Consider this: You’re on your way into work. The radio news hums in the background. You hear your company’s name mentioned, and lean over to turn up the sound. A massive theft of your classified information just occurred. Are you prepared for the worst?
Step One: Know What You Need to Protect
A good place to begin to plan for a possible compromise is to know what you must protect. What is classified about your project and what is not? Who is out to steal your information? A lot of this information can be gathered from your threat assessment. This is the document of known threats to your classified program. These go from cyber threats to actual insider threat espionage. They include electronic compromises, and known collection directed against you on social media. And there’s more. I recall one of our worries during the Cold War in Europe was that there would be an invasion of seas by Soviet troops. Believe it or not, we had a thermite grenade on top of our classified safes! The ‘plan’ was that when the Red Hordes were sweeping in, we’d set off the grenade which would burn through the safe from top to bottom. Such were the plans of those days. Today, however, you must plan far more carefully.
Step Two: Who Has Access?
Who has access to your information? This is not a simple answer. Consider how Jonathan Pollard, who spied for Israel, used his general access badge to wander through the hallways of Washington. He could, with his access, visit virtually any site from the Pentagon to the State Department. He did not, however, have a need to know what was in all those buildings. He spoke to many, many people, few of whom were authorized to speak to him about projects. He collected reams of classified papers for his Israeli handler. Everyone allowed him in because, well, they’d seen him around. They figured ‘He must be ok, I’ve seen him around.’ This almost sounds like a setup for an Abbott and Costello skit. No question he posed was too out of bounds, since no one really knew his limits. Do you know the limits of those who come to visit? How do you verify their clearance and access?
Electronic concerns are even more devastating. Who is allowed access to your computer systems? Do you prepare for visitors who might need access? Surely you aren’t going to give them direct access to your computers, are you? In addition to those you give access, know that every day hackers are trying to breach your systems. Calling in the professionals from the FBI to check your computer systems demands they have access to your classified materials, too. Have you thought about that?
Step Three: Prepare for the Unexpected
A fire could strike. Or a bomb could go off. Examples of these pitfalls have occurred in U.S. companies around the world. In one case, someone burning classified information overcame the controls of the fireplace and secret documents were scattered up the chimney and all over the outside world! Or how about the cleared worker who didn’t think he had enough shredding capability to get rid of all the reams of documents which came in. He stuffed his materials under the floorboards!
We could scare ourselves to death, so make practical plans. Know who has access to which, or all, components of your project. Who from outside can communicate with your people, and what are their clearances and access? In an emergency, are your destruction machines capable of destroying your classified?
A friend overseas advised how a bomb went off near where he worked, and luckily he was not hurt. Damaged, however, was the safe they guarded. Secret papers flew all over the city, only to be recovered painstakingly. Or even worse, who cannot remember the failure to prepare when the Iranian radicals took over the American embassy in Tehran? Yes, the Americans prepared shredding plans for all their classified information, but the machines were so ancient they cut the top secret documents into strips. Enterprising Iranian revolutionaries put hundreds of children and women to work taping the easily reconstituted pages together, the better to compromise the American plans. Their handiwork was even published in National Geographic magazine. So much for protecting the secrets.
One of the mantras repeated after 9/11 was ‘if only we shared information better! We could have stopped this.’ Remember, though, they are referring primarily to investigative elements of the government. Better a company limits access, and knows who has it to begin with. This way, when someone asks, “We found this USB drive, one which contains your classified I believe, in a drawer in a town 1500 miles away. How do you think it got there?” all you’ll need to do is check who has access to the information, and begin there.