In 2004, the 9/11 commission faulted the U.S. intelligence community for failing to “connect the dots.” Agencies need to do a better job of sharing information, the commission wrote in its report. Now, with the release of more than 250,000 diplomatic cables sent by the State Department, some of the dots are all too visible.
After 9/11, “information sharing” was the new byword. Intelligence analysts blamed the “stovepiping” of information that kept important data from reaching the proper people. The 9/11 Commission Report slammed an intelligence system that disseminated information on a “need-to-know” basis. After all, the person who needs to know may not know he needs to know. “Such a system implicitly assumes that the risk of inadvertent disclosure outweighs the benefits of wider sharing,” the commission wrote. “These Cold War assumptions are no longer appropriate.”
The government learned to share. The intelligence community integrated under the new director of national intelligence. The Department of Homeland Security was created to oversee and coordinate more than 20 agencies. Most important, agencies and departments gained access to one another’s databases. One of the biggest databases is the Secret Internet Protocol Router Network, or SIPRNet (pronounced “sipper-net”), a computer network created in the 1990s and used by the State and Defense departments to share reports—including diplomatic cables—classified as “secret” or below. (“Secret” is a medium level of classification, between “confidential” and “top secret,” that is defined as information that would cause “serious damage” to national security.) Over the last decade, access to SIPRNet has expanded. In 2002, 125 embassies were on the network. In 2005, the number was up to 180. Now about 250 embassies and consulates—almost all of them—can access SIPRNet. The network was also opened up to low-level military personnel—including Pfc. Bradley Manning, the Army intelligence analyst charged with leaking the documents.
At first blush, SIPRNet is a cautionary tale of how information sharing can go awry. In the past, whenever a diplomat cabled the State Department, that cable was kept classified for years. Now it’s immediately added to the SIPRNet database, where it remains classified but becomes accessible to the millions of military and civilian personnel with clearance to read “secret” reports. A 1993 study found that about 3 million people have “secret” clearance—that number is almost certainly much larger today. “If you can get a credit card, you can get a ‘secret’ clearance,” says John Pike of GlobalSecurity.org. The more eyeballs that can see a report, the more likely the wrong eyeballs will see it.
Can the government fix its information-sharing problem without risking more disclosures? Yes. But the solution isn’t to backtrack. If the intelligence community simply made information sharing more difficult, we’d be back to square one. Nor is the answer to raise the classification levels on diplomatic reports and other documents. Say the report that describes Afghan power broker Ahmed Wali Karzai as “corrupt” were labeled “top secret” instead of merely “confidential.” Everyone who needed to see that report would then have to be given “top secret” clearance, which would allow them to access other sensitive information, which would require yet more reclassification, and so on.
The only way to preserve information security without sacrificing information sharing is to limit—or at least track—any individual’s access to it. Normally, a database like SIPRNet can flag unusual activity, the same way a credit-card company alerts your bank if you suddenly spend $10,000 in Tijuana. Manning’s decision to download a few hundred thousand files should therefore have set off some alarms. That didn’t happen. (Manning was caught only after he bragged about his exploits to a hacker who turned him in.) There may have been good reason to waive the normal security measures where Manning was stationed in Iraq. For example, military personnel may have needed quick access to the latest diplomatic and battlefield information. But downloading 1.6 gigabytes worth of files on a wide range of subjects should have tripped even the most basic security system.
The WikiLeaks fiasco is not an inevitable consequence of information sharing. It’s an inevitable consequence of information sharing done wrong. The scandal will probably have all kinds of chilling effects. Diplomats will be more careful about what they put in writing. Agencies will err on the side of overclassification instead of underclassification. But the only real solution is to enforce information security on the ground level—to make sure that whoever sees the dots is actually trying to connect them.