Our podcast team is taking a break this week for the holidays. We’re revisiting some of our favorite interviews from 2016.
Tom Coale is an attorney with the law firm Talkin and Oh, in Maryland, where one of his specialties is representing people who have been denied security clearances. Previously, Mr. Coale was Department Counsel for the Department of Defense, representing the government in security clearance due process hearings. We spoke to Tom Coale back in July.
Dave Bittner: [00:00:03:15] I'm Dave Bittner in Baltimore. Our podcast team is taking a break this week for the holidays, but don't fret, we'll be back next week with all new episodes of our show. In the meantime, this week we are revisiting some of our favorite interviews from 2016. Stay with us.
Dave Bittner: [00:00:24:16] It's time to take a moment to tell you about today's sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyzes the entire web to give cyber security analysts unmatched insights into emerging threats. We read their dailies at the CyberWire, and you can too. Sign up for Recorded Future's Cyber Daily email to get the top trending technical indicators crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded future. It's timely, it's solid and it's on the money. That's recordedfuture.com/intel, and we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:27:13] Tom Coale is an attorney with the law firm Talkin and Oh, in Maryland, where one of his specialties is representing people who have been denied security clearances. Previously, Mr. Coale was Department Counsel for the Department of Defense, representing the government in security clearance due process hearings. We spoke with Tom Coale back in July.
Tom Coale: [00:01:47:08] So, the government does an evaluation to decide whether or not, and this is the standard that they use, "it is clearly consistent with the government interest to entrust an individual with the government's secrets". And there are different classifications from, you know, literally just personnel information, social security numbers and dates of birth and things of that nature, to the highest level, which is top secret SCI, which is a mechanism by which the government separates apart different pieces of protected information amongst different groups, so that one person may know one bit of that information, another person may know another part, but rarely does one individual know all of the different aspects of one aspect of a government program.
Dave Bittner: [00:02:38:18] So, what kind of circumstances does one find oneself needing a clearance?
Tom Coale: [00:02:44:06] You have government employees that have security clearances, but in the fastest growing area it's in the cleared contractor realm, where a company contracts with the government to either manipulate their data or use their data to run their programs, and in that circumstance they will be required to have a clearance. This is also interesting because, in some circumstances, that government contractor, within their own contract, will be creating classified information, because they're doing research on behalf of the government, and so the information that they have created becomes classified as well.
Dave Bittner: [00:03:25:20] And we've seen, in the past, I don't know, a decade or so, there's really been an explosion, I guess probably post-9/11 there's been an explosion in the number of people who hold clearances?
Tom Coale: [00:03:35:05] Absolutely, yes. And there has also been, particularly in the wake of Snowden and Wikileaks, a heightened standard and a heightened review of those that hold those clearances. So, you had the sort of boom in the government contracting national security industry, followed by a boom in the focus on security clearances subsequent to Snowden.
Dave Bittner: [00:04:02:02] So, take us through, what is the process that you have to go through to get a clearance?
Tom Coale: [00:04:07:24] There are different entities and agencies that have different processes, but the two that are the most frequently used, and the ones that government contractors will be the most familiar with, are either DoD or NSA. You'll complete a security clearance application, commonly, what's called a Security Form 86, SF86, and then you will submit that to your CFO, who is the one that collects all of that for the company, is sort of the focus for all cleared material and cleared contractors. That will be submitted to an agency. Again, depending on the level of clearance, whether that is top secret or secret or SCI, there will be different levels of investigation. The slightest will be an interview with a government investigator, who is actually another contractor, that is just there to interview you about certain questions and answers that you provided.
Tom Coale: [00:05:17:08] And then the most heightened level of clearance, you'll have a polygraph, and there are, within that, different levels of polygraph, whether it is full scope or lifestyle. And they'll ask you questions, you know, that they often start before they even hook you up to a machine, saying, "Tell me something that you are concerned about discussing with me today," and that is when people normally just say all of their life secrets all at once before they even get hooked up. Little do they know that, once they are hooked up, they're going to get follow-up questions about everything that they just said.
Tom Coale: [00:05:55:14] So that is the general application process, and then, from there, there is, you know, there may be more processes involved if the clearance is denied.
Dave Bittner: [00:06:03:23] So take us through, you know, what happens when things go wrong? What are the things that typically will trip up this process?
Tom Coale: [00:06:11:09] Well, let me start with the one that most people don't appreciate, and that is significant debt. Normally, if an individual has over $20,000 in delinquent debt, meaning over 90 days due, that will trigger a denial, and that can be in a circumstance where a credit card is shared with a spouse and they're not aware that they have this debt hanging out there. And I find it to be the most ironic and unfortunate clearance denials, because you're taking a job away from someone who obviously needs it the most. I won't say those are common, but they happen enough, and they are more often than not a surprise to the applicant when they happen.
Tom Coale: [00:06:55:06] What also happens is, a lot of people think that if they've ever used drugs, if they have any, you know, offense in their background, that they will disqualify themselves from a clearance, and I can tell you that more often than not, depending on the passage of time, past indiscretions will not disqualify someone from a clearance. So, those people that tell themselves, "Oh, I could never have a clearance because I smoked pot in college," that is just not the case.
