Often, classified project defenders think that the piece of equipment being developed is all that needs to be protected. Not so. Here’s a practical exercise to consider to better protect your project.
Let’s say you are constructing a weapon system. Any type will do. When should protection begin? If you suggest the minute you win the contract, that’s right. Others, including adversaries from foreign countries, other companies, and even private intelligence brokers, are also aware of your contract. If they want what you’re making, they’ve already set out to work against you.
From the beginning, you would have been visited by a government contracting representative. They would have advised you who and where your security contacts are. This will include the FBI, computer security, Defense counterintelligence, and Homeland Security personnel who are at your disposal for assistance. They will also provide you your threat assessment.
Of course, the threat assessment will primarily cover classified dangers. You should also have an Operations Security evaluation performed. This will alert you to so much more you’ll need to take security countermeasures against.
Where do the components of your future classified weapon come from? Are the parts manufactured in the U.S., or abroad? How are they protected? Must they be, and at what level? If time is of the essence, how do your components reach you? We have only to look at the supply chain woes of the pandemic era to know we have to plan well to insure timely arrival of supplies. Consider too, if your components are unique to a given area, are they subject to unusual threats, such as piracy? What could preclude these parts arriving in time? How far out do you have to plan to insure their arrival?
Once on station at your plant, you face a host of new concerns. Who is responsible for protecting the components from arrival to dispersal? Where are these parts kept throughout the construction process? Note that these are physical security questions, which are supplemented by computer security. Who cares if you have protected a component well if you’ve lost ‘how to make it’ already on unsecured computers, that is to say, on the drawing board?
The highly classified Norden Bombsight of World War II was tremendously, some might say remarkably, well protected. The U.S. even required its verified destruction in the field if a bomber crashed. Sadly, the entire program was compromised from the very beginning. A German-American plant employee stole its designs and sent them to Nazi Germany. The episode makes us pause to consider what the Germans knew beforehand, and how they set about to recruit someone to steal the projected device.
Are you physically prepared to defend your classified project from intruders? Is your classified component under development so large you require massive hangars or bunkers? What if the only classified component is a sensitive piece of equipment on an aircraft or tank? What if all you want to protect is finely ground glass optics, or a night vision capability? Would you not better detach that part, and put it in a far less expensive, more easily protected, small safe?
As you can see from this exercise, we are only touching on parts of defensive measures security facility officers are responsible for. Yet, such exercises in ‘whole process’ review are valuable indeed. With all our appropriate personnel taking part, aspects never dreamed of by some of our experts can be introduced.
At what point is it necessary to protect our project? Let’s say much of what goes into making it is ‘off the shelf.’ This is a much-emphasized aspect of modern military construction. Why? Because the costs associated with buying off the shelf components, then adding secret components, is minimal compared to having to develop a whole product from scratch. What’s classified is the part that is added to the pre-existing product. Also, classification could depend on timing. If a product will be compromised the minute it is known in the press, then we know that a host of information security measures must be introduced. We need to know who will be allowed access. Which countries will be allowed access, either in part or in whole, to the project? By this I mean we can give some projects to some countries. We must, however, make sure the components are not reproducible technically. Such was a concept employed during the Soviet-Afghan War, when we gave anti-aircraft ‘Manpads’ to the Afghan rebel Mujahideen, but not the construction know-how.
Deployment of the project may not be the concern, as once released to the services it becomes theirs. But if not, security professionals are required to know how to deliver something safely, securely, and in a timely fashion. This might require additional liaison with foreign countries, for example. It could also require even the vehicle drivers be vetted to carry the project by land, sea, or air.
Such an exercise is always useful. ‘Follow’ your classified product from ‘awarded contract’ to final delivery. Repeat this exercise at periodic intervals, the better to determine how well the effort is going. With each relook, you’ll discover other areas where you can do better.