, ,

What does the NSA leak mean for how we manage our people?

Last week’s revelation that the person behind the leaking of classified NSA information was a young government contractor got me thinking: Should we expect to see more whistleblowing and leaks in the future? And what does this mean for how we manage our people in organizations that handle sensitive information?

The individuals behind the the NSA leak and the Wikileaks disclosure were both 20-somethings in positions where they had access to significant amounts of classified information (perhaps too much). This, of course, does not constitute a trend necessarily–it’s not as if all Gen Y-ers are dishing out top secret information on a daily basis. There have always been whistleblowers. But the coincidence does raise interesting questions. A recent Pew study showed that young Americans are more likely than older generations to prioritize protecting personal privacy over terrorism investigations (although majorities of all age groups view the phone tracking as acceptable). We all know that Millennials also expect more transparency from government and other institutions than previous generations. So as more and more Gen Y-ers enter the workforce and assume positions of leadership and access to sensitive information, will this mean more whistleblowers?

Even if there is no generational trend, “big data” and the proliferation of technology certainly provide the tools for leakers to disclose information if they are so inclined.

How organizations respond to this risk from a personnel perspective will be interesting. I’m sure agencies and organizations have already sent around memos with security reminders reinforcing the need to protect classified information. “More ethics training, here we come!” was the response from a friend of mine who works for another contracting firm. This was said in a joking sense, but for some organizations this might be the response. However, these leaks were carried out in a very intentional way by people who expressed deep misgivings about what their organizations were doing; ethics training and agency memos wouldn’t have stopped this, and they will not prevent the next Wikileaks-esque disclosure. It seems to me the response needs to address much deeper aspects of an organization’s culture and management structures. This certainly involves aspects of hiring. Much is also being said about the need for managers and teammates to be watchful for colleagues that show signs that they might be handling sensitive information inappropriately. But how we do this–in a way that preserves trust among teammates–is a thorny question.

How has your agency responded to the NSA leak? What do you think would be an effective way for an organization to prevent these instances from happening?

Leave a Comment

29 Comments

Leave a Reply

Henry Brown

IMO we will attack the symptoms of the problem and not the problem.. Suspect that there will be another big push to limit everyones access to either the data or even worse in limiting the access to the means for getting the data to the public(ban Thumb Drives again ban access to social networks again…), regardless of how much pain and loss productivity these efforts will cause.

Again in my opinion, the ideal solution is to train everyone involved in not only ethics but in ways to prevent these kind of leaks.

Daniel Honker

Henry – That’s an interesting thought that there might be a renewed push to limit access at the cost of productivity. I agree with you — we often respond by taking action on the most concrete, tangible things, in this case web access, thumb drives, etc., because this action is the most visible and measurable. Solutions that try to address the culture of an organization are often criticized as “fluffy” or “soft” because there isn’t observable action.

Joe Flood

I think the leak was inevitable. If it wasn’t Snowden, it would’ve been someone else. The NSA data-mining program is so vast, so expensive and so invasive that it was impossible to keep secret. You’re building massive data centers in the desert, employing thousands of people, and spending billions of dollars and no one is going to talk? Absurd to think that they could keep it secret, especially if you create PowerPoint presentations describing the program.

Dannielle Blumenthal

There are a few different issues here and it is important to raise them.

1. Do employees understand the rules? (Training)
2. Do employees believe the rules are morally right? (Engagement)
3. Are we rushing to reward technical skill and ignoring emotional stability?
4. Are we giving people too much power?
5. How do we handle it when people morally disagree?

Daniel Honker

Your breakdown is right on, Danielle. The cross cutting question across much of this is how do we discover if employees do not believe the rules are morally right? The organization can only manage the situation if it is aware of it.

Megan

One issue that has been raised is that the internal processes for whistleblowing in government are very broken, and if employees use them, they will be mobbed out of government very quickly. This creates a conflict for those who witness corruption, rightly or not, and report it. Snowden clearly thought what he was exposed to was wrong. Had there been mechanisms for openly discussing these with higher ups or with Congress, he may not have felt inclined to blow the whistle in such a dramatic and public way. I’d start here if I were the clean up crew.

Carol Davison

To me the concept of NSA spying on Americans is repugnant violation of our civil liberties. By definition, intelligence informaiton is restricted to those who have a need to know it. However, from what I read Snowden had access to informaiton outside of his need to know. Does that demonstrate internal hacking on his part? Considering that he swore to protect these secrets, why didin’t he go to his Senator, Congressman, Governor, the Washington Post or Woodward and Bernstein? Why go public? Why flee to China where freedom is supressed? How many people and programs were damaged by his leaking? How did someone with a GED qualify for the special forces (where he received his clearance) in the first place? And why does a 29 year old with a few months experience make $122,000. I work in HR. We don’t pay contractors that well.

