Sometimes we marvel at how much is classified. Should it all really be formally protected? We’ve had periods when serious consideration was given to how long a document or program could be protected. Policies change. Let’s face it, protection costs money. From documentation systems to proper storage, every step of the classification journey – from DD254 to the end of the program – costs money.
While we need to physically keep classified programs secure, security requires huge storage areas, or warehouses. So, declassification saves money, but is it smart? No matter whether a document is classified or not, we should always report anytime a possible compromise occurs. It is not up to the employee to determine when a document can finally be declassified. Often employees see something they know to be classified online, but remember that doesn’t declassify the information. It’s hard to know when possible compromise should be reported, and sometimes, you’ll find the answer is not what you expect.
Working with Your Security OFficer
If I’m the security manager, I request my fellow employees to report directly to me if they have security related concerns. Why? First, if the issue might be a compromise, I want to limit knowledge of the incident. I want to know who might be aware of the incident and keep the vulnerability from spreading. After all, the water cooler break area is the ‘virus spreader’ of common colds and news, no? Investigations are dangerously hampered when everyone in town knows or suspects what’s going on. I might be able to determine if the issue is even classified or not, a violation or not, if I can take the appropriate time to deduce what the actual issue is. Is the report a compromise, another type violation, or nothing at all?
So, how do you keep something that must be reported private? Give your security officer responsible for taking such reports a private office. This way, he or she can close the door and discuss whatever issue is at hand. Or, have a phone number for this person prominently available everywhere. If the person reporting is afraid to come physically to the office, have a place elsewhere identified where they can speak confidentially. So when they call, you can say, “Let’s meet over at the cafeteria on post, or down on the picnic table at the park, or at the investigative agency’s office. Then, without telling anyone, your officer meets the reluctant reporter of the incident. The same can be said of emails. If someone sends the security manger an email expressing an interest in discussing a security matter, then the next step is meeting somewhere out of the office, just like with the phone call. All of this is to remind possible reporters that we will keep what they say to us private, and not a matter for command gossip. They will be immediately reassured when you insist they not talk about the incident over the phone or on email, but only in person.
Bright Idea Fairy Isn’t Always Best
The chain of command is perhaps the hardest road bump. Here is where your skill and reputation as a security officer comes in. Don’t make your security briefing the first time your command, or company president, hears that employees can report outside their chain of command. Explain why this is necessary to your supervisors ahead of time. Show cases where had the chain been used, the spy would never have been caught. Illustrate how the official investigative elements, either the FBI or your military intelligence officers, will first ask, “How many know about this?” Explain why you want to limit knowledgeability. That is, if more know of the compromise, or attempted espionage, in a command, the perpetrators might find out you are on to them, too. They will stop, or suspend their action and get away with what they have already. You’ll never know whether you stopped them or not. (A tragic/comical side story might shed light here: One command said they’d give a polished wooden desk- set ‘Security Reporting Award’ for reporting possible espionage. The Award would commend the recipient for ‘Subversion Awareness and Reporting’. The security staff went pale with panic at the very thought! Imagine a spy seeing that someone they just tried to recruit got a desk set for ‘reporting possible espionage’. The spy would go silent, or disappear. The attempt would be cancelled, but the spy would also get clean away. That ‘good idea’ was shot down.)
Make REporting Easy
Your security office must be located outside your controlled, Secret Compartmented Information Facility (SCIF). This way, you don’t need a specialized clearance to report. Remember, spies like to recruit even the lowliest cleaning staff if they can access your information through them. You, of course, like to brief that same cleaning staff that they might be recruited! Make it easy for anyone to come render a report to you.
Classification will always be with us. We need to keep avenues for reporting possible compromises open, easy of access, and confidential. Advise your chain of command. Advise your fellow employees. Above all, keep reports confidential, and report what you learn immediately to your supporting investigative agencies.