes.\n\n                    STATEMENT OF TONY SCOTT\n\n    Mr. Scott. Thank you.\n    Chairman Meadows, Chairman DeSantis, Ranking Member \nConnolly, Ranking Member Lynch, and members of the \nsubcommittees, I appreciate the opportunity to appear before \nyou today.\n    The administration recognizes the importance of gathering \naccurate up-to-date and relevant information in its background \ninvestigations to determine Federal employment and security \nclearance eligibility. And as a government, we must continue to \nimprove and modernize the methods by which we obtain relevant \ninformation for these background investigations.\n    Since 2009, various government agencies have conducted \npilots and studies of the feasibility, effectiveness, and \nefficiency of collecting publicly available electronic \ninformation as a part of the background investigations process. \nThose pilots have informed the development of a new social \nmedia policy that has been issued by the director of National \nIntelligence in his role as the security executive agent. And I \nwill defer to ODNI on the further details of this policy.\n    But as you know, OMB chairs the interagency Security and \nSuitability Performance Accountability Council, or PAC, to \nensure interagency coordination. And the new policy will \nreflect, I believe, an appropriate balance of a number of \nconsiderations, such as protecting national security; ensuring \nthe privacy of and fairness to individuals seeking security \nclearances and associates of that individual; the veracity of \nthe information collected from social media; and the resources \nrequired to process the collection, adjudication, and retention \nof the relevant data collected.\n    As the policy is implemented, the administration will \ncontinue to assess the effectiveness and efficiency of the \npolicy. To do so, the government must keep pace with \nadvancements in technology to anticipate, detect, and counter \nexternal and internal threats to the Federal Government's \npersonnel, property, and information. This need must also be \nconsidered with the full legal and national security \nimplications in mind. I'm confident that this new policy will \nstrike the correct balance between all of these considerations.\n    I thank the committee for holding this hearing and for your \ncommitment to improving this process. We look forward to \nworking with Congress, and I'm pleased to answer any questions \nyou may have.\n    [Prepared statement of Mr. Scott follows:]\n    \n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    \n     \n    Mr. DeSantis. [Presiding.] I thank the gentleman.\n    The chair now recognizes himself for 5 minutes.\n    And this is for each of you. Are your agencies utilizing \ncommercially available software to vet security clearance \napplicants, monitor security clearance holders, and detect any \ncybertheft of these individuals' personal information?\n    Ms. Cobert. Congressman, in the process of the \ninvestigations, we do work with commercial vendors of publicly \navailable vetted information. That is sort of our core element. \nWe use that and other methods to gather the information in the \ninvestigative process. I'm not sure if I've completely answered \nyour question.\n    Mr. DeSantis. Well, there's certain off-the-shelf \ntechnology that the Federal Government will use in other \ninstances, and I just wanted to ask if there is any type of \nprohibition on doing that or if you guys just aren't doing that \nor you're actually trying to using all the tools that are \npotentially at your disposal?\n    Ms. Cobert. We use a variety of tools to gather information \nfrom public sources, from both governmental and \nnongovernmental, so there's a variety of tools we use to do \nthat. Those are used to, you know, gather some of the \ninformation, whether there's a national, you know, law \nenforcement database from which we get information. We do, for \nexample, use electronic methods to gather appropriate--\nappropriately gather information about financial history. So we \ndo use some of those tools. I'd be happy to get back to you \nwith more of the specifics, if that would be helpful.\n    Mr. DeSantis. Okay. Thank you.\n    Mr. Evanina. Sir, I would concur with my colleague. I think \nwe encourage the most robust and effective, efficient tools \nthat are processed for ensuring a speedy, effective background \ninvestigation. That's going to be different--this process will \nbe different, depending which agency is doing the background \ninvestigation, the tools that they are capable of, the expense, \nand the number of--the volume of people that are applying for a \nclearance.\n    Obviously, we would encourage the ODNI, the most effective \nand efficient off-the-shelf capabilities, as long as it's \nwithin the rules, regulations, and policies set forth.\n    Mr. DeSantis. Let me ask you this: In the years leading up \nto Edward Snowden's theft of classified info, he made several \nposts to online forums using a consistent user name complaining \nabout government surveillance. And these posts may have alerted \nauthorities that he could be an insider threat. Have any of the \nsocial media pilot programs evaluated to date been capable of \ndetecting that sort of post where the subject is posting under \nan online identity that is not explicitly the individual's \nname?\n    Mr. Evanina. Sir, I'm not specific to the exact nature of \nthe depth and granularity of those particular pilots. But I can \ntell you, those particular posts from Mr. Snowden that he did \nwould not have been caught in the social media because it's not \npublic facing and there was private chats with other \nindividuals beyond the password protection.\n    Mr. DeSantis. So if they're using semi-anonymous names, to \nthe extent that there are public forums, would requiring the \ndisclosure of any alternative online identities on the FS-86 \nform be something that would be helpful?\n    Mr. Evanina. Sir, we're currently not planning on asking \nanyone to provide any other alternative passwords or email \naccounts or individual reference to their online persona.\n    Mr. DeSantis. So, basically, if--so we'll look at social \nmedia, if they're posting. If John Smith applies for security \nclearance and you'll look for John Smith, but if he goes by, \nyou know, Jack Scott, then you're just not going to require \nthat. So they can post whatever there and that's not going to \nbe something that would be considered?\n    Mr. Evanina. Not currently, unless they're willing to \nconsent to provide that information to us.