If you have a security clearance, you enjoy the trust and confidence of the U.S. government. As discussed in “Is my security clearance a secret?,” there is firm expectation that you will exercise discretion and fully engage in the need-to-know principle when it comes to your classified work. There is also the expectation you will self-report any anomalous event, breach of security protocol or miscue which may in any way deleteriously affect the classified activity. The concept of self-reporting is based on the expectation that one who has been adjudicated as trustworthy will embody the ethos required to do what is right.
Ethos
Aristotle noted three categories of ethos:
- Phronesis – practical skills and wisdom
- Arete – virtue and goodness
- Eunoia – goodwill towards the audience
Practical skills and wisdom
For example, you would expect that when an individual reaches the rank of general in the U.S. Army and then becomes director of the CIA that they will have been indoctrinated in the need-to-know principles and have had ample experience in compartmentalizing their personal and private lives. The adage, with age comes wisdom, should have reigned supreme. Such was not the case with respect to former CIA Director, General (ret) Petraus, who chose not to self-report sharing classified materials with an individual who neither had the authority or need-to-know. Petraeus recently pled guilty to “misdemeanor charge of unauthorized removal and retention of classified material” and now faces a maximum sentence of one year in prison. The Department of Justice prosecutors and his lawyers are recommending a $40,000 fine and two years of probation.
Virtue and goodness
In a piece crafted by John Moran, Deputy Chief of Staff Intelligence and Security for the Army Contracting Command, “Self-reporting derogatory information can save a job,” he calls out Executive Order 12968 (Access to Classified Information – August 2, 1995) for the standards of conduct upon which the expected conduct of an individual who enjoys the trust of the U.S. government will be measured. Moran goes on to pull the following quote from the Executive Order:
“whose personal and professional history affirmatively indicates loyalty to the United States, strength of character, trustworthiness, honesty, reliability, discretion, and sound judgment, as well as freedom from conflicting allegiances and potential for coercion, and willingness and ability to abide by regulations governing the use, handling, and protection of classified information.”
The expectation is, when an event occurs in your personal life, you will demonstrate the appropriate virtue and goodness and if warranted report the event to one’s Facility Security Officer and Cognizant Security Authority. In doing so, they are best able to determine if the change has a material effect on the classified engagement in which you are engaged.
Goodwill towards others
In every counterintelligence briefing, there is discussion of the hostile threat and the need to report all contact with foreign nationals, etc. Regardless of where you come down on the discussion on the appropriateness of the revelations made in 2013 by Edward Snowden, the fact remains he snowed his colleagues into providing their credentials in order to access information which his natural access did not permit. The DoD defines the CI insider threat as: “A person who uses their authorized access to DoD facilities, systems, equipment, information or infrastructure to damage, disrupt operations, compromise DoD information or commit espionage on behalf of an FIE (foreign intelligence entity).” When it comes to whistleblowers and data breaches, there may be a false assumption that it’s a victimless crime. Or that the failure falls on the back of the single individual who failed to report. The protection of classified information, and the requirement to self-report is both a personal and a group obligation of the cleared workforce.
ethos of self-reporting
The Defense Human Resources Activity (DHRA) highlights specifically the need to report events about which you become aware, not only those which affected you personally. In their piece concerning computer violations, they include:
- Excessive and abnormal intranet browsing, beyond the individual’s duties and responsibilities, of internal file servers or other networked file servers or other networked system contents.
- Any credible anomaly, finding, observation, or indicator associated with other activity or behavior that may also be an indicator of terrorism or espionage.
- Data exfiltrated to unauthorized domains.
- Unexplained storage of encrypted data.
- Unexplained user accounts.
- Hacking or cracking activities.
- Social engineering, electronic elicitation, email spoofing or spear phishing.
- Malicious codes or blended threats such as viruses, worms, trojans, logic bombs, malware, spyware, or browser hijackers, especially those used for clandestine data exfiltration.
The ethos of self-reporting embraces all three of Aristotle’s categories of ethos. The security of your classified engagement requires you to do so as well.