Security Policy Board Logo

 

 

REDEFINING SECURITY

 

 

 

A Report to the

Secretary of Defense

and the

Director of Central Intelligence

 

 

 

 

 

February 28, 1994

 

Joint Security Commission

Washington, D.C. 20505

 

 

 

Joint Security Commission

Washington, D.C. 20505

 

 

February 28, 1994

 

The Honorable William J. Perry

Secretary of Defense

Pentagon

Washington, D. C. 20301

 

The Honorable R. James Woolsey

Director of Central Intelligence

Washington, D. C. 20505

 

Dear Sirs:

 

1. Pursuant to your request, the Joint Security Commission was convened on June 11, 1993. The Commission was guided by your direction to develop a new approach to security that would "assure the adequacy of protection within the contours of a security system that is simplified, more uniform, and more cost effective."

 

2. This report presents the recommendations of the Joint Security Commission to achieve these objectives and to redefine security policies, practices and procedures. The report describes the threats to our nation's security and lays out a vision the Commission believes will shift the course of security philosophy. We also propose a new policy structure and a classification system designed to manage risks better, and we outline methods of improving government and industry personnel security policies. We offer recommendations on developing new strategies for achieving security within our information systems, including protecting the integrity and availability of both classified and unclassified information assets, and we call for a new approach to capture security costs. We provide recommendations for linking traditional physical and technical countermeasures to threat. We believe that implementation of these recommendations will result in a security system that will meet the evolving threat while being fairer, more coherent, and more cost effective.

 

3. In reaching its conclusions and recommendations, the Commission drew upon the perspectives of policymakers, Congress, the military, industry, and public interest groups. Although our charter was limited to a review of the Intelligence and Defense Communities, we found that many of the problems and solutions have government-wide implications. In those instances where we believe that a government-wide solution is the best answer, we have offered recommendations to that effect.

 

4. This report represents months of work by the Commissioners, our staff, and a vast number of citizens both in and out of government, who graciously gave us their time and comments. On behalf of the Commission, I would like to thank all who contributed to this effort and to give special recognition to our superb staff, headed so ably by Dan Ryan. Ultimately, of course, the Commissioners bear full responsibility for the analysis and recommendations contained herein.

 

5. As you have directed, the Commission will remain in place until June 1, to assist in the implementation of our recommendations. We look forward to working with you to achieve the objectives you have laid before us.

 

 

Very respectfully,

 

Jeffrey H. Smith

Chairman

 

Attachment

 

 

EXECUTIVE SUMMARY

 

 

 

 

The world has changed dramatically during the last few years, with profound implications for our society, our government, and the Defense and Intelligence Communities. Our understanding of the range of issues that impact national security is evolving. Economic and environmental issues are of increasing concern and compete with traditional political and military issues for resources and attention. Technologies, from those used to create nuclear weapons to those that interconnect our computers, are proliferating. The implications and impacts of these technologies must be assessed. There is wide recognition that the security policies, practices, and procedures developed during the Cold War must be changed. Even without the end of the Cold War, it is clear that our security system has reached unacceptable levels of inefficiency, inequity, and cost. This nation must develop a new security system that can meet the emerging challenges we face in the last years of this century and the first years of the next.

 

With these imperatives in mind, the Joint Security Commission has focused its attention on the processes used to formulate and implement security policies in the Department of Defense and the Intelligence Community. In reviewing all aspects of security, the Commission has been guided by four principles:

 

o Our security policies and services must realistically match the threats we face. The processes we use to formulate policies and deliver services must be sufficiently flexible to facilitate change as the threat evolves.

 

o Our security policies and practices must be more consistent and coherent, thereby reducing inefficiencies and enabling us to allocate scarce resources effectively.

 

o Our security standards and procedures must result in the fair and equitable treatment of those upon whom we rely to guard the nation's security.

 

o Our security policies, practices, and procedures must provide the needed security at a price the nation can afford.

 

The recommendations of the Commission, presented in detail in this report, fall mainly into three categories:

 

(1) recommendations that will maintain and hopefully enhance security, but at a lower cost by avoiding duplication and increasing efficiency;

 

(2) recommendations that will reduce current levels of security but in accordance with risk management principles based on a changing threat; and

 

(3) recommendations that will create new processes to formulate and oversee security policy governmentwide.

 

In a very few cases-most notably concerning personnel security and information systems security-the Commission is recommending additional security requirements that will increase costs. The Commission's recommendations also include changes that are revenue neutral but will make the security system both more rational and inherently more fair. Although the Commission is recommending certain specific changes, the primary concern of the Commission is to create new and flexible processes that will adjust security policies, practices, and procedures to achieve our stated goals as the political, economic, and military realities evolve.

 

In the past, most security decisions have been linked one way or another to assumptions about threats. These assumptions frequently postulated an all-knowing, highly competent enemy. Against this danger, we have striven to avoid security risks by maximizing our defenses and minimizing our vulnerabilities. Today's threats are more diffuse, multifaceted, and dynamic. We also know that some vulnerabilities can never be eliminated fully nor would the costs and benefits warrant trying. While the Commission recognizes that the consequences of some security failures are exceptionally dire and require exceptional protection measures, in most cases it is possible to balance the risk of loss or damage of disclosure against the costs of countermeasures. We can then select a mix that provides adequate protection without excessive cost in dollars and without impeding the efficient flow of information to those who require ready access to it. The Commission believes that the nation must develop a security framework that will provide a rational, cost-effective, flexible set of policies, practices, and procedures. This framework must use a risk management approach that considers actual threats, inherent vulnerabilities, and the availability and costs of countermeasures as the underlying basis for making security decisions.

 

Risk management requires evaluating the resource impact of proposed changes in security policies and standards. This is practically impossible with today's accounting systems because they are not designed to collect security cost data. The Commission believes that establishing a system to capture security costs is crucial to effective streamlining and cost reduction. Therefore, we have recommended the creation of a uniform cost-accounting methodology and tracking system for security resources expended by the Department of Defense, the Intelligence Community, and supporting industry.

 

The Commission believes two areas require particular attention. First, personnel security lies at the very heart of our security system. No amount of physical, information systems, or procedural security will be sufficient if we cannot ensure the trustworthiness of those who must deal with sensitive and classified information. Grave damage has been caused to the United States by current or former employees and contractors of the government who decided to become spies for our adversaries. Therefore, the Commission believes that renewed efforts must be made to strengthen our personnel security system. The Commission also recognizes the necessity for enhancing the training we provide security officers, managers, and workers in the importance of security and of their roles in protecting the nation's information assets.

 

The processes we use to clear personnel in the Defense and Intelligence Communities vary widely from agency to agency. Different standards are applied by different agencies; clearances are not readily transferable; and the time to grant a clearance ranges from a few weeks in one agency to months in others. Accordingly, we recommend common standards for adjudications and a joint investigative service to standardize background investigations and thus take advantage of economies of scale.

 

Second, information systems security requires increased attention. Productivity is, in today's world, directly related to information systems and their connectivity. The Defense and Intelligence Communities are increasingly dependent on information systems in performing their complex missions on behalf of the nation. Information systems technology is, however, evolving at a faster rate than information systems security technology. Overcoming the resulting gap will require careful threat assessments, well-thought-out investment strategies, sufficient funding, and management attention if our computers and networks are to protect the confidentiality, integrity, and availability of our classified and unclassified information assets.

 

The Commission believes that a systems approach is necessary in making decisions about the application of security countermeasures. By placing all the responsibility for security on each of the security disciplines, we have created requirements for multiple layers of security that add little value. This is particularly apparent in physical security, where classified documents may be stored in locked containers inside locked strong rooms within secure buildings in fenced facilities patrolled by armed guards-overkill even at the height of the Cold War, much less in today's security environment. A risk-managed systems approach would tailor countermeasures to threat and should result in significant savings that could be applied to improving personnel and information systems security, or to maintaining or improving other areas directly related to successful performance of defense and intelligence missions.

 

Nowhere will the payoff from improving our security policies, practices, and procedures be higher than in the industrial base supporting the Defense and Intelligence Communities. Our current practices subject industry to a bewildering array of requirements that are compliance-based, inconsistent, and often contradictory. Security requirements imposed on industry far exceed the requirements used by government agencies and organizations to protect the same information. While some budgetary and proprietary information must be withheld from some contractors in order to preserve competition, the Commission has found little reason to treat industry differently from government for security purposes. We must create a partnership between government and industry to enhance security, leaving adversarial roles behind. The Commission also believes that our security policies must not unnecessarily discourage foreign investment in American companies nor unduly burden our industrial base in competing for a larger share of the world's markets.