\n    Mr. DeSantis. Okay. What reason could allow extensive \nquestioning of friends--so I mean, the FS-86 is a very \nintensive investigation. I mean, you'll call up people's \ncollege roommates. You'll call up people's neighbors when \nthey've lived--even if they've lived in a place for a short \nperiod of time. So there's a lot of extensive investigation. So \nwhy would you want to do that? And I'm not saying you shouldn't \ndo that, but why would you want to do that but then not get the \nwhole, I guess, picture of their online identities?\n    Mr. Evanina. Well, I think if the additional information is \nobtained that an individual has a pseudonym or has--an \nindividual has an offline persona that's different than his \nname, that can be pursued investigatively, but that's not \nsomething we are going to ask, or there's really not a way for \nus to identify Bob Smith who is really Dave Jones online \nwithout someone telling us that.\n    Mr. DeSantis. But what would be the reason to just--since \nthere's so much information required in the FS-86, what would \nbe the negative of just asking, hey, do you post online under \nany type of pseudonym?\n    Mr. Evanina. I think when you get past the public-facing \ninterface of social media, you get to the, I think, the border \nof privacy and civil liberties in terms of what are your \npractices beyond what you would do in the course of your daily \nlives. And by this, the analogy would be, we don't look at \ntheir emails and we don't look at their telephone conversations \nas part of the background investigation as well.\n    Mr. DeSantis. Okay. My time is up.\n    I now recognize the gentleman from Virginia for 5 minutes.\n    Mr. Connolly. Thank you, Mr. Chairman, and welcome.\n    Help me understand how this works. Because it's one thing \nfor a private individual to be sort of trolling in Facebook; \nit's another for the government to be doing it. And so how does \nthis work? I mean, I--somebody in government gets on the \nInternet and looks up your Facebook history? You're subject--\nyou're Harry Houdini. You've applied for a security clearance \nand we're looking at, you know, through social media, anything \nthat you used, Twitter, Facebook, YouTube, Hulu, whatever it \nmight be. So we just go online and look at whatever we can find \nunder his, Harry Houdini or Shirley Jones' name. Is that right?\n    Mr. Evanina. Sir, I'll start--I think----\n    Mr. Connolly. If you could pull the mic closer. Thank you.\n    Mr. Evanina. I'm sorry, sir.\n    Congressman, I think when we set forth this policy, we \nlooked at it and tried to provide the most flexibility for \ninvestigative agencies and service providers to do what they \nfeel is most practicable and most reasonable for their \nindividual agency. So, for instance, some of the bigger \nagencies may provide a data service provider, they aggregate \nthis data for multiple people to go out and do the search. We \nare clearly acknowledging that the effort will be exhaustive \ninitially to identify people's social media footprint that's \nout there.\n    Mr. Connolly. Okay. What are the red lights, though, that \nflag for us, got to follow up on this? So, you know, my \nFacebook posting, you know, we're talking about the block party \nfor July in my cul-de-sac. You know, talking about maybe a \nfamily reunion and interspersed with all of that, oh, by the \nway, the President needs to die. How do we flag the serious \nfrom the trivial and how do we make sure that if it's all \ntrivial, that's the end of it. It's deleted, it's not retained, \nbecause there may be other names in that Facebook. There may be \npictures of other people who are not the subject of an \ninvestigation, unless that association is suspect.\n    How do we make sure that we don't just have some enormous \ngovernment depository of personal information of American \ncitizens that's really not at all relevant, or parts of it may \nbe? How do we do that?\n    Mr. Evanina. That's a great question, Congressman. I think, \nputting this in context, the social media utilization is just \none tool of many that we currently already use in background \ninvestigations. And the collection and retention of that data \nwill be parallel to any other data we collect on an individual. \nAnd to your example of Facebook, and the examples you gave, the \nonly relevant information that were there for investigative \nadjudicative processes would be the issue to the President. All \nthe other stuff would not be retained, although we would \ncollect and retain the Presidential, if----\n    Mr. Connolly. Let me interrupt, though.\n    Mr. Evanina. Yes, sir.\n    Mr. Connolly. God forbid, but should there be such a \nreference, well, the other stuff is not being retained. \nActually, I might now want to take a fresh look at your \nassociations because maybe they're involved or--I mean, \nwouldn't we want to check that out?\n    Mr. Evanina. Sir, so I was going to say----\n    Mr. Connolly. If for no other reason than to talk to the \nneighbors to say, does Harry Houdini talk this way often? Have \nyou ever heard him--you know, right?\n    Mr. Evanina. Right. So the social media application here, \nlike many other tools that are at the disposal of \ninvestigators, would provide an investigative lead. So that \nparticular post on your Web site would lead to an investigative \nlead to be furthered up with your colleagues, your family, your \nfriends, your neighbors as just another lead; no different than \nwe would find in an anomalous financial disclosure.\n    Mr. Connolly. Ms. Cobert and Mr. Scott, in the time I have \nleft, I'd be derelict on behalf of my constituents if I didn't \nreturn to the OPM security breach, and if you can take some \ntime to bring us up to date. Weaknesses identified, have they \nbeen addressed so that there can't be a recurrence? And how are \nwe coming in trying to make people whole again in terms of the \ncompromise of their personal information?\n    Ms. Cobert. Let me start in the response to that one. In \nterms of improving the security of our systems, we have made \nsignificant strides in our ongoing effort and we will continue \nto do so. Working closely with DHS, with DOD as part of the \nNBIB standup, we actually have staff from DOD now on site \nworking with us as well as ongoing working sessions. We've \ninstalled the latest versions of EINSTEIN. We've got a whole \nseries of improvements that we've made to our firewalls. We now \nhave the ability to much----\n    Mr. Connolly. Excuse me, EINSTEIN 3 is in place now?