Does “Mission Critical” ever justify violating computer security rules?

Like clockwork, every two months my office receives a security clearance denial or revocation case for an individual accused of violating computer security rules. Breaches typically come in one of three forms: sharing computer passwords or security codes with a colleague; allow a colleague to perform work connected to a computer system as someone else; or temporarily disable or circumvent security features such as firewalls in order to accomplish an otherwise legitimate purpose.

Critical Password Sharing – Is It a Thing?

In the vast majority of these cases, the defense asserted by the individual is that their actions were “mission essential” and should therefore be excused. It sounds compelling in theory, but in practice it rarely ends well. Why? Because the mission critical objective the individual was trying to accomplish wasn’t so critical after all.

I say none of this to judge someone who acted in good faith, subjectively believing that their actions were reasonable and necessary in the circumstances. Unfortunately, the law most often assesses conduct using an objective standard: whether an ordinary, reasonable fictitious person would also have considered the conduct necessary in the circumstances.

What about an emergency?

There are certainly times of emergency when an ordinary, reasonable person may feel compelled to violate computer security rules to accomplish the mission. However, these are few and far between. In such a case, a security clearance holder who thinks they “have no choice” but to violate computer security rules to achieve an objective should first ask themselves this question: what’s the worst that will happen if I don’t?

If the worst that can happen is that someone suffers serious bodily injury or dies because of your inaction; there is a not remote probability of it actually happening that you can demonstrate retroactively; and the security breaches caused or threatened by your actions do not outweigh the benefits – so I dare say the conduct is probably forgivable as genuinely mission critical. Keep in mind, however, that these are very factual scenarios and no one – including your author – can promise or guarantee forgiveness. Generally speaking, think of “shooting down an incoming missile” or “giving vital intel to a unit trapped behind enemy lines”.

If, on the other hand, the worst that can happen is a delay, an upset supervisor, or literally just about anything else besides serious bodily injury or death, I box promise that a “mission-critical” evaluation right now is unlikely to age well.

Regardless of the situation, the bar is set very high to prove that breaching IT security rules was a forgivable transgression. It’s almost always better to find another way to achieve the goal, even if it takes longer or is less efficient.

This article is intended to provide general information only and should not be construed as legal advice. Although the information is believed to be accurate as of the date of publication, no warranty is offered or implied. Laws and government policies are subject to change, and the information provided here may not provide a complete or up-to-date analysis of the subject or other relevant considerations. Consult an attorney regarding your particular situation.

Comments are closed.