Yet another leaker of national security secrets is headed to prison. Reality Winner (the name is weirdly ironic) will spend more than five years incarcerated. She sent the Intercept, a website, secret documents about how Russian hackers tried to work Florida election officials.
Telescoping the list of other people who’ve done this sort of thing — for example Edward Snowden, Chelsea Manning and Nghia Hoang Pho — creates an astonishing picture. Coupled with losses to the CIA and National Security Agency from unknown hackers, it’s a wonder they’re capable of anything covert.
A widely published photo shows Winner, having lost in court, emerging from a police car. She’s smiling impishly at the camera. To me the picture is sad. This woman served honorably in the Air Force. She won a commendation medal and was fluent in Middle Eastern languages. She earned security clearance and the trust of colleagues and her employer, Pluribus International Corp. Yet somewhere along the line she decided to betray her country.
I’m going to sound like a grumpy old man here. The charge may not be misplaced. But I wonder if the culture of sharing, and I’m putting it charitably, engendered by the internet and social media has blurred some people’s sense of propriety. That plus the rich possibilities for instant fame or aggrandizement. Winner’s postings contained intemperate language expressing her political opinions. Federal agents stated they believed she’s developed sympathy for the Taliban.
Someone from the Knight Center tried to paint the incident as having a chilling effect on whistleblowers. That’s incorrect. The damage from Winner’s leak is not the fact of Russian phishing attempts but rather in disclosing the means by which the NSA obtained the material. At least according to the government’s argument.
The incident proves, if it needs proving again, that insider threats are equally potent as external hackers. Often the threats coincide.
Which brings me to security clearances. A goal of security clearance reform is to transform it from a once-and-done process to one of continuous monitoring. That means a system that detects when people get into financial trouble. When they leave the country and where they go. If they’re in the midst of a nasty divorce. It’s a theory at this point, so we don’t know what all the parameters will be.
Continuous vetting will come at the cost of privacy. More thorny will be who decides when something warrants revocation of clearance, and by what metrics. If someone rants about the president, say in a vaguely threatening way, would that warrant revocation? If they declare personal bankruptcy? If they get too many speeding tickets?
Suppose Winner’s politics, the Taliban and Lord knows what else came to the attention of a future National Background Investigations Bureau. Then what? A stern talking to? Automatic loss of clearance after someone amasses too many points?
Corporations are increasingly getting into the people rating business. Facebook famously will create secret trustworthiness rankings. Airlines grant privileges based on ticket price and flyer history. Loan rates have long been based on individual financial factors.
In the public sector, agencies won’t be able to hide their rating criteria. On the other hand, security clearance has far more implication than whether you can post something on Facebook or get an airline seat upgrade. Continuous clearance in theory raises a lot of questions in detail. But they’re worth figuring out if they can prevent the next Reality Winner.