It's not them. It's us.
Wikileaks' October publication of hundreds of thousands of classified Iraq war documents was followed in November by another massive leak, this time of hundreds of thousands of US diplomatic cables. In the wake of these hemorrhages of sensitive information, the US and its allies are faced with the question: What to do about it?
The first reaction - get tough with Wikileaks - is natural, but not the real solution.
First, there is the difficulty of shutting down anything on the Internet; slaying the Hydra was much easier in Hercules' time. An Internet Hydra such as Wikileaks can not only sprout new heads for each one cut off, it can replicate itself entirely in multiple new locations.
Representative Peter King's inquiry into the possible designation of Wikileaks as a "terrorist organization" may sound like we are doing something, but it is a wrongheaded use of the terrorist label, and for the reasons noted above, will also be ineffective.
King's push to have the organization charged with espionage is more appropriate, and given the damage that Wikileaks has done to other countries, those governments may be willing, even eager, to cooperate in shutting down the site and detaining and charging the individuals involved.
But still, this will have little effect on the data which has already burst the gates, and does nothing to increase our guard against similar breaches in the future.
The real problem is that the US seems unable to keep its secrets.
Wikileaks and other ill-advised, crusading organizations are not the real problem here.
The real problem is the fact that they are able to obtain classified information in the first place.
There have always been leaks and spies, but with today's miniature electronic data storage devices and Internet transmissions, the damage can quickly become much more extensive than in the past.
Robert Hanssen's espionage for Russia has been described as one of the worst intelligence disasters in US history; but even his misdeeds have been far surpassed by Wikileaks' sources, for two reasons.
First, the sheer volume of the compromised data:
Hanssen used the old-fashioned "dead drop" technique to pass bags or packages of paper documents or low-volume computer disks to his handlers, and the damage was inflicted over the course of 22 years.
In contrast, someone like PFC Bradley Manning can quickly download tremendous amounts of current data onto USB drives, data cards, CDs, or even an iPod, and walk out of a secure area with them in his pocket.
Second, there is the venue into which the classified information was passed. In past spy cases, the information was usually passed to a foreign government, which also had an interest in keeping it - and their possession of it - secret. As bad as this was for US national security, it was far better than having the documents blasted indiscriminately into the public view of every Internet user on the planet. And once information hits the Internet, it's nearly impossible to remove it.
It is for these reasons that it is more important than ever that we get serious about safeguarding our classified data.
Why do I say "get serious?"
Aren't we serious already?
Well, no, I personally don't think so.
Over the 21 years of my Army career, I saw safeguards gradually eroded in favor of convenience and complacency.
And in the worst possible development to accompany a decline in safeguards, the post-9/11 world has seen an explosion in the number of agencies handling classified data, the size of the intelligence apparatus within those agencies, and - most frightening - the number and size of private contracting companies engaging in classified activities and accessing classified data.
According to The Washington Post, more than 850,000 people have Top Secret (TS) clearances.
As many well-publicized spy cases have shown over the years, a clearance is no guarantee that an individual is completely and unquestionably trustworthy; a clearance is only a risk assessment that the government makes in deciding who should have access.
The sooner we get back to that mindset, the better.
Reinventing the wheel
As a young officer first exposed to TS data in the late 1980s, I can vouch for the far stricter rules of those days, compared to what we have now.
I think this was in part because of a DoD report published in 1985, "Keeping the Nation's Secrets," which included some common-sense recommendations which had been put into practice by the time I started my career, but have since fallen by the wayside.
Examples: no one was ever allowed to be alone in our TS facility; there was a "two-man rule" for handling TS materials.
Fast-forward to my later years in the Pentagon, and I was surprised to find that by then, it was commonplace for someone to work late - alone - in a TS facility, and lock up by themselves.
It was a matter of convenience: why should a second person have to stay just because one of us has to work late?
Similarly, our increasing comfort with, dependence on, and complacency about technology has taken a toll in ways that the 1985 report could scarcely foresee.
As cell phones made their debut, so did rules that no cell phones were ever allowed in TS facilities.
Gradually, as the phones became ubiquitous, the rule shifted to allowing the phones only if the battery was separated from the phone; then they were fine if they were just turned off, despite the fact that this is a known TEMPEST hazard.
During my years in the Pentagon, no one ever even checked my phone to see if it was off.
