Transparent.

Photographer: Paul J. Richards/AFP/Getty Images

Homeland Security Is Spilling a Lot of Secrets

Josh Rogin is a former Bloomberg View columnist.
Read More.
a | A

The Department of Homeland Security suffered over 100 "spills" of classified information last year, and 40 percent of those traced back to headquarters came from one office, according to a leaked internal document I obtained. Officials and lawmakers told me that until the Department imposes stricter policies and sounder practices to better protect sensitive intelligence, the vulnerabilities there could be exploited. Not only does this raise the threat that hostile actors could get their hands on classified information, but may lead to other U.S. agencies keeping DHS out of the loop on major security issues.

A spill is not the same as an unauthorized disclosure of classified information. A Homeland Security official explained that spills often include “the accidental, inadvertent, or intentional introduction of classified information into an unclassified information technology system, or higher-level classified information into a lower-level classified information technology system, to include non-government systems.”

Examples include: using a copier not approved for the level of classified information copied; failing to properly mark a classified product; transmitting classified information on an unclassified system like Gmail; or sending classified information to someone who, while having the proper level of clearance, is not authorized to read a section of information sent to them, the official said.

There were 119 of these classified spills reported throughout the Homeland Security Department in fiscal year 2015, according to the internal document, which itself is unclassified. The section with the most spills by far was the Office of Intelligence and Analysis, headquartered at building 19 of the Nebraska Avenue Complex in Washington, led by retired General Francis Taylor. This office is composed mostly of intelligence analysts assigned to produce and review classified reports that are often the work of other intelligence agencies, including the Central Intelligence Agency and the Office of the Director of National Intelligence.

One senior Homeland Security official told me that the intelligence and analysis office at DHS suffers from lax enforcement of the established policies and practices to protect classified information. This official said the numbers of classified spills in the internal report only represents those incidents that were officially reported, and the actual number is much higher.

S.Y. Lee, a department spokesman, told me that DHS does not comment on reports of leaked information, but that the department is currently having mandatory employee training sessions on the handling of classified and sensitive information.

“We take any report of mishandling of information very seriously, and when violations are discovered, the Department takes immediate, appropriate actions to address the situation,” he said. “DHS takes the protection of all our assets very seriously, and will continue to evolve our training and remediation efforts to address security needs and accountability to the American public.”

Experts on government secrecy and classified information handling told me that the number of spills alone does not directly prove that there is a larger cultural or policy problem at DHS. But there is a history of carelessness with e-mail at the department, and this new finding combined with anecdotal reports of bad practices indicate that there should be more investigation the intelligence and analysis division in particular.

“At a minimum, this raises a question about what’s going on at this corner of the agency,” said Steven Aftergood, director of the program on government secretary at the Federation of American Scientists. “If it is happening disproportionally in one part of the agency, that may mean that remedial measures are needed there, including security training, better oversight and similar steps.”

Spillages are a normal part of the classification system at the DHS and elsewhere, and there are formal procedures for addressing them because it's understood that you cannot eliminate human error, he said. But if one intelligence shop is mishandling information from another part of the government, that could cause real problems in the interagency cooperation and intelligence-sharing.

“If they have a reputation as a shop with unreliable security, other agencies are going to think twice about sharing their most valuable information with Homeland Security,” Aftergood said. “It can hurt other agencies and it can rebound on them. It’s bad all around and should be corrected.”

Johannes B. Ullrich, dean of research for the SANS Technology Institute, said that it’s probable most of the classified spills were unintentional and the result of sloppiness more than anything else. But lax enforcement of policies meant to protect sensitive information also presents an opportunity for exploitation by malicious actors.

“If it’s accepted practice that you print documents and scan them in, for example, then it's much easier for an insider to take advantage of that,” he said. “By reducing the unintentional spillage you make it easier to find the intentional ones.”

The House Homeland Security Committee is currently pushing DHS to implement new systems for monitoring employees who handle classified information. Last November, the House passed the DHS Insider Threat and Mitigation Act, which was sponsored by Representative Peter King, chairman of the Homeland Security Committee's subcommittee on counterterrorism and intelligence. The bill would require Taylor, among other things, to develop a timeline for deploying workplace monitoring technologies, employee awareness campaigns, and education and training programs related to potential insider threats to the department’s critical assets. The Senate Homeland Security Committee marked up a companion bill earlier this month.

“In recent years, the department has made progress installing limited monitoring technology, but much more needs to be done,” King said in a statement. “Results from the existing systems demonstrate the need for more auditing and education for DHS employees.”

Classified spills are a government-wide problem and there’s no way to know if the incidents at the DHS intelligence shop have been exploited. But unless that office and the government as a whole does a better job of protecting classified information, it’s just a matter of time before real damage is done to U.S. national security

(Updates statistic on leaked e-mails in first paragraph of article published Feb. 25.)

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

To contact the author of this story:
Josh Rogin at joshrogin@bloomberg.net

To contact the editor responsible for this story:
Tobin Harshaw at tharshaw@bloomberg.net