\n    Ms. Cobert. We are one of the first agencies to put that in \nplace.\n    Mr. Connolly. Because it wasn't in place at the time of the \nbreach, right?\n    Ms. Cobert. No.\n    Mr. Connolly. Right. Excuse me.\n    Ms. Cobert. So we continue to work to try and put in place \na whole series of tools and we've seen real improvements in \nthat, as well as strengthening. We have a new chief information \nsecurity officer. I could go on and on, but we still will \ncontinue to work at that issue.\n    In terms of the individuals whose information was taken, we \nhave the identity theft, identity monitoring contracts in \nplace. We continue to monitor those in terms of the quality of \ntheir customer service. We are also actively working to put in \nplace the provisions to extend the identity theft insurance to \n$5 million, as well as being in the process of figuring out how \nto extend those to the 10 years that was also approved by \nCongress. So we continue to work at these quite closely, \nincluding with Tony and the team from OMB.\n    Mr. Scott. And I would just add, I'm seeing almost as much \nof Beth as I did when she was at OMB as we work on this \nproject. And Beth and I and the DOD CIO meet regularly to \nreview the progress that the teams are making in both the \ntransition, but also ensuring the security and integrity of the \nexisting system. So I'm pleased with the progress.\n    Mr. Connolly. Thank you.\n    Thank you, Mr. Chairman.\n    Mr. DeSantis. The chair now recognizes the gentleman from \nGeorgia, Mr. Hice, for 5 minutes.\n    Mr. Hice. Thank you, Mr. Chairman.\n    Mr. Evanina, let me begin with you. As we all know, in \n2008, there was a commissioned study in regard to showing the \nbenefits of examining certain aspects of social media. Why has \nit taken 8 years to implement this thing, to get it started?\n    Mr. Evanina. Congressman, I can't really answer the 8-year \nissue, but I can tell you that to get to where we are took a \nlot of extensive effort and interagency coordination to be able \nto strike the right balance between what we need to obtain or \nshould be obtained reasonably from social media in the ever-\ngrowing Internet age and balance that with the civil liberties \nand privacy of our, not only clearance holders, but U.S. \ncitizens. So that process not only was exhaustive, but it was \nthe right thing to do.\n    Also, I think with the pilots that have started and \ncontinue to move on, we haven't really identified the correct \nvalue or weighted measure for what the efforts of social media \ncollection will be or has been. So we're still efforting the \npilot process to identify, is the effort resource allocation \nworthy of collecting other social media and using it as part of \nthe background investigation process, number one. And number \ntwo, if it is, where do we allocate that within the \ninvestigative process, the beginning, the middle, the end? \nBecause it will be resource intensive.\n    Mr. Hice. Well, it seems like 8 years is an awfully long \ntime to try to find a balance between privacy and, you know, \nthat which is public information. I mean, this is not highly \nprivate information that people are publicizing out on social \nmedia like this, and I understand that we want to be very \ncareful with that. We all do. But----\n    Well, let me ask you this: It seems that the new policy \nthat we saw this morning, that within there--and correct me if \nI'm wrong, but it seems like finding information on an \nindividual's background appears to be largely at the discretion \nof individual agencies. Can you tell me why ODNI decided to \nleave that decision to individual agencies rather than opening \nthis up for all departments of our Federal Government?\n    Mr. Evanina. That's a great question, Congressman, but I \nwill say that there's only 22 agencies who have the authority \nto conduct background investigations. So--and they do that on \nbehest of all the other Federal organizations or agencies' \ndepartments who require that. So those individuals, the ones \nwho are covered under this policy, the policy was purposely \nmade flexible because I will proffer that from 2008 till 2 \nyears ago, the social media definition has changed dramatically \nand will continue to change.\n    So in order to provide the agencies who conducted the \ninvestigations the maximum flexibility to go about utilizing \nsocial media as part of this process was paramount in this \neffort. Because I'm pretty sure a year from now, the social \nmedia definition may change, and we wanted to make sure that \neach agency had the flexibility, from a resource perspective, \nto identify the best, most efficient way to implement this \npolicy.\n    Mr. Hice. Do you believe those other 22 agencies will begin \nutilizing this?\n    Mr. Evanina. I do.\n    Mr. Hice. Okay.\n    Ms. Cobert, could you explain how OPM plans to implement \nthis policy?\n    Ms. Cobert. Thank you, Congressman. As I mentioned in my \ntestimony, we are working through this pilot process to figure \nout the best way to utilize social media as a standard, \nconsistent part of the process. As Mr. Evanina described, we \nare committed to its value. It's a question of how.\n    We need a way to make sure that when we gather information \non social media, it's accurate. It's is not always accurate. \nWhat you find is not always the reality. We need to find a way \nto make sure, as we do this, that we have the resources to \nfollow up on whatever information is revealed. How do we get \nthose resources to follow up on those things?\n    And so that is the goal of this pilot, is to embed it into \nthe operational process. Are there places where, by using \nsocial media or other tools, we can replace some steps that \nexist today, take those resources and deploy them to something \nelse? Are there other cases where the value of the information \nwill merit adding additional resources? So that is the issue \nwe're working through.\n    And the pilot process that we are starting, we'll be \nstarting that pilot before the end of this fiscal year. We also \nwill continue, through the PAC and other forums, working with \nDOD and other agencies as they start to implement this so we \nall can learn from each other. We've got to figure out how to \ndo this right and to do it at scale, and we want to move \nexpeditiously but cautiously as we do that.\n    Mr. Hice. Thank you. Could you provide the committee with a \ntimeframe for implementation, besides just by the end of the \nyear, a more specific timeframe?