Tom Coale: [00:07:24:13] Now, the cases that I most often see are those who have some repeat behavior, such as DUIs, DWIs, drunk and disorderlies or drug offenses that show a pattern of behavior, because the government understands that people, that we're all flawed and we've all made mistakes in our past, and no clearance is likely to be denied for a one-off experience. But, if an individual shows a pattern of poor judgment and a pattern of substance abuse, that it seems to indicate, that they're not even in control of their own lives, well that is when the government is going to say, "You might be a perfectly fine individual, but we can't trust you with our secrets because we don't know if when you are inebriated or when you are exercising this pattern of bad judgment, that's going to then implicate the government's concerns."
Dave Bittner: [00:08:19:24] What about things like adultery?
Tom Coale: [00:08:22:13] So, adultery actually does come up, but normally only comes up in two circumstances. One is if the adultery is committed while the individual is in the armed services, because adultery is, actually, it's not necessarily a criminal offense, although it is identified in the Military Justice Code, but you can be written up and brought before a tribunal for adultery. And the government's concern is not so much the adultery itself but rather that you knew that this was a rule that you had to follow and yet you breached it anyway, and that is where the government's concern comes in. So, a tendency not to follow the rules.
Tom Coale: [00:09:02:10] The other circumstance where adultery may come into play is if the individual is susceptible to blackmail. So, the adultery itself, again, is not a concern, but if the individual, and I've seen this before, if the individual is making payments to someone to not disclose that adultery, or is under threat that will be disclosed, particularly if they are living a lifestyle, that they're prominent in their church, is an example, where that disclosure could have consequences outside of ruining their marriage.
Tom Coale: [00:09:36:14] The government is very concerned about those instances, because, one, that is a common area of compromise, to sort of trap someone in that way and then have that information and use that to extract information. And two, again, it goes back to that issue of judgment of, "What did you do to get yourself into this circumstance? And why weren't you thinking better about that when you did it?"
Dave Bittner: [00:10:01:19] When someone goes in for one of these interviews, whether it's a polygraph or just a regular, you know, sitting across the table from each other, is the best approach to take the lawyerly approach of only answer the question that was asked or nothing more, versus spew everything that they could possibly want to know about you?
Tom Coale: [00:10:23:07] Well, I always say that the best answer to any government investigator's question is the shortest possible truthful answer. So, the shortest possible truthful answer is often yes or no, and you can leave it to the investigator to ask a follow-up, but if the answer may be provided as yes or no, that is how it should be given. You need to have your wits about you. Never ever try to elude or deceive an investigator, because that's a disqualifier off the start too, but you also don't need to volunteer so much that you're going to put yourself in unnecessary jeopardy.
Dave Bittner: [00:11:05:02] And so, at what point do people get someone like you involved in this process?
Tom Coale: [00:11:10:21] Well, unfortunately, they normally bring me in later, while I would [LAUGHS] not just for business purpose but for helping the applicant, I'd rather be brought in when the application is being pulled together. Because there are many things an individual can do, such as running a credit report on themselves, looking up their criminal record on various databases, that they can do early in the process that make the rest of the process much more smooth. Because the number one trap people get into is the accusation that they've intended to deceive the investigator, either through their security clearance application or the failure to disclose something in an interview.
Tom Coale: [00:11:49:01] So I would love to come in earlier, but when I normally come in is when the government has contacted the applicant and said, "We're denying your clearance," and that will either come in the form, again talking about the Department of Defense and the NSA again, DoD has a Statement of Reasons where they'll explain, "This is why your clearance has been denied." The NSA will have a Clearance Decision Statement. NSA is usually much more detailed in their Clearance Decision Statement than the Statement of Reasons. So an applicant will get that and then they'll call me up to begin the appeal process.
Dave Bittner: [00:12:28:21] What's your advice to someone who's starting down this path? Someone perhaps has a job opportunity that will require this, what should they do?
Tom Coale: [00:12:37:19] I'd say the first thing is, is not to disqualify yourself. I think, unfortunately, so many people are just insecure about the process and concerned about being denied that they won't even begin the application process. The second most important piece of advice is to know yourself and to be truthful with yourself in terms of your background, because the more you understand about the areas of concern and the more forthright - again, without disclosing too much - you are about past offenses, past troubles, the better off you're going to be later in the process. Because the government investigator, at the very least, will say "This person is telling me the absolute truth to the extent that they know it."
Tom Coale: [00:13:20:02] So those would be the two core items. Just don't disqualify yourself and make sure you do a full investigation of yourself, because the worst scenario is when there's a surprise. Because, chances are, the applicant has not disclosed it, chances are it is much more serious than the applicant had originally considered, and also you have the shortest amount of time to mitigate against it.
Tom Coale: [00:13:43:20] If an applicant knows that they have a DUI, before they even submit the application they can go into AA and complete abstinence from alcohol, and by the time it eventually gets to an area where the clearance is at issue, they can say, "Look, I've done this to mitigate the government's concern, even before my clearance was denied."
Dave Bittner: [00:14:02:16] That's Attorney Tom Coale. He's with the law firm Talkin and Oh, in Maryland.
Dave Bittner: [00:14:09:15] And that's the CyberWire. And don't forget that while we're taking a break from the daily news on the podcast, our Daily News Brief is still available on our website, thecyberwire.com.
Dave Bittner: [00:14:19:18] Thanks to sponsor, Recorded Future, for making today's podcast possible. The CyberWire Podcast is produced by Pratt Street Media. Our Editor is John Petrik; our Social Media Editor is Jennifer Eiben; our Technical Editor is Chris Russell; our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Get trending information on hackers, exploits, and vulnerabilities every day for FREE with the Recorded Future Cyber Daily. Sign up now.