Srinidhi Boray

There is a bigger problem wrt classified information. It is not in mere management of people working on several federal contracts. More importantly it also involves corporates to who the sensitive federal contracts are awarded. Several corporates with HQ outside of US are awarded contracts requiring high level of security clearances. There are many small businesses owned by people who might not yet be US Citizens, yet receiving federal contracts creating denials to legitimate ones. Large federal contract awards inherently allow for over corporatization and eventually most classified information are in the easy access of these corporates.

Mark Hammer

In the case of Ed Snowden, it’s not how we manage our people, but how we get contractors to manage theirs. Snowden apparently worked for a private contractor, and apparently much of the support for the PRISM initiative is provided by private contractors…big ones.

I’ve regularly pondered this particular challenge, with no particular solution coming to mind unfortunately. We regularly hear exhortations that “government should be run more like the private sector”. I don’t think any of us here would claim that every single public servant is an absolute winner as a hire, or always ethical beyond reproach, but there are many aspects of serving the public where our instinct would be that a person who knows they are working for the nation (or state, or municipality, etc.) would do a more conscientious, and law-abiding, job than might somebody who works for a company that has a contract with the nation/state/municipality.

Or would they? It’s not impossible for a contracted employee to keep the public interest in mind and do a fabulous job at their job. If I’m plowing highways for a company that contracts with the state, there is nothing that says I couldn’t or wouldn’t keep the safety of all travellers, and budget of the state, in mind when I’m plowing that snow off the road. Same way there is nothing to prevent me, as a public servant, from forgetting about all of that.

That doesn’t mean we can simply declare “No difference”, OR that we can make strong inferences about how the one is different than the other. So, for me, the challenge lies in identifying what it is about each sector, that brings out the conscientiousness and public-interest servitude, in employees. Some of it IS in the identity of the employer (as in “I work for the Federal/State/Provincial government, and my agency has been here since 18xx”). Some of it is in who is drawn to what work and for what reasons (and yet once again, I refer folks to the accumulating research literature on “public service motivation”), and the way people are hired. And some of it undoubtedly relates to how people are managed – the header of this thread.

Part of that can be the manner in which the mission and reasoning underlying the mission is conveyed to staff. Does the contractor have “the mission”, or do they simply have business lines, capacity, and a contract? If they have “the mission”, do they communicate it to staff in the same way? Did Ed Snowden have the pervasive sense of what ethical wrestling and soul-searching had been undergone, preparatory to what they were asking him to do, and if not, was its absence part of what allowed his moral outrage to bubble up into his actions?

Mark B. Mitchell

The question is almost the right one, but maybe it is not quite right. The question “how do we manage our people?” presupposes the issue is with our people. However, Ed Snowden said he raised his concerns internally, and those concerns were not taken seriously.

A better question is how do we manage effectively? It seems like this is an instance of an employee, formerly with the CIA, then with a government contractor, who confrronted and questioned the ethicial climate he was working in. This is not unlike the Challenger disaster that NASA encountered. After much study and analysis, the conclusion was that the accident was the result of deficiencies in NASA’s organization culture – its operating environment.

As I look at today’s operating environment it seems clear that there are some pockets of today’s governent culture that are broken. The IRS abuses of power is a significant, chilling example. And there are whispers of abuses of power at other Federal Departments, too. We have a whistleblower environment that does not protect whistleblowers, and those who tell the top what they want to hear are rewarded with promotions while those who point out genuine internal control weaknesses are scoffed at as not being team players.

I don’t have enough information to know for sure, but we should consider the possiblity that the NSA leak is a symptom of a cultural problem – the emergence of a survillance state without adequate controls in place to prevent, detect, and effectively manage the potential of abuse. Once the controls are in place, and the public is adequately informed, then government can, with public support, more effectively defend our nation from the bad guys.

Daniel Honker

Great discussion here. It’s clear there are so many dimensions to this issue that they make the head spin.

Carol – The question of “how did this guy get into this position?” is one everyone is wondering. I agree there’s something strange about this.

