America's secrets are not sufficiently protected. The recent posting of apparently secret government documents in online chat rooms, allegedly by Air National Guardsman Jack Teixeira, reminds us that intelligence reporting faces a dilemma: either we restrict it to prevent leaks, or we share information widely within the government to prevent harm to our people and our troops.
There is a way out of this situation, but it involves fundamental and costly changes.
The first step in this effort will require us to admit that we are not investing adequately in leak prevention. This is not the fault of any administration. When Congress allocates funds to spy agencies, they are more likely to spend them on new spying techniques that can provide richer intelligence than on safeguards that reduce the risk of compromise.
Still, we spend billions on protection, but it's heavily geared toward stopping potentially devastating invasions from another country, like China or Russia, and is less geared toward insiders. It's the right choice: imagine the consequences if the SolarWinds hacks of 2019 in federal civilian departments had instead taken place in secret Pentagon networks. While there have been embarrassing incidents in part of the military network, it appears that we have at least managed to keep foreign adversaries out of our secret defense and intelligence systems.
However, we still have a problem: the most serious breaches of document security over the last decade have been caused by employees with authorized access, such as Chelsea Manning, Edward Snowden, Reality Winner and apparently Jack Teixeira. It's a disturbing pattern of leaks from 20-year-old contractors or members of the military — not longtime C.I.A. or N.S.A. employees. Perhaps the vulnerability is greater in the armed forces, whose recruitment is less selective than in intelligence agencies. Perhaps the problems are most prevalent among members of Generation Z and millennials, especially those obsessed with online games, because they may be more discouraged, less likely to follow the rules, and more interested in building social media traction.
When insider leaks occur, the typical and understandable response from the intelligence and military communities is to restrict access in some way. However, stricter procedures are implemented only to then inevitably erode, because the evolving nature of threats and technology requires new information and wider sharing. Another answer, from the Moynihan Commission in 1997 to the current study by Director of National Intelligence Avril Haines, is to tackle the problem of overclassification, based on the theory that the more classified documents there are, the harder it will be to manage them. There's some truth to that, but overclassification itself doesn't cause leaks. To combat leaks, we must focus on disclosure and protection.
Determined individuals will inevitably find a way around any defensive measures. But rather than taking one-time, retroactive steps to prevent another leak, we need an integrated approach to disseminating and protecting national security information. Fortunately, both the government and the private sector have potential solutions.
The government can create a sense of mission and public service, and it can verify and monitor, as legally appropriate, the behavior of officials. Even with the best policies and procedures for our classified records system, we must ultimately rely on a culture of trust and compliance. Most people with top secret privileges know that the lives of their military, intelligence and diplomatic colleagues could be at risk due to unauthorized disclosure. However, a much greater effort is needed to restore a sense of public mission and instill an awareness that our national security is at stake. This may be even more relevant for Gen Z military recruits and intelligence agencies.
Currently, the primary way we train employees on security clearances is through periodic online courses on how to properly handle confidential documents. This mechanical approach will not produce a workforce that truly appreciates the need for security, especially among the younger generation. Requiring all candidates to submit to a psychological and polygraph test (now only for some agency employees) would not only weed out troublesome candidates, but also create cohesion among employees who feel part of a select group. This type of verification must be done on an ongoing basis and not just at the time of hiring. Again, this can be a more serious problem among, say, vulnerable 18-year-old military recruits whose opinions can change in just a few years.
Obviously, just a reliable workforce is not enough; there will always be temptations and a certain percentage of people will deviate from it. Technology needs to fill that gap, and there the government can learn a lot from private sector innovation. From pharmaceutical companies to defense contractors working at the forefront of the digital revolution, private companies are deploying technology to keep trade secrets from being stolen so samples, models and blueprints don't go out the door. The government could emulate the private sector in selecting the most effective solutions – perhaps installing R.F.I.D. tags on documents and binders (triggering an exit alarm, similar to the system used in retail stores to protect against theft) or leveraging the use of artificial intelligence to detect unusual behavior (such as printing an unusual document). If every ATM can have a camera, why not every secret printer? The government has been reluctant to adopt robust techniques from the private sector because they are expensive and time-consuming to implement, and Congress is demanding quick fixes.
One critical private sector concept that the government could adapt for handling sensitive material follows an increasingly popular business model for dealing with cybersecurity threats. The private sector is moving from a system dependent on a network firewall to one based on independent verification of every cyber transaction. The federal government is also joining in this so-called zero trust architecture, with the intelligence community and the Department of Defense adopting the concept for cybersecurity purposes. The new idea would be to apply the same concept to our system for handling classified documents: it would clearly implement the principle, which we profess to respect but do not practice, that access to information is granted only on a need-to-know basis, when relevant to your specific job.
As a reformist group appointed by the president suggested after the Snowden leaks ten years ago, a tech support person (like you. We currently have a perimeter-based system: if you pass a security test, you generally have access to classified documents, although some categories of documents are in special "tracks" that require additional approvals. But it is far from a zero trust system, with layers of automated controls applicable to access to all documents. This could also be associated with a system where levels of trust report details were shared only when necessary, moving away from our binary all-or-nothing approach.
There are many other techniques and innovations from the private sector that government could use, but we need to adopt and implement them in an integrated and coherent way. This will not happen through individual government procurement of solutions. Instead, Congress or the Biden administration should appoint a small task force of government officials and the private sector's best and brightest to overhaul our systems for dissemination and protection. We need to start treating the protective end of the intelligence process as if it were just as important as the collection part.
Implementing this will be costly. The alternative, however, is to take chaotic, incremental action - but one day this could result in even more expensive intelligence or military losses.
Glenn S. Gerstell served as General Counsel for the National Security Agency from 2015 to 2020 and is Senior Counsel for the Center for Strategic and International Studies.
The Times is committed to publishing a variety of letters to the editor. We would like to know your opinion about this or any of our articles. Here is some advice. And here is our email: firstname.lastname@example.org.
NSA's Office of General Counsel (OGC) is responsible for ensuring that the legal authorities that NSA has been asked to execute on behalf of the nation's security are properly and reliably discharged. The rule of law plays a vital role in not only the conduct of NSA's operations, but also the security of our nation.

Who leaked classified documents?
We turn to the Air National Guardsman accused of leaking a trove of U.S. intelligence documents. Twenty-one-year-old Jack Teixeira is facing charges under the Espionage Act. Today he made his initial appearance in federal court in Boston, where a judge ordered that he remain in custody for now.

What is the difference between the CIA and the NSA?
The Role of the NSA
While both the CIA and NSA focus on gathering and analyzing intelligence, one of the primary differences between them is that the CIA is often focused on human intelligence gathering, while the NSA specializes in signals intelligence.
The National Security Agency (NSA) is a federal government intelligence agency that is part of the United States Department of Defense and is managed under the authority of the director of national intelligence (DNI).