This sort of approach is a thought process and methodology we have been training NGOs, journalists and human rights organisations in for years at Security First (http://www.secfirst.org). Though it is strange to think about it this way, the work of many NGOs and journalists is actually very similar to intelligence organisations (a cycle of planning requirements, collecting, processing, analysis/production, distribution to policy makers, collect, etc) and in many ways the threats/defence measures are similar (insider threats, digital penetration, disruption etc).
All too often organisations we work with focus on tools (encryption,etc) instead of beginning with processes (compartmentalisation, need to know, vetting etc), so usually we have to begin with them. For many reasons this can cause people and organisation'so discomfort ("We are a human rights org, we won't want to hide information from other staff.")
I could talk all day about the subject and have been meaning to write up or do a full public presentation about it somewhere about the methodology and how it applies to NGOs, media etc - I just need to find the right place to do that!
Just read a quote from "Secrets of Consulting" that's applicable, no matter how it may look at first, it's usually a people problem. We do like using tools instead of focusing on education and training.
Security is a mindset, not simply a process. This article goes a little into the mind of a Counterintelligence officer but when they talk of "paranoia" it has more of a negative connotation than I think is warranted.
I would offer that the way the CI officer approaches security along the spectrum (PERSEC, INFOSEC, OPSEC) is an extreme and fractal form of the "Front page rule." So the question is always: "How would this look on the [insert increasingly public channels]."
Compartmentalization and segmentation are really the underlying theories behind defense in depth and I think it is valuable for other people to look at how these principles should be applied.
The last thing I will say is that, it's probably best to ignore the "Well NSA does that but look at how that failed." In fact what you see with leaks and hacks etc...is a failure of the implementation - usually in the form of a person or persons who tried to make things easier or more user friendly. That should not indict the theory of compartmentalization, but rather prove that the human is the most important element in the security system.
I think there are also very different attitudes and thus implementations of Counter-Intelligence, at the tactical, operational and strategic levels.
-Tactical - "Doing this particular activity is a pain, I don't want to keep everything locked up, I don't want to report every little strange thing etc"
-Operational - "This organisation (and my job) is rewarded for running successful XYZ operations, Counter-Intelligence is just a money drain for little obvious results etc"
-Strategic or policy level - "Spying will always happen. If we do it, our enemies will do it. They will probably find out eventually. Ultimately if an enemy finds out our secret stealth space rocket is actually for new types of photos and not a sneaky nuclear strike, they are more likely to act in a rational and calm way."
This article is somewhat very lightweight on content, but it reminded me of a thing I'm looking for. Does anyone know of any resources that discuss in details how spymasters and intelligence agencies manage things in day-to-day pracitce?
My uncle was in the CIA. Before that he used his Yale psychology Ph.D to sneak into the OSS (20/200 vision and medical disqualification couldn't stop him). He wrote an excellent account of his time training spies in Britain then leading resistance movements in Vichy France. His book is titled "The O.S.S. And I" and his name was William Morgan.
I consider it an essential read for understanding group dynamics in unfamiliar territories. People tend to act in archetypes when put in controlled situations. For example, one of the training/vetting challenges was to cross a pool of water without touching it using supplies scattered around the site. It took three planks to do it properly, although two would work if you were extremely slow and careful. One plank was easy to find, one was hard, the third was extremely well-hidden. You can see from that example who will examine all of the options and who will get frustrated with 2/3 of the supplies and try to wing it.
Another interesting facet he brought up was how different tests could show aptitude in different people. For example, Polish recruits tended to be poor at individual tests but they excelled as a team because they were far less prone to bickering over who gets to lead.
I consider "The O.S.S. And I" to be a better guide to management than most white collar crap we see these days. One of the candidates who got impatient and failed the water-crossing test, by the way, was an American executive from a multimillion-dollar company.
I'll look for the book. Thanks for the recommendation! I'm Polish btw. and my impression of my own society is that while we may not be bickering over who gets to lead, we like to complain about the decisions that the leader makes :).
Hmm, I'm always a bit cynical of how deep you can really look into such "team based" tests. I've been on both sides of them in various environments, commerical and military - and I find their utility to be minimal at best. I think Daniel Kahneman probably does a much better job than I can do about explaining why they are flawed in "Thinking Fast and Slow." Summarised a bit here:
Ah! Good suggestion. I have read the book you referenced and it reminds me of a particular test in "The O.S.S. And I" where a trainee is led by a "hotel owner" in occupied territory to the attic to retrieve a list of co-conspirators before the police arrive, which is signaled by the hotelier shouting from the outside.
In one case, a French paratrooper heard the warning and immediately dashed past him and out of sight. It took two hours until his hiding spot was discovered. When asked why he ran away, he answered that by alerting his presence so loudly it implied the hotelier was in fact working with the police and couldn't be trusted.
Going back to Kahneman, I would interpret that as a System 1 reaction geared towards survival, rather than following the rules. There is a line in the book that says something to the effect of: "A spy must be a man of integrity, but he must also be willing at a moment's notice to act as a criminal by lying, cheating, or killing, to serve his country."
Any detailed information is going to be classified because details are useful to attackers. That said spy novels from "in the know" authors do a decent job of explaining some aspects.
The Manning / Snowdon revelations do plenty to expose the myriad problems the US have with secure systems. Lets just say that not every country has such a haphazard approach...
All too often organisations we work with focus on tools (encryption,etc) instead of beginning with processes (compartmentalisation, need to know, vetting etc), so usually we have to begin with them. For many reasons this can cause people and organisation'so discomfort ("We are a human rights org, we won't want to hide information from other staff.")
I could talk all day about the subject and have been meaning to write up or do a full public presentation about it somewhere about the methodology and how it applies to NGOs, media etc - I just need to find the right place to do that!