Where was IT? On Saturday, April 30, the Pentagon released an unclassified version of its report on a March 4 incident in Baghdad, in which an Italian intelligence agent, Nicola Calipari, was shot and killed by U.S. troops at a checkpoint. The unclassified document was an Adobe Acrobat file, with sections containing classified information blacked out. But for anyone who downloaded the document, discovering what was behind that electronic black ink was trivial. In fact, it was practically unavoidable. And by Monday, that classified information was everywhere.
So where in blazes was IT?
Protecting confidential data in electronic form is certainly part of IT's job. The software that military censors used to black out those documents came from IT. IT should have made sure everything worked as planned. Instead, sensitive information such as military rules of engagement became public knowledge.
Let's be clear: Breaking through the black ink over that classified text didn't require hacking through encryption or using some special tool. If a reporter simply opened the file using the standard version of Acrobat Reader, then cut and pasted the text into any word processor, the blacked-out text would reappear.
And reporters don't like retyping if they can simply cut and paste. Besides, cutting and pasting guaranteed that the report would be quoted accurately. So of course many of them cut and pasted and saw the classified information; they'd have had to work hard to avoid it.
And so did anyone else -- friend or foe -- who downloaded the report.
So where was IT? Why didn't the military censors have the right tools to remove that classified information, not just cover it up? Why wasn't a standard process followed for confirming that the classified information was removed? Those are questions the Pentagon is asking now.
They're questions people in corporate IT should be asking, too.
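One way to run the confirmation step asked about above, as an added example that is not from the original column: a Python check that reads the text still stored in a PDF's content streams and reports any redacted term that survives under a drawn-over black box. The sample PDFs, the term CHECKPOINT-ALPHA and the helper names are constructed for illustration, and the check reads only literal strings in uncompressed or Flate-compressed streams.

```python
import re
import zlib

# Each stream with the dictionary in front of it (simple, non-nested dictionaries only).
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)endstream", re.S)
# PDF literal strings, such as the operand of "(text) Tj".
STRING_RE = re.compile(rb"\((?:\\.|[^\\()])*\)", re.S)

def text_layer(pdf_bytes):
    """Return the text held in literal strings of every stream in the file."""
    parts = []
    for header, body in STREAM_RE.findall(pdf_bytes):
        if b"/FlateDecode" in header:
            try:
                # decompressobj tolerates the end-of-line left before "endstream"
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                raise ValueError("unreadable stream: cannot confirm redaction")
        for s in STRING_RE.findall(body):
            parts.append(re.sub(rb"\\(.)", rb"\1", s[1:-1], flags=re.S))
    return b" ".join(parts).decode("latin-1")

def leaked_terms(pdf_bytes, redacted_terms):
    """List the redacted terms that are still recoverable from the file."""
    text = text_layer(pdf_bytes).lower()
    return [t for t in redacted_terms if t.lower() in text]

def make_pdf(content, compress=False):
    """Constructed sample: wrap one page content stream in a minimal PDF object."""
    body = zlib.compress(content) if compress else content
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< " + filt + b"/Length %d >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj\n%%EOF\n")

# Constructed sample data: the same page with the text covered, then actually removed.
TERMS = ["CHECKPOINT-ALPHA"]
BLACK_BOX = b"0 0 0 rg 190 695 130 16 re f\n"  # black rectangle painted over the text
PAGE = b"BT /F1 12 Tf 72 700 Td (Unit was posted at CHECKPOINT-ALPHA) Tj ET\n" + BLACK_BOX
COVERED = make_pdf(PAGE)
COVERED_FLATE = make_pdf(PAGE, compress=True)
REMOVED = make_pdf(b"BT /F1 12 Tf 72 700 Td (Unit was posted at) Tj ET\n" + BLACK_BOX)

if __name__ == "__main__":
    for name, pdf in [("covered", COVERED), ("flate", COVERED_FLATE), ("removed", REMOVED)]:
        print(name, leaked_terms(pdf, TERMS) or "clean")
```

The check fails closed on a stream it cannot read. Files that encode text through custom font mappings need a full PDF library before a clean result can be trusted.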
How often do people in your company send out sensitive information, thinking it's not there because they can't see it? Every time they e-mail a Word document. Or an Excel spreadsheet, or PowerPoint presentation, or documents in any of a variety of other formats. Those users may have deleted that information from the visible document, but it might still be in the file.
It can't always be made visible with a simple cut and paste. But it's there. And with a little effort by an unfriendly party, it can be seen.
Maybe you knew that. But your users probably don't. So your company's salesmen, marketing people, lawyers and public relations reps may be revealing sales quotes, product plans, legal strategies and other information they don't intend to. Executives may be giving away business strategy or closely held financial data.
Where is IT in all this? Protecting this stuff is what we do. We should be front and center, helping users to avoid leaking secrets. Sure, we also have to deal with worms and hackers and other threats. But we can't let users fall through security cracks -- especially when that's exactly what users are trying hard not to do.
So talk to your users, especially the ones who send documents outside the organization. Explain the problem. Suggest work-arounds, such as converting documents to a different format and then back to the one they prefer. Listen to their objections. Work with them to find a practical way to protect their confidential information.
This time, IT isn't the users' enemy, enforcing security rules they don't like. We can be their ally, helping users protect information they don't want to make public.
For once, we can stand shoulder to shoulder with users on the front lines of information security.
Which is right where IT should be.