The Department of Homeland Security suffered over 100 “spills” of classified information last year, 40 percent of which came from one office, according to a leaked internal document I obtained.
Officials and lawmakers told me that until the Department imposes stricter policies and sounder practices to better protect sensitive intelligence, the vulnerabilities there could be exploited. Not only does this raise the threat that hostile actors could get their hands on classified information, it may lead to other US agencies keeping DHS out of the loop on major security issues.
A spill is not the same as an unauthorized disclosure of classified information. A Homeland Security official explained that spills often include “the accidental, inadvertent, or intentional introduction of classified information into an unclassified information technology system, or higher-level classified information into a lower-level classified information technology system, to include non-government systems.”
Examples include: using a copier not approved for the level of classified information copied; failing to properly mark a classified product; transmitting classified information on an unclassified system like Gmail; or sending classified information to someone who, while having the proper level of clearance, is not authorized to read a section of information sent to them, the official said.
There were 119 of these classified spills reported throughout the Homeland Security Department in fiscal year 2015, according to the internal document, which itself is unclassified.
The section with the most spills by far was the Office of Intelligence and Analysis, led by retired Gen. Francis Taylor.
This office is composed mostly of intelligence analysts assigned to produce and review classified reports that are often the work of other intelligence agencies.
One senior Homeland Security official told me the intelligence and analysis office at DHS suffers from lax enforcement of the established policies and practices to protect classified information.
S.Y. Lee, a department spokesman, said DHS doesn’t comment on reports of leaked information, but that the department is currently having mandatory employee-training sessions on the handling of classified and sensitive information.
“We take any report of mishandling of information very seriously, and when violations are discovered, the department takes immediate, appropriate actions to address the situation,” he said.
Experts on government secrecy and classified information handling told me that the number of spills alone doesn’t directly prove there’s a larger cultural or policy problem at DHS.
But there’s a history of carelessness with e-mail at the department, and this new finding combined with anecdotal reports of bad practices indicate there should be more investigation.
“At a minimum, this raises a question about what’s going on at this corner of the agency,” said Steven Aftergood, director of the program on government secretary at the Federation of American Scientists.
“If it is happening disproportionally in one part of the agency, that may mean that remedial measures are needed there, including security training, better oversight and similar steps.”
Spillages are a normal part of the classification system at the DHS and elsewhere, and there are formal procedures for addressing them because it’s understood you can’t eliminate human error, he said. But if one intelligence shop is mishandling information from another part of the government, that could cause real problems in the interagency cooperation and intelligence-sharing.
Johannes B. Ullrich, dean of research for the SANS Technology Institute, said it’s probable most of the classified spills were unintentional and the result of sloppiness more than anything else.
But lax enforcement of policies meant to protect sensitive information also presents an opportunity for exploitation by malicious actors.
“If it’s accepted practice that you print documents and scan them in, for example, then it’s much easier for an insider to take advantage of that,” he said.
The House Homeland Security Committee is currently pushing DHS to implement new systems for monitoring employees who handle classified information.
Last November, the House passed the DHS Insider Threat and Mitigation Act, which was sponsored by Representative Peter King, chairman of the Homeland Security Committee’s subcommittee on counterterrorism and intelligence.
The bill would require Taylor, among other things, to develop a timeline for deploying workplace monitoring technologies, employee awareness campaigns and education and training programs related to potential insider threats.
Classified spills are a government-wide problem, and there’s no way to know if the incidents at the DHS intelligence shop have been exploited.
But unless that office and the government as a whole does a better job of protecting classified information, it’s just a matter of time before real damage is done to US national security.