The Pentagon thinks this article is a threat
A little-known task force monitors "unauthorized disclosure" of even unclassified information.
The little-known Unauthorized Disclosure Program Management Office (UDPMO), created in the wake of leaks by Chelsea Manning and Edward Snowden, is trying to control everything. The office now seems to think that it not only has the responsibility to thwart unauthorized disclosure of classified information but also to monitor unclassified information in the news media or on the Internet. What is more, because it is newly focused on unclassified information, it now asserts that former Pentagon officials, service members, civilians and contractors have an obligation to clear all their writings with officials (forever), a restriction previously only applied to the CIA and the intelligence agencies. Talk about mission creep, or just creep.
UDPMO is part of the Defense Counterintelligence and Security Agency (DCSA), under its Defense Insider Threat Management and Analysis Center. Its current chief, Henry Nelson, recently described his responsibilities in their internal magazine. The release of classified information and/or controlled unclassified information in the public domain, he says, constitutes a security breach. “Public domain includes and is not limited to podcast, print articles, internet-based articles, books, journals, speeches, television broadcasts, blogs, and postings.”
In reading the news or surfing the Internet, DOD personnel, he says, must immediately report unauthorized disclosures to their security manager. The security manager then forwards the discoveries to the regional “insider threat” office, which then forwards them to UDPMO.
“When unauthorized disclosures and topics of concern are publicized in the media,” Nelson said, “we release alerts to UDPMO community program managers throughout DOD who are taking proactive steps to prevent unauthorized disclosures.”
Those proactive steps include spying on the 3-plus million DOD personnel and contractors to find the responsible individual who might be behind the leak (disclosure), either inadvertently or intentionally. Once a report is validated, UDPMO submits a crime report to the Department of Justice. According to the Office, included in the report “are findings from a preliminary inquiry conducted by the affected component; a damage and impact assessment; and a media leaks questionnaire for the unauthorized disclosures appearing in the media.”
What constitutes an unauthorized disclosure – what information is of danger – is vague beyond relevance. Executive Order 13556, signed by President Obama on November 4, 2010, after the Chelsea Manning leaks, established the category of “Controlled Unclassified Information (CUI)”. The Pentagon currently defines Controlled Unclassified Information as “Government created or owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure.” And just what is it? The 34-page Defense Department CUI Registry provides an official list of categories used to identify types of information. Suffice it to say that it’s everything and anything. Which means nothing.
After Edward Snowden leaked his many thousands of documents, the “insider threat” apparatus grew further. On December 16, 2016, the Pentagon realigned the WikiLeaks-oriented UDPMO under the investigative Defense Security Service, which is now DCSA. No longer just a task force assessing damage, UDPMO became an operational agency, finding new ways “to improve the identification, investigation, tracking, and reporting of UDs.” Its goal? “driving out anonymity and determining attribution of responsible parties, enhancing enterprise audit capabilities, strengthening access controls, and supporting insider threat mitigation monitoring activities.”
As UDPMO started to focus on unclassified information, the effects were electric. In the first year as Program Manager, UDPMO saw a 2100 percent increase in annual reporting of unauthorized disclosures. More than 99 percent of all reported disclosures were trivial or non-threatening, though the vague categories of what security monitors were looking at expanded to include not just classified and CUI disclosures, but also information relating to “topics of concern.” Manning and Snowden were firmly in the rearview mirror, but a decade later, the mechanism of internal spying – and the supposed “threat” from unauthorized disclosures of unclassified information – has flourished.
Now, program manager Nelson thinks that Manning and Snowden are licenses to attempt to control even more. In June 2022, he said: “These cases are a reminder to all DOD civilians, contractors and military personnel of their lifelong responsibility to protect and safeguard information. Current and former government, military and contractor personnel with present or prior access to DoD information or facilities must submit materials intended for public release for review and clearance when those materials may contain classified or CUI information to include any work relating to military matters, national security issues or subjects of significant concern to DOD in general.”
What is Nelson saying? Evidently he is asserting that anyone who is or was associated with the military has a lifelong responsibility to submit their writings for pre-publication review. These are rules that previously only related to intelligence community personnel who had access to “sensitive compartmented information” and who had signed non-disclosure agreements.
Though the insider threat apparatus thrives (more about that later), “controlled unclassified information” as a marking on documents has yet to catch on. (“For Official Use Only” and other restricted markings still dominate.) Also, there’s no sign whatsoever that the pre-publication power grab has any teeth or relevance (not yet). But the mechanism of internal surveillance – better clearance processes and credentials, user activity monitoring on networks, cutting off a miscreant’s ability to remove information from networks, and continuous vetting of employees – ever grows. Artificial intelligence is increasingly being applied to check on people’s lives and transactions, looking for signs of nefarious activity or even discontent. It’s currently only intended for the three million, but the methods and capabilities are coming to you and your company. It’s just a matter of when.