How much security should you have? Better said, how much do you pay for security of your classified information? Start at the basics. Know what is critical to protect. Is it information? A classified item? Or is it a process, a process which makes an otherwise unclassified piece of equipment a possible surprise on the battlefield which will save the lives of our soldiers? In short, don’t let cost drive your decisions. While no one in the C-suite wants to hear this, they also don’t want to read about one of their programs being compromised either.
Start With The Right Decisions To Fund Your Security
Make the right decisions to keep your information or classified items safe, then work on cost effectiveness adjustments afterward. Security is not a goal to be worked toward, but to be fine-tuned once you know all is secured. That is to say, once you’ve identified how your whole program might be compromised, and then those weak points protected, you can consider ways to save on expenses. After all, if your program is compromised, cost savings means nothing anymore, because the payment is in lost programs, and military lives.
Let’s look at how decisions like this are made. What worked and what didn’t? This might help to get a handle on how such decisions on how proper security measures should be reached. In fact, let’s begin with the biggest secret of World War II, the atomic bomb development program, The Manhattan Project.
All these years after dropping two atomic bombs on Japan in 1945, we stand amazed that the secret development of the “Manhattan Project” was protected so well. A wartime project which brought thousands of people to work in a remote New Mexican desert to construct this titanic weapon was never exposed in the press. Yes, the press was fairly easy to ‘enlist’ in those hyper-patriotic days. Journalists were reluctant to write about goings-on which might help end the war.
All the physical security measures, guards, signs, and roving patrols kept out wanderers. Information security made sure the story never leaked, and personnel security was tight. Or was it? We now know that a Soviet spy, a refugee from Hitler’s Germany, Dr. Klaus Fuchs, did indeed betray the secret to Stalin’s espionage ring in the United States. That chink in the armor of security cost the United States its sole possession of the bomb.
Or consider this. In response to concerns about apparent foreknowledge by the North Vietnamese of American attacks in Vietnam, a major U.S. study was conducted to determine one of two things. Were there spies in our system betraying our attacks? That is, was it true, as the then Joint Chief of Staff General Wheeler put it upon hearing this, “We’ve been penetrated!” Was it really spies, or something else altogether? Were we somehow betraying ourselves by unwittingly leaking information about our own activities?
it’s All Pieces of the Larger Security Puzzle
It all works together. Determine what you need to protect. Employ all aspects of traditional security. Be sure you have (or have access to) all the security disciplines covered. Have all the information, personnel, physical, and industrial security personnel you need. Then have a complete Operations Security plan. That is, develop a plan that will tell you how your whole system works to protect your classified information. Start from the beginning. How do you get your classified information? Go step by step to identify everything. Trace all the unclassified aspects, about how your classified information comes to be yours, what you do with it, how it is deployed, and what happens to it after that. Ask all the right questions. Who has ‘need to know’? Know who has access, and limit that as best you can. Then compartmentalize what you can among those with a ‘need to know’. That means, you need a way to track who knows what about your program. Is it a thing you are protecting? Don’t build giant secluded and hidden hangars for an airplane if all you need to protect is a component for a component of its machinery. Throw that part in a safe after use!
In this our modern age of computers and cell phones, get the best available computer security guidance. Be like the wise observer who suggested, “Think like your adversary.” Test your system from beginning to end. Is there somewhere you can be compromised? Where are you unprepared? Best advice of all? Ask your federal support agencies to evaluate your security plans. Ask them to provide threat assessments and Operations Security assessments. They will find out where your weaknesses are, and advise you how to correct those. Know ahead of time where you are vulnerable, and pay for protection for that. Know that adversaries are watching, watching as you prepare your defenses.
As the Chinese general and philosopher Sun Tzu, writing in the fifth century B.C.E., advised anyone trying to overcome defenses, “Take advantage of the enemy’s unpreparedness; travel by unexpected routes and strike him where he has taken no precautions.” Your enemy is doing this. What are you doing to make sure he doesn’t win? Oh, and most important of all, have a good counterintelligence capability. Work with your federal support elements to make sure you not only protect your information, but know the means to investigate any potential problems. After all, counterintelligence is there to deter, detect, and defeat such problems. Remember. You are not preparing to protect the company’s bottom line. You are protecting your secrets because lives are in the balance.