 

Central to the Commission's recommendations is the immediate formation of a single organization-a security executive committee chaired by the Secretary of Defense (or his designee) and the Director of Central Intelligence-responsible for the creation of security policies and overseeing the coherent implementation of those policies across the Defense and Intelligence Communities. This committee would not, of course, supplant the existing statutory authorities of the Secretary of Defense and the Director of Central Intelligence, including the latter's responsibility to protect sources and methods. This committee would, however, replace numerous existing fora that today independently develop security policies and procedures that are often inconsistent and are sometimes contradictory. A single source for security policies should result in reciprocity with consequential reductions in cost and improvements in efficiency. Although it is outside the scope of our charter, the Commission also believes that this committee should, in the very near future, be expanded by the addition of representatives from other government departments and agencies and given the responsibility to formulate governmentwide security policies. The committee, which should report to the National Security Council, should oversee the security system and have an outside advisory panel of distinguished Americans to ensure that industry, academia, and public interest groups have a voice in the formulation of security policies.

 

To facilitate the formulation, implementation, and oversight of security policies, practices, and procedures, the Commission proposes a radical new classification system that greatly simplifies the current system and eliminates the subjectivity inherent in it. The Commission worked closely with the Task Force revising Executive Order 12356 on National Security Information in analyzing possible changes and their impacts, and determined that a single level of classification with two degrees of protection should be adopted. Most classified information would be protected using a coherent set of personnel, physical, information systems, and procedural security standards and would be based on discretionary need-to-know as currently practiced for Confidential and Secret materials. Highly sensitive information, such as that protected at the Top Secret, Sensitive Compartmented Information, or Special Access Program levels today, would be protected by using a more stringent set of standards and would be based on centrally managed need-to-know determinations. Application of this system will be founded on risk management rather than complete avoidance of all risk and would concentrate on security as a service to our communities in place of the compliance-based, punitive approach in use today.

 

The Joint Security Commission is pleased to present its recommendations for the creation of an improved process for the formulation, management, and oversight of security policies, practices, and procedures. We believe that implementation of this process and the coherent application of its results should ensure that security countermeasures are chosen to match the evolving threat and that inefficiencies and costs are minimized. The resulting security system would treat people fairly and provide a balanced mix of security needed to protect our information assets, facilities, personnel, and our nation's interests.

 

 

 

JOINT SECURITY COMMISSION

 

 

 

 

Recommendations

 

 

 

 

At the request of the Security Policy Board Staff, this page has been inserted to provide for an easy method of locating the 76 recommendations offered by the commission. The recommendations have been numbered and are listed here with their location in this copy of the report. Due to different presentation methods, the total number of pages varies between the printed report and this electronic version. There is no loss of data between the two versions.

 

 

 

 

 

Table of Contents

 

 

 

 

Chapter 1. Approaching the Next Century 1

Implementing the New Paradigm-Risk Management 3

 

Chapter 2. Classification Management 6

Classification-Driving Security 6

The Current Classification System-Cumbersome and Confusing 6

Special Access Programs-Lacking Faith in the System 7

A New System-Streamlined and Straightforward 8

A Simplified Controlled Access System 10

Limiting Use of Special Access Controls 11

Uniform Risk Criteria for Secret Controlled Access Information 12

Increasing the Flow of Data 14

Special Cover Measures 16

Security Oversight of Compartmented Access Programs 17

Classification Management Practices 18

Dissemination Controls-Impediments to Getting Intelligence into

the Hands of Customers 18

Sharing Classified Information 20

Billet and Access Control Policies 20

Secrecy Agreements 21

Declassification 22

Making the Classification System Really Work-An Integrated Approach

with Appropriate Oversight 24

Dealing with Sensitive but Unclassified Information 25

 

Chapter 3. Threat Assessments-The Basis of Smart Security Decisions 27

Asleep at the Wheel 27

A Wake-Up Call 29

 

Chapter 4. Personnel Security-The First and Best Defense 31

The Process Begins 31

Requesting a Clearance 31

Prescreening and Fairness 33

Forms and Automation-Ending the Paper Trail 34

Investigations-Assessing Trustworthiness 35

Investigative Requirements-Streamlining the Process 35

Continuing Evaluation-Reinvestigations and Safety Nets 36

Clearance Processing-Time Is Money 37

Adjudication 39

Adjudicative Standards and Criteria 39

DoD Adjudicative Facilities 40

Reciprocity 40

Procedural Safeguards 41

DoD Contractor Personnel 42

DoD Civilian Personnel 43

Differences and Comparative Advantages 44

Military Personnel 48

Special Access Approvals 48

The Polygraph 49

Background 49

Applications of the Polygraph 50

Recommendations 53

Oversight 54

Standardization 55

Training, Research, and Development 56

 

Chapter 5. Physical, Technical, and Procedural Security 57

Physical Security Standards 58

Facility Certification 59

Facilities, Containers, and Locks 59

Industrial Security Inspections 60

TEMPEST 61

Technical Surveillance Countermeasures (TSCM) 62

Procedural Security 63

Central Clearance Verification 63

Certification of Contractor Visits 63

Communitywide Badge Systems 64

Document Tracking and Control 65

Document Destruction 66

Document Transmittal 66

Operations Security 67

 

Chapter 6. Protecting Advanced Technology 69

Foreign Ownership, Control, and Influence 70

Foreign Exchange Agreements-The Status Quo 71

Threat Analysis-Vital to Protecting Advanced Technology 72

The National Disclosure Policy 73

Recording Foreign Disclosure Decisions 73

 

Chapter 7. A Joint Investigative Service 75

Personnel Security Investigations 75

Industrial Security 76

Establishment of a Joint Investigative Service 77

 

Chapter 8. Information Systems Security 79

The Threat to Information and Information Systems 80

Dated Policies 81

Failed Strategies 82

The New Information Systems Security Reality 83

Information Systems Security Policy for Tomorrow 83

The Investment Strategy for Information Systems Security 84

Research and Development-A Need to Consolidate 85

Infrastructure Security Management 86

Auditing Infrastructure Utilization 87

Managing the Risk to Information Systems 87

Emergency Response-The Need for Help 88

Information Systems Security Professionals 88

 

Chapter 9. The Cost of Security-An Elusive Target 89

Understanding Security Costs 89

Costs in Black and White 90

Visible and Invisible Security Costs 90

"There's No Way to Know How Much We're Spending on Security!" 91

Work to Date in the DoD 91

Intelligence Community Efforts 92

Capturing Security Costs in Industry 92

Moving Towards Consistency 93

Getting to the Bottom Line-The Payoff Is Long Term… 94

…With Up-Front Costs in the Near Term 94

The Bottom Line 95

 

Chapter 10. Security Awareness, Training, and Education 96

The Present 96

Training for the Future 96

 

Chapter 11. A Security Architecture for the Future 99

The Present 99

The Future 100

 

Endnotes 102

 

Appendixes 105

A. Statement of Commissioner Lapham on Secrecy Agreements 105

B. Statement of Commissioner Chayes on Procedural Safeguards 106

C. Statement of Commissioner Lapham on Polygraph 107

D. Acronyms 116

E. Acknowledgments 120

CHAPTER 1:

 

 

 

 

APPROACHING THE NEXT CENTURY

 

 

 

 

The first duty of government is to provide security for its citizens. This security takes many forms, including a strong military, a robust economy, and mutually beneficial international relationships. In a democracy, the people's security also depends on the health of the democracy itself. This, in turn, depends on the protection of democracy's processes and the careful maintenance of the balance between the right of the public to know and the government's responsibility to provide for security.

 

As the twentieth century nears its end, events require that the United States assess the basic assumptions and goals that guide the protection of government information, facilities, and people. Our preoccupation with the specter of nuclear annihilation has been reduced; the resources for national security programs are declining sharply; and the information age has irrevocably altered the way we do business. Concurrently, the continued preeminent role of the United States in world political, military, and economic affairs makes our government and industrial activities of major interest to foreign powers. In this environment, the security practices and procedures that developed from World War II until the 1990s require fundamental reexamination.

 

For some time, it has been recognized that the security system is fragmented, complex, and costly. The Infrastructure Report of the Community Management Review requested by then Director of Central Intelligence (DCI) Robert Gates labeled current security policies and practices as the "greatest deterrents to major savings in infrastructure," and recommended the creation of a DCI security commission to design and implement a new security system. The DCI's Task Force on Standards of Classification and Control Report, commonly known as the "Gries Report," called for revision of the classification and control system on the grounds that it was "unsuited to the geopolitical and fiscal realities . . . in the 1990s." The Gulf War reinforced the military's need to analyze and move vast amounts of information to distant theaters of operation. Industry has been concerned about the inconsistency and cost of current security practices and procedures. Congress is convinced that change is necessary.

