A Conversation with the Director of the U.S. NBIB
Following a massive data breach at the U.S. Office of Personnel Management (OPM) in 2015, the Obama administration created the National Background Investigations Bureau (NBIB) in January 2016 to improve how the U.S. federal government conducts and delivers background investigations.
The NBIB, which became operational in October 2016, is the primary service provider for governmentwide background investigations for the U.S. federal government. It’s also responsible for providing investigative systems training and conducting oversight evaluations of other U.S. agencies to ensure compliance with U.S. security regulations.
“NBIB has the responsibility of conducting background investigations for over 100 federal agencies—approximately 95 percent of the total background investigations governmentwide,” according to the bureau’s website. “Subsuming the existing mission, authorities and staff of the former Federal Investigative Service, the NBIB was stood up without interruption to the crucially important investigative services OPM is tasked with providing.”
For further insight into the creation of NBIB and how it’s working to keep background investigations’ data secure, Security Management Associate Editor Megan Gates sat down with NBIB Director Charles Phalen, Jr. Phalen has spent 30 years in the federal service, most recently as the director of security for the CIA.
Their conversation has been edited for clarity.
Gates: The NBIB director position is an appointed one. When you got the phone call asking you to take the job, what made you say yes?
Phalen: I had retired not once—but twice—from the U.S. government. Northrup Grumman has a mandatory retirement age for vice presidents at 65, and I hit that magic number in 2016. So I’d retired from there and was available.
I got a call from some folks in the U.S. Department of Defense that I’ve known for a long time who said, ‘Would you consider this?’
The world knows that this is a program that has some significant challenges. When you couple that with the fact that I have been doing this for a long time, and I do feel very strongly about the need for trusted people in the business, I said, ‘Sure, I’ll be happy to talk.’
I spent probably three or four weeks talking to various folks in different parts of the government, including OPM, the Office of Management and Budget, and at the Pentagon. I asked more questions than they asked. And concluded at the end that this was an opportunity that may not occur again. Putting it more succinctly: In all those years that I have seen—not just in the classified world but in the whole world—things that a trusted workforce can accomplish, whether it’s a trusted workforce in government or a trusted workforce in industry. And the stuff we’re able to put out gives this country the edge that it needs.
I’ve also seen what happens when somebody betrays that trust—seen it upfront and personal. And I know that this is an impossible task—to stamp it out completely—but we have an opportunity to do better at it, and mitigate those opportunities, reduce those opportunities, and go at it in maybe a different way.
When’s the last time we had a big chance like this? Probably 1986, the Year of the Spy, when we had a lot of opportunities to change things. Whether we did it all right or not is for other people to look at and decide. But there’s enough momentum right now, with people interested, and enough driving force that this is an opportunity that won’t come around again anytime soon. I feel very strongly about the business, and this just seemed like a good thing.
Gates: You were appointed by U.S. President Barack Obama to lead the NBIB when it was created, and then asked to stay on by President Donald Trump. What were the main issues for you going into your role?
Phalen: There were two big main focuses. One is, there is this backlog of background investigations that everybody refers to—it’s significant. That number is interesting, but it’s not the real number. The real number is how long does it take us to turn out an investigation? If we had a backlog of 5 billion cases, nobody would care as long as we were turning out the investigations on a timely basis. We aren’t, so we have an immediate problem to deal with which is to reduce the time it takes to get somebody a national security clearance.
The other piece is, what does the future look like? We’re operating with legacy IT systems; we’re operating with a process that dates back to before I was born. We have a good chance to reexamine that process of how do you initially determine whether somebody is trustworthy and…how do you continue to maintain that trust? What can you do today that you couldn’t do 30, 40, or 50 years ago?
So that’s the other focus: how do we start the process of examining both the technology that will help us do those things, and what are those things we can do tomorrow that will help us maintain that trust throughout the lifetime of that individual?
Those are the two big challenges. And we can’t do one. We’ve got to do both.
