Why plugging leaks sometimes means protecting leakers

Cybersecurity breaches have become ubiquitous, almost as common as street crime (and almost as commonly perpetrated by such entities as criminal gangs, state actors, and everything in between). And sadly, most of the breaches that ensue are the result of social engineering. But the consequences really matter, and that is especially true if you’re a member of the U.S. military, a federal employee or a government contractor. 

If you’re one of those things, you possess valuable information (or access to it) and are part of what cybersecurity specialists call the ‘attack surface.’ So, chances are you’re a target, especially if a counterintelligence intrusion is perpetrated by the proxy of a nation-state with nefarious intentions. 

For example, who among us hasn’t unthinkingly connected with someone on Linked In or Facebook who we don’t know...and may not even exist as a real person. The CI experts call this a counterintelligence ‘dangle,’ and it can lead to all sorts of complications. Unfortunately, this happens all the time, in the spirit of information-sharing and collaboration with colleagues both known and unknown, and it is integral to the scientific process. 

But it is also risky from a CI and national security standpoint. And this excludes those individuals who are deliberately party to a cyber breach, like Edward Snowden or the young, naïve airman who revealed secret war plans simply to show off.

Congress must step into the breach (pun intended). It must provide a form of amnesty that, where appropriate, forgives these shadowy practices. Such a law would encourage the self-reporting of any potential foreign or domestic cyber/CI intrusion without disproportionate punishment to the self-reporter.  

In our view, it is better for CI professionals to know about these attempts than not. And it is better to encourage self-reporting than to drive victims ‘underground’ in efforts to hide what they did. That is especially true when a military member, federal employee or government contractor has access to what the ‘dangle’ seeks: protected, confidential, sensitive and/or classified information.

Such a law must also take the seriousness of a breach into account, with the ‘forgiveness’ proportional to potential damage. But in our view, it takes more than the admonition “See something, say something” to do so, especially if employees are punished if and when they do say something.  

At its most basic level, such legislation must protect employees from the suspension of a security clearance, their access to sensitive/classified information or even their performance rating, if they report suspected activity that may be suspicious but not yet criminal. 

Such ‘pre-crime’ activity may include receipt of a suspicious email, attachment, or online link (Freedom of Information Act requests are a favorite ‘attack vector’). Such voluntary self-reporting should receive full amnesty, at least in the first instance, as should any reporting of actual, observed activity, such as direct contact or other observed interaction by a suspicious person or organization. 

And of course, such protections should be afforded to anyone who unknowingly or unwittingly facilitates the release of protected information, and upon realizing it, reports it after the fact.  That’s bad, but it’s still not too late, because any CI professional will tell you that it’s better to know about a compromise — even after the fact, if immediate — than not. 

Amnesty should also be considered even for someone who self-reports an intentional release of protected information because they or a family member or relative were under duress. This too is a favorite of cyber spies who prey on U.S. citizens with vulnerable extended families or relatives overseas, particularly if the self-report provides valuable or actionable CI information.   

Of course, one must ask, “How many times should a person be forgiven?” That too depends on the gravity of the activity, as well as its frequency. Will more training help? Or is it time to come down hard on someone who commits too many mistakes? 

Each and every case is different. Thus, while legislation may establish the principle of amnesty under certain circumstances, as well as a general framework, in our view, implementation must be left up to individual agencies dealing with individual cases – by CI professionals where they exist, or inspectors general where they may not. 

And whenever a case has a critical national security impact, the agency should immediately bring in the FBI and the Intelligence Community.

The point is to avoid having agencies officially do or say things that no matter how well intentioned, inadvertently discourage self-disclosure. In extreme cases, termination and criminal prosecution may still be appropriate, but the counterintelligence value of a self-report must also be considered in any action against an individual. 

Here’s the bottom line: Military members, federal employees, and government contractors with access to sensitive information must be able to ‘say something’ without fear of reprisal or disproportionate impact on their jobs. Otherwise, they will hide, and we will read about the disclosure in the media. Better to prevent such disclosures in the first place.