Researching How to Bypass Internet Security Protocols and Passwords While at Work is Ill Advised
A recent Defense Office of Hearings and Appeals (DOHA) case involving the misuse of information technology caught my eye because the applicant argued that his former employer’s investigation had no merit: he had never been investigated by any law enforcement agency or charged with any offense, so it was not really proven that he had done anything wrong. This applicant was initially denied security clearance eligibility by the DoD after being issued a statement of reasons (SOR) for security concerns raised under Guideline M (Use of Information Technology) and Guideline E (Personal Conduct). Here are the highlights:
The applicant, who is in his 30s, has worked in the information technology (IT) field for a number of years and has been working for a defense contractor for the past two years. In late 2014 the applicant’s employer suspected him of suspicious computer activity involving attempts to initiate a peer-to-peer connection with a remote host outside his employer’s network as well as attempts to obscure Internet activity by using an anonymous proxy that would hide the destination from the employer’s IT security. Additionally, he visited websites that provided tutorials regarding how to crack passwords and conduct network attacks. He was eventually terminated for violation of his employer’s Internet use policy.
During the DOHA hearing the applicant contended that he visited hacking-related websites for educational and professional development and suggested this concept was “ethical hacking.” Although he pointed to the lack of a criminal investigation or charges to argue that the former employer’s investigative report lacked merit, a judge in an administrative hearing may still find that an applicant engaged in misconduct that raises security concerns. The DOHA judge in this case was of the opinion that, although there was no evidence that the applicant misused information technology in the past five years, his violations of his ex-employer’s Internet use policy were extremely serious and he attempted to conceal his conduct. Security clearance denied.