Disruptive by Design: Some Leaks Can't Be Stopped. We Can Plug the Rest.
No one likes a snitch. Yet whistleblowers or leakers have been sharing sensitive national secrets and agitating government waters since the country’s founding, usually to the ire of those in power. Today, spilling secrets seems more pervasive than ever. Recent leaks radiating from the National Security Agency (NSA), the CIA, the U.S. Defense Department and the White House leave little doubt that investigators are poring over every detail.
Understanding why leakers leak is just as important as grasping how they do it. Determining the motives behind someone’s deliberate action to share government secrets requires concerted due diligence after the incident.
It also involves understanding that an individual’s objectivity—or lack thereof—fundamentally influences his or her loyalty, ethics and morals. In the national security realm, this means that handling internal politics is as crucial to organizational health as maintaining positive relationships with customers, clients and business partners.
Typically, leaks occur within agencies when an employee’s views no longer align with an agency’s direction or its leaders’ attitudes, whether those variances are legal or ethical. Often, changes trigger employees to doubt or question their employers. Compounding this problem, organizations all too often overlook employee attitudes and neglect to address anomalous behaviors appropriately. Dealing with troublesome attitudes and behaviors is no trivial task, but it is a must.
That said, no organization can be omnipresent—not even the NSA. (Wink, wink.) And gaining a foothold, vice a chokehold, on all employee stances covering a number of views presents a daunting managerial undertaking and, at times, a downright impossible task. An organization’s sense of “ambient belonging,” defined as how employees feel about the office environment, the people in it and the agency mission or even a specific project or a team goal, places a finger on the pulse of an office’s well-being. Some industries are more prone to judgment from their work forces than others, notably defense contractors, investigative news outlets, human resources firms, private investigators and private security companies. The mere nature of these businesses makes them likely to clash with an employee’s view at some point.
Strong leaders are wise to keep tabs on employee behavioral changes. Of utmost importance, employers must assess whether they are at risk of employees losing faith in their mission. Do employees no longer feel comfortable enough to perform their jobs without feeling guilty about crossing a moral barrier? Is the organization in jeopardy of losing employee loyalty?
Because no organization can possibly police behaviors 24/7, reinforcements are needed. Here are some recommendations to improve the status quo:
• Conduct anonymous surveys of employees involved in critical work, such as human resources investigations; offensive and defensive cyber missions; investigative news operations; and insurance and claims adjustment.
• Broadcast periodic corporate messages reminding employees of mission statements. Drive home points such as why employees are tasked to perform their duties, the effects of their performance, the sensitivity of their tasks and how public blame for a leak could affect organizational and national security.
• Provide consistently available employee counseling programs for confidential venting, advice or discussion, and make attendance obligatory. Reaching one of 10 or one of 100 employees is better than reaching no one. Ensure that program counselors are qualified.
Unfortunately, there is no foolproof method of reaching all employees. As in the cyber domain, reducing the attack surface by constantly assessing, probing and educating provides an effective approach. But corruption exists, and there will be instances where no matter how close upper management, counselors and colleagues are with someone, when malice is his or her intent, little can be done to stop a leak. Still, it is worth the effort.
Leaks will continue to happen. As security researchers, think tank members and security enthusiasts, our duty is to examine and attempt to overcome susceptibility. Leaks leave government agencies, organizations and private firms vulnerable. We must learn and implement corrective actions. Ignoring the problem is simply not a choice.
Orlando Padilla is the founder of San Antonio-based Nomotion Software, which delivers cyber and software development consulting services for public and private organizations. He has lectured at MIT Lincoln Laboratory and the Government Forum of Incident Response and Security Teams (GFIRST) and published several white papers. He is a member of AFCEA’s Alamo Chapter. The views expressed are his own.