\n    Ms. Cobert. We'll get back to you. The first piece is the \npilot and then we will take that learning. But we're happy to \nprovide you some more information on what we're doing next.\n    Mr. Hice. Okay. Thank you very much.\n    I yield back.\n    Mr. DeSantis. The gentleman's time has expired. The chair \nnow recognizes Mr. Lynch from Massachusetts for 5 minutes.\n    Mr. Lynch. Thank you, Mr. Chairman. And I want to thank \neverybody for holding this hearing and thank the witnesses for \ntheir help.\n    You know, every once in a while, my happy talk alarm goes \noff and sometimes I think I'm hearing happy talk and I think I \njust heard some.\n    Look, I appreciate the idea that, you know, we got this 8-\nyear continuum of improvement and we're trying to improve our \nsystems and, you know, there's this cautious progress of \nprotecting and balancing, you know, private information, \nversus, you know, doing these background checks. But the \nreality on this committee is 10 months ago, Ms. Cobert, your \npredecessor, Ms. Archuleta, sat there and told me that, 10 \nmonths ago, we were not even encrypting the Social Security \nnumbers of the 4 million people who were hacked at OPM. That's \nthe reality. Ten months ago we weren't even encrypting Social \nSecurity numbers. And she painfully had to admit that, and her \nlegal counsel was with her and they confirmed that fact.\n    So I'm very concerned about what is happening. And I am \nvery encouraged that DOD is going to take over cybersecurity in \nyour shop and you're going to help them with that. How is that \ngoing? And what steps have you taken--be specific--that should \ngive me some level of reassurance that we don't have another \nproblem like that?\n    Ms. Cobert. Thank you, Congressman. Let me start with how \nwe're working with DOD in the standup of the NBIB, and then I \ncan come back to some things we have underway and that we will \nbe doing in that context.\n    We are working very closely with DOD, as Mr. Scott \ndescribed, in a process to do two things.\n    Mr. Lynch. Let me just cut you off because I don't want to \ngo into this long diatribe. But have you encrypted the Social \nSecurity numbers for all of the employees right now at OPM?\n    Ms. Cobert. There are still elements of the OPM systems \nthat are difficult to encrypt. We have a multilayer defense.\n    Mr. Lynch. And you've got all of these different systems \nand I understand that. I'be been at this a while, okay, and we \nhave tried to get ahold of this. And I've been here for years \nworking on this problem and it's been very difficult. And \nthere's no shame in admitting how difficult that is. What I \ndon't want is happy talk that it's all going well. That's the \nproblem. Because then we'll have another hearing and, you know, \nthere will be a lot of gnashing of teeth and criticisms, you \nknow, and there will be somebody else in your spot.\n    So what I'm trying to get at is, what are we actually--what \nare we getting done and where are the obstacles? If there are \nobstacles here in terms of what you're trying to do--and I \nbelieve you're all trying to do the right thing. Mr. Scott as \nwell. You can get in on this because you're part of this.\n    You know, what are we actually doing to try to protect the \ninformation that we do gather?\n    Mr. Scott. Well, I would say, as Beth was saying, there's \nbeen all kinds of work done in this area, penetration testing, \nnew tools deployed, multiple examinations, and ongoing help \nfrom DOD, DHS, and so on. So I think OPM actually is leading \nFederal agencies right now in terms of, you know, their efforts \nand the amount of progress that they've made. They've applied \ntools to the limits that they can within the limits of current \ntechnology. But as Beth said, there's some things that just \ncan't be encrypted because the technology doesn't allow it.\n    Mr. Lynch. DOD's funding in this area is much better than \nOPM's and some of the other departments. And so are we using \ntheir personnel now? Have they come over and taken over this?\n    Mr. Scott. Absolutely. They've been in there side by side \nwith the team at OPM helping not only review, but look at \narchitecture and also build out the plans for the future NBIB \ntechnology. So I'm pleased with where it's going. I don't think \nthere's anybody who would say our job is done or that we're \nnot, you know, interested in pursuing what else we can do.\n    Mr. Lynch. The cost estimate, you know, we've had some \npilot programs that tell us it's somewhere between, you know, \n$100 and $500 per person for a private vendor to do these \nscreenings, this gathering of social media information. Is that \npretty close to what the--in practice what we're finding?\n    Mr. Scott. Yeah, I would say some of the pilots that have \nrun, the estimates have been in that range. Clearly, one of the \nthings that will have to happen, and I think the pilots will \ninform this, is some greater level of automation. As you can \nprobably appreciate, when you do a search, you get a ton of \ndata that has to be sifted through and adjudicated.\n    Mr. Lynch. Right.\n    Mr. Scott. And I happen to be a person who has a name \nthat's shared with, you know, a professional baseball player, a \nprofessional musician, a movie director, and a bunch of other \nthings, and just a simple search would turn up a bunch of crazy \nstuff that wouldn't be relevant.\n    Mr. Lynch. Yeah.\n    Mr. Scott. So some degree of automation, ultimately, is \ngoing to have to help bring the cost down of that.\n    Mr. Lynch. All right. I see my time has expired.\n    Mr. Chairman, thank you for your indulgence, and I yield \nback.\n    Mr. Meadows. [Presiding.] I thank the gentleman.\n    The chair recognizes the gentleman from Kentucky, Mr. \nMassie, for 5 minutes.\n    Mr. Massie. Thank you, Mr. Chairman. This is a great \nhearing. Thank you for conducting it.\n    I have a friend who suggests that the government should \noutsource this background research to the consultants that do \nopposition research on us, on the politicians, because they \nseem to find anything all the way back to junior high. But on a \nserious note, though, you know, I see Edward Snowden as an \nexample here in our notes as somebody who maybe you would have \nknown something about if you had done social media research. \nThat may or may not be true.\n    But one thing that does stand out is that political \ncontributions are available online and they--and I suppose even \nbefore social media and the online availability of this, they \nwere available. So you already have an analog or probably a way \nof considering whether you should consider or not consider \npolitical contributions when doing background research.