The Wikileaks discussion in class got me thinking. I agree with the premise of operational security through classification expressed by our service member colleagues. The wikileak though, is more of a failure in oversight than a security crisis. Classification runs on a need-to-know system. Regardless of your clearance level, if you are snooping outside of your need-to-know purview, as the accused leaker did, a red flag should go up within the system. The fact that he was downloading so many documents over a short period of time should have shown up on the radar of his superiors –not to mention it should have activated any number of failsafe designed to prevent leaks…but enough about the BP spill…This got me to thinking about information security more broadly.
On to Farley’s favorite topic: CYBER SECURITY! There is a significant amount of PR surrounding cyber security. In fact, if you want to get a BS and MA on the government’s tab (and then some to spend) AND have a guaranteed job for 5+ years, it is the way to go. Additionally, ODNI has been working the last year or two with industry security leaders to create a Special Security Center Security Operations Curriculum at universities across the country focusing on cyber/information security (the pilot starts next year at universities yet to be announced). The purpose of the curriculum is to establish a specific degree program though which graduates are not only immediately ready to be put to work (without the lag of the industrial learning curve) by the likes of Rathyon and Northrop Grumman and government agencies, but also to engrain a single set of best practices across the public and private sectors as they relate to national security. Plus, the QDR and NSS are peppered with references to cyber security and the “cyber space.” Moral of the story is that Cyber Security is a big deal for the government and the anticipation is that the risk will only grow.
Anyone with a clearance remembers how complicated their life became when thumb drives became contraband in the workplace…especially for those deployed abroad. China is seen as the primary aggressor, hitting USG firewalls hundreds of times per day. However, the real successes China can claim (but wouldn’t) are far lower tech than hacking the cyber sphere. For the most part, the individuals transferring the proprietary information are not even aware of the espionage implications of their actions. Most of what makes it to the public is the cost of economic espionage to consumer industries but the cost of industrial espionage to the government and its contractors is enough that the FBI sends teams around to even the smallest contractor offices every year to remind them of how discrete and harmless espionage can seem.
Foreign nationals and expats, especially Chinese expatriates, are the most venerable. The most common situation is one where a foreign national working for a contractor shares unclassified but proprietary tidbits of their project in casual conversations with family or friends who work for similar companies at home, or for foreign intelligence services—unbeknownst to the target, not always, but often. For the most part, the target thinks they are talking shop with a confidant. Eventually the conversation touches on classified tidbits that are classified in whole, but maybe not in part, and then escalates to sharing documents which seem harmless to the target.
At best, the guilty individual has been had—divulging information that weakens competition in an internationally bided contract. At worst they share information knowing that it is against US law, but failing to understand the potential strategic value of information. The high context- community oriented nature of Asian cultures (often described as a lack of respect for intellectual property) and the lack of understanding for that type of culture by the low context-individualist American psyche together create a particular incompatibility in personnel security. The agent of espionage is likely to view the information sharing more as helping their “community” gain competitiveness with the US than to think of it as harmful to the national security of their host. This kind of thing slips thought because those responsible for personnel security are looking for malicious breaches and vulnerabilities of financial motivation or blackmail.
This is not to say that the classic idea of espionage and the new age cyber warfare are not still of concern. Those are the low-probability yet high-cost risks. But the more frequent instances of espionage are far more passive in nature. We are not talking the espionage of cold war spies, breaking into facilities and networks to steal highly classified government secrets. Most US secrets are compromised due to naivety and stupidity of both Americans and foreign nationals who just don’t understand how their little piece of the puzzle fits into the grand scheme of national security and American competitiveness in the global market. For this reason, it is quite difficult for the FBI to prosecute because they must prove intent and cognizance of wrongdoing.
Based on class discussion, it seems that this scenario would not be so farfetched for one of us to fall into. As I understand it, most of us do not understand let alone respect the US system of classification and thus could easily fall into saying something though to be harmless but is actually of value to another country.