We often watch events happening abroad with shock or disgust. We can’t imagine how people in this, our modern 21st century, have come to this impasse. Yet they do. In fact, we do. Our cleared programs are tested routinely around the world. They are tested for accuracy, capabilities, and adaptability. They are tested in places never made public, or if in the public domain, perhaps not completely. Those chartered to protect these programs must know their capabilities intimately, but also so much more. Protecting against everything an an adversary can collect requires a good, recurrent, and meaningful education about the threats to our classified projects.
Explain Why Security Measures Exist
When we devise security programs, they include many facets. How do we explain to our cleared personnel why we require the security measures we do? Do we look at all the collection capabilities the adversaries have to acquire (steal) our information? Can they access overhead national asset satellite collection to observe our field tests? How do we plan those tests? Do we announce them publicly? Is there a requirement to do so? Most who deal with aviation or nautical exercises know the navigation safety reports required to test at sea or in the air.
Create Plans for Disclosure and public release
What sort of requirements do we levy on public release of information? What can be released, and to whom? We have an array of measures to insure we control the information that goes into our project. The foreign disclosure officer controls, then monitors, disclosure of parts or perhaps all of a project to foreign governments. Our State and Commerce Departments organize what laws are pertinent to such international dealings. Even our own intelligence assessments offer ideas concerning disclosure which cannot be ignored.
The Freedom of Information Act creates specific guidelines around the release of government information. Indeed, government information is ‘ours’ as a nation. Under restrictions, it should be available to all. Those restrictions are clearly laid out in policy documents, and must be adhered to. Cleared personnel must be aware of this policy and the Privacy Act, the better to know what is releasable upon request, and why. Unlike information access which required spies in the past, much information is now available for the asking. FOIA information is available to anyone, or any entity or nation, under the same conditions for release. Businesses routinely ask for Requests for Proposals under this act. This way, they see what the government requires to accomplish something. Notice too, that such information would be of great interest to an adversary.
Before you release information to the public, consider how an adversary may access or use it, as well. The government’s focus on Controlled Unclassified Information (CUI) today signals the shift in the information domain. Our secrets – while still valuable – are no longer the only, or even primary way adversaries gather their intelligence.
Because the amount of publicly available information is always growing, educating the workforce on threats, risk, and information sharing programs is key. There is never an end, and so professional training for those who must monitor, and for those who are subject to the threats, are constant. They are constant because the adversary never sleeps. He’s always trying to find the weak link, the chink in our armor where he can insert the knife.