Our traditional intelligence security practices are well known. Once you enter the cleared personnel community, the guidance to share only on a ‘need to know’ basis is supreme. If the person has no reason to know, don’t you be the one to tell him a secret he has no authority to hear. It’s like ‘loose lips sink ships’. This expression, which adorned a poster in the early war years of the 1940’s, showed a cartoon blabbermouth with an art deco sinking ship in the background. He talked; people died. As the war years dragged on, designs for security awareness posters gradually became more realistic. No longer did cartoons stand as abstract warnings to protect classified information. Actual war changed all that, for now compromise of secrets could cause genuine deaths of soldiers and sailors. As bodies of American dead mounted, families grieved. Thus, the warnings became more realistic. A painting of an American paratrooper landing, dead in his harness, with the bold letters, “Someone talked!” slashed across the poster became the new warning.

Today, those of us with clearances are in similar danger. Often, however, the threat doesn’t seem real, as evidenced by that early poster from long ago. We can’t imagine anyone really stealing our information, causing someone to die because of something we did here, at home, in America. This dread situation is even worse because we don’t see the consequences of our ‘talking’ out of turn to the wrong person.

This still happens. Recently, a colleague was standing in a long COVID ‘social-distanced’ line at a pharmacy. He was six feet from the nearest customer. He watched as a clerk, followed by a new hire, went to enter the keypad-accessed pharmacy door. “Oh, the number to get in is ****,” said the clerk. The new hire duly noted it, and they went in. The line remained static until the two employees exited the pharmacy a couple of minutes later. Then the clerk re-entered the pharmacy, this time using the keypad, which was literally visible to my colleague. He now observed the employee type in the last number, which he’d missed hearing earlier. The pharmacy access was compromised.

What just happened? The clerk was used to coming and going. He was so accustomed to the practice that he no longer thought about why they needed an access code to begin with. By constant repetition, he simply forgot that he needed to protect the code, and thus the room it protected.

We all have access codes. Also, closing the safe by signature on cards is a tedious practice. Locking the safe is a pain, if you come and go all day. Leaving your classified computer on while you run down to the restroom should be all right, shouldn’t it? You know the answer is no. 

Consider another real case. A manager would leave his safe open throughout the day. His office was tiny, so anyone could enter, secure something from his safe, and leave. Due to the location of the safe, within a foot of the door, his room was a compromise in waiting. When this was pointed out to him, he objected that he ‘didn’t have time for this’. What ‘this’ was, which he had no time for, happened to be security. Ensuring security was part of why he went to work and got paid. 

Inspections of security practices always reveal suspect ‘signatures’ on double-check (closing safe) forms. They look as if they were signed all in one day, by one person, initialing each day’s block over and over, changing only the supposed time of closure. This falsification of the ‘closed safe’ document is, regrettably, a common practice. Those who do so claim it is a waste of time because ‘no spy was ever caught by double checking a safe’. Maybe. But evidence of who really last had access to an open safe, and when, is certainly evidence lost. If someone who ‘doesn’t have time’ to sign the double-check blocks fills them all in at once, we never know when the safe was actually compromised, or which documents were present to be copied. This leaves investigators guessing, when searching for a spy, what he might have stolen when he spirited the safe’s documents away by copying them. This is a variation in fact on what recently happened when a nuclear technician stole physical documents concerning an American submarine. Imagine the panic and finger pointing going on now among those who might have been tangentially involved in this incident. They now have plenty of time to contemplate poor security practices. I doubt dismissive comments like ‘I don’t have time for that’ are gaining traction.

Yes, our world has become more and more technologically sophisticated. And yet, what can we do about it? ‘Don’t ruin something that works’ might be a good principle to start with. Change the security posters that have been hanging so long they are part of the background, unnoticed by anyone. If you post security reminders online every time your colleagues open their computers, change them now and then. Make them interesting, funny, but above all memorable. Yes, it is difficult to change pass codes regularly, but do so. If I steal your code today, don’t make that code readily usable a week later. Change it. But not on a regular basis. When ‘The Falcon’, Christopher Boyce, stole from his security vault, he already knew all the pass codes, and what was and wasn’t checked. He had access to the vault. No one person should have access to everything, alone. Remember that other old security adage: the two-person rule. Even the general or CEO should have someone who can ‘double check’ him; even the general or CEO should not have personal access to everything.

 

John William Davis was commissioned an artillery officer and served as a counterintelligence officer and linguist. Thereafter he was counterintelligence officer for Space and Missile Defense Command, instructing the threat portion of the Department of the Army's Operations Security Course. Upon retirement, he wrote of his experiences in Rainy Street Stories.