Preventing Intelligence Leaks: Let's Start Over

commentary

(Just Security)

An example of a cover sheet typically used to mark a folder as classified. This folder does not contain classified material and the cover sheet itself is unclassified, photo by C. Todd Lopez/U.S. Department of Defense

An example of a cover sheet typically used to mark a folder as classified. This folder does not contain classified material and the cover sheet itself is unclassified.

Photo by C. Todd Lopez/U.S. Department of Defense

by James B. Bruce

May 3, 2023

As a former CIA career officer, I wince learning about leaks of classified documents that produce sustained headlines. I know the damage such a debacle can wreak on intelligence-gathering and cooperation with U.S. allies. The hard-won intelligence that Jack Teixeira, the recently alleged Air National Guard leaker delivered via the internet to nations hostile to the United States, likely cost U.S. taxpayers billions of dollars to produce, and some of those sources and methods may never produce again.

Unauthorized Disclosures—Preventing Self-Inflicted Wounds

It is doubly painful to know that such illegal leaks can mostly be prevented. But that would require repudiating a business-as-usual approach, and a much more concerted way to thwart untrustworthy employees whose responsibilities exceed their judgment.

Ten years ago, I coauthored a think-tank study for the Department of Defense, recommending comprehensive measures to deter and prevent classified leaks. While we cannot know for certain how much these reforms might have helped, my understanding is that despite being officially endorsed, their full implementation, as some cynics had forewarned, has fallen short.

Serious unauthorized disclosures such as the documents stolen from the Air National Guard facility in Massachusetts, can damage U.S. national security. In this case, some of the leaked documents have reportedly spotlighted ways that shared intelligence has helped Ukraine defeat Russian attacks, which Russia may now be able to counter; how deeply U.S. intelligence has penetrated the Russian military, and where, by inference, such leakages may now be plugged; and how Ukraine's shortages of specific defenses will multiply its vulnerabilities, which Russia can now better exploit. Such foolishly squandered advantages will fuel Russia's offensive operations, increase casualties to Ukrainian forces and civilian population, and add pressures for U.S. and allied escalation.

The government's track record controlling classified leaks has been steadfastly poor. Its impotence in dealing effectively with this problem was well characterized 40 years ago by then–Deputy Assistant Attorney General Richard K. Willard (PDF): “The whole system has been so ineffectual as to perpetuate the notion that the Government can do nothing to stop the leaks.” This harsh judgment is even more true today than it was when Willard's stunning observation made no discernible difference.

Secrecy Paradigms—Old and New

The only approach that can ever hope to make a real difference is a transformational one. The United States badly needs a new secrecy paradigm to protect classified information, and one that also improves government transparency to enhance public understanding of issues customarily hidden in secrecy. As Ret. Gen. Barry McCaffrey recently and correctly urged, what the Pentagon needs to curtail leaks is a “zero-based review.” In plain language, that means let's start over.

The United States badly needs a new secrecy paradigm to protect classified information.

Share on Twitter

Our archaic system for keeping classified information secure is terminally flawed, and no amount of triage tinkering can hope to fix it. As the Discord leaker demonstrated once again, classified information held in a SCIF (sensitive compartmented information facility) is not always secure. A zero-based review will reveal that our inertia-shackled system for protecting official secrets (PDF) is just as broken as our system for declassifying them. Both parts of the classification equation now demand fundamental transformation.

Who Gets Cleared?

The government urgently needs to re-examine who genuinely requires classified information to conduct their work. And all who gain such access must be trustworthy. Huge numbers of people hold U.S. security clearances today—not just among intelligence agencies and senior government officials, but legions who work in the departments of Defense, State, Homeland Security, Energy, and Justice. According to a 2019 estimate, about 4.2 million Americans have security clearances, a number roughly equivalent to the population of Australia or Singapore. That is simply too many. And 1.3 million of those hold top secret clearances. Holders of these privileged accesses who do not need them should not have them.

What's more, vetting procedures for getting clearances—especially for top secret—must be significantly upgraded. In addition to much more rigorous background checks, these assessments cannot compromise on maturity, integrity, and trustworthiness of applicants. Many such checks do not dig deeply enough, and clearance adjudications may overlook red flags that should be disqualifying such as a penchant for violence, racism, and fascist ideologies. Through no-exception psychological testing, investigations must screen out narcissists who believe that rules don't apply to them. They show a proclivity to abuse their access, and this trait appears disproportionately among leakers and spies. (And, indeed, we need more empirical research on what characteristics correlate with leakers and apply such findings toward evidence-based vetting processes.) Finally, with rare exceptions, no candidate for top secret codeword clearances should escape the polygraph, both screening and lifestyle. Polygraphs are not perfect. But they generally get good marks in both screening and deterrence.

