The ongoing release of formerly secret U.S. government documents by WikiLeaks has hit home with me on multiple fronts: as a former military intelligence operative, a former investigative reporter and -- for the past 28 years -- as a crisis management PR professional.
In early 1973, while deployed as a young (22-year-old) military policeman in Stuttgart, Germany, a strange series of events led to my being co-opted to work undercover against a front group for the infamous Baader Meinhof Gang. That gang was believed to have been behind bombings at military bases and its front group was actively engaged in recruiting disaffected GI's to commit acts of treason against the military. They thought I was such a disaffected GI and, working with my handlers from the 66th Military Intelligence Group, I was quite successful in my mission -- until my cover was blown. It was blown by a military signals officer who, knowing only that there was a code-named American (me) regularly going from Stuttgart to the seemingly innocuous front group's offices in Heidelberg, thought that "oh, gosh, we're spying on a legitimate civilian organization and on GI's who just want to talk to them, that's wrong" and leaked the information to the front group. Since I was the only guy coming from Stuttgart, they knew who it was, and if my fast-acting handlers from the 66th MI hadn't intercepted me at the train station, I would have been heading into a trap. Even so, there were threats on my life. My wife and infant son were evacuated from Germany ahead of me, and I remained in an armed environment until my departure for formal military intelligence training.
Thereafter, while working for the US Army Intelligence Agency, I became aware of dozens of Iranian military officers killed after the overthrow of the Shah because they had agreed to be sources for the Agency -- and that information was leaked because the security officer at the US Embassy in Tehran hadn't destroyed secret documents when the Embassy was overthrown.
I also remember our frustration in MI when information we saw labeled as SECRET appeared on the front pages of The Washington Post so, transitioning to civilian life in 1977, one of the first articles I worked on for my boss, investigative reporter/columnist Jack Anderson, was about the systemic failure of my former employer to account for hundreds of secret documents in audit after audit. My goal in doing so was to urge a much higher level of security and accountability in military intelligence; apparently, more than 30 years later, that level still hasn't been achieved.
As a crisis management professional, I have helped many clients deal with information leaks by well-meaning whistleblowers, by vengeful ex-employees, and even by Internet extortionists. With the exception of whistleblowers who, at one time, had legitimate access to confidential information, the leaks occurred because of inadequate security. The amount of damage incurred depended both on the nature of the information and on the organization's ability to rapidly engage in damage control.
At this juncture, I remain disgusted by the irresponsibility of WikiLeaks founder Julian Assange, because I have little doubt that innocent people have died and more are yet to die as a result of his actions, simply because they were being helpful to the United States. Others will have their careers and/or lives ruined in different ways. Do I think that our government should engage in a higher level of transparency? Absolutely. But not ever at the expense of lives.
At the same time, I am also dismayed that it was possible for so many documents to be compromised. I am guessing that those responsible for internal security at the affected agencies will lose their jobs -- but their replacements will do no better if they don't get support, at the highest level, for security changes that will, no doubt, be expensive.
Finally, I am not surprised, but saddened, that so many organizations worldwide continue to underestimate their vulnerability to information leaks that can have massive negative impact on their reputation, bottom line and ability to carry out their mission. Leaks that typically occur for one or more of these reasons:
- Failure to understand that information security is everyone's responsibility, not just an IT or HR matter, and should be practiced at the office, at home, at a restaurant, at an airport, etc. I have heard astoundingly confidential information being discussed at airports by executives using their Bluetooth device as if it surrounded them with a sound-deadening bubble.
- Lack of budgetary support to implement effective information security practices -- ignoring the reality that the cost of not doing so will ultimately be far higher.
- Lack of appropriate policies regarding computer use, use of mobile devices, use of storage devices, etc.
- Lack of training for said policies. Any policy without training and refresher training is useless.
- Lack of enforcement for said policies. If no one gets sanctioned for their violations, why should they comply?
- Lack of an anonymous system by which employees can report suspicious behavior by their peers. Employees will use a system like this when afraid to "snitch" in a more public manner.
- Lack of monitoring for leaks via all possible channels, online and offline. It's the 21st Century, folks, I can leak your information to YouTube, Facebook and Twitter -- from my BlackBerry -- in seconds.