 

The Secretary of Defense and the Director of Central Intelligence acknowledged these concerns and established the Joint Security Commission in May 1993. The Commission's task was to review security policies and procedures with three simple goals: (1) find what works and keep it; (2) determine what no longer works and fix it; and (3) identify what the future demands and implement it.

 

In the nine months since its creation, the Joint Security Commission has attempted to fulfill this task by conducting an extensive security review within the Department of Defense and the Intelligence Community. In doing so, the Commission sought not only the perspectives of policymakers, the Congress, industrial leaders, the military, and public interest groups but also the technical expertise of government and industry security personnel. Many will recognize their words and opinions in the text of this report and we acknowledge a debt of gratitude for their contributions. We also commend the many initiatives already underway-such as those instituted by the National Industrial Security Program and the DCI's Security Forum-to streamline and modernize the government's security policies and practices and to incorporate risk management strategies.

 

The Commission's considered opinion, however, is that these changes alone are not enough. The security system must not only overcome the inefficiencies of the past but also rise to the challenges of the future. It must be dynamic, flexible, and forward looking.

 

Nowhere is this more apparent than in the area of information systems and networks. The Commission considers the security of information systems and networks to be the major security challenge of this decade and possibly the next century and believes that there is insufficient awareness of the grave risks we face in this arena. The nation's increased dependence upon the reliable performance of the massive information systems and networks that control the basic functions of our infrastructure carries with it an increased security risk. Never has information been more accessible or more vulnerable. This vulnerability applies not only to government information but also to the information held by private citizens and institutions. We have neither come to grips with the enormity of the problem nor devoted the resources necessary to understand fully, much less rise to, the challenge. Fundamental and very tough questions are involved: What should the governmentUs role be in helping to protect information assets and intellectual capital that are in private hands? How should technology developed by the government to protect classified information be provided to the private sector for the protection of sensitive but unclassified information? Protecting the confidentiality, integrity, and availability of the nation's information systems and information assets-both public and private- must be among our highest national priorities.

 

The Commission believes that there are fundamental weaknesses in the security structure and culture that must be fixed. Security policy formulation is fragmented. Multiple groups with differing interests and authorities work independently of one another and with insufficient horizontal integration. Efforts are duplicated and coordination is arduous and slow. Each department or agency produces its own implementation rules that can introduce subtle changes or additions to the overall policy. There is no effective mechanism to ensure commonality.

 

The Commission believes that the complexity and cost of current security practices and procedures are symptoms of the underlying fragmentation and cannot be alleviated without addressing it. We, therefore, propose that a security executive committee be created to assume responsibility for the development and oversight of security policy for the US Government and to function as a continuing agent of change. We further propose that a security advisory board be constituted to interject a nongovernment and public interest perspective into government security policy. These proposals are described in detail in chapter 11.

 

Some other problems that we identify and discuss in this report are:

 

o Countermeasures are frequently out of balance with the threat. They have too often been based on worst-case scenarios rather than realistic assessments of threats and vulnerabilities.

 

o The classification system is cumbersome and classifies too much for too long. The zeal to protect information has sometimes inhibited the flow of information to those who need it.

 

o Personnel security is the centerpiece of the Federal security system, but current procedures are needlessly complex and costly. There are too many inconsistencies, too many forms, and too much delay.

 

o There are too many layers of physical security and they cost too much money. A facility's security may include multiple layers-fences, alarms, guards, security containers, access control devices, closed circuit television, locks, and special construction requirements-that are not necessarily needed.

 

o Large sums have been spent on technical security within the United States despite a minimal level of threat.

 

o Procedural security measures are not always effective. Elaborate record keeping procedures for document control are costly and can no longer be relied upon to deter compromise in the age of personal computers, facsimile machines, copier equipment, modems, and networks which offer ample opportunities to copy documents without detection. Procedural security that is still necessary, such as badges and visitor control, can be streamlined.

 

o Operations security (OPSEC) is important and sometimes critical in a military environment and for sensitive operations, but it has been extended to inappropriate situations and environments.

 

The problems are many and the mandate for change is strong, but change must be guided by clear goals and principles. We envision security as a dynamic and flexible system guided by four basic principles:

 

o Our security policies and services must be realistically matched to the threats we face. The processes we use to formulate policies and deliver services must be sufficiently flexible to facilitate their evolution as the threat changes.

 

o Our security policies and practices must be consistent and coherent across the Defense and Intelligence Communities, thereby reducing inefficiencies and enabling us to allocate scarce resources efficiently.

 

o Our security standards and procedures must result in the fair and equitable treatment of the members of our communities upon whom we rely to guard the nation's security.

 

o Our security policies, practices, and procedures must provide the security we need at a price we can afford.

 

The Commission believes that the application of these principles will make the security system less fragmented, less complex, and more cost effective. We also believe that the progress made will be eroded over time without a fundamental adjustment in the way security is viewed and practiced. Security can no longer be seen as an independent, external authority that rigidly imposes procedures and demands compliance. The Commission believes that it is time for a paradigm shift.

 

o Security is a service that should be based on an integrated assessment of threat, vulnerability, and customer needs. Conceptually, it should be the way that we think rather than a manual of rules. Security then becomes a more positive undertaking that values the spirit over the letter of the law, problem prevention over problem resolution, and individual responsibility over external oversight. It is a partnership between security and operations that balances the need to protect with the need to get the job done. Industry is a valuable partner and participant in this process.

 

o Security must come from an integrated system that recognizes the interdependence of the individual security disciplines and establishes a logical nexus between the sensitivity of information and the personnel, physical, information, and technical security countermeasures applied in protecting the information. In this model, the individual security disciplines are interlocking pieces of a puzzle, each critical to overall success but none sufficient by itself.

 

o Security is a shared responsibility. Each individual has a role to play in ensuring the best possible protection for our information, personnel, and assets. Individual and management accountability for security actions and decisions are prerequisites for dynamic and responsive security processes.

 

o Security is a balance between opposing equities. The imperative to protect cannot automatically be allowed to outweigh mission requirements or the public's fundamental right-to-know and it must never obscure the understanding that an informed public is the foundation of a democratic government.

 

Implementing the New Paradigm-Risk Management

 

 

 

 

In the past, most security decisions have been linked one way or another to assumptions about threats. These assumptions frequently postulated an all-knowing, highly competent enemy. For the better part of the last half century, we viewed the Soviet Union and its allies as capable of exploiting our every weakness. Against this danger, we strove to avoid security risks by maximizing our defenses and minimizing our vulnerabilities. Since the future of the free world was considered highly dependent on how successfully we maintained our secrets, the costs of security programs, the constraints on needed information flow, and the negative impact on individuals and our economic competitiveness were all secondary considerations. We used worst case scenarios as the basis for most of our security planning.

 

The threats today are more diffuse, multifaceted, and dynamic. National security concerns now include a daunting array of challenges that continue to grow in diversity in our unstable and unpredictable world. The possibility of failure of democratic reform in Russia poses a constant danger. Further, Russia's ability to maintain control of its special weapons, China's supplying of equipment and technology to unstable countries, and North Korea's, Iran's and Iraq's attempts to develop nuclear weapons, have serious and far-reaching implications for regional security and stability. Burgeoning ethnic and religious rivalries that cross traditional boundaries endanger both new and long-standing peace agreements, drawing the United States into an expanding role in peacekeeping and humanitarian missions. The bombing of the World Trade Center and the assassination of two CIA employees in Virginia heightened our sensitivity to the fact that terrorist activities against Americans can occur domestically as well as abroad. Violent crime and narcotics trafficking in our neighborhoods also continue to threaten American lives and values.

 

The Commission recognizes that the consequences of failures to protect against some of these threats are exceptionally dire. For instance, terrorists' use of weapons of mass destruction, or an adversary's foreknowledge of our battle plans, could have consequences so grave as to demand the highest reasonably attainable standard of security. This is true even if the probability of a successful attack is small and the cost of protection is high. Some inherent vulnerabilities can never be eliminated fully, nor would the cost and benefit warrant this risk avoidance approach. In most cases, however, it is possible to balance the risk of loss or damage of disclosure against the costs of countermeasures and select a mix that provides adequate protection without excessive cost in dollars or in the efficient flow of information to those who require ready access to it. We can and must provide a rational, cost-effective, and enduring framework using risk management as the underlying basis for security decision making.

 

The Commission views the risk management process as a five-step procedure:

 

1. Asset valuation and judgment about consequence of loss. We determine what is to be protected and appraise its value. Part of asset valuation is understanding that assets may have a value to an adversary that is different from their value to us.

 

2. Identification and characterization of the threats to specific assets. Intelligence assessments must address threats to the asset in as much detail as possible, based on the needs of the customer. These assessments may be commissioned at the national level to feed the development of security policies and standards, at the program level to guide systems design, or in planning intelligence support for military or other operations.

