World War II Slogan is Crucial to Preventing Unauthorized Disclosure in 2024 - DITMAC Team Working to Reduce Unauthorized Disclosures, Training DOD Workforce

Photo By Christopher Gillis | QUANTICO, Va. – DOD Unauthorized Disclosure Program Management Office (UDPMO) Chief...... read more read more

Photo By Christopher Gillis | QUANTICO, Va. – DOD Unauthorized Disclosure Program Management Office (UDPMO) Chief Andy Rovnak recounted the World War II “loose lips sink ships” campaign focused on preventing inadvertent disclosure of important information to the enemy. “It’s just as true and crucial today as it was throughout World War II,” said Rovnak, who leads the UDPMO team – one of several DCSA counter insider threat teams comprising the DOD Insider Threat Management and Analysis Center (DITMAC) – in their efforts to help prevent unauthorized disclosure or leaks of non-public information, crucial to maintaining the nation’s security, personnel safety and public trust. “Deterring, detecting and mitigating unauthorized disclosure is everyone’s responsibility – it’s our military, government and civic duty,” he said in a recent interview. “We've got to be very careful in what we say and do. We're not just talking on the phone – we’re on cyber while people are trying to compromise the integrity of our networks and our cyber capability. It's where we are right now in the state of the world, and we must avoid any release of classified or secure information which could damage our national security.”  see less | View Image Page

UNITED STATES

03.13.2024

Story by John Joyce 

Defense Counterintelligence and Security Agency

✔ ✗ Subscribe

70

It was World War II and the “loose lips sink ships” slogan sprang up throughout the United States from billboards and posters to Hollywood productions advising Americans in the military, government, industry and the public to prevent inadvertent disclosure of important information to the enemy.

“It’s just as true and crucial today as it was throughout World War II,” said Andy Rovnak, DOD Unauthorized Disclosure Program Management Office (UDPMO) chief. Rovnak was reflecting on how the U.S. Office of War Information’s campaign to protect critical information focused on specific rules of conduct established to protect strategic military plans, national security, the American people, and warfighters deployed on two fronts and around the globe.

“Deterring, detecting and mitigating unauthorized disclosure is everyone’s responsibility – it’s our military, government and civic duty,” said Rovnak in a February 2024 interview with DCSA Gatekeeper magazine. “We've got to be very careful in what we say and do. We're not just talking on the phone – we’re on cyber while people are trying to compromise the integrity of our networks and our cyber capability. It's where we are right now in the state of the world, and we must avoid any release of classified or secure information which could damage our national security.”

Rovnak leads the UDPMO team – one of several DCSA counter insider threat teams comprising the DOD Insider Threat Management and Analysis Center (DITMAC) – in their efforts to help prevent unauthorized disclosure or leaks of non-public information, crucial to maintaining the nation’s security, personnel safety and public trust.

“The ‘loose lips sink ships’ campaign also applies to the unauthorized disclosure of sensitive unclassified information,” he said. “Although unclassified, this sensitive material could enable our adversaries and any potential adversaries to identify and exploit vulnerabilities. It would allow them to steal and use our intellectual property and technology against us, leading to an increased risk of mission failure and potential loss of life.”

An unauthorized disclosure occurs when trusted individuals inside an organization communicates or physically transfers classified national security information or controlled unclassified information — including Operations Security critical information and indicators — to an unauthorized recipient.

“There are multiple threats out there and we’re losing intellectual property to unauthorized recipients,” said Rovnak, pointing out that recipients span external threats such as nation state actors to criminal entities who target the federal government, defense industrial base and American citizens. “If information in the care of government on behalf of its citizens to protect the nation is exposed – someone will take advantage of it. The same is true with personal information. The technological revolution and transformation into a digital society since the World War II era resulted in a fragility in how we operate from an information standpoint that didn't exist back then. Someone without nation-state capabilities can interfere and cause a significant amount of damage. They're able to get the information quicker now and turn it around faster against us. If someone knows about a vulnerability, that person can use ChatGPT and write code that may go out to exploit that vulnerability.”

