Training to Fight in the Light

Keeping secrets traditionally has been considered an essential element of national security. However, 9/11 showed us that secrecy also can undermine our security by preventing information from quickly getting to those who need it to keep us safe. In the 20 years since, another shift has occurred with the growing recognition that the shelf-life of secrets is vanishingly short.

At an Open Source Conference in 2008 hosted by the director of national intelligence, a CIA analyst predicted that “in 15 years, there will be no more secrets.” While he may have underestimated the time frame, the trend line is undeniable, with profound implications for how we think about secrecy and national security. Our objective over the next 20 years — vital both to our national security and to the functioning of our democracy — should be to adapt to the challenge of operating in a world without secrets.

The attacks of 9/11 taught us the opportunity costs of trying to keep secrets. This insight prompted calls to move from “need to know” to “need to share.” Instead of assuming information should be held close absent an affirmative determination that someone had a legitimate need to know it, there was a push in government toward a presumption of sharing information that might be relevant to the wide range of actors now implicated in protecting our national security. State, local, tribal, and territorial officials, private-sector owners and operators of critical infrastructure, and even the general public all have important roles to play in detecting and thwarting attempted terrorist attacks. Therefore, withholding information from them risks undermining our security.

More recently, the growing number, sophistication, and impact of cyber incidents have provided further evidence of the costs of trying to keep secrets. Network defenders need detailed information about cyber threats and vulnerabilities in order to keep essential functions operating, most of which are in the hands of the private sector. When national security agencies decide to keep that information secret, it hampers the work of those on the frontlines.

Moreover, malicious cyber activity by states and non-state actors is significantly raising the direct cost of trying to protect data. It has been reported that in 2014, the global cybersecurity market was worth $35 billion. By 2022, the information security market is forecasted to grow to over $170 billion. Imagine what the government is spending in its effort to keep massive amounts of information secret. Yet, nearly every major national security department or agency has been hacked. Even the National Security Agency had to admit that cyber tools it had developed had been compromised. According to media reports, adversaries were able to use the compromised tools to hack into U.S. targets. Meanwhile, the targets did not have the information to protect themselves.

Even if information is not stolen, the ubiquity of data means no one can hope to have a monopoly on information for an extended period of time. The assumption should be that whatever decisional advantage is gained by having information that your adversary does not have will be short-lived.

Cybersecurity experts know that you can never achieve 100 percent security. Smart entities operate in a way that is resilient, rather than becoming completely dependent upon the reliability or security of the network. They take reasonable steps to protect their networks but then build plans to ensure continuity of operations based on the assumption that a malicious cyber actor will succeed in breaching their network and causing disruption.

Similarly, the national security community should be operating on the assumption that its most sensitive information will be compromised. In 2010, I convened a symposium co-sponsored by the American Bar Association’s Standing Committee on Law and National Security and the Office of the Director of National Intelligence’s Counterintelligence Executive. The report from this meeting of current and former national security professionals concluded that “[m]aintaining the current default that everything should be considered secret is becoming (if not already is) dangerous and impractical.” Like depending upon 100 percent security in your network, a national security strategy that depends upon secrecy for success is brittle and unwise.

There is some information that will still merit efforts to protect it, at least in the near-term, including identities of human sources and perishable intelligence methods. Even these, however, should be reassessed, considering the likelihood that they will not stay secret. Human sources may become extremely rare and only used when the presumed benefit is worth the risk that the source will be discovered, for example. The strong presumption should be to try to shield as little information as possible for as short a period of time as possible. In all instances there should be plans in place to mitigate the risks should such information be compromised.

Reducing secrecy in this way will strengthen our democracy. Secrecy prevents members of the public from debating and weighing in on government policies and practices. It can stymie accountability for misconduct. It also contributes to the decline in public trust in democracy and its institutions, which plays into the hands of our adversaries and undermines our ability to compete with authoritarian regimes for influence around the world. Conspiracy theories thrive in a world of perceived secrets. These vulnerabilities are exploited by our adversaries pushing one-sided narratives of irrevocably broken and corrupt institutions.

We must fight back in a way that plays to our strength and our adversaries’ weakness. If you trained to fight in the dark, you could meet your adversary at night or turn off the lights and you would have the advantage. Today, we must train to fight in the light, because a transparent world is coming at us full steam. Whoever can figure out how best to operate in the light of that transparent world, to operate with fewer secrets, will prevail.

The good news is that democracies have a head start over their authoritarian adversaries. Totalitarian regimes cannot survive in sunlight. They need dark corners in which to hide their corruption and dysfunction from their populations. Democratic governments have more experience operating openly. Transparency has always been an important, if often aspirational, element of “government of, by, and for the people.” National security is one of the last areas of government still operating almost entirely on the idea that information can and must be kept hidden. This must change if America is to keep its edge over our adversaries and competitors — as well as its promise of a democracy in which an informed and engaged citizenry can exercise the right and responsibility of self-government.

Suzanne Spaulding leads the Defending Democratic Institutions Project at the Center for Strategic and International Studies. She has spent over 35 years working on national security issues in the executive branch and Congress, on both sides of the aisle, and in the private sector. Most recently, she served as under secretary at DHS and is currently on the Cyberspace Solarium Commission.