Cameras were strictly controlled in TS facilities, too, unless, of course, the camera was integrated with your phone - isn't that just about everyone these days?
Employee convenience has trumped security in setting rules and policies.
Training on the handling of classified has declined, too. On more than one occasion during my Pentagon assignments, I stopped young new employees from walking out into the hallways with unprotected, uncovered classified documents in their hands. "But I'm not leaving the building," was a common excuse, with no thought given to the fact that the corridors are not a secure area, because they are filled with uncleared people, and even foreigners! And my favorite, "Oh, this isn't classified. It's only marked 'Confidential'." Here was a young lady who had free access to TS data, but apparently no one had told her about the other levels of classification or the need to protect them.
Steps to take
Right now, every office handling any kind of sensitive information needs to ramp up its physical security. Re-introduce and enforce the two-man rule for access to TS materials. Additionally, we need to return to another recommendation from "Keeping the Nation's Secrets": subjecting employees' belongings to a search upon entry to and exit from secure areas. This is not an insult; it's just good security. Prohibit the presence of any personal electronics of any kind. To achieve both of these ends, I would even go so far as to install employee lockers at facility access points and require all personal possessions to remain outside; you do not need your wallet, your car keys, your iPod, or your cell phone at your workstation. IT administrators should disable all floppy drives, USB drives, card readers, and tape drives on workstation computers and retain those capabilities on only a few, closely monitored stations. Does this make it harder to produce briefings or reports with a mix of classified and unclassified data? Yes. But the alternative to all of this is another PFC Manning crowing about how easily he downloaded reams of classified data while pretending to listen to Lady Gaga.
Right now, comprehensively train every individual who may have access to classified data, and I don't mean just flipping through the thick "read on/read off" binders and then signing a non-disclosure agreement. I mean familiarity with all levels of classification, all types of intelligence data, the use of cover sheets, wrapping, safes, and lock bags, and the inculcation of an absolute certainty that if you sell, give away, or negligently lose classified information, jail time is in your future.
The next step is the hardest and will require some tough decision-making and hard cutting, despite the inevitable bureaucratic and corporate resistance.
We must drastically reduce the number of billets for top-secret clearances.
The world has changed greatly since "Keeping the Nation's Secrets" was authored, but this lesson holds true:
"...the far greater challenge is people -- those who create and handle classified information, those who disseminate it, and those who oversee its protection... the current security system fails in limiting the opportunities for errors of omission or commission; in providing the means to identify those who transgress; and in dealing appropriately with the transgressors."
President Obama's announcement of "zero tolerance" for those who leak classified data is not new, but his demand that all agencies crack down on their employees' access is a welcome return to a more compartmented age.
Our current billet system - in which TS clearances have to be justified by specific positions - grew out of a recommendation from the 1985 report, and was intended to reduce, control and limit the number of people with access to TS information.
Some of the new post-9/11 TS billets make great sense, as in the case of local law enforcement operating on counter-terrorism information.
But many of the new billets are just as unnecessary and redundant as the positions they attach to, and with over 850,000 billets now in circulation, we can scarcely call that access "limited" anymore.
Worse, investigative backlogs combined with the pressure to fill all of those positions means that the US has become less selective in determining eligibility. Here are some real examples from my own experience: A young intelligence analyst, American-born, but whose Chinese parents still live in mainland China (do we really put it past the Chinese government to use her parents' well-being against her?); a retired 30-year veteran of the Indian navy, who became a US citizen specifically to be eligible for a TS clearance for his post-retirement US contractor job (are we not the least bit curious about where his loyalty really lies?); a middle-aged contractor who routinely failed to show up for work, and then was caught in lies about his whereabouts (is this really trustworthy enough for access to our highest secrets?). None of these people would have been even remotely eligible for a TS clearance twenty years ago.
Thanks to our post-9/11 atmosphere of counter-terrorism hyperactivity, combined with a political culture which accepts no physical risk, I am not the least bit hopeful that any of our new, redundant, and burgeoning intelligence apparatus will be reduced anytime soon. Too bad, since it would also help us out with our equally burgeoning deficit, another national security risk. But the other measures can be quickly and easily implemented. All we need is the willingness for our intelligence employees to be just as inconvenienced as they were a generation ago.
Copyright R.N. Phillips, November 2010