Implementing a policy where need-to-know trumps security clearance would help avoid incidents like Cablegate.
Some experts say that restricting access to information based on need-to-know is better than providing access to everyone with the appropriate level of security clearances when it comes to sensitive intelligence. The comments were made at a panel during Shake It Up, a MeriTalk Innovation Nation Forum to discuss cybersecurity and cloud computing strategies for businesses, at the Walter E. Washington Convention Center.
Sensitive information should be looked at to determine what information is the most important and who it should be shared with, panelist Josh Sawislak, of CLIO Strategies LLC. “Once those [parameters] are defined, then we can define the technology [needed to provide security].”
Before 9-11, federal law limited the ability of intelligence officials to communicate with federal law enforcement and vice versa. The attacks on the World Trade Center led to provisions in the Patriot Act that allow information to flow more freely between law enforcement agencies and the intelligence community. The post-9-11 mantra was also to get rid of stove pipes that kept information from flowing freely among intelligence agencies.
This increased information sharing led to a record number of personnel with access to sensitive information which many say enabled the release of 250,000 embassy cables to Wikileaks, allegedly by a person who perhaps should never have had access to them.
Another issue is that in a short period of time, many new bureaucracies were created, Michael Howell, deputy program manager of the Office of the Program Manager said of his agency and others. Since then, agencies have been struggling to keep up with implementing data security to address constantly evolving threats.
“It was a wake up call,” Howell said of Cablegate. “It was a failure to protect. If you’re going to share information you need to know who you’re sharing with and what they’re doing with it and what they’re doing to protect it.”
Sawislak said another Cablegate could be prevented by establishing need-to-know only policies for sensitive information. In today’s information sharing environment, “need-to-know is more important than clearance,” Sawislak said.
screen grab of Wikileaks homepage after Cablegate from Sean MacEntee