Like clockwork, every couple of months my office gets a security clearance denial or revocation case for someone accused of violating IT security rules. The violations typically come in one of three flavors: sharing computer passwords or security codes with a colleague; allowing a colleague to perform work logged into a computer system as someone else; or temporarily disabling or circumventing security features like firewalls in order to accomplish an otherwise legitimate objective.
Mission Critical Password Sharing – Is That a Thing?
In the vast majority of these cases, the individual’s claimed defense is that their actions were “mission critical” and therefore should be excused. That sounds compelling in theory, but practically-speaking this rarely ends well. Why? Because the mission critical objective the individual was trying to accomplish winds-up not being so mission critical after all.
I say none of this to judge someone who acted with a good faith, subjective belief that their actions were reasonable and necessary under the circumstances. Unfortunately, the law most often evaluates conduct using an objective standard: whether a fictional ordinary, reasonable person would have also considered the conduct necessary under the circumstances.
What about an Emergency?
There are certainly times of emergency when an ordinary, reasonable person might feel compelled to violate IT security rules to accomplish the mission. However, those are few and far between. In any such case, a security clearance-holder who thinks they “have no choice” but to violate IT security rules in order to accomplish an objective should ask him/herself this question first: what is the worst that will happen if I don’t do this?
If the worst that will happen is that someone suffers grievous bodily injury or death because of your inaction; there is a non-remote likelihood of that actually happening that you can demonstrate retroactively; and the damage to security caused by or risked by your actions doesn’t outweigh the benefits – then I dare say that the conduct is probably forgivable as truly mission critical. Keep in mind, however, that these are highly fact-specific scenarios and no one – including your author – can promise or guarantee you forgiveness. Generally-speaking, think “shooting down an incoming missile” or “getting vital intelligence to a unit trapped behind enemy lines” kind of situations.
If, on the other hand, the worst that will happen is a delay, an upset supervisor, or literally just about anything else short of grievous bodily injury or death, I can promise that a “mission critical” assessment in the moment probably isn’t going to age well.
Whatever the situation, it is a very high bar to prove that violating IT security rules was a forgivable transgression. It is almost always better to seek out an alternative means of accomplishing the objective, even if it is more time-consuming or less efficient.
This article is intended as general information only and should not be construed as legal advice. Although the information is believed to be accurate as of the publication date, no guarantee or warranty is offered or implied. Laws and government policies are subject to change, and the information provided herein may not provide a complete or current analysis of the topic or other pertinent considerations. Consult an attorney regarding your specific situation.