\n    But now that you have social media available to you, \nthere's another layer of transparency--or layer of opaqueness \nthat has been removed. You can see where somebody supports a \npolitical candidate or not. By the way, Edward Snowden and I \nhave similar contribution histories so--and my colleague here \nsuggested that you should be suspect of anybody that \ncontributes to me as well.\n    But my question is this: Do you, Mr. Evanina, do you take \ninto account political support when you're doing background \nresearch in social media?\n    Mr. Evanina. We do not. I mean, I think it's important for \nthe committee to understand that the investigators who conduct \nthe background investigations are very well trained and they \nfollow the Federal investigative standards. And there are \nplenty of policies that they put forth in their rigorous \nbackground investigation and they conduct investigations on \ninformation obtained that's relevant to whether or not you're \ncapable of obtaining and holding a security clearance. So a \npolitical contribution would not be one of those.\n    Mr. Massie. So if they encountered somebody who in their \nsocial media supported a candidate who was strong on the Fourth \nAmendment and believed very strongly in the right to privacy--\nand there are different interpretations of the Fourth \nAmendment. I'm not saying everybody doesn't believe strongly in \nthe Fourth Amendment--that wouldn't be a consideration?\n    Mr. Evanina. Absolutely not. Whether you believe in the \nFourth Amendment would not have any predication on whether you \ncould hold or maintain a security clearance.\n    Mr. Massie. Thank you very much.\n    And I will yield back my time.\n    Mr. Meadows. I thank the gentleman.\n    The chair recognizes the gentlewoman from Illinois, Ms. \nKelly, for 5 minutes.\n    Ms. Kelly. Thank you, Mr. Chair.\n    Many of us have become so accustomed to using technology in \nour day-to-day lives that it seems second nature to examine the \nsocial media accounts of individuals applying for security \nclearance. However, it's important to note that when \nincorporating social media into the Federal background check \nprocess, a number of steps must be taken that go far beyond \nthose we view as a friend's Facebook profile.\n    Ms. Cobert, OPM conducts approximately 95 percent of \nbackground checks governmentwide. That's in our notes. The \ninitial data collection portion of these investigations is \ncompleted by Federal contractors, in part, because you must \ncomply with the various laws governing what information can be \ncollected, used, and stored by the Federal Government. Is that \naccurate?\n    Ms. Cobert. Congresswoman, we work with Federal contractors \nin the investigative process to enhance our capacity to conduct \nbackground investigations. They have to follow the same Federal \ninvestigative standards that Mr. Evanina referenced. There, the \nindividuals from those contractors who work on investigations \nalso have to undergo thorough training against those standards, \nand we work to ensure that that is the appropriate training.\n    Ms. Kelly. Okay. The incorporation of social media data is \nnot as simple as it may sound to many people, so I'd like to \ndelve a little deeper into how we get from a vendor running \nquery for publicly available information to the point at which \nwe have valuable verified information for use in the \nadjudication process. Again, to begin with, contractors must \nconduct social media checks on clearance applicants based on \nguidance from you about the kind of information relevant to \nclearance investigations. Correct?\n    Ms. Cobert. We are going to start with the social media \nthing, the social media efforts with the pilot I mentioned. \nThat will help us understand what kind of guidance we should be \nputting in place when individuals are conducting social media \nsearches to verify that information, to ensure we're focused on \nthe pieces that are relevant to a security clearance, not the \nother issues that are not part of the process. That's why we're \ngoing to work this through in a pilot so we can create \nstandards and processes that will get us relevant information, \nreliable information, and protect privacy.\n    Ms. Kelly. And then your current contractors will need \nproper training and proper guidance to do all of that.\n    Ms. Cobert. They will need training. Yes, they will.\n    Ms. Kelly. Once the data has been collected, a human being \nis necessary to make a judgment and verify that it does, in \nfact, belong to the individual in question.\n    Ms. Cobert. We are working to find the processes that will \nenable us to, in fact, match individuals. As Mr. Scott \ndescribed, there are multiple Tony Scotts. So we are working \nthrough the pilots, and I think this will be an ongoing \nprocess, to see where are the places where we need human \nintervention; where are the places where technology can help \nwith that resolution?\n    Ms. Kelly. Okay. Mr. Evanina, can you speak to some of the \nchallenges associated with verifying identities in social media \ndata?\n    Mr. Evanina. Yes, Congresswoman. I think the challenges \ncannot be understated in where we're headed in terms of, number \none, identity resolution. As my colleagues have mentioned, the \nability to identify Bob from--or Mr. Scott from Mr. Scott and \nall that goes with it, the resources that it will take to make \nsure that we are firmly in agreement that Mr. Scott is Mr. \nScott. Then, what we found out on Mr. Scott, is it \ninvestigatively and adjudicatively relevant? Does it make sense \nto put forward? And if it is, then it gets put in the same box \nall other investigative data would be to make sure that it \nfollows the policies, procedures, and the investigative \nstandards and guidelines.\n    I want to reiterate that social media identification of \ninformation is in the same box of all other tools and \ntechniques investigators have.\n    Ms. Kelly. And even after we have verified an individual's \naccount, additional manual processing is needed in order to \nanalyze, interpret, and contextualize information, particularly \nphotographs. Is there any way to fully automate the analysis of \nphotographs?