Still makes little sense to me how this happened. But there are the classic four reasons for security breaches - usually actual proper spying - but the reasons remain solid: money, ideology, coercion and ego.
One will note that sys-admin is a job where you have ridiculously uncontrolled access to stuff. Part of the job is that you don’t abuse that access. Sometimes your job requires you to access material that you would not be expected to have any reasonable reason to see. Email being probably the most common. Sorting out email issues used to take a lot of my time back when I fleetingly had sysop as part of my duties. In principle I could read any email on the system from anyone to anyone. One simply did not do so. (There is a scene in the original, British, House of Cards series (actually in The Final Cut) where it is becoming suspected that the PM (Francis Urquhart) has a serious shadow hanging over his time serving in the army. Information about an event that is classified. The keeper of the files is quizzed about how he handles these files when they contain such potentially explosive information. “I avert my eyes.”)
Secure systems should provide significant controls over classified material. There are whole aspects of operating system design that provide for data diodes and partitioning of data. Auditing and traceability of material is critical. Just duplicating material should require clear and auditable controls that maintain traceability to every copy. Top Secret tends to mean material that, if compromised, could lead to catastrophic consequences.
But eventually you need to trust. In the modern age it is trivial to remove information from secure sites if you really want to. It could be as simple as swallowing a memory card. TSA style security isn’t going to help. Trusting your people is eventually the only answer. That and a parallel security structure that makes it very very unwise to even think about doing something stupid. Ultimately this guy was stupid. Really stupid. To the point where it is hard to understand how he didn’t realise what was going to befall him with an ironclad inevitability.
You can set up a system where even the sysadmin can’t access certain pieces of information. To some extent, this is standard: On any competently-designed computer system, for instance, there is no person who can access anyone’s passwords. And it could be set up so that all classified information was similarly protected.
But verifying is better. Have a record of who sees what. Change the number of people who have full access to high level documents, not every IT needs to work for every Grand Panjandrum.
IIRC one of the lessons from 9/11 was that intelligence info was too compartmentalised, and people who could have joined the dots together couldn’t, because they didn’t have access to all the material.
There’s a tradeoff between limiting how many people have access (based on both clearance and need-to-know) and effective operations across the intelligence community. The 9/11 commission did indeed report that the agencies’ reluctance to share information with each other (aka ‘stovepiping’) contributed to the failure to detect the attacks.
Over the last several decades, there was a shift at the agency where I worked. Away from treating employees as low-level workers whose job was simply to follow directions. Leadership today recognises the need for independent professionals collaborating to solve the tough problems. To do that, you need to understand the big picture, and that requires access to more information than used to be allowed.
When I came on board in 1986, we were briefed by a guy who told us to be suspicious of colleagues who asked us questions about our jobs. Supposedly, the only reason anyone would do that was to sell it to the commies. Good luck collaborating in that environment.
How to ensure that IC employees can be trusted with this greater access? That’s out of my area of expertise.
But with increased access, does this really mean intelligence communities are now sharing information better? This is outside my seneschal, but my amateur impression is they tend to infight over prestige, protocol, parking, politics and policy details like new buildings and such (like many other bureaucracies)…. I am likely wrong, but…
It’s not a misunderstanding of the military, but a condemnation of the way things are done.
When you, e.g. throw away an important receipt and your spouse asks, the “why the hell did you throw away that receipt that I saved?” question is not necessarily a request for clarification of the procedures you have in place, to help explain why you did that, and more of a condemnation of your procedures and their results.
When the answer to “why did this guy have access to all this information” is a procedural “well tons of 18-year-olds have access to tons of Top Secret information in the military”, that’s not a ding on the public for not knowing that, but a ding on the military for having that policy in place.
e.g. if someone asked “why was it so easy for that policeman to accept so many bribes” and the answer is “well, for efficiency of the police force, superiors look the other way regarding bribes, and that’s why it was easy for this guy. Your question shows a fundamental misunderstanding of the police”, that’s not a ding on the public for not knowing this (hypothetical) police culture, but a ding against the police for having this culture.
I don’t know how many are on major bases. Are there more people than go through Chicago O’Hare or Heathrow airport in a single day?
Even if it’s more, you don’t have to check everyone. You can (a) have random checks or (b) assuming not all spaces on a military base contain Top Secret documents, just check those people who are leaving rooms where they just accessed Top Secret documents.
To avoid compartmentalization, you don’t have to give Top Secret access to everyone. You can still have the various intelligence agencies collaborating at the highest level without giving every Tom, Dick, and Harry Top Secret access.
I think both are needed. Both trusting and verifying have their blind spots and failure modes, so just one of them is not sufficient.
Also, you can have strong data security checks in place at each step. At a major tech company I was at, if you tried to access some info in a sensitive database that wasn’t directly tied to what you’re working on at the moment, a big pop-up would ask “why are you asking for this info”, you would give a business justification, and it would route your request to some people in charge of those databases, and only after approval would you get access. It happened quickly (~minutes) but it was a good point of friction to have to prevent wholesale access to everything.
Ok. It’s a misunderstanding of how things have to be done.
Classified information doesn’t spontaneously come into existence in a vacuum. It is gathered and compiled by the workers who are E3-E4 soldiers. It’s what the military is. It’s not a bunch of middle aged guys. By necessity the worker bees in the military are young. You don’t win wars with old men.
Right. There are simply some jobs that necessarily require it from the top to the bottom. It’s impossible to keep anyone below a certain age from obtaining a security clearance. I was able to get through a large portion of my career with just a Secret clearance but I did have to have a TS at a relatively low rank. Age is immaterial. The job is what is relevant. I’m not sure why so many (not just here) don’t understand the military needs to have young people with vast amounts of responsibility. Most of the worst leaks have come from older more experienced people anyway. You can even be 76 years old and leave classified documents laying around your resort.
I think that the biggest failure here was not in the level of clearance, but in need-to-know. OK, so a young man has Top Secret clearance. That’s how the system works. But most of what he leaked was material that he did Need to Know. Why was the system such that he was even able to access information that he didn’t Need to Know?
The uniform doesn’t say “National Guard”, it says “US Army” or “US Air Force”. I promise you that while the Guard can be mobilized for emergencies and civil unrest within the state they reside, the focus of their duties is not domestic.
The perception that the Guard is lesser and/or somehow less worthy than the active duty components will never go away, I suppose. But the reality is that just like the active duty the average soldier/airman is told only what they need to know but the leadership and intelligence sections are fully informed and have access to all information they are cleared for.
It’s not that I perceived him as lesser than active duty, it’s that I was unaware that his unit had been called to active duty last October. Also, what I could not believe was that a “weekend a month” guy could get ahold of that much information in such a short time. That’s all, no disrespect of the uniform or the guard intended.
I assume this is a side effect of the reduction of the actual army (etc.) - the same effect that led to civilian contractors doing mundane things like laundry in Iraq or Blackwater filling in for some security jobs. Instead of having sufficient manpower, it seems DoD uses the people who’ve signed up to be “weekend warriors” (i.e. a fallback force for emergency times) to be full time workers from time to time?
(again, no disrespect to NG - just, they did not enlist for full-time… why were they being used as such during normal times?)
Because in today’s military, the Guard is integrated into the operational commands even in “peacetime”. It’s not Dan Quayle’s Guard. The forces rely on short-time activated Guard and Reserve units and individuals to keep up operations.