The WikiLeaks lesson? It’s classified.
To better protect important documents, start by classifying fewer of them
The White House has come out strongly for the need to protect its employees from the ill effects of looking at classified information on public websites — at least while they’re using government computers. Toward that end, a number of agencies have begun blocking access to WikiLeaks and the sites of perfectly legitimate news organizations that have posted leaked documents.
The Library of Congress blocked access to WikiLeaks on library computers for employees and patrons, and explained its reasons in a blog posting by Communications Director Matt Raymond: “The Library decided to block WikiLeaks because applicable law obligates federal agencies to protect classified information. Unauthorized disclosures of classified documents do not alter the documents’ classified status or automatically result in declassification of the documents.”
This puts the government in the ludicrous position of standing outside the barn, door wide open, and demanding, “Pay no attention to those horses running around out there!”
There's no question about it: The government needs to do a better job of protecting its information. The best way to start is to be more selective about what is classified.
Despite dire statements that the State Department communications leaked to WikiLeaks jeopardize American security and put lives at risk, the reality is that the majority of the material published by WikiLeaks is merely embarrassing and should not have been classified.
Risk management is the foundation of any meaningful information security program, and an essential step in risk management is risk assessment. Ranking the significance of the WikiLeaks cables right up there with serious life-or-death information undermines the concept of risk management and damages information security.
Since the creation of e-mail, the best advice for handling sensitive information has been: If you don’t want to see it published, don’t send it. That same advice applies to diplomats and other government employees. If they are embarrassed by the publication of personal assessments of Vladimir Putin or other leaders, they shouldn’t have sent them. If those assessments are accurate and appropriate and contribute to the conduct of U.S. foreign policy, there is no reason to be embarrassed by them.
There is government information that legitimately should be kept secret because lives really are at stake. But as the WikiLeaks kerfuffle shows, most government information doesn’t meet that criterion. There is no reason to assume that assessments made by public servants for the public’s business while on the public payroll should be hidden from the public by default. Classification should be the exception rather than the rule.
The time and effort spent ineffectively protecting the leaked documents and then responding to and investigating their leak have been wasted. That time could be much better spent protecting serious secrets. Reducing the volume of classified material by restricting classification to what is really important is a necessary first step.
This does not eliminate the need for protecting unclassified information. That information belongs to the public, and the government has a responsibility to ensure that it is available and can be relied on. But that information should be protected, not hidden.