\n    Mr. Evanina. Well, I want to refer back to my colleague, \nMs. Cobert, in terms of the ability to maximize any type of \nautomation we can to facilitate not only the effectiveness of \nthis tool, but at the end of the game. But I want to inform the \ncommittee that at the end of the day, no matter what we \nidentify, the adjudicator is a fundamentally government role. \nSo the adjudicator will make the ultimate decision if the \nindividual is Mr. Scott, the information pertaining to him is \ninvestigatively relevant, and it should be a value-add to \nwhether or not he gets a clearance or not.\n    Ms. Kelly. Okay. Thank you.\n    I yield back the balance of my time.\n    Mr. Meadows. Thank you.\n    The chair recognizes the gentleman from South Carolina, Mr. \nMulvaney, for 5 minutes.\n    Mr. Mulvaney. I thank the chairman for the opportunity. \nThank you all for coming. I've just got a couple sort of random \nquestions.\n    Mr. Evanina, you said something during your opening \nstatement I want to go back to, which is you--and a couple of \nyou used the same terminology and maybe I just don't understand \nthe issue. And full disclosure. Mr. Massie and I are sort of in \nthe libertarian-leaning wing of the party, so we take civil \nliberties very seriously. And you mentioned that there were \ncivil liberties concerns, I think, in doing this research in \nthe first place. I don't get that.\n    What civil liberty of mine could be at risk from you doing \nresearch on me?\n    Mr. Evanina. Well, I--correct. I don't think in terms of \nthe previous pilots and this particular policy----\n    Mr. Mulvaney. Right.\n    Mr. Evanina. --in order to get to where we were, we had to \nnegotiate strongly to ensure that each individual who applies \nfor a security clearance, we are going to protect their privacy \nand civil liberties, at the same time collect the information \nthat we deem necessary to ensure they can get a clearance.\n    Mr. Mulvaney. And, again, I'm not trying to split hairs \nwith you, but if I'm coming to you--and we've had this--a very \nsimilar discussion, Mr. Chairman, when it comes to folks who \nwant to come into the country on various visas. The lady who \nshot the people in San Bernardino came on a fiance visa, and we \ndidn't do any social media on her. And one of the arguments we \ngot from customs enforcement was that it would violate her \ncivil liberties to go and do that. Okay?\n    If I come to you and I'm asking for a job, or I'm asking in \nmy current job to get a security clearance, can't you just get \nmy permission to go look at everything?\n    Mr. Evanina. Yes, sir. As a matter of fact, when you apply \non an SF-86, the very first thing you get to do is consent to \nthe government searching you, not only with regard to social \nmedia, but all your other financial, medical records, you \nconsent to do that on the SF-86.\n    Mr. Mulvaney. Okay. So there's no privacy concerns. Because \nI have the right to waive that and I do. Right?\n    Mr. Evanina. That's correct.\n    Mr. Mulvaney. So there's absolutely no privacy issue on the \nfront end when you're doing your background research on me, \ncorrect?\n    Mr. Evanina. As long you consent to it----\n    Mr. Mulvaney. Right.\n    Mr. Evanina. --on your SF-86.\n    Mr. Mulvaney. Okay. Good. Good. Then we're all on the same \npage. Because then the real privacy concerns comes with what \nMr. Lynch mentioned, which is what do you do with the \ninformation on me after you have it? Because while I consent to \nlet you go and get it, I certainly don't consent with you \ngiving it to other people.\n    So I think that's why the focus, I think, for many of us \nwho are interested in our civil liberties there is what are you \ndoing after you have it. And I want to go a little bit deeper \nthan just the Social Security numbers, because I think Mr. \nLynch properly pointed out, what are you doing with Mr. \nMassie's medical records when you're doing the research on him? \nHow are we----\n    Mr. Connolly. Massie.\n    Mr. Mulvaney. Yeah, especially on Massie, right? And his \nmental health records. No.\n    Mr. Connolly. Actually, I've got it right here. Page 17 is \nkind of interesting.\n    Mr. Mulvaney. So tell me about that. Because, again, we all \nknow about the risks. Everyone in the country now has gotten a \nhard wire to sort of think, well, my Social Security thing is \nreally important. I hope they're protecting that. But what \nabout the stuff that doesn't, on its face, look like it could \nbe damaging to us?\n    You know, maybe Mr. Scott went to marriage counseling. \nOkay. Not illegal. And I don't even know if that's true, and I \nam not even suggesting it is. I am using it as an example. It's \nnot illegal. It's certainly not the type of thing, though, that \nyou want to have public. What are you doing to protect that \nkind of information? Not just the number data, not just the \nSocial Security numbers, but the detail, the meat of the stuff \nthat you might find on anybody that you're looking at.\n    Mr. Evanina. I'll start and pass to my colleague, but I \nwant to ensure that the only collection and retention of data \nwill be what is investigatively relevant to completing and \nauthorizing a background investigation. If it's not relevant to \nyou obtaining a clearance, it won't be retained.\n    Mr. Mulvaney. Okay. Let's focus on that one word then, \nbecause again, that's an open-ended questions that I've asked. \nLet's narrow it down.\n    Nothing is not retained anymore. Okay. Once you have it, \nit's some place. Even if you hit erase on your hard drive, it's \nsome place. So what are you doing to make sure the stuff that \nyou don't retain really isn't retained?\n    Ms. Cobert. Congressman, when we get the records of your \nbackground investigation, we have a set of rules and guidelines \nthat govern those, that govern the sharing of those. So it is \nused for the investigative decision, but there are very \nspecific guidelines about how that information is used. We have \nspecific guidelines about records retention consistent with \nNARA and their policies.\n    And a core element in the cybersecurity design of our \nsystems, particularly as we're thinking about as we go forward, \nis how do we make sure we've got the appropriate protections in \nplace for all of that information, not just Social Security \nnumbers?\n    But there are very explicit policies around records \nretention, around records sharing, both externally within the \ngovernment. Right. This information was gathered for a specific \npurpose. That's what it was used for, and there are guidelines \naround that in place.\n    Mr. Mulvaney. Just a quick question, and I honestly don't \nknow the answer. But when the data was hacked that Mr. Lynch \nmentioned before, was it just Social Security numbers that were \nlost or was it other information as well?