Dr. Bruce Ivins committed suicide earlier this week as the government was about to charge him with killing five people through anthrax-tainted letters in 2001. More than 30 years ago, he was hired to study anthrax vaccines at the Army's Institute of Infectious Diseases in Fort Detrick, Maryland.
David Danley used to work with Ivins and other scientists at Fort Detrick. He says the place was wide open back then.
"There were no locks on the doors, and you could pretty much wander the building without a lot of interference," he says.
It was an academic place, where researchers happened to be studying deadly material.
It wasn't until 1997 that the Centers for Disease Control and Prevention established what it called a select-agent program to regulate "toxins that have the potential to pose a severe threat to public health and safety."
"There was a requirement to register the laboratory, not the individual," says Dave Franz, who was the commander of the research center then.
Labs had to register only if they wanted to transfer something like anthrax from one facility to another. Labs keeping the material in one place didn't have to register at all.
Franz says people studying the disease didn't need clearances in order to work with the agents. Some people had clearances to access sensitive intelligence, but in general, the country was more concerned with protecting secret information than dangerous material.
Danley says things changed at the lab only after five people died from anthrax-laced letters in 2001.
"That's when locks went on doors and armed guards and the whole nine yards," he says.
After that, everyone needed security clearances.
By that point, Ivins had been working at the lab for decades. Even then, a background check apparently failed to catch what his therapist has called "a history dating to his graduate days of homicidal threats, actions, and plans."
Everyone who gets a security clearance has to fill out the same form, called an SF-86. The form asks whether the applicant has ever been treated for a mental illness and requires the person to let investigators view private medical records.
"I don't believe that reviewing a person's medical record is part of a typical security investigation unless there is an indication that there's a concern there," says Michael Woods, who used to be chief of national security law at the FBI.
Woods says investigators only find what they look for. And what they look for depends on what the applicant reports and what other people say about that person.
"Any system will miss someone somewhere," he says. "And the alternative here is to have a much higher level of scrutiny for everybody in the system. I don't particularly want investigators going through my medical records if there's not a reason, a security-related reason to do that."
Security investigations already can take as long as 18 months. Reviewing everyone's medical records would make it take even longer. Woods says there's no good way to overcome the human factor either.
People generally don't want to volunteer damning information about themselves, or about others. The result, Woods says, is a system that will always have flaws.
Copyright 2023 NPR. To see more, visit https://www.npr.org.