• United States



by Sandy Kendall

Can Too Much (Security) Knowledge Be a Dangerous Thing?

Jun 30, 20034 mins
CSO and CISOData and Information Security

The government seems to think so. Even though it was nondisclosure that inadvertently led to various intelligence agencies failure to connect the dots prior to 9/11, nondisclosure is now a cornerstone of the Department of Homeland Securitys strategy.

The Critical Infrastructure Information Act of 2002 is perhaps best known for giving corporations exemptions from Freedom of Information Act (FOIA) requests regarding vulnerabilities those corporations may report to the government. But the law also criminalizes intentional disclosure of such information by government employeesmeaning no talking to the press or any unauthorized person. Penalties include firing, fines and up to a year in prison. On top of that, the law creates a new but undefined category of restricted information: sensitive but unclassified.

Imagine that the FBI gets a tip that someone might be casing the joint at a chemical plant. An FBI agent (now exposed to this sensitive information and subject to the nondisclosure law) then informs the local police chief about it, who is likewise now bound by nondisclosure. The cop has to tell the sheriff though, who tells the mayor; nondisclosure kicks in for both of them. The sheriff contacts the chemical plants security manager; nondisclosure kicks in. The security manager tells selected security staff; their nondisclosure kicks in. Any of these people only know whos told them and whom theyve told. They cant talk to anybody else about it. But, say one of the security guards goes home and says, Honey, lets sell the house and move because the plant could be blown up. That security guard is liable for prosecution under homeland security law.

That scenario was painted by Paul McMasters, first amendment ombudsman at the Freedom Forum, a nonpartisan foundation for free press and free speech, during a conference of editors (who have their own interest in freedom of information). Worse than the personal woe for that security guard, McMasters points out, is that security-related information gets compartmentalized. The nation gets papered over with nondisclosure agreements. All of us know the danger, but we cant talk to each other about it, he said. With this rush to restrict access to information, our society will find itself in information lockdown.

In Mastering Psych-curity in the July issue of CSO magazine, Daintry Duffy writes, In order to get good feedback from employees about security, CSOs have to give good information, thereby creating a trusting relationship. Duffy quotes other experts saying, The best protection is community. The information lockdown McMasters mentions is a sure community killer.

It may be, however, that there are enough spirited, community-minded people to keep that from happening.

In Santa Cruz, Calif., and elsewhere, librarians have posted signs warning that records of the materials patrons borrow may end up in the hands of federal agents. According to a San Francisco Chronicle article in March, the Santa Cruz library signs also inform patrons that the USA Patriot Act prohibits library workers from informing you if federal agents have obtained records about you. They cant inform anyone else about it either, under nondisclosure requirements. Librarians around the country are outraged. The chief librarian in Santa Cruz told the Chronicle of her delicate way around the law. At each board meeting I tell them we have not been served by any [search warrants]. In any months that I dont tell them that, theyll know.

Where does all of this nondisclosure end? If you know, tell us now, before yet another nondisclosure amendment makes that a crime, too. If you were subject to nondisclosure restrictions (just hypothetically of course), would you feel the librarians outrage? Would you worry that nondisclosure might be more dangerous to security in the long run? What would you do?