\n    Ms. Cobert. The information that was lost was data in \npeople's backgrounds investigation, so it included a range of \ninformation, not exclusively Social Security numbers.\n    Mr. Mulvaney. Thank you.\n    Thank you, Mr. Chairman.\n    Mr. Meadows. I thank the gentleman.\n    The chair recognizes the gentleman from California, Mr. \nLieu, for 5 minutes.\n    Mr. Lieu. Thank you, Mr. Chair.\n    My questions are for Mr. Evanina. First of all, thank you \nfor your service, and I support incorporating social media into \nFederal background investigations.\n    I have a broader concern which is whether race or ethnicity \nplay a role in security clearance denial or granting. And let \nme give you some context for this. Recently, four American \ncitizens were arrested and indicted for espionage, and then all \ncharges were dropped. These were in different cases, and it \nturned out that the government just got it wrong. And the one \nfact that was the same among all these cases is the defendants \nlooked like me. They happened to be Asian Americans. The cases \nof Sherry Chen, Xiaoxing Xi, Guoqing Cao, and Shuyu Li. Their \nlives were turned upside down because of what our government \ndid. The New York Times has asked our government to apologize.\n    I wrote a letter signed by over 40 Members of Congress \nasking the Department of Justice to investigate. Since I wrote \nthat letter, our office has been contacted by Federal employees \nwho happen to be Asian American alleging that their security \nclearance was denied because of their race or ethnicity. And so \nmy question to you is, does race or ethnicity play a role in \nFederal background investigations?\n    Mr. Evanina. Sir, absolutely not, and it's unequivocally \nnot. I don't think there has ever been a situation where an \ninvestigator has used race or ethnicity for any determination \nof a clearance for a U.S. citizen, number one.\n    Number two, the situation you referenced, I could say that \nwith 19 years in the FBI, I could assure you that the FBI does \nnot conduct investigations relevant to whether your race or \nethnicity comes to play.\n    Mr. Lieu. Thank you. Let me ask you a question about how \nthis policy would be implemented in terms of social media. \nLet's say a Japanese American Federal employee has a Facebook \npage, and friends of this Federal employee living in Japan or \nrelatives post on that Facebook page. Does this Federal \nemployee become more suspicious because of that?\n    Mr. Evanina. Absolutely not. And the only issue would be if \non that public facing Facebook page there is derogatory or \nnegative information that's relevant to an adjudication of \ninvestigation, will result in a followup lead. But otherwise, \nit would not.\n    Mr. Lieu. Thank you. The U.S. Government, under the Obama \nadministration, runs something called the insider threat \nprogram, where Federal employees are asked to report on other \nFederal employees who may be suspicious. Is race or ethnicity \nallowed to be taken into account under that program?\n    Mr. Evanina. Sir, first of all, the National Insider Threat \nTask Force is housed within my shop, National \nCounterintelligence Security Center. And, again, unequivocally, \nrace or ethnicity has no part in the insider threat process or \nthe criticality that we have across the government.\n    Mr. Lieu. Are Federal employees, when they're given \ntraining on the insider threat program and how to report, are \nthey given that training about race and ethnicity playing no \npart?\n    Mr. Evanina. Well, I think the race--any fundamental \ntraining regarding race and ethnicity crosses all boundaries, \nnot just investigative. That's part of the Federal workforce \nand our fabric as Americans, number one.\n    But in terms of the Insider Threat Task Force, race, \nethnicity, or any other type of genre of covered classes is \nnever a part of the Insider Threat Task Force. We are--our \nnumber one mission is to identify potential insiders, spies, \nespionage matters, or those who seek to do harm to others.\n    Mr. Lieu. Could you provide my office with guidance in how \nyou train Federal employees?\n    Mr. Evanina. Absolutely, sir.\n    Mr. Lieu. Great. Thank you.\n    I've gone to a number of national security events and \nbriefings, and I think it's not a secret that our national \nsecurity establishment looks very nondiverse. And there's been \narticles about the State Department having trouble recruiting \npeople who are minorities. And I'm wondering if that has \nanything to do with security clearances and the inability of \nsome folks, who are minorities, who might not be able to get \nthem. Could you provide my office with some data or statistics \non who gets security clearances based on race and ethnicity?\n    Mr. Evanina. I'm sure we can, sir.\n    Mr. Lieu. Great. Thank you.\n    And with that, I yield back.\n    Mr. Meadows. I thank the gentleman.\n    The chair recognizes himself for a series of questions, and \nI'll be very brief.\n    Let me follow up on a couple of clarifying things. You have \nobviously put out this new policy, and we applaud that. We \nthank you for that.\n    Is there any particular legal reason or practical reason \nwhy we would not be asking them for their online identities?\n    Mr. Evanina. Well, sir, I think as part of the SF-86 \napplication, and when you write your name, Bill Evanina, it's \nasked, do I have any other names or aliases that I go by. So \nthat's the first----\n    Mr. Meadows. Yeah, but I'm talking about online identity. \nSo, I mean, you know, Twitter, Facebook, you know. Because I'm \nnot going to give it in a public forum, but I have actually \nTwitter accounts that don't actually have my name associated \nwith them, and yet I would tweet out things based on that. So \nis there any reason why we wouldn't ask for those types of \nthings, practical or legal?\n    Mr. Evanina. I don't believe it's a legal issue. I think \nit's a policy issue, and I think we have to have some clear \ndifferentiation between what is investigatively relevant. And \nwe can get to those areas of----\n    Mr. Meadows. But if we're talking about social media, that \nwould be relevant. I mean, there's no expectation of privacy, \nother than--well, you know, you could perhaps make the case if \nI'm wanting to be private about it, I'm not putting my name. \nBut if you just ask for those online identities, would the \nonline identities be synonymous with an alias?