Security is a state of mind and apparently that state of mind isn’t very prevalent in the U.S. Government, nor is it that common in business. Back when I was an Internal Auditor specializing in security audits, I often found that the people most outspoken on their security knowledge and practices were the least secure. For instance, one time I found the keys to the most secure document repository in a company in a secretary’s unlocked drawer.
Of the two scandals, the Biden scandal is the bigger issue for the government because it did not seem to know that Biden had the documents. This suggests that document tracking was not functioning and that there are likely far more classified documents in places where they shouldn’t be. If classified documents made their way into Biden’s garage, how many documents that the government doesn’t know about have made their way into the personal files of other politicians who had access to them? This is often the problem with audits and security issues. The folks doing the work seem to assume that what they discovered is the entire population of what has been misplaced or stolen, without considering that they have never reviewed the entire population of documents to ensure no others have gone missing at the same time and remain undiscovered.
Let’s talk about that this week.
The blame problem
The issue with both the Trump and Biden discoveries is that the entire focus of both was on blaming the person, and little focus has been put on the failed practices that allowed the problem to occur in the first place. Trump should have been prevented from taking the documents, and the National Archives should have known Biden’s team still had documents that had not been returned and attempted to get them back.
But it is not at all uncommon for agencies to focus first on blame and punishment, as that deflects attention from the failure of those responsible for securing the documents in the first place. These people are often a core part of directing the initial blame. This is a huge mistake because, instead of determining why Biden’s documents weren’t known about and moving to identify other lost documents (which could now be in an enemy’s hands) so that National Security can be adjusted to address any related threat, we are focused on punishing Trump and Biden, neither of whom represents an ongoing threat. However, a security practice that didn’t work, and likely continues not to work, is an ongoing threat that should have the higher priority. It is like a ship hitting a rock and taking on water. You don’t stop once you discover the leak, and you don’t initially focus on punishing the captain. You focus on patching the leak. Otherwise, the ship will sink.
Document control and classification problems
Document control and classification have several historical, endemic problems. One is that you can copy a document without creating a record of making that copy. While there are papers that make copying harder, the better practice is to make sure a highly classified document remains under the observed control of a trustworthy operator.
But classifications can also be a problem. Sometimes people overclassify, either out of an abundance of caution or because classifying something highly, in their mind, conveys a higher level of status. On the other hand, they may underclassify a document to get around the annoying policies that surround highly classified documents.
Moving to a digital form of document management can automate much of this, and you can restrict the system so that the files are only allowed on secured and monitored systems that, by policy, have no access to printers. Digital files can be encrypted which, while not perfect, is still more secure than words on paper, and you can enact protocols to delete the files and overwrite their memory locations if one of the systems becomes compromised. As we move to quantum technology, you can even be made aware of digital documents that have been intercepted in transport, something that isn’t possible with non-quantum technology and certainly not possible with paper.
And with digital repositories, you can implement detailed tracking that auto-records who attempts to gain access to them and reports on both the people who try and fail to gain access and those who succeed. Again, this isn’t available with paper documents.
The twin Trump/Biden scandals obfuscate a much larger problem: the lack of effective control over confidential government documents. This suggests there are likely large numbers of missing or compromised but unreported documents out there. Fixing the underlying problem requires a deep review of how the documents were removed from the system (which, I expect, will be part of the Biden investigation), followed by extensive policy and system changes to not only find, report, or recover the lost documents but also ensure these losses are better prevented in the future.
Focusing on blame early on weakens the effort to fix the underlying problem. Much like putting the captain of a sinking ship in the brig, blame and punishment do very little to fix a sinking ship. The Biden discovery suggests the U.S. government is leaking secrets. Stopping that leak should be a far higher priority than punishment. I’m not saying there shouldn’t be punishment, but that we should first understand and fix the problem so that the bigger issue is addressed. That should allow us to focus on the right remediation, which would include both policy and system changes as well as the punishment most seem to want. But it would also help to ensure that those punished were at fault.