And there’s a third piece that is part of both of those issues. One, the end of the contract that OPM had with a contractor, and it ended that contract fairly abruptly, reducing our capability to do investigations significantly. The contractor was doing more than half of the investigations, so the demise of that really hurt.
And those folks did not simply migrate to another contractor. Most of them went away and never got back in the business. That was a national level of capacity that was diminished almost overnight—a significant impact.
These problems were already there when the data breach was discovered. That resulted in a brief shutdown of all the intake processes, but was not the main contributor to the backlog. The demise of the contract is what did it.
The breach issue was trust, and trust in ourselves and in the American public as to whether we can protect this stuff, both now or in the future. So that takes us to another challenge, which is a partnership between me and our chief information officer (CIO) and the DoD CIO, and maintain our the current systems we have in as secure manner as possible. At the same time, we’re also investing in a future system that is probably two to three years in the offering that will give us greater capabilities, but still have that same level of security that we need to build into this to protect peoples’ information.
Gates: The Federal Investigative Service was doing the work that the NBIB is doing now. How has the transition worked?
Phalen: Essentially, all the assets of the Federal Investigative Service are now part of NBIB—they’re just merged over and it’s now under a single command.
What makes it different? It’s really a couple of things. One is the introduction of some capabilities and some organizational changes, additions, that will help us move into the future. The biggest one is the establishment of something called the Federal Investigative Records Enterprise—FIRE—their mission is to reach out and find those new data sources for us that we can get electronically, and to find ways—working with the CIO—to store and appropriately use this information as part of the investigative process.
This is a fairly significant investment, because right now there are so many data sources out there that are shoe-leather driven. We need to find ways to get that information more efficiently and more electronically, where possible.
But it does not eliminate the shoe leather piece, for a couple of reasons, not the least of which is not everybody posts their personal feelings online. And the second thing is electronically, there are a lot of places we need to get data from today that don’t have electronic interconnectivity.
We know that police records are a key piece of some things that we’re gathering. So we have identified a law enforcement liaison role to go out and draw more closely with that population.
And we have renewed a greater emphasis on both privacy laws and on network protection issues—a key piece of this thing.
Gates: The law enforcement liaison role—what will that look like and how will it benefit NBIB’s mission?
Phalen: One of the biggest sources, collectively, of adjudicatively significant information is law enforcement records. The absence of one is good; but having one is adjudicatively significant.
So, one might think that there’s a single repository for that stuff. If you think about shows like Criminal Minds or NCIS where there’s an analyst sitting in the basement and they say, ‘Go find everything you can about Charlie,’ and they (mimes typing on a keyboard) and up pops everything. It doesn’t work that way in real life.
We have a number of states that we work with that don’t share records electronically. There are a lot of places that don’t share electronically records within the state. What that means for an investigation is I need to know where you’ve been hanging out and then we have to put somebody on the street to go out and talk to a law enforcement agency that you lived in to get those records.
That’s what we’re trying to overcome [with the liaison] and develop our ability to reach out and establish a better relationship and talk about and explore ideas about how things can be interconnected. It’s going to be critical as we move on.
Gates: The NBIB is also referred to as semi-autonomous from OPM. What does that mean?
Phalen: We have our independent contracting authority, our own independent hiring authorities, and our own dedicated procurement staff—our own team of lawyers and a legislative liaison. We’re not independent from OPM, but we have a lot of autonomy from the main stream there, which will give us some ability to push out what we think is our key message.
We also have our own dedicated communications team. One of the byproducts of the security business is that we tend to keep things quiet. Maybe we can do a better job of communicating with what would be our client base—anybody trying to be hired by the government or get a clearance for the government—because right now, we’re doing 95 percent of all background investigations. We’re doing all or part of it.
Gates: Who’s doing the remaining 5 percent of the background investigations?
Phalen: Some of the intelligence agencies do it all themselves for some of their cases. But there’s a fair amount of them that do use some of our resources, as well, for part of their investigations.
