CyberWire Daily - Best of: Tom Coale
Episode Date: December 29, 2016Our podcast team is taking a break this week for the holidays. We’re revisiting some of our favorite interviews from 2016. Tom Coale is an attorney with the law firm Talkin and Oh, in Maryland, ...where one of his specialties is representing people who have been denied security clearances. Previously, Mr. Coale was Department Counsel for the Department of Defense, representing the government in security clearance due process hearings. We spoke to Tom Coale back in July. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. stay home with her young son. But her maternal instincts take a wild and surreal turn as she
discovers the best yet fiercest part of herself. Based on the acclaimed novel, Night Bitch is a
thought-provoking and wickedly humorous film from Searchlight Pictures. Stream Night Bitch January
24 only on Disney+.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k
at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
I'm Dave Bittner in Baltimore.
Our podcast team is taking a break this week for the holidays,
but don't fret, we'll be back next week with all new episodes of our show.
In the meantime, this week we're revisiting some of our favorite interviews from 2016.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. have continuous visibility into their controls with Vanta. Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Thank you. businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and compliant.
Tom Cole is an attorney with the law firm Talkin' N.O. in Maryland,
where one of his specialties is representing people who have been denied security clearances.
Previously, Mr. Cole was department counsel for the Department of Defense,
representing the government in security clearance due process hearings. We spoke with Tom Cole back in July. So the government does an evaluation to decide whether or not, and this is the standard that they use, it is clearly consistent with the
government interest to entrust an individual with the government's secrets. And there are
different classifications from, you know, literally just personnel information,
social security numbers and dates of birth and things of that nature to the highest level,
which is top secret SCI, which is a mechanism by which the government separates apart different
pieces of protected information amongst different groups,
so that one person may know one bit of that information, another person may know another part,
but rarely does one individual know all of the different aspects of one aspect of a government
program. So what kind of circumstances does one find oneself needing a clearance?
You have government employees that have security clearances, but in the
fastest growing area, it's in the cleared contractor realm where a company contracts
with the government to either manipulate their data or use their data to run their programs. And in that circumstance,
they will be required to have a clearance. This is also interesting because in some circumstances,
that government contractor within their own contract will be creating classified information
because they're doing research on behalf of the government. And so the information that they have created becomes classified as well.
And we've seen in the past, I don't know, decade or so, there's really been an explosion. I guess
probably post 9-11, there's been an explosion in the number of people who hold clearances?
Absolutely, yes. And there's also been, particularly in the wake of Snowden and WikiLeaks, a heightened standard and heightened review of
those that hold those clearances. So you had the sort of boom in the government contracting
national security industry, followed by a boom in the focus on security clearances,
subsequent to Snowden. So take us through, what is the process
that you have to go through to get a clearance? There are different entities and agencies that
have different processes, but the two that are the most frequently used and the ones that government
contractors will be the most familiar with are either DOD or NSA. You'll complete a security clearance application,
commonly what's called a security form 86, SF-86, and then you will submit that to your CFO,
who is the one that collects all of that for the company is sort of the focus point for all cleared material and cleared contractors.
That will be submitted to an agency.
Again, depending on the level of clearance, whether that is a top secret or secret or SCI,
there will be different levels of investigation. The slightest will be an interview
with a government investigator who is actually another contractor that is just there to interview
you about certain questions and answers that you provided. And then the most heightened level of
clearance, you'll have a polygraph. And there
within that different levels of polygraph, whether it is a full scope or a lifestyle,
and they'll ask you questions, you know, that they often start with before they even hook you up to
a machine saying, tell me something that you are concerned about discussing with me today.
And that is when people normally
just say all of their life secrets all at once before they even get hooked up. Little do they
know that once they are hooked up, they're going to get follow-up questions about everything that
they just said. So that is the general application process. And then from there, there may be more
processes involved if the clearance is denied.
So take us through, you know, what happens when things go wrong?
What are the things that typically will trip up this process?
The things that, well, let me start with the one that most people don't appreciate, and that is significant debt.
Normally, if an individual has over $20,000 in delinquent debt, meaning over 90 days due,
that will trigger a denial.
And that can be in a circumstance where a credit card is shared with a spouse and they're
not aware that they have this debt hanging out there.
And I find it to be the most ironic and unfortunate clearance denials because you're taking a
job away from someone who obviously needs be the most ironic and unfortunate clearance denials because you're taking a job
away from someone who obviously needs it the most. And I won't say those are common, but they happen
enough and they are more often than not a surprise to the applicant when they happen.
What also happens is a lot of people think that if they've ever used drugs, if they have any,
you know, offense in their background, that they will disqualify themselves
from a clearance. And I can tell you that more often than not, depending on the passage of time,
past indiscretions will not disqualify someone from a clearance. So those people that tell
themselves, oh, I could never have a clearance because I smoked pot in college. That is just not the case.