This knowledge released through an unauthorized disclosure of classified information or controlled unclassified information (CUI) can happen in various ways. It could be disclosed intentionally, negligently or inadvertently through leaks, data spills, espionage and improper safeguarding of national security information. When classified information is involved, unauthorized disclosure can be categorized as a type of threat or security incident, characterized as an infraction or violation depending on the seriousness of the incident.

“My UDPMO team coordinates the reporting of unauthorized disclosures within the Department of Defense to ensure prompt and complete delivery of case referrals to the Department of Justice and DOD senior officials for administrative action, civil remedies or criminal prosecution,” Rovnak explained. “We are also charged with promoting collaboration and information sharing of unauthorized disclosure information across DOD and the intelligence community.”

Since April 2023 when he arrived at DCSA, Rovnak carried out his UDPMO vision to provide continuous workforce engagement activities that reinforce the importance of protecting DOD information from unauthorized access or disclosure while providing it to those who need it, plus gaining efficiencies to deter, detect and mitigate instances of unauthorized disclosure.

“This requires a deliberate enterprise-wide effort to ensure everyone understands the importance of appropriate information sharing and safeguarding across the department and the role they have in providing protection of classified national security Information and CUI from those who don’t have an appropriate need to know,” said Rovnak. “Our goal for this year is to provide a measurable reduction of DOD unauthorized disclosures through focused security awareness training activities that change human behavior toward the direction of prevention. We are planning to increase collaboration and engagement with the workforce as key elements to improve the identification, investigation, tracking and reporting of unauthorized disclosures in 2024.”

The Unauthorized Disclosure of Classified Information and CUI course – available on the Center for Development of Security Excellence (CDSE) Security Awareness Hub – provides an overview of unauthorized disclosure, including specific types of unauthorized disclosure and some common misconceptions about unauthorized disclosure. The course also discusses the types of damage caused by unauthorized disclosure and the various sanctions one could face if caught engaging in unauthorized disclosure. CDSE also provides resources to bring security expertise straight to any organization, including those for unauthorized disclosure.

In support of the January 2024 OPSEC Awareness Month, the Unauthorized Disclosure Program Management Office held three ‘Unauthorized Disclosure 101’ briefs to the DOD workforce, attended by over 350 individuals.

The UDPMO team is immediately notified of all incidents involving the release of classified national security information and CUI in the public domain. Notifications to UDPMO include the release or enabled theft of information relating to any defense operation, system or technology determined to be classified national security information or CUI.

The team is also alerted to incidents of classified information or CUI disclosed to an unauthorized person or persons resulting in an individual’s administrative action, referral for criminal or counterintelligence investigation, or the suspension or revocation of a security clearance.

“Everyone has a civic duty to say something if they see an unauthorized disclosure,” said Rovnak. “If they report it to us, we can work to mitigate it, but I need to be informed. It’s crucial to report a potential unauthorized disclosure to the appropriate authorities.”

When UDPMO receives a confirmed report of unauthorized disclosure in the public domain, the team submits a crime report to the Department of Justice. Included in the report are findings from a preliminary inquiry conducted by the affected component; a damage and impact assessment; and a media leaks questionnaire for the unauthorized disclosures appearing in the media.

In terms of reporting unauthorized disclosures, the DOD Whistleblower Protection allows individuals to report information they reasonably believe provides evidence of a violation of any law, rule, or regulation, gross mismanagement, a gross waste of funds, abuse of authority, or a substantial danger to public health and safety to designated officials via specific channels.

Additional information regarding DoD Whistleblower Protection is available on the DoD Inspector General website at www.dodig.mil. Those making contractor disclosures in response to Federal Acquisition Regulation clause 52.203-13 – Contractor Business Ethics Compliance Program and Disclosure Requirements – can find relevant instructions at www.dodig.mil/Programs/Contractor-Disclosure-Program. The differences between unauthorized disclosure and protected whistleblowing are further clarified at https://www.cdse.edu/Training/Toolkits/Unauthorized-Disclosure-Toolkit/.