Tightening Security in the “Post-WikiLeaks” Era

The Obama Administration is moving to increase the security of classified information in response to the massive leaks of classified documents to Wikileaks in recent months.  The White House Office of Management and Budget yesterday issued a detailed memorandum (pdf) elaborating on the requirement to conduct an initial assessment of agency information policies and to initiate remedial steps to tighten security.  Agency assessments are to be completed by January 28.

The Wikileaks model for receiving and publishing classified documents exploits gaps in information security and takes advantage of weaknesses in security discipline.  It therefore produces greater disclosure in open societies, where security is often lax and penalties for violations are relatively mild, than in closed societies.  Within the U.S., the Wikileaks approach yields greater disclosure from those agencies where security is comparatively poor, such as the Army, than from agencies with more rigorous security practices, such as the CIA.

What this means is that Wikileaks is exercising a kind of evolutionary pressure on government agencies, and on the government as a whole, to ratchet up security in order to prevent wholesale compromises of classified information.  If the Army becomes more like the CIA in its information security policies, or so the thinking goes, and if the U.S. becomes more like some foreign countries, then it should become less vulnerable to selective security breaches.

The government’s response to this pressure from Wikileaks, which was entirely predictable, is evident in the new memorandum circulated by OMB, which calls on agencies to address “any perceived vulnerabilities, weaknesses, or gaps in automated systems in the post-WikiLeaks environment.”  See “Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated Systems,” Office of Management and Budget, January 3, 2011.

In an attachment to the OMB memo, the National Counterintelligence Executive and the Information Security Oversight Office provided an 11-page list of questions and requirements that agencies are supposed to use in preparing their security self-assessment.  “If your agency does not have any of the required programs/processes listed, you should establish them.”

Agencies are asked to “deter, detect, and defend against employee unauthorized disclosures” by gathering “early warning indicators of insider threats” and also by considering “behavioral changes in cleared employees.”

So, for example, agencies are asked “Do you capture evidence of pre-employment and/or post-employment activities or participation in on-line media data mining sites like WikiLeaks or Open Leaks?”  It is unclear how agencies might be expected to gather evidence of “post-employment” activities.

Among other troubling questions, agencies are asked:  “Are all employees required to report their contacts with the media?”  This question seems out of place since there is no existing government-wide security requirement to report “contacts with the media.”  Rather, this is a security policy that is unique to some intelligence agencies, and is not to be found in any other military or civilian agencies. Its presence here seems to reflect the new “evolutionary pressure” on the government to adopt the stricter security policies of intelligence.

“I am not aware of any such requirement” to report on media contacts, a senior government security official told Secrecy News.  But he noted that the DNI was designated as Security Executive Agent for personnel security matters in the 2008 executive order 13467.  As a result, “I suspect that an IC requirement crept in” to the OMB memo.

No Responses to “Tightening Security in the “Post-WikiLeaks” Era”

  1. Don Johnston February 16, 2011 at 9:50 PM

    It’s interesting that one requirement was to check for “any perceived vulnerabilities, weaknesses, or gaps in automated systems”; i.e. controls of a “logical” nature (electronic or IT). At first I thought this missed the mark because the problem was with a human who leaked the information, something that would fall under the category of an “administrative” control. When I thought more about it, however, it crossed my mind that the amount of data this person had access to likely far exceeded what was necessary for them to “do their job”. So, what is needed from an automated system point of view is better control of access to information based on the user’s relationship to the data and/or need to know. One example of this that most people could relate to is patient information: if a user of a patient database isn’t listed as the attending physician or within the “circle of care” then they don’t get access to the data. People can still do their job but are shut out of the majority of a very sensitive database.
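The relationship-based check the commenter describes, together with the “early warning indicator” idea from the OMB attachment, can be sketched as a small enforcement point. The following is an added illustration, not code from Secrecy News, the commenter, or the OMB memo; the users, patient identifiers, and the denial threshold are constructed assumptions:

```python
"""Relationship-based access control over a patient-record store.

Access to a chart is granted only through a documented treatment relationship
(attending physician or circle of care). Every decision is audited, and repeated
denials for one user are surfaced as a simple insider-threat indicator.
All identifiers below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class PatientRecord:
    patient_id: str
    attending: str                                          # user id of attending physician
    circle_of_care: Set[str] = field(default_factory=set)   # other staff treating the patient
    chart: str = ""                                         # the sensitive content


@dataclass
class User:
    user_id: str
    role: str


# Constructed sample users and records (hypothetical identifiers).
USERS: Dict[str, User] = {
    "dr_ahmed": User("dr_ahmed", "physician"),
    "nurse_lee": User("nurse_lee", "nurse"),
    "analyst_01": User("analyst_01", "analyst"),   # broad IT access, no treatment role
}

RECORDS: Dict[str, PatientRecord] = {
    "P-1001": PatientRecord("P-1001", attending="dr_ahmed",
                            circle_of_care={"nurse_lee"}, chart="chart for P-1001"),
    "P-1002": PatientRecord("P-1002", attending="dr_other",
                            circle_of_care=set(), chart="chart for P-1002"),
}

# Audit trail of every decision, allow or deny; denials feed the indicator below.
AUDIT: List[Dict[str, str]] = []


def authorize(user: User, record: PatientRecord) -> Tuple[bool, str]:
    """Allow only when the user has a recorded relationship to this patient.

    Role alone never grants access: a physician with no relationship is denied.
    """
    if user.user_id == record.attending:
        return True, "attending"
    if user.user_id in record.circle_of_care:
        return True, "circle_of_care"
    return False, "no_treatment_relationship"


def read_chart(user_id: str, patient_id: str) -> str:
    """Enforcement point: authorize, audit, then release or refuse the chart."""
    user = USERS[user_id]
    record = RECORDS[patient_id]
    allowed, reason = authorize(user, record)
    AUDIT.append({"user": user_id, "patient": patient_id,
                  "decision": "allow" if allowed else "deny", "reason": reason})
    if not allowed:
        raise PermissionError(f"{user_id} has no treatment relationship with {patient_id}")
    return record.chart


def denials_for(user_id: str) -> int:
    """Number of denied chart requests recorded for one user."""
    return sum(1 for e in AUDIT if e["user"] == user_id and e["decision"] == "deny")


def flag_browsing(user_id: str, threshold: int = 3) -> bool:
    """Early-warning indicator: repeated denials suggest probing beyond need to know.

    The threshold of 3 is an arbitrary constructed value for illustration.
    """
    return denials_for(user_id) >= threshold


if __name__ == "__main__":
    print(read_chart("dr_ahmed", "P-1001"))          # attending: allowed
    for pid in ("P-1001", "P-1002", "P-1001"):       # analyst has no relationship
        try:
            read_chart("analyst_01", pid)
        except PermissionError as exc:
            print("denied:", exc)
    print("analyst_01 flagged:", flag_browsing("analyst_01"))
```

The point of the design is that the data owner’s relationship table, not the user’s role or clearance, is what the enforcement point consults; the audit trail is what turns a purely “logical” control into the detection capability the memo asks agencies to build.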