Skip Navigation
Analysis

Training to Fight in the Light

9/11 showed how overreliance on secrecy can be dangerous. That’s even more true today.

  • spalding Suzanne E. Spaulding
August 19, 2021
redactions
Eric Baradat/Getty
View the entire 9/11 at 20 series

Keep­ing secrets tradi­tion­ally has been considered an essen­tial element of national secur­ity. However, 9/11 showed us that secrecy also can under­mine our secur­ity by prevent­ing inform­a­tion from quickly getting to those who need it to keep us safe. In the 20 years since, another shift has occurred with the grow­ing recog­ni­tion that the shelf-life of secrets is vanish­ingly short.

At an Open Source Confer­ence in 2008 hosted by the director of national intel­li­gence, a CIA analyst predicted that “in 15 years, there will be no more secrets.” While he may have under­es­tim­ated the time frame, the trend line is undeni­able, with profound implic­a­tions for how we think about secrecy and national secur­ity. Our object­ive over the next 20 years — vital both to our national secur­ity and to the func­tion­ing of our demo­cracy — should be to adapt to the chal­lenge of oper­at­ing in a world without secrets.

The attacks of 9/11 taught us the oppor­tun­ity costs of trying to keep secrets. This insight promp­ted calls to move from “need to know” to “need to share.” Instead of assum­ing inform­a­tion should be held close absent an affirm­at­ive determ­in­a­tion that someone had a legit­im­ate need to know it, there was a push in govern­ment toward a presump­tion of shar­ing inform­a­tion that might be relev­ant to the wide range of actors now implic­ated in protect­ing our national secur­ity. State, local, tribal, and territ­orial offi­cials, private-sector owners and oper­at­ors of crit­ical infra­struc­ture, and even the general public all have import­ant roles to play in detect­ing and thwart­ing attemp­ted terror­ist attacks. There­fore, with­hold­ing inform­a­tion from them risks under­min­ing our secur­ity.

More recently, the grow­ing number, soph­ist­ic­a­tion, and impact of cyber incid­ents have provided further evid­ence of the costs of trying to keep secrets. Network defend­ers need detailed inform­a­tion about cyber threats and vulner­ab­il­it­ies in order to keep essen­tial func­tions oper­at­ing, most of which are in the hands of the private sector. When national secur­ity agen­cies decide to keep that inform­a­tion secret, it hampers the work of those on the front­lines.

Moreover, mali­cious cyber activ­ity by states and non-state actors is signi­fic­antly rais­ing the direct cost of trying to protect data. It has been repor­ted that in 2014, the global cyber­se­cur­ity market was worth $35 billion. By 2022, the inform­a­tion secur­ity market is fore­cas­ted to grow to over $170 billion. Imagine what the govern­ment is spend­ing in its effort to keep massive amounts of inform­a­tion secret. Yet, nearly every major national secur­ity depart­ment or agency has been hacked. Even the National Secur­ity Agency had to admit that cyber tools it had developed had been comprom­ised. Accord­ing to media reports, adversar­ies were able to use the comprom­ised tools to hack into U.S. targets. Mean­while, the targets did not have the inform­a­tion to protect them­selves.

Even if inform­a­tion is not stolen, the ubiquity of data means no one can hope to have a mono­poly on inform­a­tion for an exten­ded period of time. The assump­tion should be that whatever decisional advant­age is gained by having inform­a­tion that your adversary does not have will be short-lived.

Cyber­se­cur­ity experts know that you can never achieve 100 percent secur­ity. Smart entit­ies oper­ate in a way that is resi­li­ent, rather than becom­ing completely depend­ent upon the reli­ab­il­ity or secur­ity of the network. They take reas­on­able steps to protect their networks but then build plans to ensure continu­ity of oper­a­tions based on the assump­tion that a mali­cious cyber actor will succeed in breach­ing their network and caus­ing disrup­tion.

Simil­arly, the national secur­ity community should be oper­at­ing on the assump­tion that its most sens­it­ive inform­a­tion will be comprom­ised. In 2010, I convened a symposium co-sponsored by the Amer­ican Bar Asso­ci­ation’s Stand­ing Commit­tee on Law and National Secur­ity and the Office of the Director of National Intel­li­gence’s Coun­ter­in­tel­li­gence Exec­ut­ive. The report from this meet­ing of current and former national secur­ity profes­sion­als concluded that “[m]aintain­ing the current default that everything should be considered secret is becom­ing (if not already is) danger­ous and imprac­tical.” Like depend­ing upon 100 percent secur­ity in your network, a national secur­ity strategy that depends upon secrecy for success is brittle and unwise.

There is some inform­a­tion that will still merit efforts to protect it, at least in the near-term, includ­ing iden­tit­ies of human sources and perish­able intel­li­gence meth­ods. Even these, however, should be reas­sessed, consid­er­ing the like­li­hood that they will not stay secret. Human sources may become extremely rare and only used when the presumed bene­fit is worth the risk that the source will be discovered, for example. The strong presump­tion should be to try to shield as little inform­a­tion as possible for as short a period of time as possible. In all instances there should be plans in place to mitig­ate the risks should such inform­a­tion be comprom­ised.

Redu­cing secrecy in this way will strengthen our demo­cracy. Secrecy prevents members of the public from debat­ing and weigh­ing in on govern­ment policies and prac­tices. It can stymie account­ab­il­ity for miscon­duct. It also contrib­utes to the decline in public trust in demo­cracy and its insti­tu­tions, which plays into the hands of our adversar­ies and under­mines our abil­ity to compete with author­it­arian regimes for influ­ence around the world. Conspir­acy theor­ies thrive in a world of perceived secrets. These vulner­ab­il­it­ies are exploited by our adversar­ies push­ing one-sided narrat­ives of irre­voc­ably broken and corrupt insti­tu­tions.

We must fight back in a way that plays to our strength and our adversar­ies’ weak­ness. If you trained to fight in the dark, you could meet your adversary at night or turn off the lights and you would have the advant­age. Today, we must train to fight in the light, because a trans­par­ent world is coming at us full steam. Whoever can figure out how best to oper­ate in the light of that trans­par­ent world, to oper­ate with fewer secrets, will prevail.

The good news is that demo­cra­cies have a head start over their author­it­arian adversar­ies. Total­it­arian regimes cannot survive in sunlight. They need dark corners in which to hide their corrup­tion and dysfunc­tion from their popu­la­tions. Demo­cratic govern­ments have more exper­i­ence oper­at­ing openly. Trans­par­ency has always been an import­ant, if often aspir­a­tional, element of “govern­ment of, by, and for the people.” National secur­ity is one of the last areas of govern­ment still oper­at­ing almost entirely on the idea that inform­a­tion can and must be kept hidden. This must change if Amer­ica is to keep its edge over our adversar­ies and compet­it­ors — as well as its prom­ise of a demo­cracy in which an informed and engaged citizenry can exer­cise the right and respons­ib­il­ity of self-govern­ment.

Suzanne Spauld­ing leads the Defend­ing Demo­cratic Insti­tu­tions Project at the Center for Stra­tegic and Inter­na­tional Stud­ies. She has spent over 35 years work­ing on national secur­ity issues in the exec­ut­ive branch and Congress, on both sides of the aisle, and in the private sector. Most recently, she served as under secret­ary at DHS and is currently on the Cyber­space Solarium Commis­sion.