Michael Hayden and Samuel Visner have an op-ed in the Baltimore Sun in which they defend wider information sharing, if aided by sound security practices and advanced technology to protect information:
Vital information sharing need not be a victim of WikiLeaks.
The principle of “need to know” requires segmenting information according to sensitivity and topic. Sharing must strike a balance between protecting security and fostering collaboration across all levels of government and, often, the private sector.
Striking multiple balances is necessary to protect and share sensitive information. Tactical military field units have little need for diplomatic communications, but they do require real-time access to searchable data from multiple government agencies, such as to tell if someone at a road checkpoint is a person of interest. Sensitive information has long been shared among agencies based on “need to know” but without being dumped into vast, poorly monitored databases. Government data on American citizens merits strong privacy protection, but under proper authorities, information sharing with law enforcement makes sense — if this helps uncover foreign espionage or terrorist plans.
Balance is also required in security measures. Disabling thumb and DVD drives on computers averts some kinds of information theft, but on the battlefield it could harm operational effectiveness. Imposing administrative security requirements common to intelligence headquarters or national agencies, such as polygraph exams, on all personnel in military field units would prove unacceptably burdensome.
In striking better balances, we cannot forget the post-Sept. 11 reasons why sharing became a higher priority. Uncovering and foiling terrorist threats requires that many entities work together and share information — often our best weapon.
Thus, policy on information sharing and security should improve along three paths:
• Personnel security. If Army Private Bradley Manning — suspected of leaking the WikiLeaks documents — had psychological problems, as alleged, should he have had access to sensitive information? When indications merit, personnel should undergo psychological testing to assess vulnerabilities that might raise security risks. Personnel clearances ought to be based on the type of information to which a person has access, not — as now — according to which agency employs someone.
• Security procedures. Although some “insider threats” arise from malicious intent, nearly all are abetted by sloppy execution of routine security procedures or perceptions that they are bothersome or unimportant. National security organizations should elevate security as a management priority, enforce rules more consistently and offer better training.
• Cyber tools. Cybersecurity techniques can detect much anomalous behavior, such as downloading, copying or printing numerous documents, seeking to access information in unusual ways or information not normally accessed, and transferring sensitive information to others. That such tools were not employed on the battlefield in Afghanistan is understandable but in retrospect imprudent.
More advanced cyber tools are being developed, such as to sift through huge volumes of seemingly disparate data and correlate findings. This need is a key lesson from the 2009 Christmas Day bombing attempt. New tools must address potential threats from mobile devices and social media and better detect and resolve suspicious exfiltrations. Improving analytic tools to better understand global information environments and characterize the behavior of systems remains a pressing challenge.
Reacting to the WikiLeaks disclosures by clamping down on information-sharing would risk failing to detect hard-to-predict or increasingly diverse threats. More prudent is to employ sound security practices and advanced technology while leveraging the advantages of information sharing and collaboration. National security and technology professionals have worked hard to gain these advantages, and they ought not to be hastily discarded.