Gates: You mentioned trust earlier, and getting to the point where people who apply for a job with the U.S. government, know that their info will be secure and safe. How do you see the NBIB building trust?
Phalen: The worst thing I could do is lose any more data. The second worst thing I could do is make promises I can’t keep, so we have worked extensively with the CIO and other outside organizations—including the U.S. Department of Defense—to look at our system as it is. A lot of work was done immediately after the breach; they did a lot of strengthening of the system, and I am comfortable that today it is protected to a fairly high degree.
But having said that, how do I convince the world? I don’t have a good answer for that right now other than we have to prove to them that we can protect it. We obviously don’t want to publish all the protections, because that would give somebody a sense of, ‘Where’s the backdoor?’
But, we worry incessantly about these things. In particular, the guy who feels most focused on it besides me and the folks at NBIB is the CIO at OPM. Between him and his chief information security officer, they have the responsibility to actually do those mechanical things on the system to protect it.
So, I don’t really have a good answer for how do I convince the American public that we can be trustworthy—putting out a poster that says, ‘Trust me,’ I don’t know that that works. Our record’s going to reflect that.
Gates: Looking into the future, what do you see in 2017 as being the major challenges and opportunities for NBIB?
Phalen: Related to the Trump administration, I don’t see any major challenges. There is a common thread that no administration wants people to betray trust, and administrations want us to have people who are cleared and trustworthy.
I don’t expect that there will be any change in requirements from any new administration in terms of producing that trustworthiness. We [NBIB] do the investigation. We don’t do the adjudication. So if somebody decides they’re going to clear you, it’s going to be somebody in an agency sponsoring you.
NBIB just gives them as much as we can find out about you to make that determination. That has its own particular sort of challenges, which are, if agency A adjudicates you and says, ‘Megan’s fine,’ agency B may say, ‘Yeah, except for there was that one traffic stop that she had that we didn’t like the way it turned out.’ You can actually get different answers for people from the same set of data. But our goal is to give them as much data as we can so they can make an informed decision on it.
The real issue with anything is are things funded? This has been a perennial issue in security in general, ensuring that the amount of funding is there to make sure that the investigations can be done and that [the government agencies] can fund them.
And again, not just what we’re trying to do at NBIB, but the whole issue of protecting information globally by the government is absolutely crucial. The last administration got it; I expect this one will get it. I don’t see any huge changes.
I also don’t see any roadblocks to us continuing the progress that we can make towards streamlining the background investigation process. I have every reason to believe, without anybody telling me this, the administration will follow suit like every other administration. They want us to do this right. And we’ll get an opportunity to do it right.
Gates: Many of our readers are interested in how you can have a successful career in security. How have you stayed employed and relevant in the industry?
Phalen: You’ve probably seen the Pink Panther movies. There’s one great line where somebody says to Peter Sellers, ‘How does an idiot like you get to be a police lieutenant?’ And he says, ‘I applied.’
I never really worried about where my career would go. I started out in 1973 and worked for a company where within the first 18 months I ended up with a management job—maybe they were desperate; I’m not exactly sure why.
But ultimately, about midway through, we as a team, with leadership from our director of security at the time, started working very heavily on a newfangled thing that would be a great deterrent to shop lifting. And it’s still here, because when you buy a garment and you take it home and it’s got that stupid tag on it, and you’re sitting there cursing the sales person for not having taken it off, you have to take it back to the store. The company was called Sensor-Matic, and we Sensor-Matic tagged everything in sight, and it turned out to be a pretty powerful deterrent.
And then I got a job at the CIA and spent 30 years there. The thing I like most about that—and other jobs like that in government—is that in 30 years, I had 17 jobs. In the last 10 years, I only had three jobs—so that means there were 14 in the first 20 because we were moving around and doing a lot of things.
What I liked about it was none of us thought we’d ever get to be in some of those leadership jobs; we moved laterally and then a little bit up, and laterally, and got really smart about the entirety of the business.
