It happens every time there’s a major espionage scandal. The intelligence community, the sitting administration and the Congress roll out the platitudes and the boilerplate: “We must ensure this sort of thing never happens again”, and “New, tougher measures to protect America’s most vital secrets are needed”, and, ultimately, the claim, “Weaknesses have been eliminated.” It’s all a farce.
You can look it up. Remember the Walker spy ring in the 1960s, 1970s and 1980s? Chief Warrant Officer John Walker, members of his family and a friend passed cryptographic codes and other sensitive material to the Soviets for 17 years. How did they get the material? Walker and others walked out of the controlled spaces where it was kept carrying the material in briefcases or folders. How was the case broken? Walker’s ex-wife ratted him out. Oh, there was much wailing and gnashing of teeth in the intelligence community that day!
Fast-forward to 2010. PFC Bradley Manning (allegedly) downloaded 250,000 State Department cables to writeable compact discs labeled “Lady Gaga” and walked out of the controlled space where he accessed them. No one stopped him to examine the discs. How was the case broken? Adrian Lamo, “grey hat” hacker extraordinaire, convicted felon and self-ordained minister of the Universal Life Church, turned him in after Manning admitted the crime in an email exchange. Lamo, no stranger to stealing secrets himself, evidently had pangs of conscience: He thought what Manning had done might jeopardize lives.
Walker demonstrated during nearly a generation of treachery what he later claimed from his prison cell in a video produced expressly for the intelligence community: Wal-Mart guards its toothpaste better than America guards its secrets. Manning proved we haven’t learned much in the quarter-century since Walker was busted.
It’s worth highlighting four similarities in these two cases. First, the material walked out of controlled spaces under the control of someone with a Top Secret clearance and code-word access. Second, the perpetrators were breaking rules and procedures that everyone around them knew about and must have witnessed but didn’t react to. Third, outsiders, not counterintelligence operators, broke the cases by simply pointing out what had happened. Fourth, the leakers were volunteers, or what we call walk-ins; they weren’t coerced or recruited by other governments or by anyone else.
To be sure, the rules changed after the Walker case. Two-hand control of cryptographic material replaced single-hand control. Every one of us in the intelligence community received annual counterintelligence briefings about unauthorized contacts with anyone from hostile intelligence services. But we also watched as Jonathan Pollard and Aldrich Ames, Robert Hanssen and Kendall Myers proved again and again that whether for ideology, greed or zealotry, human beings are the weakest link in the secrecy system. Should Manning be convicted, it will simply be further proof of the point. What can be done about this, since we can’t remove humans from the equation?
Let’s look more closely at the Manning case. Why was Bradley Manning, a tactical intelligence analyst in an infantry division, given access to State Department cables? The principal question, really, is what was his need to know? What value would the records of sensitive discussions or personal observations by American diplomats in countries on different continents be to a tactical intel analyst in Iraq? The answer is unarguable: none.
Manning had access to that material through classified internet portals and networks (SIPRnet and JWICS). The material was available to him most likely through a simple Google-like search engine. It was available because the intelligence community has been instructed, post-9/11, to reduce the number of stovepipes and firewalls surrounding and protecting information. Obviously, then—and keeping in mind the need to share information across the IC, and to some degree across the national security agencies of the government—one way to limit the opportunity for Manning-like leaks is to restrict access to those with a genuine need to know. We can do this.
Many, perhaps most, State Department cables are classified at the “confidential” level, which means they are low on the scale of potential damage to American security. But even those at the “secret” level are also further caveated using standardized IC language (for example, NOFORN, for no foreign dissemination, or PROPIN, for proprietary information). They are also categorized using State Department TAGS (Traffic Analysis by Geography and Subject) like PGOV, for politics and government, MOPS, for military operations, or KICR, for the Coral Reef Initiative. Limiting access to sensitive cables through the expanded and better targeted use of caveats or TAGS would significantly reduce the opportunity for unauthorized releases like those of which Manning is accused.
We can also make better use of the various psychological and other tests that all would-be IC members must take. It is unlikely that we can ever wholly eliminate the Pollards, Hanssens, Walkers, Ames or Myers from the system. There is simply no way to know what’s really inside a person’s head or heart, and it would be unwise in the extreme to change the culture of the intelligence community from one of general trust among colleagues to one of default suspicion of treason. But we can limit the number of opportunities any one person might have to give away the crown jewels through the better use of examinations.
The CIA uses a lifestyle polygraph examination to determine who can join and who can’t. While most of the community relies on a simple counterintelligence scope polygraph based on questions about unauthorized contacts and disclosures, the Agency delves into the subject’s personal life. These questions ensure that the person with the squeaky clean background is selected rather than the person with the best skill set. One might question the wisdom of this tradeoff, and one might also note that the lifestyle poly didn’t exclude a bad seed like Ames. Nevertheless, if better information security is what one seeks, annual full counterintelligence scope polygraphs of all those with access to what are called Secure Compartmented Information (SCI) Facilities would help, as would better screening of personal finances.
The most important thing we need to do is to enforce the rules already in place. Manning and Walker both worked in Secure Compartmented Information Facilities—SCIFs. The rules for operating in these environments are pretty simple and known by all. They certainly exclude the presence of data-capture devices like portable hard drives, CD-RWs, flash drives, cameras on cell phones and such. Manning allegedly walked in and out of the SCIF with CD-RWs. His co-workers and supervisors saw him do it. But no one stopped him. Why?
I can only speculate, and I might as well, because this sort of information will likely never enter the public record from a court case. Manning was working in the SCIF because he had a clearance and a presumed need to know. People around him assumed that the system worked, that Manning was safe because he had been granted that clearance. In fact, Manning’s supervisors knew he was not safe. Manning was diagnosed with an adjustment disorder and had multiple violent outbursts before deploying to Iraq. He shouldn’t have deployed to Iraq at all. Once there, he punched a female soldier in the face, and his condition degraded to the point that his supervisors took the bolt from his weapon, rendering it (and him) useless in combat.
No one bothered to enforce the SCIF rules because if security is everyone’s job, as many units ritually proclaim, then it’s actually no one’s job. Someone actually has to stop and question and investigate those who are breaking the rules. No one did. This is probably because everyone was breaking the rules in one way or another, perhaps keeping an MP3 player at their desks, or carrying a cell phone in their pockets. A security guard accountable for actively checking every package, envelope, pocket and bag entering the facility is likely the best way to enforce this.
This is a very simple, low-tech approach, and it is very inexpensive as well—which is why, these days, it is so hard to think of inside the IC. We can reduce our exposure to classified information loss simply by using common sense, enforcing the rules, and avoiding forms of IC groupthink.