@amlove21
Gonna caveat that this information is available to anyone with web access, so it's nothing special.
The information must fall within one or more of the categories of information listed in E.O. 13526,Sec. 1.4. These are the eight categories of information eligible for classification:
(a) Military plans, weapons systems, or operations
(b) Foreign government information
(c) Intelligence activities (including covert action), intelligence sources or methods,
or cryptology
(d) Foreign relations or foreign activities of the United States, including confidential
sources
(e) Scientific, technological, or economic matters relating to national security
(f) U.S. Government programs for safeguarding nuclear materials or facilities
(g) Vulnerabilities or capabilities of systems, installations, infrastructures, projects,
plans, or protection services relating to national security
(h) The development, production, or use of weapons of mass destruction.
And if you click
here, page 16 and 17 are great reading for what information would qualify for classification.
As
@AWP pointed out, a system HAS to be accredited for CUI. For example, accessing OWA from your personal laptop and pulling up emails with PII is an absolute no-go. All that U//FOUO stuff everyone use to keep on their personal laptop...not authorized. Accessing SIGNAL from your government phone, also not authorized because SIGNAL isn't accredited. At worst, this whole issue is classified collateral secret, and at best, it's an unauthorized disclosure of CUI. You cannot convince me otherwise that this is unclassified information and fit for the public domain. Bottom line, it's a spill.
INFOSEC is a game of risk mitigation, and ultimately, risk acceptance. You brought up earlier the hypothetical operational environment overseas and the methods and resources you could be stuck with to get the mission done. If you don't figure out, you fail. Risk accepted. Got it. I 100% understand the circumstances and that the environment dictates the COA. The problem is this isn't that. If I was the security manager responsible for that office I would be throwing shit across the room right now. The response that SECDEF gave is absolutely not how you make this go away, now look where they're at.
The journalist, love him or hate him, held all of the cards. And continues to do so. So...SECDEF comes out, smirks on camera and begins to shit all over this dude's character, stating this was all fake news, he can’t be trusted, etc. After all of that, he simply ends it with "nobody was texting war plans". The WORST thing you could ever possibly say is "I can neither confirm nor deny" because all you're doing is confirming. You simply say, I know nothing about that. By ending that interview with that statement he confirmed the message chain existed. Good job. And then by shitting all over this guy, he’s angry. Then the administration starts to double down saying everyone was fine and that no classified information was released and OPSEC wasn't violated. And just so we’re clear, OPSEC is a method of analysis to identify critical information. You can't tell me with a straight face that hit times and operational resources on an upcoming strike aren't classified, or even OPSEC. Anyways, now they say the info was good for public release, because it wasn’t the above, he releases it…
The appropriate response to this shit is “hey, we know an individual might’ve made it into a chat thread where sensitive information may have been revealed. We’re looking into it and will conduct a full analysis. We will make a determination on how to move forward following the results of that analysis.”
AND THEN YOU FLY SOMEONE TO THE FUCKING JOURNALIST AND TAKE HIS PHONE and then you figure out how far it went. And then you slap an NDA in fucking front of him and say sign. And then we take a second, breath, and move on. You don’t make it a point to call this dude out so he doubles down on the story.
SECDEF is way out of his element and I think the mountain he needs to climb to get there is just too steep.
ETA: And do I think the conversation should've been had on Signal? No, I don't, but I get it. The risk of compromise to the mission was minimal, if not non-existent, and they accepted that risk. I believe they are in positions to do that. The introduction of extreme risk came when they introduced homeboy to the chat. The thing that pisses me off the most isn't what happened, but how it was handled, or rather, wasn't handled.
ETA2: This would've been over had this been the initial response.