 

3. Identification and characterization of the vulnerability of specific assets. Vulnerability assessments help us identify weaknesses in the asset that could be exploited. The manager may then be able to make design or operational changes to reduce risk levels by altering the nature of the asset itself. Cost is an important factor in these decisions, as design changes can be expensive and can impact other mission areas.

 

4. Identification of countermeasures, costs, and tradeoffs. There may be a number of different countermeasures available to protect an asset, each with varying costs and effectiveness. In many cases, there is a point beyond which adding countermeasures will raise costs without appreciably enhancing the protection afforded.

 

5. Risk assessment. Asset valuation, threat analysis, and vulnerability assessments are considered, along with the acceptable level of risk and any uncertainties, to decide how great is the risk and what countermeasures to apply.

 

This process is depicted in the following figure:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Figure 1. The Risk Management Process

 

When any of these steps are left out, the result can either be inadequate protection or unnecessary and overly expensive protection. Frequently, the missing element is the incorporation of specific, up-to-date threat assessments in the development of security policies. With no documented threat information, countermeasures are often based on worst case scenarios.

 

The Commission stresses that managers must make tradeoffs during the decision phase between cost and risk, balancing the cost in dollars, manpower, and decreased flow of needed information against possible asset compromise or loss. Policy decisions resulting from the risk management process can then guide security planning. At the national level, these risk management decisions should form the backbone of, and provide the standards for, the security system. The resulting standards would promote consistency, coherence, and reciprocity across programs and agencies.

 

CHAPTER 2.

 

 

 

 

CLASSSIFICATION MANAGEMENT

 

 

 

 

Classification-Driving Security

 

 

 

 

The classification system is designed primarily to protect the confidentiality of certain military, foreign policy, and intelligence information. It deals with only a small slice of the government information that requires protection although it drives the government's security apparatus and most of its costs.

 

Despite the best of intentions, the classification system, largely unchanged since the Eisenhower administration, has grown out of control. More information is being classified and for extended periods of time. Security rules proliferate, becoming more complex yet remaining unrelated to the threat. Security costs increase as inconsistent requirements are imposed by different agencies or by different program managers within the same agency.

 

This accretion of security rules and requirements to protect classified information does not make the system work better. Indeed, the classification system is not trusted on the inside any more than it is trusted on the outside. Insiders do not trust it to protect information that needs protection. Outsiders do not trust it to release information that does not need protection.

 

This Cold War classification system can be simplified. In place of more than 12 levels of protection and widely differing and inconsistent security policies and practices, the Commission recommends a single, rational, governmentwide standard for the protection of classified information.

 

The Current Classification System-

Cumbersome and Confusing

 

 

 

 

The classification system is more complex than necessary. Classification is inherently subjective and the current system inappropriately links levels of classification with levels of protection.

 

The current classification system starts with three levels of classification (Confidential, Secret, and Top Secret), often referred to collectively as collateral. Layered on top of these three levels are at least nine additional protection categories. These include Department of Defense Special Access Programs (DoD SAPs), Department of Energy Special Access Programs, Director of Central Intelligence Sensitive Compartmented Information Programs (DCI SCI), and other material controlled by special access or "bigot" lists (Footnote 1) such as the war plans of the Joint Chiefs of Staff and the operational files and source information of the CIA Operations Directorate. Further complicating the system are restrictive markings and dissemination controls such as ORCON (dissemination and extraction of information controlled by originator), NOFORN (not releasable to foreign nationals), and "Eyes Only."

 

Classification

Levels of Protection
    
TOP SECRET TS - BIGOT LIST TS - SCI TS - DoD SAP
SECRET S - BIGOT LIST S - SCI S - DoD SAP
CONFIDENTIAL C - BIGOT LIST C - SCI C - DoD SAP
UNCLASSIFIED      

 

 

 

 

Figure 2. The Current Classification System

 

Currently, proper classification depends on assessing the expected damage to national security caused by unauthorized disclosure of the information. Information is classified as Confidential if damage is expected to occur. Secret is used if serious damage will result. Information is Top Secret only if exceptionally grave damage will occur. However, because it is difficult to precisely define levels of damage, reasonable persons can and do differ in their evaluation. Yet, it is not even clear why the effort to assess damage should be made since the protection required is not dependent on the level of damage. For example, greater protection is provided for Secret information in SCI channels, disclosure of which would cause "serious damage" to national security, than for Top Secret information that is not within a special access program, disclosure of which would cause "exceptionally grave damage." Moreover, from a Freedom of Information Act or an Espionage Act standpoint, the significant issue is whether the information is classified, not the level at which it is classified.

 

We conclude that there is no need for levels of classification. Information is not more classified or less classified. It either is classified or it is not. Indeed, thinking about information as more or less classified has led to statements that information is "only Confidential" or "only Secret." This thinking also has led to efforts to link classification levels with the length of time protection is required. Yet we know that some Top Secret information, such as an invasion date, may need to be protected for days, while some Secret information, like the identity of a confidential source, may need to be protected for decades.

 

 

Special Access Programs-Lacking Faith in the System

 

 

 

 

Special access programs (Footnote 2) are used to compensate for the fact that the classification system is not trusted to protect information effectively and does not adequately enforce the "need to know" principle. For example, the Top Secret classification is supposed to protect information that, if improperly disclosed, would result in exceptionally grave damage to the national security. Yet, the perception is that the "regular" classification system cannot protect such information because it has no provision for limiting which cleared persons have access to the information.

 

In the 1980s, as confidence in the traditional classification system declined, more and more information was put into SAP and SCI compartments based on assertions that the regular classification system provided inadequate need-to-know restrictions. The special access system gave the program manager the ability to decide who had a need-to-know and thus to strictly control access to the information. But elaborate, costly, and largely separate structures emerged. According to some, the system has grown out of control with each SAP program manager able to set independent security rules.

 

The Department of Defense divides these programs into three categories: acquisition, intelligence, and operations and support. (Footnote 3) Programs in these categories are further defined as either acknowledged or unacknowledged. (Footnote 4) Some of the most sensitive DoD programs are "waived" or "carved out" from certain oversight and administrative requirements. There are over one hundred DoD SAPs, with many having numerous compartments and subcompartments, designed to further segregate and limit access to information. Each special access program manager is free to establish the security rules that will apply to his or her particular program.

 

Within the Intelligence Community, the term Sensitive Compartmented Information (SCI) refers to data about sophisticated technical collection systems, information collected by those systems, and information concerning or derived from particularly sensitive methods or analytical processes. Specific SCI control systems serve as umbrellas for protecting a type of collection effort or a type of information. Within each SCI system are compartments and within them, subcompartments, all designed to formally segregate data and restrict access to it to those with a need-to-know, as determined by a central authority for each system. There are over 300 SCI compartments (recently reduced from over 800) grouped into a dozen or so control channels. Special activities have their own non-SCI control channels. Rules relating to SCI programs are found in DCI Directives (DCIDs), but implementation is uneven and minimum standards are often exceeded.

 

In addition to the formal SAP, SCI, and covert action control channels, strict need-to-know access restrictions also are imposed for other types of information within the DoD and the Intelligence Community. These include information identifying intelligence sources and liaison relationships, as well as information about military plans, such as the Single Integrated Operations Plan (SIOP) for strategic nuclear war or the battle plan for the invasion of Iraq during the Gulf War. Access to such information is generally controlled by access or bigot lists.

 

The Commission agrees that some types of classified information, such as identities of intelligence sources, information about sensitive intelligence methods, plans for operations, and technological advances that provide our military forces unique advantages on the battlefield, may require more protection than others. However, we do not agree that each SAP manager needs to establish a unique set of security rules, or that SAP security rules and SCI security rules need to be different. Current practice has begun to recognize this fact and to coalesce around two standards: one for Confidential and Secret, the other for Top Secret and SAPs/SCI. In personnel security, for example, agencies do not have separate clearance standards for Confidential and Secret. And a single clearance standard for Top Secret and SCI is evolving with DoD SAPs beginning to follow this standard, even though program managers today have the authority to impose their own standards and many do so.

 

A New System-Streamlined and Straightforward

 

 

 

 

The opportunity to change the classification system comes at an important point in our history. In this post-Cold War period, we can move away from a strategy that has been characterized as something close to total risk avoidance and develop instead an approach more clearly based on risk management. We continue to recognize that there is information that needs the protection of the classification system and that there are costs associated with the unauthorized disclosure of information vital to the national security. But we also recognize that in a democracy the public needs access to information about what its government is doing and that there are significant costs associated with keeping information classified and tightly controlled. In sum, it is important to consider the political, economic, and opportunity costs of classifying information, as well as the costs of failing to classify information.