\n    Mr. Evanina. They could be, sir. There absolutely could be, \nbut we----\n    Mr. Meadows. So I guess if there's no legal or practical \nreason why we wouldn't do it, why would it not be part of your \nnew policy?\n    Mr. Evanina. Again, I will say that the policy is a start \nwhere we're going right now to get where we are.\n    Mr. Meadows. So are you willing to look at that particular \ncomponent about asking for other online identities and maybe \nreport back and your philosophy here within the next 60 days to \nthis committee?\n    Mr. Evanina. Sir, I think we're willing to look at all \nsuspects of social media and how it pertains to the background \ninvestigation process.\n    Mr. Meadows. But, specifically, with regards to that \nquestion, are you willing to look at it and just report back? \nI'm not asking----\n    Mr. Evanina. Yes, sir.\n    Mr. Meadows. --you to give me a definitive answer; just \nthat you get back to this committee on what your opinion is----\n    Mr. Evanina. Yes, sir.\n    Mr. Meadows. --on why you should or should not do that.\n    Mr. Evanina. Yes, sir.\n    Mr. Meadows. All right. Thank you.\n    Ms. Cobert, I'm going to finish with you, and it's really \nsomething from in the past. And I just would like to ask you, \nwith regards to the CIO and IG relationship, how would you \ncharacterize that from where it has been and where it is today? \nAnd if you can speak to that.\n    Ms. Cobert. Thank you, Congressman. Let me turn it on. \nThank you, Congressman. We have been working across the agency \nto strengthen our effectiveness of our dialogue with the CIO, \nand I believe we've made real progress in a number of different \nareas.\n    We've set up a cadence of regular communications at my \nlevel with the inspector general, currently acting inspector \ngeneral. On a biweekly basis we meet and get an overview of the \nissues. We have specific working teams that meet on a periodic \nbasis as well, both around the CIO, around procurement. We set \nup that same kind of mechanism around the standup of the NBIB, \ngiven the oversight issues there and making--wanting to make \nsure we get those right.\n    So I think we've made considerable progress in terms of the \ndialogue, the clarity of the communications. We welcome their \ninput on what we could be doing as better, as we welcome input \nfrom our colleagues here and elsewhere.\n    Mr. Meadows. So you would characterize it as much improved \nunder your leadership?\n    Ms. Cobert. I would characterize it as much improved, yes, \nsir.\n    Mr. Meadows. All right. Thank you.\n    The chair recognizes Mr. Lynch for a closing question or \nstatement.\n    Mr. Lynch. Thank you, Mr. Chairman.\n    And, again, I want to thank you for being here. I want to \nask you a question sort of off the grid here. I appreciate that \nyou're making progress, and that's a good thing, and we're \nworking together with DOD to secure our systems.\n    There's another issue. You know, these hackers have become \nso proficient. You know, this morning we got news that the \nSWIFT, you know, commercial bank system--I think it's 11,000 \nbanks and companies that handle international banking \ntransactions, they were hacked again. They were just hacked \nthrough Bangladesh and the New York Fed, which is troubling, to \nthe tune of about $81 million. Now we find out there's another \nhack going on similar to that one. So they are being breached.\n    The FDIC, Chinese hackers, news, again, this morning, that \nthe FDIC has been hacked. And these are entities that have \nfairly robust, you know, protections. And we're about to enter \ninto this--well, we're about to debate the Trans-Pacific \nPartnership, and one of the provisions in that Trans-Pacific \nPartnership requires U.S. companies to establish databases in \nthe foreign countries. There's about 12 countries. But, you \nknow, one of them is Vietnam, a Communist country.\n    So we would have to--the U.S. companies will have to \nestablish, physically, databases in those countries, Malaysia, \nVietnam. And a lot of the banks and companies involved here are \nvery concerned about the security aspect of this overseas.\n    And I just wonder, especially, Mr. Evanina, you know, I \nknow you worry about this stuff all the time; as well, you \nknow, Ms. Cobert, you are dealing with; Mr. Scott, you as well. \nWhat about that dimension of this? I know it's not--you know, \nyou weren't prepared this morning to address this question, and \nI appreciate it if you want to take a pass, but I'm just \nworried about that, about it's tough enough to protect the data \nwhen it's in the United States. And now we're being asked to \nforce our companies, if they're dealing in international trade, \nto actually deposit their data in these foreign countries that \ndon't have the security protections that even we have.\n    Mr. Evanina?\n    Mr. Evanina. Sir, I concur with your concern for \ncybersecurity and the need for us to be prepared to at least \nmeet where we are in the global economy. I'm not particularly \nfamiliar with the requirements contained within this policy, so \nI can't speak to that. But under the purview of national \nsecurity, the cyber threat is real. And I think we have to take \nthat into consideration for anything we do moving forward, \nwhether here domestically in the United States or any of our \nbusinesses and government operations overseas.\n    Mr. Lynch. Okay. Thank you.\n    Ms. Cobert, Mr. Scott, you want to take a bite at that, or \nyou all set?\n    Mr. Scott. Well, I would just say, one of the lessons \nlearned, I think, worldwide has been that cybersecurity knows \nno national boundaries and, you know, concerns about \ncybersecurity are, you know, global. Physical location is one \nelement, but probably in the case of cybersecurity, not the \nmost dispositive in terms of the concerns I would have. It's \nmore about the secure-by-design sort of notion, you know, what \nhave you put in place and how well is it implemented, and so \non. So those would be more my primary concerns.\n    Mr. Lynch. Yeah, my----\n    Mr. Scott. In some cases, the physical location.\n    Mr. Lynch. Right. My concern is obviously the Communist \ngovernment in Vietnam is going to require access. So that was \nmy concern. You have suffered enough.\n    I want to yield back. Thank you.\n    Mr. Meadows. I thank you.\n    And I want to thank all the witnesses for being here today. \nAnd if there's no further business before the subcommittees, \nthe subcommittees stand adjourned.\n    [Whereupon, at 10:15 a.m., the subcommittees were \nadjourned.]\n\n                                 [all]\n\n\n\n</pre></body></html>\n"