Mark – Motivation, ethics, and interpersonal communication absolutely play into this… very complex issues. Security boils down to control, and that is difficult when talking about people. Subjectivity and a lack of control are inherent when talking about people. Even if we had the most sophisticated, rigorous, and fault-free management processes for granting security clearances, hiring personnel, instilling ethical principles, and monitoring for suspicious behavior, there’s nothing we can do if someone simply has a change of heart one day and wants to do the organization harm. There may be things we can do to spot this behavior before it happens, but some aspects are outside of our control.

David B. Grinberg

Find Snowden and bring him before a U.S. court to render full Justice — which, most likely, would result in some jail time. This would serve as a strong deterrent to other would-be leakers, especially if the amount of jail time was significant (as legally applicable).

Also the gov should do a top-down review of all top-secret security clearances, especially for federal contractors, and significantly reduce the number of people granted such high-level access to classified national security into/intel.

For more, check out:

Snowden Deserves Avalanche of Justice

Megan

Snowden said he raised his concerns internally and was ignored. I don’t know what mechanisms are in place for contractors, but for civil servants, this is what a whistleblower can expect if they use internal processes. http://www.psychologytoday.com/blog/beyond-bullying/201304/surviving-workplace-mobbing-seeking-support

Finding Snowden and bringing him before a US court will not solve the problem at the root level. The problem is that government (worldwide) is rife with corruption and poor judgment by higher-ups. Cover-ups are the default strategy for internal complaints. It is a catch-22 situation for those who witness and report wrongdoing of any kind.

Daniel Honker

FYI, Pew just released some survey results showing that 60% of young people think Snowden’s leak was in the public interest, compared to 49% of the general population. I continue to wonder whether our generation’s expectations of personal privacy and government transparency are youthful idealism or values that will continue as we get older…

http://www.people-press.org/2013/06/17/public-split-over-impact-of-nsa-leak-but-most-want-snowden-prosecuted/

Henry Brown

@Daniel Amazing read this survey! Would like to see a survey that broke out the mindset on these issues of technical people vs. non-technical and Active and less active social media users and different employer types.

Earl Rice

There is talk here about climate and about management, and how the security system failed. Well, some look at the situation as a whistle blower and others that of a traitor. But, we are really dancing around the topic. Snowden firmly believed that he was upholding the Constitution. He reported what he thought were violations of the Constitution to his superiors, and from what has come out so far just blew him off. He tried several other avenues, and was stone walled. So he grabbed his passport and got out of Country and released what he thought were blatant violations of the Constitution. Whether he serves life in prison or not a day, he will firmly believe that he did the right thing IAW the Constitution. To some he is a martyr and to others he is a traitor. And, talking about how to detect such? It would be rather hard to ask the question “would you violate the Constitution to protect the United States?”. Now, for those that are Federal Employees, this really creates a quandary, for we are sworn to uphold and defend the Constitution. As far as the NSA, well I am not too worried about them as long as they have Military Personnel all through their ranks. The Military in NSA will keep things in line, and they will uphold and defend the Constitution, and will not put up with petty political games. As one of them told me once, we have much bigger fish to fry than e-mails and phone calls to a mistress, or whatever. And, for those that are old enough to remember President Richard Nixon as an example, he started calling military Commanders in the field, and asking for their support. When this got back to the Joint Chiefs of Staff, well Nixon resigned shortly thereafter. The Military will not play those games.

Dannielle Blumenthal

“Patriotism is supporting your country all the time, and your government when it deserves it” said Mark Twain — but not by leaking classified information. We operate according to the rule of law. Snowden should be put on trial.

Earl Rice

Danielle,

“We operate according to the rules of law”

Like the exuberance and idealism of youth, if somewhat naive at times. I have seen so many things in my life, I have to ask: Do we, really do we? I also learned a long time ago that there is a difference between Justice and Law. Does our government operate by rules of law, or does our government operate by what it can get by with, without getting caught? Personally, I believe that is why there is the intentional division of power built into our government. It prevents one person or group taking control and becoming despots and ruling by absolutism. And, “according to the rules of law”, I ask according to which interpretation of the law. There is a whole career field devoted to interpretation of the law (Lawyers, Judges, etc.), and interpretations abound. I guess that is why there is a Supreme Court, to make the final interpretations.

Imagine trying to get together the participants for a Snowden trial. Everyone would have to have way way beyond a Top Secret clearance, and then all the special access programs involved.

Dannielle Blumenthal

Perhaps it is naive to believe Snowden’s case is what it seems.

That said I am naive certainly. Naive enough to believe in democracy, freedom, human rights and the rule of law. That is what it means to be American.

If the system is flawed, we work to make it better.

