I was reminded of an editorial that I had done for InfraGard iGTV. The following excerpt seems both responsive and instructive.
.....government systematically over classifies, partly out of bureaucratic habit, sometimes for political reasons, partly because the cost of protection is born by the users and custodians, not the classifier, of the data. At least partly as a consequence, it under protects. Leaks are the inevitable consequence.
Note that while these leaked documents are embarrassing and while the leaks will inevitably make recruiting more difficult, few of them required or deserved exceptional protection
As much as some national security types resist the idea, classification is an economic decision. It may not be a decision about the value of the data, or even about the value of preserving its secrecy, but it is a decision about the cost that one is willing (for others) to incur to protect the data. It is a decision about how to allocate scarce, in some cases limited security resources. We protect data at the expense of data that we do not protect.
Finally, we are relying on the integrity of people because they are cleared instead of because they are monitored and supervised. According to the Times, only half of the computers in the SIPRNET are even equipped to monitor users for unusual access and far fewer than that are actually supervised.
The Bush administration abused intelligence sources and distorted the security culture. WikiLeaks is the inevitable result.
The pendulum must swing back but we have to both do the right thing and do things right. Since the alleged leaker is alleged to have copied the data to a CD that he pretended to be listening to, DoD has ordered the removal of CD drives and USB ports. This will prove to be about as effective forbidding the use of earphones.
The right direction is fundamental, if not obvious. We must classify fewer documents and limit access to those we do. We must limit the access that insiders have, hold them accountable for the access they use, and use them to protect us from the outsiders. We must clear fewer people and investigate, monitor, and supervise them better. We must do all this while reforming the culture that rewards, rather than punishes, over classification
There are no surprises in this list, no silver bullets, no magical expectations. Just hard work. Please do not whine about how hard this is. Do not complain because it is difficult. Do not even mention that there will still be leaks and that we will still be blamed. That is why we are called professionals and are paid the big bucks."
You may also want to check out my entry in this blog on the subject of Classification and Labeling