Glenn Fine, a fellow at the Brookings Institution, is a former inspector general of the Justice Department and acting inspector general of the Defense Department.
The devastating leak of classified documents, allegedly by Jack Teixeira, a member of the Air National Guard, raises a host of troubling questions: How did a 21-year-old come to have seemingly unfettered access to so much top-secret information? Did he undergo a thorough background check? Did he have a need to know all that information? Was anyone monitoring whether he was inappropriately accessing, downloading or printing documents? How was he able to take so many documents from a classified facility without raising suspicion?
Teixeira’s case amply demonstrates the need for a probing review and reform of the federal government’s internal security practices. But we’ve been down a similar road before — in the case of Robert Hanssen, the most damaging spy in FBI history.
Hanssen was an FBI special agent who worked primarily on counterintelligence assignments. He spied for the Soviet Union and Russia for more than two decades before his espionage was finally uncovered in 2001. By then, he had compromised some of our country’s most important intelligence assets and military secrets, including the identities of dozens of human sources, at least three of whom were executed.
I was the inspector general of the Justice Department when Hanssen was arrested. The FBI established an internal review body, led by former FBI director William Webster, to study the bureau’s security programs. At the same time, Congress and the attorney general asked my office to conduct an independent investigation to determine why Hanssen had committed espionage, why the FBI had failed to detect his security breaches and spying for so many years, and whether changes in FBI internal security practices were needed.
After Hanssen’s arrest, some in the FBI initially claimed he was a master spy who was able to use his tradecraft to evade detection. Our review found that nothing could have been further from the truth. In our public report, we showed that Hanssen was reckless and escaped detection for so long not because he was clever and crafty, but because the FBI’s weak internal security practices essentially provided no deterrence or obstacles to his espionage.
Hanssen had spent hours reading classified files without any conceivable need to know. He exploited the FBI’s sorely lacking information security practices to conduct thousands of searches for highly sensitive information with no concern that an audit would reveal his queries. He delivered highly classified documents and dozens of computer disks to the Russians. Left largely unsupervised, he became increasingly brazen, depositing considerable amounts of the money he received as payment in a bank located a block from bureau headquarters.
The absence of deterrence played a significant role in Hanssen’s decision to spy for Moscow. During interviews after his arrest, he told our team, “If I had thought that the risk of detection was very great, I never would have done it.”
Instead of taking sufficient steps to deter security breaches and espionage, the FBI had trusted that its employees would remain loyal. But trust is not an effective internal security strategy.
During his 25-year career, Hanssen was never asked to submit to a polygraph examination. He underwent only one background reinvestigation, and the red flags that emerged during this perfunctory check were not resolved. He regularly exhibited a notable pattern of mishandling classified information, without significant consequences.
Our review determined that the FBI’s internal security program defects were the product of years of neglect. We recommended a wholesale change in mind-set and approach to internal security, noting that FBI employees had committed espionage in the past and would likely do so in the future.
Our report made 21 specific recommendations, including: creating a new unit to determine whether the bureau had been penetrated by espionage; employing stricter standards for handling and tracking sensitive information; instituting more meaningful background investigations; enhancing security measures for employees with broad access to sensitive information; implementing measures to detect improper computer use; tracking hard copy classified documents more effectively; requiring better security training; and improving security inspection programs.
Congress held hearings on both our report and the Webster report’s recommendations, and the high-profile attention helped pressure the FBI to improve its internal security. But this new case shows that constant attention and more work are needed.
The intelligence community and Defense Department should review document-handling practices and determine whether more stringent controls on hard-copy classified documents are warranted. Better audit trails on computer searches and more real-time computer monitoring should be considered. Security training and the quality of background investigations also should be reviewed.
Our government’s inability to prevent the terrorist attacks of Sept. 11, 2001, was partly caused by a failure to connect intelligence dots and a reluctance to share intelligence information. Afterward, the impetus swung from focusing on the “need to know” to emphasizing the “need to share.” Yet the pendulum might have swung too far, with too many people possessing high-level security clearances and gaining access to too much information. The risk and harm of disclosures are even greater in this digital age, when information can be disseminated more widely and quickly.
Teixeira would not be the first to disclose intelligence information, and he won’t be the last. Better internal security measures can’t eliminate all the risk of compromise, but they can make it more difficult, before further harm is done to our national security.