The Chinese military philosopher, Sun Tzu, argued that the greatest victory is winning the battle without having to fight. What did he mean? Does this aphorism mean something to us? Those of us who seek to protect our classified information do so daily. We carefully follow the principles of traditional security, as well as operations security. We do all this with the intent not to have secrets compromised. But do we ever ask ourselves why we do this? What do we hope to achieve?
What Does Protecting Classified Information Achieve?
This last question is paramount. What goal do we hope to deliver as a result of all our care? Once we’ve identified our goal, we can work toward it. We might hope to deliver battlefield power, so great that an adversary would think twice before hitting us. Or, we might hope to corner the market, such as the United States has done with various computer construction technologies.
It’s not enough to develop the best technology, or to protect it once it has been developed. Achieving security success requires protecting information across its development lifecycle – regardless of if that technology is classified. The Germans devised some of the finest solar powered conductors in the world. But that market is now overcome by the Chinese who make solar panels cheaper, faster, and more efficiently than anywhere else on earth. America left the Panama Canal which is now virtually a Chinese-coordinated sea trade facility. The same can be said of several great harbors of the world. Other countries come to economically dominate a physical area, a technology, or a methodology. They do so without military conquest. How? Often they do so because they have developed, bought, or stolen the technology that makes fighting them unwinnable.
How much of this compromised development was classified? Little if any if you break down the subjects by cases. If the goal of our classified protective efforts is to maintain our advanced programs, it is best to first determine how they will be used. This requires knowing the origin of the parts we employ, the materials needed to maintain them, and the distribution system needed upon completion. Say, for example, you want to protect your component that will be affixed to a new military vehicle. How will you insure it is not compromised? Of course, you will do what it takes to protect the part when in your care. Yet how will it be delivered? Are your transmission methods secure? Let’s say you’ve protected it with a first-rate cybersecurity team. Your staff has been briefed on all the digital means of good cyber-hygiene. Are you fully prepared to begin work? Have you implemented artificial intelligence methods to check on those unexpected patterns that suggest hackers may be in your midst? Hackers your specialists might not be aware of? Even the best cybersecurity officers can’t keep up with all threats, and for this a good AI program can check what they can’t. Have you developed backup systems, in case something you make fails, or is compromised? Or what if you suspect someone is attempting to attack your systems, and you need to close shop to investigate? Have you got back-up plans that might allow even for manual adaptation? And who is following the business trends in your field? What if, as has happened in several cases, a formerly United States registered company becomes foreign owned? That’s not a place you want your product delivered to.
Key to Success: Find Your Internal Weaknesses
Your materials, as the world has seen as a result of COVID-19 supply chain difficulties, can be held up. Is your company prepared to implement temporary measures to preclude failure? Again, the critical question: What does success, or failure, look like? If you can’t get your component to the military which needs it, on time, then what value is all the protection of your classified product?
What this suggests is not only that we need to have a good, well-practiced, and sincerely well-supported protective apparatus to protect our classified information. We also have to be aware of areas, outside our traditional security disciplines, which guards against failure to complete the mission.
A tried-and-true method to know where weaknesses are is to test your system. What helps here is a ‘red team’ approach. Check with your supporting government intelligence agencies. Ask for a test of your systems, to see where your communications, say, or your ability to respond to interference, might need bolstering. A good test is the best way to learn what you need to do better.