Glenn S. Gerstell

How to Prevent the Next Intelligence Leak

America’s secrets aren’t sufficiently protected. The recent posting of apparently classified government documents to internet chat rooms allegedly by the Air National Guardsman Jack Teixeira reminds us that intelligence reporting is subject to a dilemma: Either we clamp down to prevent leaks, or we share information broadly within government to prevent harm to our nation and our troops. There is a way out of this predicament, but it entails fundamental and expensive changes.

The first step in this effort will require us to admit that we aren’t investing the right way in preventing leaks. This isn’t any one administration’s failure. When Congress allocates funds to spy agencies, they are more likely to spend them on new spying techniques that might produce richer intelligence, rather than on protective measures that lower the risk of compromise.

Even so, we do spend billions on protection, but it’s heavily geared toward stopping potentially devastating intrusions by another country, such as China or Russia, and less aimed at insiders. That’s the right choice: Imagine the consequences if the 2019 SolarWinds intrusion into federal civilian departments had instead occurred in the Pentagon’s classified networks. While there have been embarrassing compromises of parts of the military’s network, we appear to have been successful at keeping foreign adversaries out of our top-secret defense and intelligence systems, at least.

Yet we still have a problem: The most serious document compromises of the past decade or so have been caused by employees with authorized access, such as Chelsea Manning, Edward Snowden, Reality Winner and, apparently, Jack Teixeira. That’s a disturbing pattern of leaks by 20-something contractors or members of the military — not longtime employees of the CIA or the NSA. Perhaps the vulnerability is greater in the military, whose recruiting is less selective than that of the intelligence agencies.
Maybe the problems are more prevalent among members of Generation Z and millennials — especially those obsessed with online gaming — as they might be more disaffected, less inclined to follow rules and more interested in building clout on social media.

When inside leaks occur, the typical and understandable response of the intelligence and military communities is to cut back on access in some way. But no sooner are stricter procedures implemented than they inevitably erode because the evolving nature of threats and technology demands new intelligence and greater sharing.

Another response, from the Moynihan Commission in 1997 to the current examination by the director of National Intelligence, Avril Haines, is to wrestle with the problem of overclassification, on the theory that the larger the number of classified documents, the more difficult they are to manage. There’s some truth to that, but overclassification doesn’t itself cause leaks. To combat leaks, we instead must focus on dissemination and protection.

Determined individuals will inevitably find a way to get around any defensive measures. But rather than adopting one-off, backward-looking solutions aimed at preventing another leak, we need an integrated approach to disseminating and protecting national security information. Fortunately, both the government and the private sector have potential solutions in hand.

The government can create a sense of mission and public service, and it can vet and monitor, in a legally appropriate way, employee behavior. Even with the best policies and procedures for our system of handling classified documents, we must ultimately rely on a culture of trust and compliance. Most of the individuals with top-secret clearances know that the lives of their fellow members of the military, intelligence and diplomatic communities could be endangered by an unauthorized disclosure.
Nonetheless, we need a greatly reinforced effort to restore a sense of public mission and inculcate the appreciation of the fact that our national security is at stake. This might be even more essential in the case of recruits for the military and intelligence agencies coming from Generation Z.

The principal way we currently train employees with security clearances is by making them periodically take an online course on the proper handling of classified documents. This mechanical approach won’t yield a work force that truly appreciates the need for security, especially in the younger generation.

Requiring everyone applying for a top-secret clearance to undergo a psychological exam and polygraph (now done only for employees of certain agencies) would not only weed out problematic candidates but might also build cohesion among employees who feel they are part of a select group. And that type of vetting needs to be done continuously, not just at the time of hiring. Again, this could be a more acute issue among, say, impressionable 18-year-old military recruits whose views might well change in just a few years.

Of course, a trusted work force isn’t itself sufficient; there will always be temptations, and a certain percentage of people will deviate. Technology must fill the gap, and there, the government has much to learn from the private sector’s innovation. From pharmaceutical companies to defense contractors working on the cutting edge of the digital revolution, private companies deploy technology in an effort to prevent theft of industrial secrets so that samples, models and blueprints don’t walk out the door.
The government could emulate the private sector, picking out the most effective solutions — perhaps installing paper-thin RFID tags on documents and binders (triggering an alarm on exit, much like the system retail stores use to protect against shoplifting) or stepping up the use of artificial intelligence to catch anomalous behavior (such as someone printing out an atypical document). If every ATM can have a camera, why not every top-secret printer? The government has been slow to adopt robust private sector techniques because they are costly and time-consuming to implement, and Congress demands quick fixes.

One critical private sector concept that the government could adapt to the handling of classified materials is to follow an increasingly popular business model to deal with cybersecurity risks. The private sector is shifting from a system dependent on a network firewall to one based on independently verifying every cybertransaction. The federal government is also moving to this so-called zero trust architecture, with both the intelligence community and the Defense Department embracing the concept for cybersecurity purposes.

The new idea would be to apply the same concept to our system of handling classified documents: It would explicitly implement the principle — to which we claim adherence but don’t apply in practice — that access to information is afforded only on a need-to-know basis if it’s relevant to your particular job. As a presidentially appointed reform group suggested after the Snowden leaks a decade ago, shouldn’t a tech support worker (like Mr. Teixeira) merely have administrative access to the network, but not the right to see or print out substantive intelligence reports?

Today, we have a perimeter-based system: If you pass a security test, then you are mostly allowed access to classified documents, albeit with some categories of documents being in special “compartments” requiring additional approvals.
But that’s far from a zero trust system, with layers of automated controls applicable to the access of each document. This could also be combined with a system where levels of details of a report were made available only as necessary, moving away from our binary, all-or-nothing approach.

There are many other private sector techniques and innovations the government could exploit, but we need to adopt and implement them in an integrated and coherent way. That’s not going to come about through the government awarding individual contracts for solutions. Instead, Congress or the Biden administration should appoint a small task force of government officials and the best and brightest from the private sector to overhaul our dissemination and protection systems.

We need to start treating the protective end of the intelligence process like it’s as important as the collection part. Implementing that will be expensive. The alternative, however, is to keep taking disjointed and incremental steps — but one day, that might yield even more costly intelligence or military losses.

The New York Times