 

The Commission finds that the costly and complicated bureaucracy that provides security is a reflection of the underlying complexity of the classification management system. The Commission believes that a less complicated system can help correct the current approach that has led to classifying too much at too high a level and for too long. We propose a new one-level classification system. Under this system, information either is classified or it is not. There would be a single legal definition of classified information and no need to pretend that we can precisely measure the amount of damage to national security that would be caused by an unauthorized disclosure.

 

Two degrees of protection will be available, instead of the dozen or so now used. Information either will be generally protected (labeled SECRET) or specially protected (labeled SECRET COMPARTMENTED ACCESS). Each protection level would be defined both in terms of the type of information to be included and the type of protection. The protections available for each level will be standardized. Most special handling and dissemination markings will be unnecessary and special access controls will be integral to, rather than added onto, the classification system. In addition, only certain clearly defined categories of information will qualify for special protection and only in certain clearly defined circumstances.

 

 

Classification

Levels of Protection

  
Classified SECRET SECRET CONTROLLED ACCESS
Unclassified    

 

 

 

 

Figure 3. The Proposed Classification System

The vast majority of classified information would be generally protected to promote the availability and accessibility of the information. Baseline security protection standards will be established and discretionary need-to-know would apply; a cleared individual could determine whether to pass the information to another cleared individual. Generally protected information would incorporate current Confidential and Secret documents, which will not have to be remarked.

 

The Commission recognizes that most departments and agencies have, and will want to continue, procedures that govern the manner in which Secret information is disseminated within their organizations. Some may also wish to maintain limited control on their information that is passed to other agencies, such as a requirement that the recipient agency not pass the information on to a third agency without obtaining permission from the originating agency. Finally, there may be unique problems that arise in implementing this new approach that require an exemption from general rules, such as the manner in which CINCs communicate with Navy vessels. The Commission recognizes the need for flexibility, but does not want to lose the advantages of the new system through creating loopholes by, for example, permitting heads of departments and agencies to create "mini SAPs" by imposing dissemination controls. Therefore, the Commission recommends that heads of departments or agencies be permitted to establish dissemination controls on Secret information only upon approval of the security executive committee proposed in chapter 11.

 

As a result of risk analysis, a limited amount of information would be specially protected as Secret Compartmented Access information. Enhanced security protection standards would apply, requiring a higher clearance standard for access and a centralized need-to-know control structure provided by an access or bigot list. Compartmented access information would incorporate most current Top Secret, Special Access, and Sensitive Compartmented Information.

 

The Commission finds that classification management is the "operating system" of the security world. Classification drives the way much of security policies are implemented and security practices are carried out. Standards, organizations, procedures, and policies governing everything from the levels of security clearance, to procedures for processing information, to sentencing guidelines for individuals convicted of espionage are based on our existing classification structure. The complexity of the existing classification system is the root cause for much of the confusion of the existing security system. (Footnote 5) Simplify the classification system and simplification of the security system will follow.

 

The Commission notes that the existing classification management system is evolving naturally into a two-level system. Confidential and Secret information is handled using similar or identical standards. Top Secret, SCI, and SAP information is protected using more stringent and substantially common standards. The Commission believes that this natural occurring division forms an excellent basis for an improved classification system.

 

The proposed system will better relate needed asset protection to security countermeasures. In place of the myriad investigative and adjudicative requirements and the differing physical security standards, two security standards, based on analysis of risk, would be developed to guide application of the two degrees of protection for these security disciplines. Procedures for securing classified information would likewise have only two standards. Similar simplifications would follow throughout the rest of the security system.

 

 

A Simplified Controlled Access System

 

 

 

 

The Commission concludes that the current special access system needs to be simplified. Enhanced security protection can be achieved with less compartmentation and fewer barriers to the flow of information. Instead of the current complicated system with the multiple control officers and multiple control channels, information requiring special protection would be marked SECRET COMPARTMENTED ACCESS and would carry a designator, such as a codeword or number, identifying the relevant access list. A single specially protected information control officer and channel would replace the panoply of structures and systems for protecting SCI, SAPs, or bigot list controlled access information.

 

Thus, instead of the structure shown below in figure 4:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Figure 4. Current Special Access Programs Structure

 

 

We propose the following structure:

 

 

 

 

 

 

Figure 5. Proposed Special Access Programs Structure

 

 

Limiting Use of Special Access Controls

 

 

 

 

The Commission concludes that simplifying the system will aid in identifying and better protecting information that really needs enhanced security protection. Viewing information as part of a special access program often meant that everything in the program had to be compartmented. Analyzing the impact of the loss of specific information focuses attention on what needs special protection and what does not, and would result in less information being placed at the compartmented access level.

 

Steps will be taken to limit the amount of information that is specially protected and to prevent the migration of information from the generally protected level to the specially protected level. A first step is to identify clearly in an executive order those limited categories of information qualifying for special protection.

 

The Commission suggests the following categories of information be considered for special protection:

 

o A technology application that provides a significant battlefield edge and that could be copied or countered if key information were disclosed to a potential adversary.

 

o A sensitive military operation or plans for the operation in circumstances in which disclosure might impair its current or future success.

 

o A fragile intelligence method when the opposition is not aware of either the fact, or special capabilities of the method and, were they to become aware of it, could employ countermeasures to deny us information or use deception to feed the US incorrect information.

 

o A human source in circumstances in which the US would lose its ability to use the source and/or the source or the source's family is likely to be harmed.

 

o A sensitive intelligence, counterintelligence, or special activity in circumstances in which disclosure would impair its success.

 

o Information that would impair US cryptologic systems or activities.

 

o Sensitive policy issues or relationships with a foreign government which, if revealed, would significantly harm foreign government cooperation with the US.

 

o A US negotiating position in circumstances in which such disclosure would cause us to lose a negotiating advantage.

 

o Scientific and technical information that describes the design of weapons of mass destruction that could significantly assist others to develop or to improve such weapons, or to significantly enhance their ability to circumvent the control features of such weapons.

 

 

Perhaps the greatest weakness in the entire system is that critical specially protected information within the various DoD and SCI compartments is not clearly identified. Individuals within government and industry are forced to protect everything within a particular compartment, rather than just the small amount of information that truly needs compartmented access status and need-to-know controls.

 

The Commission believes a rigorous review is needed to identify and separate the information that will continue to require special protection from that which does not. Such a review will allow many compartmented access compartments to be eliminated and will permit the consolidation of critical data within fewer remaining compartments.

 

 

Uniform Risk Criteria for Secret -

Compartmented Access Information

 

 

 

 

The Commission believes that decisions to require special protection for sensitive information and activities should be consistently made based on common risk management principles.

 

The Commission found that uniform risk assessment criteria do not exist for establishing, designating, managing, and disestablishing SAP and SCI compartments. Each component develops its own procedures for assessing the risks dictating compartmented access protection, often with little external guidance or oversight. Some elements place unclassified technologies and independent research and development efforts directly under special protection as soon as a promising military application is discovered. Others do not, and thus disparities exist among agencies in the way the same basic technology or application is classified, designated, and protected.

 

The decision to designate a DoD SAP as unacknowledged radically increases its cost and severely inhibits oversight, coordination, and integration with other similar programs. Critics advised the Commission that state of the art advances and efficiency gains may be sacrificed or significantly hindered once a technology-based program is brought under special controls. If an acquisition SAP is unacknowledged, others working in the same technology area may be unaware that another agency is developing a program. The government may pay several times over for the same technology or application developed under different special programs within different agencies.

 

Despite the fact that the Commission did find one or two examples of programs coordinating common technology or scientific issues, the potential still exists for disconnects in coordination and integration among various DoD SAPs and non-SAP programs. In the above example, the three government agency program managers are aware of the other programs, but refuse to devise a common protection standard. This problem is not uncommon. The strict SAP control inhibits the flow of information. One result is that comparable advances in state-of-the-art technology by related noncompartmented government research efforts are not readily accepted by some SAP managers as valid reasons to decompartment their programs. The government pays a high cost when this occurs. Continuing special security controls when they may not be necessary is expensive. But, the controls are probably much less costly than the lost opportunities caused by inhibiting non-governmental research initiatives with potential payoffs for the SAP itself.

 

The Commission applauds the DoD's action to establish joint coordination and review of Stealth and related low-observable technologies developed by numerous special programs. However, this effort should be expanded to achieve integration across the DoD components and non-DoD agencies in other areas of technology to reduce apparent gaps in the integration of SAP decisions with national-level science and technology intelligence, counterintelligence, and counterproliferation intelligence analysis. Again, using the example above, a common security standard is needed to reduce conflicting analyses regarding the true state-of-the-art or the actual threat to advanced technologies that in turn leads to the application of varying degrees of security and the resulting costs.

