Breach of information security is a cause for concern

By D.C. PATHAK | 30 May, 2015
All governmental supervisory officers need to be aware of the accountability they carry for the security of classified information.

Over the years an atmosphere of permissiveness was known to have prevailed across sensitive ministries of the Government of India in the matter of access enjoyed by outsiders. The current investigations into the widespread security breaches suffered by several of them have unravelled the contours of how "subverted insiders" were, in fact, engaging in a sustained operation that aimed at ferreting out secret information of the government for various end users outside.

It is good to know that the probe was the result of an alert from the National Security Adviser — this proving once again the importance of having a professional of intelligence background in that crucial position — and that the follow-up has been quick and competent. While the damage caused by the miscreants can perhaps be undone through appropriate "risk mitigation", it is more important to lay down stringent security dos and don'ts for the working of the ministries in the future.

The first step in this is to organise security orientation of all functionaries of the level of section officers and above. This can be done by the agencies over a short period of time. The basics of security have to be understood: the meanings of espionage, surveillance, access control, intrusion detection, classification of information, insider threat and "need to know" have to be grasped. Any supervisory officer must have the ability to provide security oversight to the personnel working for him or her.

The current investigations have reportedly brought out what the media refers to as "corporate espionage". It is useful to understand what this is about and whether this is any different from the compromise of secrets of the state that would affect national security itself.

Espionage is classically defined as "unauthorised access to protected information" and is a covert activity directed at passing on this information to an "enemy" of the nation. If information is not protected through "security classification", i.e., putting the label of Top Secret, Secret or Confidential on it, which limits access to it only to a certain number of authorised people, the charge of "espionage" would not hold. Unclassified information can be reached without taking a covert route. 

The probe currently on has reportedly brought out that some minions of corporate houses were not above the temptation of using illicit networks of information collectors to get at the confidential content of government files that would supposedly help their business plans. These peddlers of information, who, in turn, run a business of profit in collusion with government "insiders", take advantage of an environment in which there is no fear of the law to fulfil their desire to make money by any means.

There are, of course, many corporate empires that invest a lot in creating an information gathering and business analysis centre, but stick to legal and ethical means of collecting information.

In the era of global competition, both domestic and foreign players in business seek information on the politico-legal regime and economic policies and regulations in the offing. These, if exclusively known in advance, would give the concerned entity an edge over its rivals. This quest for "competitive intelligence", however, permits only a legitimate use of "open" sources, to which all players in business are entitled. Making "unauthorised access to protected information" of the state would place serious accountability on the concerned individual. Today, national security is inseparable from economic security and this is reason enough to consider protected information on matters related to the economy to be at par with national secrets of, say, defence or nuclear policy.

The investigations, as reported by the media, certainly give a wake-up call for reviewing the handling of classified information within the government and upgrading the security systems that also provide for monitoring arrangements to carry out random audits on their efficiency. In olden times, classified waste used to be destroyed by burning. Today, a table-top shredder is supposed to be a part of office supply for all gazetted officers in sensitive ministries. The profession of security has evolved comprehensive measures on "insider threat management", which help to zero in on suspicious conduct of an employee.

By far the most important learning, however, is that all supervisory officers of the government must be made aware of the seriousness of the accountability they carry for the security of classified information put in their charge. With the advent of the internet and computerisation, the safeguarding of information security extends to cyberspace as well. No security briefing of the supervisory officers would be complete without giving them a proper understanding of the nuances of cyber security.

All ministries and institutions handling protected information have to understand that security is not a standalone function assigned to a set of security personnel, but that it has to be integrated with the mainstream of the organisation, with all members consciously contributing to it by acting as the eyes and ears of the collective body.

D.C. Pathak is a former Director, Intelligence Bureau

