
By Chuck Gallagher — Business Ethics Keynote Speaker and Trainer
TL;DR: In GAO report 26-107492 (October 2025), the Government Accountability Office found that Department of Defense components manage digital footprint risk through fragmented policies scattered across OPSEC, counterintelligence, cybersecurity, and mission assurance — with no single owner. Chuck Gallagher, business ethics keynote speaker, argues that policy fragmentation is an ethical leadership failure, not a bureaucratic one, because it lets every individual leader off the hook while the organization bleeds intelligence.
A contracts director I worked with last year told me something I have not been able to shake. His company had just discovered that a mid-level marketing manager had published a case study on the firm’s website that named a specific defense customer, described the technology delivered, and included a photograph of the installation team. Four internal groups had technically had the authority to stop it. None of them did. When I asked him who was accountable, he paused, then said, “Everybody and nobody. That is the whole problem.” That sentence is the entire GAO report, compressed.
GAO 26-107492, released in October 2025, examined ten DoD components and reached a finding that should have every defense contractor and federal program leader paying close attention. Most components manage public data risks primarily through OPSEC guidance, while counterintelligence, mission assurance, insider threat, and cybersecurity operate on separate tracks. Eight of the ten relied heavily on OPSEC assessments with minimal input from the other disciplines. The Defense Industrial Base — the contractor ecosystem — faces the same exposure with even fewer resources to address it.
Why shared responsibility collapses into nobody’s responsibility
As a business ethics keynote speaker, I have watched this exact pattern produce federal investigations, False Claims Act cases, and cultural collapses across industries. When responsibility is split across four groups and nobody owns the outcome, each group defaults to defending its own boundary. Counterintelligence says the posting decision is an OPSEC matter. OPSEC says the classification decision was a public affairs matter. Public affairs says the approval routing was a cybersecurity matter. Cybersecurity says the human judgment call was a counterintelligence matter. Meanwhile, the post goes live. Meanwhile, the contract award announcement lands on LinkedIn with specifications that used to require a clearance to know.
This is not a paperwork problem. This is a moral diffusion problem, and it has a name in behavioral ethics: the bystander effect. The presence of multiple potential responders reduces the likelihood that any one of them will act. Organizations solve that in every other domain through clear ownership. We do not run financial controls this way. We do not run safety programs this way. Yet the GAO is documenting, in 2025, that one of the fastest-growing attack surfaces in national defense is still being managed as if the bystander effect does not apply to institutions.
The contractor side of this equation is especially fragile. Defense Industrial Base companies face nearly identical exposure without the staffing depth of a federal component. Overly detailed job descriptions. Marketing case studies. Cloud-hosted collateral indexed by search engines. Founder LinkedIn activity. Photos from industry events. Contract award press releases that name the customer, the program, the technology, and the timeline. When I walk through a contractor’s full public surface area with their leadership team, the reaction is almost always the same: they had no idea how much they were broadcasting, because no single person in the company had ever been asked to look at the whole picture.
What the GAO is really asking leaders to change
The GAO report recommends seven operational steps — map your digital footprint, classify information at the point of creation, build governance workflows that route content through multi-disciplinary review, monitor endpoints, conduct cross-functional assessments, train personnel on the exploitation chain, and establish continuous monitoring. Those are useful. But every one of them assumes something the GAO does not state outright: that a single accountable leader exists to force the cross-functional conversation. Without that leader, the seven steps become seven more silos.
I have argued on ChuckGallagher.com that the most dangerous phrase in any defense contracting environment is not “we are fine.” It is “someone else is handling that.” Those five words have preceded every major ethical failure I have studied. They produce a kind of clean-handed comfort that feels like responsibility but functions as its opposite. When leaders permit that phrase to exist in the culture, they are not delegating. They are abdicating. And the moment that abdication meets an aggregated adversary intelligence picture, the consequences stop being internal.
There is a Public Affairs dimension to this that deserves specific attention. The GAO recommends integrating PA teams into security governance not as a final reviewer, but as an embedded participant in risk prevention. That is exactly right, and it is exactly what most organizations will get wrong. Embedding means PA is at the table when the decision is made, not after. It means PA professionals are trained to see their own content the way an adversary sees it. It means the photograph, the press release, and the installation video are evaluated as intelligence artifacts first and communications artifacts second. As a business ethics keynote speaker, I would put the strongest possible recommendation in front of every defense contractor leader reading this: the next person you promote into public affairs or marketing should be someone who thinks like a counterintelligence officer first and a storyteller second. Reverse that order, and you will find yourself on the next GAO report.
Frequently Asked Questions
What does the GAO mean by “policy fragmentation” in the digital footprint context? In GAO 26-107492, policy fragmentation refers to the finding that DoD components manage digital exposure through separate, uncoordinated tracks — OPSEC, counterintelligence, mission assurance, insider threat, and cybersecurity — with minimal cross-functional integration. Eight of the ten components examined relied heavily on OPSEC assessments alone, creating a false sense of confidence while leaving significant risks unmonitored by the other disciplines.
Why are defense contractors at higher risk than federal components? Defense Industrial Base contractors face the same adversary aggregation techniques but typically operate with smaller security staffs, fewer internal review functions, and more market-driven pressure to publish case studies, job listings, and marketing material. Chuck Gallagher, business ethics keynote speaker, notes that contractors often become the most efficient adversary entry point into the broader defense ecosystem because their public surface area is larger and their governance is thinner.
What is the single most important change a defense organization can make right now? Assign one accountable leader — by name, not by committee — for the organization’s total digital footprint, with authority to convene counterintelligence, cybersecurity, public affairs, OPSEC, and mission assurance around every major publishing decision. The GAO findings show that shared responsibility without a single owner reliably produces the bystander effect, where four teams assume a fifth team is watching and none actually are.
How should Public Affairs teams be integrated into security governance? The GAO recommends embedding Public Affairs as a participant in risk prevention, not as a final approver. In practice, that means PA professionals should be trained in adversary tradecraft, should sit at the table when publishing decisions are made, and should evaluate every photo, press release, and case study as an intelligence artifact before evaluating it as a communications artifact. Reversing that order is how most exposure incidents begin.
What ethical standard should contractors apply to marketing and recruiting content? Contractors should apply an aggregation test: assume an adversary will combine this content with every other public data point already available about the company, the customer, and the program. If that combined picture reveals capability, relationships, routines, or technology specifics beyond what was already public, the content should be revised or withheld, regardless of the marketing or recruiting benefit.
Your turn to weigh in
I would like you to tell me what you are seeing inside your own organization. Is there a single named human being accountable for your total digital footprint, or is it spread across four teams who each assume another team has it covered? Drop a comment below and describe the governance reality where you work — not the org chart, the reality. I read every comment and I reply personally. Before you do, here are five questions worth sitting with before you write.
Five Questions for Further Thought and Consideration
- Who in your organization has the authority and the accountability to stop any public content from being published — and do your teams actually know their name?
- When was the last time counterintelligence, cybersecurity, OPSEC, and public affairs sat in the same room to review a single piece of outbound content?
- If a contracts director told you today that “everybody and nobody” is responsible for your public exposure, what would your first action be tomorrow morning?
- Does your marketing and recruiting function understand adversary tradecraft, or are they operating on pure communications instincts?
- What would change in your governance if you treated every outbound post as an intelligence artifact first and a communications artifact second?
Related Articles:
The Ethics of Aggregation: Why Harmless Posts Become Intelligence
Defense Contractor Ethics: When Shared Responsibility Becomes No Responsibility