 

There also is the need for coordination of DoD special program issues and decisions with other governmental interests, such as foreign relations with the Department of State and national intelligence issues with the Director of Central Intelligence. In the past, decisions were made not to brief the Director of Central Intelligence on certain DoD programs that affected national intelligence interests. Such decisions can occur when senior-level personnel are not made aware of, for example, the existence of a subcompartment or the impact of certain activities under special programs.

 

The Commission's recommendations on threat assessment and risk management should be followed in determining whether and how special protection is to be applied, especially with respect to unacknowledged programs. This criteria should form the basis for decisions made on special protection throughout the government.

 

 

Currently, SAP security policies are developed independently by individual program managers. Within the Intelligence Community, actual SCI program practices often exceed the DCID standard. The Commission found that many of the problems with the SAPs and the SCI programs are due to obsolete security standards and inconsistent, program-specific applications. The conflicting policies of the DoD and Intelligence Community elements add significant unnecessary expense to the system, with no appreciable increase in security. Common standards for special protection would bring coherence to the DoD and Intelligence Communities, and bridge the gap between the DoDs SAPs and the DCI's SCI programs.

 

Under the new classification scheme, the security executive committee, described in chapter 11, will work with security professionals and program managers to develop a single uniform security policy and set of standards adequate to protect all DoD and Intelligence Community special programs. As a consequence, there no longer would be the wide variances in security practices that significantly raise costs, particularly in industry. Managers of special programs would not be granted unbridled discretion in deciding which security measures to employ, but they would be allowed to waive down from the standard in circumstances in which reciprocity is not affected. In sum, reciprocity, integration, and the ability to control overall costs requires that a uniform standard be followed in most cases, but exceptions could be made in appropriate circumstances.

 

 

Increasing the Flow of Data

 

 

 

 

Many persons who spoke to the Commission were quite critical of the Intelligence Community's tendency to disseminate intelligence data within compartmented channels rather than at the generally protected level. Combatant commanders are adamant that intelligence must be released at the Secret level to be useful to them. Law enforcement agencies increasingly assert that most intelligence information passed to them is overclassified and therefore often unusable. Excessive compartmentation precludes the timely dissemination of intelligence pending completion of reviews to remove (or sanitize) source and method revealing information or until permission is granted for release of originator-controlled data. This has an adverse impact on the timeliness and specificity of intelligence. The impact is very serious to users of intelligence in the DoD, its agencies, and the military services.

 

All users made clear to the Commission that they want intelligence provided in a more timely manner, with as much specificity as possible, and with fewer dissemination restrictions. Currently compartmented data should be reviewed to remove source- or method-revealing information so that significantly more intelligence information can be made available as generally protected information. Those sanitizing intelligence should also ensure as much usable data remains as possible. Concerns have been raised that, at times, so much information is removed in order to protect sources and methods, the ability of users of the information to make critical decisions is undermined.

 

The Commission is encouraged by efforts under way to limit the amount of controlled access information within the Intelligence Community. Most intelligence reporting based on human sources is not compartmented because source-identifying information is deleted. Further, a significant amount of imagery is being released outside of compartmented channels. While the National Security Agency has made progress in decompartmenting its information, more can be done. Significant benefit would be gained if the National Security Agency were to form a task force, similar to the one formed by the Central Imagery Office, to drastically reduce the amount of compartmented information it produces, and to release more intelligence at the generally protected level.

 

The Commission believes that, as a general rule, only the limited amount of intelligence that would materially compromise sensitive sources and methods or collection strategies, as well as that which has exceptional political sensitivity due to the nature of the target, should remain within compartmented channels. The remaining vast majority of data should be routinely released as generally protected information. Where source-revealing information must necessarily be included, the Commission strongly recommends the use of a tear line. Those who need to know how the information was derived will have access to the information above the tear line, marked SECRET COMPARTMENTED ACCESS. Those who need to act on the information, but do not need to know the source of the information, will receive the generally protected information below the tear line, marked SECRET.

 

 

Advanced weapon systems and specialized intelligence capabilities are of little use to the military commander if he is unaware of them and unable to train warfighting elements in the use of the new capability. Briefing commanders when compartmented access programs are ready for use is not enough. Military elements must be kept aware of the program, its goals and objectives, and its potential employment well ahead of production and deployment in order to fully incorporate new capabilities into unit war plans.

 

Although many technologies, weapon systems, and intelligence capabilities are ultimately developed for use by the warfighter, no effective procedure exists to ensure that combatant commanders are briefed on all such systems, their capabilities, and projected availability for use. Moreover, the Commission found that even when military elements are briefed, they are put under such tight constraints that they are unable to use the compartmented access information in any practical way. This prohibits field elements from being able to incorporate these capabilities into war planning and other crisis activities.

 

The Commission believes that more needs to be done to keep combatant commanders informed of current and upcoming programs, capabilities, weapons, and operations that could potentially be used in a military venue. Accordingly, a separate, small entity should be established and given the responsibility to work with the owners of compartmented access information to disseminate it aggressively to combatant commanders. This entity, with full access to all compartmented access programs, would balance the perceived reluctance of special access program managers to share information against the perceived tendency of military entities to disseminate this information broadly within a command. The intent is to ensure that combatant commanders are more fully informed about compartmented access activities while taking into account the sensitivity and fragility of the information.

 

 

Special Cover Measures

 

 

 

 

There are many valid reasons for the special cover measures used by some military and intelligence organizations, such as potentially life-threatening, high-risk, covert operations and intelligence and counterintelligence investigations or operations. However, these techniques also have increasingly been used for major acquisition and technology-based contracts to conceal the fact of the existence of a facility or activity or to mask government-contractor affiliations.

 

The Commission found that the use of cover to conceal the existence of a government facility or the fact of government research and development interest in a particular technology is broader than necessary and significantly increases costs. For example, one military service routinely uses cover mechanisms for its acquisition controlled access programs without regard to individual threat or need. Another military organization uses cover to hide the existence of certain activities or facilities. Critics maintain that in many cases, cover is being used to hide what is already known and widely reported in the news media.

 

These cover mechanisms are expensive and the marginal security benefits gained by compartmenting knowledge of the existence of a government or contractor facility often are outweighed by the costs of concealment, including the costs to other programs that would benefit from sharing technical knowledge and sharing use of the facility. Special protection generally should focus on the most sensitive uses of a facility, rather than the fact of its existence.

 

Organizations with high-funding profiles and extensive contracts, such as the National Reconnaissance Office, have incorporated elaborate rules into their daily operations to conceal the fact of their existence and to hide the identity and affiliation of organization employees and contractors. Even though the NRO's existence was finally declassified in 1992, classification for most of its personnel and activities remains in place. We believe many NRO classification requirements currently imposed can be dropped without danger to essential NRO activities.

 

The Commission believes an overall review of the DoD and Intelligence Community organizations employing cover mechanisms is needed to determine whether such costly measures continue to be necessary.

 

 

Security Oversight of Compartmented Access Programs

 

 

 

 

The DoD management framework provides for oversight of all DoD compartmented access programs through reviews by the Deputy Secretary of Defense. Oversight is also provided by reports to Congress. The Commission has reviewed the reporting procedures that exist with respect to Congressional oversight of the DoD controlled access programs, including those for programs that are waived from certain requirements due to their extreme sensitivity. We see no need to modify existing reporting procedures and believe that the current system should continue without change.

 

Until recently there has been no procedure for centralized assessment of special program proposals submitted directly to the Deputy Secretary of Defense by the military departments. The recent formation of the DoD Special Access Program Oversight Committee, which the Commission fully supports, will ensure that every program is reviewed by a panel of senior officials prior to its establishment, and annually thereafter, to determine whether compartmentation for each program is still required. This new management structure is an important initiative to improve centralized review, cross-program integration, security policy guidance, and oversight of special programs.

 

The Commission suggests that the Oversight Committee expand this review to incorporate a separate evaluation of the proposed or actual security countermeasures for each special program. A separate review could yield alternate security countermeasures to replace the sometimes costly or inefficient countermeasures proposed by the sponsoring special program managers. For existing controlled access programs, the Committee should examine how previously-approved security countermeasures are actually implemented. This may reveal security practices that are no longer necessary and help to lessen the gap between actual practice and policies for controlled access programs. Finally, the Commission believes that security cost-drivers, such as unacknowledged special program status, imposition of cover, mandatory polygraphs for access, and waivers from Defense Investigative Service inspections of contractors, should be considered and approved separately by the DoD Special Access Program Oversight Committee before they are imposed. These steps will aid the Oversight Committee in eliminating unnecessary and costly security practices and in redirecting scarce protection resources to other program priorities.

