Even before our huge weapon losses in Afghanistan, our services were dealing with another significant weapon disappearance issue. Most of us who maintain clearances our entire working careers can empathize with the recent military lost weapons discovery. These vanishings occurred, however, not after massive war related disasters, but due to unknown causes both here and abroad. Reports of almost two thousand lost military grade weapons over the last decade are startling. Such a report was stunning enough to spur the Chairman of the Joint Chiefs to demand a thorough review and audit. He wanted to know what the problem is with the whole life cycle of a weapon. Audit is always a scary word.
How Classified Information Walks Out the Door
It doesn’t have to be. To make sure you don’t fall into such a pit, with your cleared information or sensitive materials ‘walking out the door’, there are simple practices you can put in place. Begin by asking your team members if the accountability measures you employ make sense. And, ask those who must enforce them. I remember having my suit festooned with an array of eight separate badges by the time I reached the office I needed to visit. Each separate entry required a badge, which was duly hung around my neck or clipped to my lapel. My previous credentials were never even checked as guards inspected the bizarre application of the next one. This was, in a word, stupid. The whole mad practice appeared to be based on the bogus belief that ‘action equals effect’. Even worse, it was a waste of time. No one checked that my clearance was sent ahead, because they trusted all these myriad measures, applied one by one to the exclusion of the previous confirmation.
A Personal Test
I recall a poster which showed a series of ‘acceptable badges’. The array of badges on that poster was each an exact copy of an actual access badge. Where the face should be on the poster’s badges, there was, in tiny letters, the word ‘sample’. The poster had been there so long no one even noticed when it was gone. I’d taken it to perform a test. I cut out one of the badges (which I was not authorized to have). I affixed a photo of my face to it, and laminated it with the expedient of a commercially available machine. I hung it on a neck lanyard and took off. No one ever challenged me. After I’d used it a while, I drew some conclusions, having previously advised the command of this potential compromise capability.
No one checks badges. Guards get bored, and get used to certain ‘truisms’. People walk right on past the checkpoints if they are ‘known’ and wearing something around their neck. Senior people can come and go as they like, often vouching for others, often because they forgot their badge and were not required to account for their presence in other ways. Without a double check system, such as a machine verification post where a badge is ‘swiped through’ after showing it to the guard, virtually anyone can get in your facility. If you have classified information, but you don’t control who comes and goes, that information might ‘take a walk’ out the door. Physical checks of briefcases, of hardware, even of trash are important. I hear the complaints. “But don’t the spies simply download it all on a usb device these days?” While true, a metal detector tuned to detect such devices going in or coming out would stop that. Be sure you aren’t so attuned to protecting your software and hardware from electronic intruders that you forget the tried and true physical security protections.
Study the Lifecycle
‘Walk’ a sensitive component through its life cycle. If you are developing a classified weapon, let’s say, you have a long trail to follow. Where is the design developed? How does this design travel? Electronically? Physically by hand? Across borders, electronic and real? How is the device constructed? What materials are included? Where do these come from? Where is it assembled, and how is it tested? What happens to discarded parts or materials? Julius Rosenberg, the atomic spy, stole classified components from trash cans he kindly offered to take out. Before you dispatch your classified component to its intended recipient, what measures are required to protect it? I remember inventorying weapons in a secured building. There was a regular check conducted, but so rarely that an item could have disappeared, and months go by, before its loss was reported. Likewise with bunkers holding sensitive items; their inventory should be conducted regularly. Luckily, the security managers were doing one thing correctly. They had an officer from another facility conduct the inventory. This way, a new person, who didn’t walk by such buildings’ inventory daily, could look upon them with ‘a new set of eyes’. That way, as Sherlock Holmes said so well, the viewer would ‘observe, and not just see’.
A review of your process for protecting a classified system from ‘design birth’ through disposal must be done. Change your practices and personnel now and then, too. Repetition leads to boredom and boredom to inattention. Then check how protective measures are implemented throughout the life cycle. Ask those responsible for protection at each stage of your cleared project’s lifecycle for their informed opinion. They will appreciate your asking, and you will have protected your classified program even better. Don’t lose accountability of those classified devices.