Now, the cases that I most often see are those who have some repeat behavior, such as DUIs, DWIs,
drunken disorderlies, or drug offenses that show a pattern of behavior. Because the government understands that people, that we're all flawed and we've all made mistakes
in our past, and no clearance is likely to be denied for a one-off experience.
But if an individual shows a pattern of poor judgment and a pattern of substance abuse
that it seems to indicate they're not even in control of their own lives, well, that
is when the government's going to say, you might be a
perfectly fine individual, but we can't trust you with our secrets because we don't know if when you
are inebriated or when you are exercising this pattern of bad judgment, that's going to then
implicate the government's concerns. What about things like adultery?
So adultery actually does come up,
but normally only comes up in two circumstances. One is if the adultery is committed while the
individual is in the armed services, because adultery is actually a, it's not necessarily
a criminal offense, although it is identified in the military justice code, but you can be written up and
brought before a tribunal for adultery. And the government's concern is not so much the adultery
itself, but rather that you knew that this was a rule that you had to follow, and yet you breached
it anyway. And that is where the government's concern comes in. So a tendency not to follow
the rules. The other circumstance where adultery may come into play is if the individual is susceptible to blackmail.
So the adultery itself, under threat that that will be disclosed, particularly if they
are living a lifestyle that they're prominent in their church, as an example, where that disclosure
could have consequences outside of ruining their marriage. The government is very concerned about
those instances because, one, that is a common area of compromise to sort of trap
someone in that way and then have that information and use that to extract information. And two,
again, it goes back to that issue of judgment of what did you do to get yourself into this
circumstance and why weren't you thinking better about that when you did it?
When someone goes in for one of these interviews,
and let's, you know, whether it's a polygraph or just a regular, you know, sitting across the
table from each other, is the best approach to take sort of the, you know, the lawyerly approach
of, you know, only answer the question that was asked and nothing more versus, you know,
spew everything that they could possibly want to know about you?
spew everything that they could possibly want to know about you?
Well, I always say that the best answer to any government investigator's question is the shortest possible truthful answer. So the shortest possible truthful answer is often yes or no,
and you can leave it to the investigator to ask a follow-up. But if the answer may be
provided as yes or no, that is how it should be given.
You need to have your wits about you.
You never, ever try to elude or deceive an investigator because that's, that's a disqualifier
off the start too.
Um, but you, you also don't need to, uh, volunteer so much that you're going to, uh, put yourself
in unnecessary jeopardy.
And so at what point do people get someone like you involved in this process?
Well, unfortunately, they normally bring me in later while I would, not just for business
purposes, but for helping the applicant. I'd rather be brought in when the application is
being pulled together because there are many things an individual can do, such as running a credit report on themselves, looking up their criminal record on various databases that they can do early in the process that make the rest of the process much more smooth.
trap people get into is the accusation that they've intended to deceive the investigator,
either through their security clearance application or the failure to disclose something in an interview. So I would love to come in earlier. But when I normally come in is when
the government has contacted the applicant and said, we're denying your clearance. And that will
either come in the form, again, talking about the Department of Defense and the NSA again.
DOD has a statement of reasons where they'll explain this is why your clearance has been denied.
And the NSA will have a clearance decision statement where, again, and NSA is normally much more detailed in their clearance decision statement than the statement of reasons.
So an applicant will get that and then they'll call me up to begin the appeal process.
What's your advice to someone who's starting down this path? Someone perhaps has a
job opportunity that will require this. What should they do?
I'd say the first thing is, is not to disqualify yourself. I think, unfortunately, so many people
are just insecure about the process and concerned about being denied that they won't even begin the application
process. The second most important piece of advice is to know yourself and to be truthful with
yourself in terms of your background, because the more you understand about the areas of concern
and the more forthright, again, without disclosing too much, but the more forthright you are about past offenses, past troubles, the better off you're going to be later in the process.
Because the government investigator, at the very least, will say this person is telling me the absolute truth to the extent that they know it.
So those would be the two core items.
Just don't disqualify yourself and make sure you
do a full investigation of yourself because the worst scenario is when there's a surprise because
chances are the applicant has not disclosed it. Chances are it is much more serious than the
applicant had originally considered. And also you have the shortest amount of time to mitigate
against it. If an applicant knows that they have a DUI, before they even submit the application,
they can go into AA and complete abstinence from alcohol.
And by the time it eventually gets to an area where the clearance is at issue,
they can say, look, I've done this to mitigate the government's concern even before my clearance was denied.
That's attorney Tom Cole. He's with the law firm Talkin' N.O. in Maryland.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team
of editors and producers.
I'm Dave Bittner.
Thanks for listening.
Your business needs AI solutions
that are not only ambitious,
but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.