 

The Commission believes that the DoD's new approach to overseeing controlled access programs is reasonable. However, the Commission believes the process could be strengthened by establishing a security oversight arm that is wholly independent from the everyday management and security of controlled access programs. An independent viewpoint is necessary to interject an unbiased, broader perspective on controlled access proposals and practices because many believe that SAPs are created not simply for security reasons, but to create a specialized cadre of experts, streamline procurement, limit oversight, and thus speed development. Others are concerned that fundamental questions about the propriety of controlled access activities may not be raised by those within the special program community, or be presented to senior policymakers outside of the sponsoring military service. This new oversight function would have to have up-front, across-the-board access to all special access programs.

 

The Commission's proposed independent oversight arm also would provide valuable guidance with respect to access control practices applied to programs other than recognized SAPs. In the past, certain DoD components have limited the distribution of particular types of classified information, such as military plans, without formally designating the program as a SAP, because SAPs require high-level approval and oversight. These programs use labels such as LIMDIS (limited distribution), SPECAT (special category), or other less formal designations. The Commission views these programs as "SAP-like" in that aspects of approved specially protected programs, such as multiple compartments and nondisclosure agreements, often are imposed upon those given access to the information. However, DoD officials have taken the position that compartmentation to protect military plans should not be considered a "program" within the meaning of Special Access Program regulations, but simply a "planning document." As a result, military plans currently are not included in senior-level special program reviews.

 

In the future, none of these "plans versus program" distinctions should matter under the Commission's proposed new classification structure. However, independent oversight will continue to be necessary for controlled access programs to ensure that security issues are fully aired to senior management. Assigning independent responsibility for conducting inquiries regarding activities protected by special programs and similar compartments, will give the Secretary of Defense a valuable check and serve as a safety valve in ensuring that security protections are not misused, and that questionable practices are brought to light and resolved within the Department.

 

 

CLASSIFICATION MANAGEMENT PRACTICES

 

 

 

 

There are a number of additional areas dealing with the implementation and management of the classification system, whether the current or the proposed system, that require consideration and improvement.

 

Dissemination Controls-Impediments to

Getting Intelligence into the Hands of Customers

 

 

 

 

A senior intelligence official stated that "the day-to-day most serious problem is that we don't get intelligence to the policymakers in a way that they can use it." The issue is not merely that too much information is compartmented, but that intelligence users may be denied timely access to intelligence data and other classified information due to an originator's tendency to include unnecessary control markings.

 

Four of the standard control markings (Footnote 6) established by the Director of Central Intelligence for the Intelligence Community are security controls; two are not. (Footnote 7) The Commission recommends that three of the four security control markings be eliminated. They are duplicative, unnecessary, and impede the timely transfer of intelligence to those who need it. WNINTEL (Warning Notice - Intelligence Sources and Methods Involved) is implicit in the specially protected category, ORCON ( Dissemination and Extraction of Information Controlled by Originator) is viewed as more of an impediment to intelligence users than a protection for intelligence producers, and all US classified information is NOFORN (not releasable to foreign nationals), unless a decision is made to release such information. Accordingly, the REL TO (authorized for release to . . . ) control should suffice.

 

Under the new classification system, security control markings, apart from REL TO, will not be needed or desirable for generally protected information labeled SECRET, because such information will be under a discretionary need-to-know regime. Similarly, security control markings will not be needed or desirable for specially protected information labeled SECRET COMPARTMENTED ACCESS because such information incorporates centralized access controls that already specify the personnel (government, contractor, foreign government) who are to receive the information.

 

The Commission recommends that the two remaining control markings: PROPIN (PROPRIETARY INFORMATION), and NOCONTRACT (not releasable to contractors or consultants) be combined into a single marking: government-industry-restricted information (GOVIND). The NOCONTRACT marking, as currently used, often prevents contractors from obtaining the information they need to do their job. This is particularly inappropriate in the case of Federally Funded Research and Development Centers (FFRDCs). These are non-profit institutions with no production facilities, no products or services to sell in commercial markets, and that are not supposed to compete with non-FFRDCs. Accordingly, procedures should be developed to routinely obtain advance agreement that corporate proprietary information is given to the government with the express understanding that such information can be shared with FFRDCs as required by the government.

 

In the system we propose, government employees and contractors will be cleared to the same standard and appropriately indoctrinated. Consequently, there will be no need to restrict information from contractors with a need to know, other than to protect two types of information. The first is information that is provided to the government by a commercial firm or private source under an express or implied understanding that the information will be protected as a trade secret or proprietary data and will not be disseminated to a potential competitor. The second is government information, for example budgetary information, that could give the contractor an unfair competitive advantage. A new marking, GOVIND, would restrict both types of information.

 

Agency-specific dissemination controls such as "Exclusive For," "Secret/Sensitive," or "Eyes Only" add to the confusion, and are rarely enforced. We recommend that no agency-specific, dissemination-control markings be used for security purposes. There is no consistency between agencies in the terms used. Whatever unique handling restrictions they imply usually are not understood by the recipient agencies and are improperly applied.

 

 

Sharing Classified Information

 

 

 

 

The world is changing and US classified information not only is provided to close allies, but also to coalition partners, some of whom normally have interests quite divergent from ours. The US also finds it necessary to provide classified information to the NATO and the United Nations in circumstances where such information, once provided, may be broadly distributed.

 

It is not possible to anticipate every situation, and flexibility must be preserved so that military commanders and foreign policy officials are able to meet the special needs and requirements of each situation. Nevertheless, it is helpful to have general governmentwide guidance as to the types of information that readily can be shared or that pose particular problems. This reduces the amount of information that must be assimilated and the number of decisions that must be made on an ad hoc basis in the heat of a crisis.

 

The security executive committee should review information sharing requirements and ensure that guidance and expertise is readily available to inform and assist officials who must make release decisions.

 

 

Billet and Access Control Policies

 

 

 

 

One of the most frustrating features of many current SAP and SCI systems is the resource-intensive, bureaucratic procedure for authorizing access. Military commanders and senior managers confront cumbersome approval requirements, often including arbitrary numerical ceilings and rigid billet structures, if they wish to bring another person with a legitimate reason for access into the compartment.

 

Program managers try to limit the number of people allowed access to many special programs by imposing an arbitrary ceiling on the number of individual billets (spaces) authorized for a particular organization or facility. Both government and industry organizations are forced to resort to inefficient and costly practices to get around the access restrictions to get the job done. The Commission found that the imposition of these numerical ceilings and rigid billet structures does not reduce the actual number of persons accessed nor enhance the security of a controlled access program. Instead, these practices add unnecessary complexity and confusion.

 

These controls only give the illusion of security while adding excessive cost and inefficiency to the access approval process. The Commission, therefore, recommends an end to the practice of limiting access to specially protected information based on the number of authorized billets or imposed numerical ceilings. The Commission believes that, to permit more effective accomplishment of mission tasks, a zero-based review and update of controlled access rosters in concert with using elements is necessary to determine the personnel who truly have a bona fide contractual or job-related requirement for controlled access information. The results of the review should form the backbone of new access management processes that should eventually feed into a data base system. Quite simply, the number of persons accessed to specially protected information should be based on the number necessary to accomplish the job.

 

 

Secrecy Agreements

 

 

 

 

At present, most US Government employees and contractors granted access to classified information sign a Classified Information Nondisclosure Agreement (Secrecy Agreement) in which they agree never to divulge classified information to an unauthorized person. While this agreement does not contain a prepublication review provision, the individual agrees that, if there is uncertainty about the classification status of information, he will confirm with an authorized official that the information is unclassified before he discloses it.

 

Recipients of access to Sensitive Compartmented Information (SCI) and DoD Special Access Programs (SAPs) sign a nondisclosure agreement or indoctrination statement with a prepublication requirement each time that they are admitted to a compartment, program, or category of information within a program.

 

The SCI agreement obligates the signer not to disclose anything marked as SCI or that they know to be SCI, and to submit for review any material that "contains or purports to contain any SCI or description of activities that produce or relate to SCI, or that they have reason to believe are derived from SCI." Recipients of National Security Agency information agree to submit for review all information that contains or purports to contain, refers to, or is based upon "Protected Information," essentially defined as classified information obtained as a result of their relationship with the NSA.

 

Recipients of DoD SAP information sign a similar agreement that indoctrinates them into the program and obligates them to submit for review all information which contains or purports to contain any "Designated Classified Information," (essentially defined as SAP information) or description of activities that produce or relate to Designated Classified Information.

