If I have a meeting in a secured Sensitive Compartmented Information Facility (SCIF), then only authorized personnel can come in.

No exceptions.

If you are invited and your clearance is not available to the SCIF manager, it is your responsibility to send it in beforehand.

But why all the fuss? Why not let someone in if you know them and their clearance?

Espionage is why we must invoke what often seem to be pettifogging rules.

Consider this: it is believed that ‘liaison’ visits by the notorious Soviet spy ‘Kim’ Philby with James Angleton, chief of counterintelligence at the CIA, resulted in hosts of secrets being shared. I can well imagine Philby not being allowed into a classified meeting, and yet getting all the ‘scoop’ in a pleasant, alcohol-soaked lunch with his counterparts later on. All of these concerns must be taken seriously.

Many ‘cleared’ activities happen in countries overseas.

Where are spies sought out for recruitment by our adversaries?

Adversarial spies start with the easy, low-hanging fruit. A security assistant at the Indian embassy in Moscow was recently arrested. He was charged with espionage on behalf of India’s adversary Pakistan.

Imagine how that recruitment went; was it a false flag? Did the recruiter say he worked for Russia or the United States? Whatever happened, the recruited spy was given money for his services, which are said to have included giving military plans to his Pakistani handlers.

What about this last statement? Does a security officer have access to military plans? It seems he was allowed to get information that most probably did not fall into his area of responsibility. This should raise more than simple concerns about a security officer being compromised.

When the damage assessment is accomplished, and we must trust that an investigation is happening, information about what was lost might lead to others who unwittingly helped this spy gather his information. He might have been given access well beyond his ‘need to know’. Incidentally, that is why the phrase ‘need to know’ is preached constantly.

How do you spot and stop insider threats?

In the lion’s share of such cases, poor practices are a result of misunderstandings, carelessness, complacency, or laziness. Yet as case after case of actual compromise demonstrates, it is in such a loose arena that spies flourish.

Consider the spy movie ‘The Falcon and the Snowman.’ In this film, practices were so lax in one SCIF that team members would smoke marijuana inside. Nobody checked, nobody cared. The later-spies-to-be knew this and found espionage was as simple as walking out of the SCIF with the secrets. So what should happen?

Government and contractors call it by different names, but the ‘chain of command’ is ultimately responsible for all that happens on their watch. Anyone can report a security violation, but how should someone do so to accomplish the best results?

To whom do you report?

If a door is left unlocked, contact the person whose office it is. Problems are generally best solved at the lowest possible level. This is true, provided it doesn’t become a habit. But let’s say we have worse problems. What if a classified document is left out, a safe is left open, or someone unauthorized is in a secure area? A simple solution is to contact the security office immediately. You may skip the entire chain of command to do so. Why? In one organization, the director of security, responsible for dozens of sub-offices, told people to tell him if they found a security violation. Sounds reasonable. But was it?

Most people would report an incident to their department chief, who would then take the report to the command staff call. At that large meeting of all department heads, he’d tell ‘the G-2’ (and the entire staff!) of the incident. It became the talk of the organization that day, and any hope of narrowing the problem was doomed. The worst case of such widespread knowledge of a security incident could be that actual spies would find out that their actions were under suspicion. They would either work feverishly to erase evidence or disappear.

The goal of all intelligence is to share only with those with a need to know and to keep faith with the practices that deny an adversary access. How this is best accomplished is demonstrated by a strong and functioning security program, practiced by the entire organization.

John William Davis was commissioned an artillery officer and served as a counterintelligence officer and linguist. Thereafter he was counterintelligence officer for Space and Missile Defense Command, instructing the threat portion of the Department of the Army's Operations Security Course. Upon retirement, he wrote of his experiences in Rainy Street Stories.