We who hold clearances live in dread that someday, something might be compromised. What to do? Consider cases where it’s happened, then ask yourself, is my company ready?
Once I got a call from a major metropolitan area’s police department. “Do these documents belong to your organization?” they asked. “Yes,” we responded, based upon their description. “Can you have someone come here and retrieve them?” They’d been found as part of an investigation, and they needed someone who could identify them properly, and determine if they had been leaked, or used for unofficial or inappropriate purposes. We needed to send someone to advise how they got there, who brought them, and what the proper distribution was supposed to be.
Our employee visited the police unit and determined there was no compromise. It would have been easy to assume that when official documents appear at a police station, a leak must have occurred, and there’s a major problem. In reality, there may be no issue at all.
What do you do if you think classified information is compromised?
First, don’t discuss it over an open line. Secondly, don’t discuss it with anyone but your chain of command or to investigators. Why? No one wants to create a crisis when there is no real evidence something even happened. One bright spark told a journalist he believed information had been compromised from his booth at a military exhibition. His command read about it the next day in a newspaper before they heard of it from anyone else.
Have a written plan in place. Know who has access to know about a compromise on any given project. Know how to contact the authorized investigative agencies. Every year your company should give a briefing so everyone knows what to do in case there is a compromise. Then, there must be a written document that serves as a standard operating procedure on what to do, who to call, and where to respond. Note emphasis on ‘in case’. All too often people react to the appearance of a problem when through careful, patient, professional investigation, there might not be a problem at all.
While leaks remain unlikely, names like Chelsea Manning, Edward Snowden and Reality Winner offer a stark reminder – every organization needs a plan to address suspicious behavior. Insider threat programs have paved the way to let employees know how to spot potential issues in fellow employees. Don’t forget to go the next step and make sure they know the proper way to report any leak – whether from inside or outside of the organization.