New and inexperienced employees with classified access also need much more intensive training—mandatory and graded—on how to handle classified materials, as well as meaningful education on their responsibilities for keeping national secrets, and a clear understanding of the penalties they might face for improperly handling such material.

Who Can See What?

The cold war “need-to-know” concept has, for years, remained an abstract principle. Not only does it have no precise definition, but there has also been essentially no practical way to enforce it. Worse, it has been mostly superseded by a post-9/11 concept of “need-to-share,” while powerful search engines can open the classified floodgates. True, wider distribution of classified information can reduce intelligence failures. But it also elevates the risk of unauthorized disclosures when sensitive information becomes available to the wrong people. These contradictory need vs. share tensions can and must be resolved.

A new access management system could, for instance, “bin” classified information into finite categories of substantive knowledge (e.g., Russia, China, terrorism, WMD, etc.) Controlled access to each category could then be enforced through strict need-to-know criteria, determined by supervisors held accountable for the compliance of each cleared employee they supervise. Unproven and junior employees would be granted access to fewer bins than more-senior employees. The most restrictive need-to-know standards would apply to access top secret codeword bins.

Confusing Rules Abound

Likewise, the disparate rules throughout the national security enterprise need to be more centralized and consistent, namely the laws, executive orders, classification guides, and related rules that regulate access and management of classified information. A wide disparity prevails in definitions and standards of classification; in hiring, vetting, and monitoring practices; in personnel, document, and physical security regulations, and in penalties, across the 17 intelligence agencies, the military services, and the numerous departments and organizations that use classified information.

The recent pioneering accomplishment of the National Geospatial-Intelligence Agency to consolidate its previous 65 classification guides into a single volume (PDF) showed that simplifying and standardizing is a viable approach: It yielded an 82-percent reduction in classified line items, made 45 classification downgrades, and eliminated the Confidential category altogether. This bold initiative to build “higher walls around fewer secrets” should serve as an exemplar for government-wide action.

Culture of Leaking

The government also needs to grapple with a lax culture surrounding leaks. One study found that the primary sources of serious leaks come from senior political appointees, policymakers, and senior executives from executive branch agencies, along with members of Congress and their staffs. Citing data from a Harvard survey of former federal policymaking officials, 42 percent of respondents acknowledged leaking classified information to the media. Agencies that use classified information must require training to develop a professional secrecy ethic for everyone cleared for classified information as a core competency spanning both protection and transparency goals, then vigorously investigate violations and apply severe administrative or criminal sanctions to transgressors.

Technology—Double-Edged Sword

Across government, there should be vigorous efforts to develop and integrate 21st-century technologies into secrecy management.

Share on Twitter

Technology has been the weak link—aiding tech-savvy leakers (e.g., IT administrators like Edward Snowden and now the alleged Jack Teixeira) as much as or more than protecting the information they can access. Damage to U.S. intelligence and national security interests by high-volume leakers Chelsey (Bradley) Manning and Snowden is inestimable, and the accused Teixeira may soon join their ranks. Across government, there should be vigorous efforts to develop and integrate 21st-century technologies into secrecy management, such as zero trust architecture for cybersecurity, especially those aimed at insider threats (PDF) such as enhanced monitoring of IT systems, and continuous evaluation of cleared personnel. Both will help deter and detect potential leakers and spies by tracking the classified documents they access, download, or print.

Laws That Don't Work Well

With disproportionate emphasis on the 1917 espionage statute (18 USC §§ 793 and 798), U.S. law is ill equipped for prosecuting damaging leakers. Comprehensive anti-leaks legislation can clarify legal boundaries and responsibilities, define legitimate whistleblower interests, and establish end-to-end accountability processes to identify and prosecute leakers responsible for their criminal conduct.

Overclassification and Transparency

As the Public Interest Declassification Board has made clear—and executive order 13526 has failed to correct—declassification processes are just as broken as protection measures. A new secrecy paradigm would also enhance government transparency by reducing the growing backlog of declassification releases, prioritizing historically significant information for declassification through a topic-based approach, and implementing cutting-edge technologies to reduce the labor-intensive declassification burdens that cannot possibly match the snowballing growth of newly classified documents.

Why Wait? Start Over Now

Combating leaks and foreign espionage shows that doing business-as-usual is a prescription for failure. Despite episodic tweaks, the presently decrepit, 75-year-old, pre-digital secrecy paradigm neither protects nor declassifies national security secrets consistently or well. If a full investigation and prosecution of the recent Discord leaker can prompt a zero-based review of the failed secrecy paradigm, it could make way for a new one, finally stimulating comprehensive reforms to implement long-overdue 21st century solutions to correct these persistent—but not intractable—failures.


James Bruce is a retired senior executive officer at CIA, an adjunct researcher at the RAND Corporation, and an adjunct professor at Georgetown and Florida Atlantic Universities.

This commentary originally appeared on Just Security on May 3, 2023. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.