Few know that today’s safety in aviation has measurably increased after a disaster in 1935. A gigantic prototype bomber crashed at Wright Patterson Field in Ohio. It was determined that a simple check of the safety lock was not done. The idea of creating a checklist was instituted, so that future pilots would not forget to do all the necessary pre-flight checks.
A lesson to be learned
Can we in security for cleared personnel learn something from this? It seems we are part way there already. Most military and civilian cleared facilities have annual inspections. These inspections cover a host of areas in all security disciplines. Industrial security, personnel, computers, foreign disclosure, and other security measures are all covered. Rational, clearly answerable questions are arrayed and checked off once the inspectors are satisfied. In preparation for these visits, there are long hours devoted to answering the questions that will be asked. Did you brief 100% of your staff on espionage and sabotage threats over the past year? Yes. Show sign-in sheets of all who attended. Yes. The point is that standard operating procedures exist to verify all security areas are covered appropriately. Or are they?
a checklist is more than accountability
We all need checklists. They give a general awareness of how well we have covered the measurable security disciplines with our employees. But admittedly, that’s all they do. Have we made security awareness second nature for our employees? Or, have we only created colleagues who are checklist-conscious whenever the inspection comes about once a year? What about those incidents that might be counterintelligence related, but not fit snugly into a checklist? A retired foreign spy, operating under diplomatic cover, observed three events in this regard. He said a man approached him at a fine restaurant and offered to spy for his government. The spy, without hesitation, got up and left. Next, a charming young lady who spoke the spy’s language fluently met him at a reception. He directed her to meet his wife. After a couple of nice meetings, the young woman disappeared from the city, with no forwarding address. Lastly, a man approached him, declaring himself to be a Sikh. His purpose was dubious, and his apparent absence of Sikh personal protocol and accessories was unexplained. The spy dropped this man as well. His philosophy was, “…you must assume everyone you meet —every foreigner who contacts you—is probably a counterintelligence officer.” This intense awareness is not an extreme case, only a realistic one.
Ask the right questions
Why would we even want to ask our employees to internalize what seems to be almost a form of paranoia? What we are asking our colleagues is to simply be aware of their surroundings. The higher they go in rank, the more opportunity they have to meet others. The threat is arguably much greater today than even in the last century. Note the spy said ‘every foreigner’ might be a threat’. Today, everyone could be perilous. Now, so much more than in former times, information brokers, journalists on the make, and of course the ever-present online scams to elicit information, are everywhere. Few believe a man could fall for a charming disembodied voice over email, but they do. What does your organization do to properly prepare your team members to first be aware of, secondly, counteract, and lastly report any such incidents that might occur to them? One method a wise briefer once offered was this. At the end of every interview, every briefing he ever gave he’d ask, “Is there anything I’m not asking that I should be asking?” Ingenious. The briefing now took on a personal dimension. All the listeners were asked to respond on any topic they might feel appropriate to the security mission. Equally wise, once the question was asked, he’d solicit responses from those in the audience. From simple questions such as ‘Why do I need a bring up clearance?’ to ‘Who can we report computer security problems to?’ we who brief others must be prepared to answer. Of course, if we don’t know, we need to know where to direct the questioner to someone who can answer his or her question. Indeed, future briefing points could be noted for later, and then included in future briefings.
Add time to your checklist
Always set aside private time, and private places for interviews after any briefing you give. Having a name on a checklist of listeners to your briefings means nothing if you don’t avail yourself of the opportunity to listen to any reports that might be generated after hearing what you have to say. Make time, private time, for anyone who might have something, a question, or a serious incident, to report. Be sure they know the timeliness of reporting is important. The Navy is dealing with several recent possible espionage cases now. Each of the sailors was somehow contacted, recruited, revealed information, and was paid by a secret collector. In the two recent cases, the collectors were presumably Chinese. Be sure your briefings are not reduced to canned information and a mere checklist of names. Make the broader engagement. Make your briefings new, with current information, and always include a way to answer any question the listeners might have. You could just reveal a spy.