Dannielle Blumenthal

And so the premise of internal communications is that questions are welcome. Reports of misconduct are valued. We rely on employees to keep the system honest. Punishing whistleblowers who do things the roght way (and more benignly, encouraging groupthink) is extremely scarring.

Henry Brown

Other than the fact that Mr. Snowden apparently believed that he didn’t have the resources to fight the system individually This sure sounds like the Pentagon Papers and the battle Daniel Ellsberg fought

a quote from the NY timesdemonstrated, among other things, that the Lyndon Baines Johnson Administration had systematically lied, not only to the public but also to Congress, about a subject of transcendent national interest and significance

One (at least I) has to wonder if Mr. Snowden had the same credentials as Daniel Ellsberg and the war on terror was as popular as the Vietnam war if there would be as much “noise” over this leaking of information.

And as the survey sited by Mr. Honker indicates it truly is not unanimous that Mr. Snowden should be treated as a whistle blower or a criminal.

Earl Rice

Danielle,

I hope you are not questioning my loyalty to the United States and the Constitution. I spent over 28 years sacrificing to defend your right to express your opinions as guaranteed under the Constitution. Been shot once, seen friends die, and have all the scars from 2 or 3 wars depending on how you want to count them, 3 expeditions, and a bunch of deployments to places nobody should ever be sent. And, I firmly believe in defending and supporting the Constitution against all enemies, foreign and domestic. And…..I was an idealist when I was your age.

Snowden was also an idealist, though I will reserve judgment on his actions, because nothing is ever as it seems.

And, I keep remembering the recent study that stated 29% of the American people believe there will be some sort of an armed revolt needed to prevent an escalating war against constitutional liberties. I don’t subscribe to this, and hope that it will be avoided. But, there’s still 29% that believe a revolution isn’t just imminent but imperative. These are people that have given up trying to fix the system from within the system. To me, something just isn’t quite right if over 1 in 4 Americans are thinking this way. And recently, our Government had taken some pretty major hits in the freedoms and liberty areas.

I have asked some folks how to stop another incident like Snowden’s from happening. And, basically it was you can’t except for one way, and this is to not engage in such activity to start with. But can we do that?

Dannielle Blumenthal

Earl, I apologize if I seemed to question your patriotism – not my intent! You make a lot of good points. These are difficult issues and we all care. I also want to say that I appreciate your service to our nation.

Dannielle Blumenthal

I want to go back to the point about how we manage employees. What concerns me generally is that we treat people as an afterthought instead of investing in them upfront. It is almost as if they are interchangeable. And then we wonder when they cause a crisis.

Srinidhi Boray

“”How “we” manage employees””

Who is “We”? That is the very question raised, are “we” in an inclusive system. Does we mean “we”? Is the concern shared for national security and the approach resorted same with all “we”.

Henry Brown

According to Steven Aftergood on the FAS blog here is how DOD is manage its people regarding the Snowden leakage …..

As a new wave of classified documents published by news organizations appeared online over the past week, the Department of Defense instructed employees and contractors that they must neither seek out nor download classified material that is in the public domain.

“Classified information, whether or not already posted on public websites, disclosed to the media, or otherwise in the public domain remains classified and must be treated as such until it is declassified by an appropriate U.S. government authority,” wrote Timothy A. Davis, Director of Security in the Office of the Under Secretary of Defense (Intelligence), in a June 7 memorandum.

“DoD employees and contractors shall not, while accessing the web on unclassified government systems, access or download documents that are known or suspected to contain classified information.”

“DoD employees or contractors who seek out classified information in the public domain, acknowledge its accuracy or existence, or proliferate the information in any way will be subject to sanctions,” the memorandum said.

Download PDF file from FAS:

Henry Brown

How it is being implemented with the US Army:

from Naked Security Blog:

July 1 2013

The US Army has been blocking access to the The Guardian’s ongoing coverage of data surveillance by the National Security Agency (NSA) ever since the publication broke the story in early June.

The Monterey County Herald, in California, reported on Thursday that the Army has confirmed that it’s censoring coverage of the topic throughout the entire Army.

The newspaper quoted a spokesman for the Army Network Enterprise Technology Command (NETCOM), who said that the Army is filtering “some access to press coverage and online content about the NSA leaks.”

The spokesman said that it’s routine for the Department of Defense (DoD) to take preventative “network hygiene” measures to mitigate unauthorized disclosures of classified information:

The Herald’s sources said that their local information assurance security officer sent an email to employees early Thursday saying that The Guardian’s website was blocked by Army Cyber Command “in order to prevent an unauthorized disclosure of classified information.”