 

Central Intelligence Agency employees sign a secrecy agreement that contains a significantly broader prepublication agreement that obligates them to submit for review any material they contemplate disclosing that contains any mention of intelligence data or activities or contains any other information or material that might be based upon classified information. There are strong arguments for this expansive language. It has more teeth and gives broader legal protection. Because the obligation is not limited to classified information, the government can proceed against the individual simply for failing to submit for prior review information that mentioned or was based on intelligence without having to prove classification.

 

Most of the Commissioners are not persuaded that persons with access to the same classified information should have differing obligations. Most Commissioners also are not persuaded that intelligence professionals at the CIA should be held to a higher standard than that applied to others in government who receive CIA information. These Commissioners do, however, acknowledge that it is not unreasonable for a Director of Central Intelligence to conclude that CIA employees should be held to a higher standard because, for example, CIA employees are more likely to be exposed to sensitive sources and methods information over their career than many employees in other agencies.

 

Prepublication review is designed to guard against the malicious and the uncertain. Those with malicious intent will not submit material for review no matter how broad the standard. The conscientious employee or retiree, uncertain as to whether information is classified, will submit material even with a narrow standard. The Commission is concerned about the chilling affect of any prepublication review, but particularly the broad standards in the current CIA secrecy agreement. Government employees should not forfeit the ability to participate in public policy debates merely because they have, or had, access to highly classified information. Indeed, their participation in the debate should be encouraged. On balance, the majority of the Commissioners concluded that there should be one standard secrecy agreement for government and contractor employees with access to compartmented information that does not incorporate the higher review standard in the current CIA version. However, the Commission also recognizes that the Director of Central Intelligence may conclude that his statutory responsibility to protect sources and methods requires that he maintain the stricter version.

 

Regardless of the prepublication review standard, the Commission believes that it is neither legally required nor desirable, with respect to SCI and SAP material, for the individual to sign a separate nondisclosure agreement for each compartment, subcompartment, program and category of information within a program. A single secrecy agreement obligates the individual not to disclose classified information. A single prepublication provision obligates the individual to submit specially protected material for review. Although there is no harm in reminding an individual of his obligation to protect the information, the multiple forms may in fact create the erroneous impression that unless a new form is signed for each type of information or for each compartment, the obligation to protect the information and submit it for prepublication review is somehow not present. Moreover, there are costs involved in producing, using, and storing the plethora of forms, particularly in an environment in which many individuals have multiple accesses. These costs can and should be avoided.

 

The Commission believes that standardization of secrecy or nondisclosure agreements and of prepublication review requirements is needed. (Footnote 8) Two agreement forms should suffice: one agreement for generally protected information, and one for specially protected information. If an individual signs the agreement for specially protected information, it will be the only agreement required.

 

 

Declassification

 

 

 

 

Simply put, the current system for declassification does not work. Much of the information that is classified does not have a declassification date. Generally it is marked OADR (Originating Agency's Determination Required) and remains classified indefinitely. Detailed review of these documents is not feasible, and arbitrary bulk or automatic declassification schemes are perceived as risking the loss of information that still requires protection.

 

The Cold War period produced a huge amount of classified information, and thus, an enormous backlog of potentially declassifiable information. In addition to information held by individual agencies, there are an estimated 300-400 million pages of classified information in the National Archives. Millions of additional documents are classified each year. The Information Security Oversight Office reports between 6-7 million original and derivative classification actions per year in Fiscal Years 1990 to 1992.

 

Agencies generally are not willing to declassify information without review, yet as the mountain of classified information grows, it is clear that a line-by-line and document-by-document review of this information would be extremely expensive and time consuming. (Footnote 9) Moreover, given public and congressional concern today that sufficient resources are not being devoted to current FOIA, Privacy Act, and mandatory review requesters, diverting limited available resources to a time-consuming review process that is not driven by customer demand is unacceptable.

 

Any declassification regime, therefore, must be examined to ensure that it does not create a significant burden for government agencies without providing any great advantage to the public. Put more positively, a new classification system should maintain classification for the shortest possible time and make the declassification system more efficient rather than more costly.

 

We believe that a great deal of information can be automatically released in ten years and that most information can be released in 25 years. What is necessary, however, is to distinguish those categories of information that are good candidates for declassification after 10, 15, or 20 years from categories of information, such as human-source information, that may require protection for longer periods of time. By correctly categorizing classified information, we can reduce the number of times that the government needs to review documents and develop a strategy that will allow release of information without the need for line-by-line review.

 

We recommend that a new Executive order on classification specify certain categories of information that can be exempted from automatic declassification at the end of 10 years, and also permit agency heads to nominate, and the security executive committee to approve additional limited categories of information that may require protection longer than 10 but fewer than 25 years. Information could then be marked at the time of its creation to reflect a date upon which it would be automatically declassified.

 

For example, if it were believed, with respect to a particular category of information that, at the end of 10 years, classification would have to be extended for the majority of information in that category, a longer time period would be selected. Otherwise, when the 10-year, automatic-declassification date arrived, the agency would feel compelled to do a line-by-line review of the information, most of the information probably would remain classified, a great deal of cost would be incurred, and little advantage would be derived by the public.

 

On the other hand, if it were believed that most of the information in that category could be released at the end of 15 years, then it would be expected that when the automatic declassification date arrived, the agency would feel more comfortable adopting a risk management rather than a risk avoidance approach to the material. The agency would be far less likely to see the need for line-by-line review of the information and far more willing to release the information with little or no review. For example, if it were believed that finished intelligence could be released in 15 years, then it could be expected that at the end of that period reviewers might conclude that the release of 15-year-old political intelligence would not result in significant harm, that the release of 15-year-old economic intelligence would not do significant harm, but that there were a couple of weapon systems still in use and still of continued interest. In such a scenario, reviewers might look to see if 15-year-old military intelligence written on these two weapon systems still should remain classified, but would not undertake a line-by-line review of the rest of the 15-year-old finished intelligence.

 

We are keenly aware that an important underpinning of our system of government is an informed citizenry and that without the prompt release of pertinent information, intelligent public policy debate, academic discussion, and historical research is handicapped. Nevertheless, there are clear examples where the American people are better served by continued protection of certain classified information. For example, the revelation of the identity of a confidential intelligence source, even after the passage of years, can have a serious negative impact on that individual and would not serve US interests. Similarly, release of information about a previous generation of US weapons can still have a significant negative impact on the safety of US forces.

 

o We believe the proper balance can be struck in the Executive order by allowing agency heads to exempt, at the time of its creation, specific information from the 25 year automatic declassification. This information would be within the following categories:

 

o Information that would jeopardize a human intelligence source or impair use of an intelligence method.

 

o Information that would compromise sensitive military operations.

 

o Information that would impair US cryptologic systems or activities.

 

o Information about weapons technology that provides the US with a battlefield advantage or would assist in the development or use of weapons of mass destruction.

 

 

Making the Classification System Really Work-

An Integrated Approach with Appropriate Oversight

 

 

 

 

The one-level classification system with two degrees of protection is designed to provide a framework that will support a coherent and consistent governmentwide approach to both classification and security. It recognizes that classification drives security costs and that security practices are evolving naturally, albeit slowly, around two levels of protection. It and the other classification management recommendations build upon steps already taken by, and borrow from the ideas of, thoughtful security professionals.

 

Nevertheless, no system can be expected to work very well if there is no one in charge. Today, there are few governmentwide standards and, even when standards are supposed to have general applicability, they often are translated and interpreted in ways that do violence to the concept of standardization. Often there is no penalty for noncompliance. Moreover, we conclude that the Information Security Oversight Office (ISOO) simply is not positioned to ensure compliance. Without an effective policy and oversight structure, no coherent security policy is likely to evolve. Instead, inconsistent rules will continue to be formulated, and disputes will continue to impede the development of a uniform policy.

 

The proposed security executive committee, on the other hand, would be positioned to provide effective centralized oversight. Its staff could include a strengthened ISOO, headed by a security ombudsman, with a broader security oversight role. In addition, the outside security advisory board we propose would provide a mechanism for nongovernment and public interest concerns about the system to be raised to the committee.

 

Although centralized oversight is a necessary and important innovation, effective oversight must begin at the agency level. We recommend, therefore, that each agency appoint a classification ombudsman whose mission is to encourage and act on complaints about over-classification. The ombudsman also will be required to routinely review a representative sample of the agency's classified material. This individual would have the authority to ask why a particular piece of information was classified and to order it declassified if no persuasive reason is forthcoming. Real-time review of employee complaints, cable traffic, and other documents; real-time identification of categories of information subject to misclassification; and real-time identification of the individuals responsible for classification errors would add management oversight of classification decisions and attach penalties to what too often can be characterized as classification by rote. The system outlined above, in its broad contours, has been in place in the Department of State for the past two years, and we are told that over the past six months noticeable progress has been made. Information that previously had been classified is no longer classified and greater