In a situation like that, you have to understand how important it is to have trusted people, how important it is to make sure that people are operating out of secure facilities and trusted facilities. The physics of how to protect a building are largely the same. And certainly, the physics of moving things electronically is the same, but how all that works together has changed incredibly.
I mean, I tell folks that when I was in college, the cyber threat pretty much was me dropping punch cards at the University of Maryland. Cyber has changed, and I’m probably on my fifth iteration of trying to learn what it’s about. I will by no means claim to be an expert, but I’m at least reasonably conversational in the concepts.
But it has changed immeasurably, and keeping up with it is really, really hard. As people are moving up through careers, that’s the kind of stuff they’ve got to latch on to—find those things that are going to change and those that remain the same, and certainly that IT piece is the most dynamic.
The other thing that is most unpredictable is the humans because everything we do—almost everything we do today about human trust—is based on prospectively deciding whether or not we trust you. Not did you do something bad. Because I don’t want to get to that point. I want to decide you’re okay to start, and then if I see things starting to go south, be able to deal with it before it goes really badly south.
So, that then sort of takes you to, what does the next version of a background investigation look like? And I’m sure you’ve heard the phrase continuous evaluation bounced around…at the front end I don’t know anything about you, I’m going to do a pretty healthy examination of what we can find out about you.
Once you’re inside, it doesn’t make any sense to wait five years to ask again if you’re still okay, because you can do a lot of damage in five years—or just be dumb in five years. Because a lot of our problems are just people doing stupid things, not just evil things.
The range of human behavior is so wide and trying to predict who in that universe is going to go bad in advance is really difficult.
Gates: Do you think we’ll ever get to the point where we can predict who is going to harm the organization?
Phalen: 100 percent? No, and that’s even if you put every full court press you can on it, which includes polygraphs, and looking over your shoulder.
I think the bigger problem, although insider threat tends to focus on evil people, the bigger problem is people that are careless. People that aren’t necessarily trying to commit espionage, but speaking out of school or metaphorically leaving an email on a park bench somewhere.
The other sort of change in perception is the, traditional security program starts with, can you work here? Somebody does some sort of a background investigation, whether you’re a company or an industry, or something, and they decide whether you can work here—the company has made a trust determination.
When you get to the door, there’s a guard there of some sort, some badge system or security that the company is controlling your access. And you get to the keyboard and you login and you’ve got to use your password and it’s got to be a strong password, and if you’re not fast enough, it logs you out in five seconds and you’ve got to redo it again and you’ve got to change it every 30 days and all that kind of stuff.
But now you’re in. and if you’re in a system that is an Internet based system, you’ve just become the access control officer for the company. And your decisions to open that email or send something someplace else, have just made access control decisions for the company that are out of the bounds and purview and a lot of times observation of any oversight security organization.
And that’s the real change with the introduction of these kinds of things and the proliferation of networks, is that every employee has a responsibility they didn’t have before because their mistake can cause a huge problem.
Gates: That’s something I’ve seen while covering the cyber beat. I’m hearing more and more that people are having the realization that what my employees do on their computer and their habits online at home translate into the office. If they don’t have good habits, they’re impacting my organization’s security.
Phalen: There’s a cartoon out there somewhere…it’s a woman sitting at a keyboard and she’s dressed in Greek robes and everything, and she’s going, oh just one little thing. And the caption is “Pandora’s inbox.”
But going back to discussing careers in security… I seriously believe that for somebody in the security business, they should get as broad as they can. Don’t do the same job forever. Move laterally and get to understand the entirety of the business, because they’re all interconnected. And if one of them is not working, the others have to compensate for it but the others have to understand where the issues are.
I think the linchpin in security is that trusted people piece; if we don’t get that part right, the rest almost doesn’t matter because we have all those barriers and everything up, but every day we invite thousands—millions—of people in whatever venue it is, and we’ve got to trust them to do the right thing.
And if we don’t get that right, then again, that front stuff doesn’t matter.