All the engines of investigation were geared up to catch a spy. Apparently, American documents had fallen into the hands of foreigners, and we were tasked to discover how that happened. Time passed. In the end, there were no spies caught, because there never were any spies. What was finally revealed was a sordid, tawdry kickback scheme which happened to involve some foreign players.
Was this a colossal waste of time for intelligence personnel? No. The mechanisms of oversight had come into play and worked tremendously well. A cleared facility was alerted to the illicit movement of their money, which in turn revealed participants from another country in the as-yet foggy affair. The fact that there were foreigners involved switched on the call to counterintelligence, and we were summoned to assist the FBI.
The same programs within your company designed to root out security threats and policy violations can be used to discover much more. Why? Because good oversight doesn’t just prevent a breach of classified information, it can identify criminal activity.
For clearance holders, oversight is a shining lighthouse for your peace of mind. It was not for nothing that James Madison, one of our revered Founding Fathers, said, “In framing a government, which is to be administered by men over men, the great difficulty is this: You must first enable the government to control the governed; and in the next place, oblige it to control itself.”
So, too, in any business requiring cleared personnel who handle classified government information.
Oversight Extends to All Employees
If you have classified information, it should only be used on cleared computers, purpose-made for such use. All computers have ‘glitches’. Who checks them? Normally some computer type from the help desk. They whisk in to correct something and go on their way. You continue working. But who guards the guard? Are they properly cleared to the level at which what they are correcting is classified? How much of an issue should they be briefed on? Should you tell them the name of the project you’re working on at the same time you are discussing the technical problem?
Before you roll your eyes and say “Of course not!” be aware of this. I passed a senior officer’s room one day. There was a regular bacchanal of bonhomie, laughing and feigned lamenting going on. Seems this officer’s computer was down. A host of young and not so young wanderers came in to help out. His desk was covered in documents relating to…what? Did those visiting his office have the need-to-know? If this seems overly cautious, keep in mind there are many, many people who rack their brains trying to remember what casual conversations they had with Edward Snowden before he vanished, only to reappear in Russia where he passed along a panoply of American secrets.
Make sure everyone is cleared, and that those cleared are overseen. If there is someone whose activities are too ‘sensitive’ to be double-checked, then you are obligated to identify who can oversee them.
So what can you do if you don’t have the requisite clearances? The time to discover this is not, say, wartime. Just such an event happened. Panic ensued when a foreign investigator, who should have been issued a ‘foreign limited access authority’, was not. Fingers of ‘It wasn’t me’ began to fly, and his years-long investigation came front and center. Without the LAA, the young investigator was found ineligible to investigate a matter at hand. Calls went out to all the land, and sure enough, his LAA was granted. Oversight would have prevented such a problem. Someone whose job it was to determine what responsibilities such a job entailed should have ridden this requirement like a horse. Instead, it took a war to get the case resolved.
Who is authorized to back up, check, or double-check your cleared personnel? Do you have a single point of failure? By that I mean, is there someone who, because no one else can do what he does, or understand what he does, can cause your whole mission to fail? Can he cause it to fail because he calls in sick? Because he can authorize something which no one else can check? Can he act unilaterally because there is no one ‘authorized’ to know his mission? No one should be put in this situation, not for his good, nor for that of the company. Always have backup. As the Great Communicator once said, “No job is over until the boss checks.” If the boss can’t check, if not personally then through intermediaries with proper clearances, then he’s not really in charge.
And so to the first story. Without oversight, criminals were able to conspire to steal from the cleared facility. No one, the final evaluation read, checked what they did.