This spring, Americans have read leaked details from inside the Situation Room. We have read internal White House emails warning staff not to talk to reporters; emails that were themselves leaked. We have read about Signal threads containing operational plans, and about classified maps shown to unauthorized eyes. The Justice Department has issued subpoenas to reporters covering the war in Iran. Two intelligence officials have already been referred for criminal charges. A third referral is on the way.
You may read those headlines and share the president’s frustration. Leaks of national security information are not journalism; they are a breach of trust that can put service members, allies and intelligence sources in harm’s way. Pursuing the leaker is reasonable. So is asking why our most sensitive information seems to walk out the door faster than ever.
But before we settle on subpoenas and prosecutions as the only answer, it is worth stepping back and asking a different question.
One that does not depend on which party holds the White House.
Why does sensitive data keep escaping in the first place?
Every administration in recent memory has faced this problem. The Obama White House aggressively pursued leakers. So did the first Trump administration. So did the Biden administration. So is this one. Different presidents, different politics, but one identical outcome: classified and sensitive information ends up in the press, in foreign capitals, or in the wrong inbox — and our response is always reactive. Find the leaker. Punish them. Hope it deters the next one.
It rarely does.
This is not just a United States government problem. The Ponemon Institute’s most recent insider risk study found that North American companies now spend an average of $19.5 million a year cleaning up after insider incidents — and that 55% of those incidents trace not to malicious actors but to ordinary employees making ordinary mistakes: a careless forward, an attachment sent to the wrong distribution list, a file shared with a contractor who should never have had it. The remainder are deliberate, and they can be devastating.
Just days ago, the Securities and Exchange Commission unsealed charges in an alleged insider trading ring that ran for years inside a major U.S. law firm, where confidential deal files — draft merger agreements, board presentations, signing checklists — were accessed and tipped to traders ahead of more than a dozen pending transactions, including iRobot, Citrix, Qualtrics and NextGen Healthcare.
The United Kingdom’s Financial Conduct Authority recently found that nearly 40% of takeovers of U.K.-listed companies were reported in the press before the deal was announced. A single FCA review found that on a typical large bank transaction, between 250 and 450 people had access to material non-public information. The corporate sector has spent decades building access controls, signing non-disclosure agreements and training employees, and yet the leaks keep coming.
The pattern is the same in both worlds. We protect the perimeter. We trust the people inside it. And we hope for the best.
When the leak happens (and, eventually, it always does) we are left chasing it after the fact. Forensic teams conduct internal investigations; grand juries pore over the evidence; subpoenas are issued to reporters who, in a free society, should be the absolute last resort. By then, the damage is done. The story has run. The deal has moved. The source has been compromised. We spend enormous resources determining who leaked, when the better question is why the data was leakable in the first place.
Here is the simple thought experiment I have been putting to colleagues on both sides of the aisle: What if sensitive data could protect itself?
What if the cable from the Situation Room could only be opened by the eight people cleared to see it — and would refuse to open for anyone else, on any device, in any inbox, anywhere in the world? What if access could be revoked instantly, after the fact, the moment a leak was suspected? What if every attempted open were logged automatically, so investigators did not need to subpoena reporters’ phone records to find a source — the data itself would tell them who tried to read it?
This isn’t a future we have to wait around for. It is already possible today, with open standards.
The Trusted Data Format (TDF) is one such standard. It originated in the U.S. intelligence community, was published as an open specification, and is now being adopted by the U.S. DoD, allied governments, and by commercial enterprises that have grown tired of being one careless forward away from a front-page story. The premise is straightforward: protect the data itself, not just the network it sits on. Wrap policy directly around the file, the email, the message. Let the data carry its own rules wherever it goes.
I deliberately say “open standard” rather than name any particular company. The case for this approach is not about a product. It is about a principle: sensitive data belongs to the institution that created it, and the owner — not the network, recipient or platform — should decide who can read it, for how long and under what conditions. That is the principle of sovereignty applied to information, and it should be uncontroversial.
It is also good policy. An administration that took data-centric security seriously could prevent the next Situation Room story before it was written, without subpoenaing a single reporter or testing the First Amendment. The leaked document would simply not have been accessible by the leaker.
Republicans and Democrats alike should embrace this approach because it reduces the attack surface of every agency we run, every classified program we oversee, every diplomatic conversation we hold. Corporate boards should also embrace it because the alternative — perimeter security plus litigation — is not working. Forty percent of U.K. deals leaking before announcement is a trend that requires a re-examination of data security architecture.
The technology is not the hard part. It exists today, in off-the-shelf software. It runs in Outlook and Gmail and on every major cloud. The hard part is admitting that the way we have protected our most sensitive information for the last 40 years — by trusting the perimeter and prosecuting the leaker after the fact — is a strategy that, by its own metrics, is failing.
The president is right to be angry about leaks. Every president before him has been. But prosecuting leakers is the wrong answer to the right problem. The leaker was never the vulnerability. The architecture was. And unlike a leaker, architecture can be fixed.
The Trump administration did not create this problem. It inherited forty years of it. But it does have something no previous administration has had: a solution, sitting right in front of it.
This administration has the rare opportunity to be the last one that ever has to chase a leaker, because it can choose to be the first one that makes it impossible for a leaker to hide.
Angel Smith is president of global public sector at Virtru.
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
