Retraction: White House Strategy to Prevent Leaks is Leaked
The document cited in this article, "M-11-08, Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated Systems", was in fact not "leaked", as the article states.
Credit for bringing the error to my attention goes to member Daniel Philpott, who noted the document was posted at the Office of Management and Budget site. I would like to personally extend my thanks and appreciation for his efforts to help get the facts straight.
I was completely erroneous in stating that the document had been leaked, and regret not confirming via other sources the assertions made in the article that was my original source for the assumption, "US Gov't Strategy To Prevent Leaks Is Leaked".
The main point of my article, that the government utilizes leaks to disperse information informally, is nonetheless valid. I did, though, choose the wrong document to build my argument around, and for this I error I am deeply regretful.
This was grave mistake on my part, and I wish to offer my sincerest apologies to the community, my colleagues, and the general public for the misinformation.
The original text for the article remains posted below.
* * *
A White House memo instructing Executive-level department heads on new procedures to identify potential leakers and prevent unauthorized leaks was itself leaked to the press.
The memo, titled "Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated Systems" was dated January 3, 2011, and contained another memo as an attachment titled "Classified National Security Information".
Issues addressed in the memo include the use of psychological evaluations to determine the likelihood a staff member may be a leak threat, and the monitoring of activities after they leave the department or government employment entirely.
There is, of course, no absence of irony involved with a leaked memo about how the administration wants their directors to proceed with new strategies to prevent information leaks.
Though the memo does not appear to be classified, nonetheless it was quickly in the hands of the press, and was not issued by the office of the White House Press Secretary via sanctioned channels.
The leaked memo highlights serious problems the government faces in their efforts to secure classified information in the wake of the WikiLeaks disclosures.
One problem is the nature of classification of information. Many documents may be designated as "classified" even though they do not contain highly sensitive information or state secrets; the designation "classified" in many instances simply means do not disseminate.
Another issue is the long standing practice of purposely leaking information to the press in order to disseminate it without assigning the responsibility to any particular body of government, and sometimes the information intended to be leaked may in fact be classified.
Also in need of evaluation is the large number of personnel with access to classified information. Currently more than two million people have access to confidential materials, with nearly one million having access to documents with a "Top Secret" classification.
The designations allowing access to information concern the level of security assigned to the information, but have little or nothing to do with whether or not the personnel actually need or should have access to the information to perform their duties.
The government needs to add another level of authorization for position-specific designations, but this task is complicated by the fact that the government has been working to decrease the obstacles to inter-departmental information sharing in the post-911 environment.
The road ahead for the government is certainly complicated when it comes to securing sensitive information while preserving tactical access. To date, only sixty percent of the networks at the Department of Defense have even modest levels of security where personnel are concerned.
It would be advisable if they took some lessons from the private sector regarding data classification, authentication protocols, and the implementation of software to regulate access controls.