See Something: Say Something…but to whom?
“Mannheim Military 2435,” stated the disembodied voice when the phone rang. “Is this counterintelligence?” asked the hapless caller. “Yes, how can I help you?”
This crazy exchange happened when I arrived in Europe for my first assignment during the Cold War. The phone number was listed as Military Intelligence, but when you called, no one identified themselves, ‘for security reasons.’ What security reasons? Vast amounts of effort had been expended to rally soldiers and their family members to call Military Intelligence if they had a concern about espionage, subversion, or terrorism. But once you called, no one identified themselves.
One of the first things any clearance facility should do is coordinate their efforts. If you give security briefings on counterintelligence, and want to have people report, make it easy for them. I mean, easy to the tune of speaking to one person. Give a direct phone number to the person to whom they should speak. That person, the counterintelligence point of contact, should have direct access to a private office in the general company area. He should not be located in a Sensitive Compartmented Information Facility (SCIF), or place where the entire company does not have access. The reason for a private office for counterintelligence interviews will become immediately apparent. Yes, private offices are scarce and prestigious, but absolutely essential for counterintelligence work. Such an office must be made available for any counterintelligence discussion.
Consider this. You, an employee, have thought long and hard. You finally determine you must report something you’ve seen. During your company’s counterintelligence presentation, you heard something briefed which made you think. After tossing and turning for a couple nights, you get up the courage to go to your company counterintelligence point of contact. You call the number he gave you in the briefing. He responds. You meet privately in a separate office, and tell him of your concerns. He takes action, and no one is the wiser. Or, he takes your call, hears your story in person (never, ever over the phone), decides it really is something for the FBI or Defense Security Service (DSS), and directs you to contact them. Again, no one is the wiser. See how different this is from the example at the beginning of this essay?
How to Ruin Your Threat Reporting Program
Don’t take a good program and ruin it. One security officer came up with an idea. He thought, “Gee, maybe we should reward these reporters?” He set about making coins which said, “Thanks for your report!” and gave them to each person who came to him, who placed the coin proudly on their desks. What could possibly go wrong? The confidentiality of the report was compromised. A spy, checking up on anyone who might suspect his activities, sees this coin on a colleague’s desk and thinks, “My game is up. I need to get out of here.” Or he might go silent for a while until he’s sure there is no one looking for him, since a colleague went to the company’s security office. Never formally recognize someone who reports to your counterintelligence officer. This is confidential information. It should never be broadcast. Perhaps a private recognition could be in order, if the tip leads to some significant investigative action.
I always recommend the direct contact numbers of the FBI and DSS be prominently posted in cleared facilities. These are the federal agencies chartered to investigate espionage and terrorism. Make your employees aware that they can call these agencies directly if they have a concern. Have you boss tell them they can contact them without notifying anyone else at all in the office.
Be the one point of entry for threat information. Having an accessible security office for counterintelligence concerns creates a more peaceful, pleasant and safe place to work. Make sure every member of your office knows not just how to spot an insider or outsider threat, but also how to report one.