Today, The Intercept published a series of articles on the U.S. “drone wars”. The drone wars are the efforts by the U.S. to find and kill terrorists where ever they may be on the planet. Drones are far more effective and put less American lives at risk than conducting war and spying “the old fashioned way”. That being said, war is, as General Sherman is reported as having said during the Civil War, hell. There is no such thing as perfect intelligence, zero collateral damage or 100% success.
The purpose of this post is not to discuss the merits of the U.S. drone war. That conversation could go on for years.
The point is to show exactly how difficult it is to keep anything secret.
The documents that The Intercept claims to have, if real, are classified by the Department of Defense as Secret, Top Secret, Top Secret SCI and a variety of other classifications.
The Department of Defense has, in my opinion, one of the best information security programs on the planet. However, you are dealing with human beings. And digital information.
The person or persons who leaked this information to the press did so because they are morally against the actions of the drone program.
Like Edward Snowden before, it is very hard to stop a determined insider whom you trust.
All of the documents that were leaked would fit neatly on a very small flash drive. The drive, or more accurately, the chip, taken out of the case would be about the size of your fingernail.
So now you are trusting that a person whom you granted that trust via a background check and security clearance is not going to go rogue on you. Given there are several million people with security clearances, it is actually amazing that more information is not leaked.
Given the labels on some of the graphics, the pool of people who have a clearance that would grant them potential access to these documents is much smaller and then you have to filter that down to those people who have a “need to now” and the pool is even smaller -much smaller.
Now, lets translate this to your average business.
For access to information, there is no background check. No clearance. SOMETIMES there is a need to know. Often, there is no one watching. Or even looking at logs after the fact.
There is no virtually unlimited pot of money to fund information security programs, training programs, audits and policies.
And government personnel with clearances are used to a much more restrictive world – no flash drives, no phones, no CD or DVD writers, no Dropbox or GMail.
The people who work in business are sometimes much less “committed to the cause” than a soldier, sailor or airman who signs up for from 4-8 years of their life or even that of a civilian government employee who is willing to go through the background check process. I know, I did that and it is intensive. Not to mention the rights and privileges that you give up as a result.
The challenges that both business and the government have to protect sensitive information are enormous. And as more information goes digital and organizations become more connected, the problem increases. However, your responsibility to protect that information is not going away and the regulators are not saying “gee, that is a hard problem, don’t worry about it”.
Sorry, no silver bullets.
The Intercept article is available on their web site, TheIntercept.com.