A former engineer with Boeing Company has pleaded guilty to possessing classified information in an unauthorized location. Does anyone want to guess where? Yes, that’s right, his house. He thought he could take the information home with him and work on it there. You can read more about the information in the article Boeing Engineer is found guilty.
While many security managers are focused on good training and may think that they have it all under control, don’t rest just yet. Chances are that the involved engineer is not the only one breaking the rules of safeguarding classified material. Those who work on classified contracts need to be reminded again and again how to do so while following the laws of our country.
Let’s break this case down. The engineer has access to computer processing. He then downloads the information to a data stick and brings it home with him. Though he probably meant no harm, his actions created tons of it and he will be punished for it. This is an example of an insider threat without malicious intent. Regardless of intent, his actions caused a lot of harm.
Chances are, he had attended and understood all security awareness training events. His former employer probably had warning signs and controls in place to remind the engineer of the proper use of classified IT. The FSO probably followed NISPOM requirements to perform random checks, control classified processing, account for classified material and take all actions necessary to prevent unauthorized disclosure. However, he still got through.
This serves to remind security professionals to be creative in their risk analysis. This involves thinking like those you support and answering questions like the following: How could an employee sneak out or inadvertently remove classified material? Are there any ways to remove, copy, destroy or disclose information without leaving a trail? Can employees be duped into releasing classified, export-controlled or proprietary information at a convention?
Find the answers and address them as soon as possible. For example, our engineer downloaded classified information onto a data stick. FSOs could return to policies of two-person rules for all tasks requiring the use of classified material, or require each employee to verify verbally that they do not have cameras, data sticks, or recording devices before entering facilities.
CDCs have the tough job of protecting classified material while it is under their control. While many may feel they are in the business alone, professionals create an environment that includes the whole company in the plans and activities of protecting our nation’s secrets.
Update: More recently, a former military officer and Pentagon employee has been sentenced for providing classified information to a Chinese national. Though this happened in a U.S. Government facility, the lessons can apply to FSOs. For example, how do you control the movement of classified information? Establishing an Information Management System (IMS) as required by NISPOM plays a big role. With an established IMS, the CDC can help control the duplication, removal, destruction and any status of classified information. An effective IMS, coupled with limiting removable data recorders and conducting random searches, makes unauthorized use of classified information very difficult.
Take time to train cleared employees, not only on how to perform specifically on the contract, but how to do so while protecting the classified information. A focus on the right type of performance training plus the insider threat, security awareness and derivative classifier training should provide the perfect package to help counter the insider threat to classified information.