Posts from May, 2008

Intel Agency Action Urged Against Space, Cyber Threats

U.S. defense intelligence agencies should aim to “eliminate” the capabilities of opponents to operate effectively against the United States from outer space or cyber space, according to a new Pentagon strategy for defense intelligence (pdf).

Defense intelligence shall “eliminate any advantage held by our adversaries to operate from and within the space and cyber domains,” says the new strategy document, “Defense Intelligence 2008″ (strategic objective IV).

“As stated in the U.S. National Space Policy, the focus of defense intelligence in space will be to ensure full situational awareness for military and civilian decision-makers, support military planning initiatives, and satisfy operational requirements. As addressed within the Comprehensive National Cybersecurity Initiative, cyberspace has become a vital national interest economically, militarily and culturally, and the current patchwork of passive defense is likely to fail in the face of greater vulnerabilities and more sophisticated threats.”

“Defense intelligence must do its part to defeat this critical threat.”

See “Defense Intelligence 2008″ (flagged by BeSpacific.com).

North Korea-Syria Contacts Viewed by Open Source Center

Intergovernmental contacts between North Korean and Syrian officials during the last two years were scrutinized by the DNI Open Source Center (pdf), but even in retrospect the available record presents no indication of joint work on a secret nuclear facility destroyed by Israel last September (large pdf).

“A review of available North Korean and Syrian print and online media in the period 2005-2007 has yielded the names of dozens of DPRK and Syrian officials involved in military, scientific, trade, and other aspects of bilateral relations,” the OSC analysis said.

However, “no obvious indications of covert military cooperation surfaced in the highly-censored media of North Korea or Syria in this period.”

In other words, assuming the allegations of clandestine nuclear cooperation are true, open source intelligence provided no clues concerning the activity.

Like most other OSC products, the new analysis has not been approved for public release. But a copy was obtained independently by Secrecy News. See “DPRK-Syria Bilateral Contacts, 2005-2007,” Open Source Center, May 2, 2008.

Better Secrecy for Open Source Intel Collectors Urged

U.S. intelligence employees who are collecting open source intelligence online should do more to ensure that they are not identified as intelligence personnel, the House Armed Services Committee said in its new report on the 2009 Defense Authorization Act.

Failure to conceal the identity of open source intelligence collectors could conceivably lead to spoofing, disinformation or other forms of compromise.

“Efforts in this area [i.e., open source intelligence] will require collectors to operate in benign cyberspace domains, such as media websites and academic databases, as well as more hostile areas, such as foreign language blogging websites and even websites maintained by terrorist or state-actors groups. The committee is concerned about the ability of our adversaries to be able to track and attribute collection activities to U.S. and allied forces. Technology exists to provide non-attribution services to protect identities, especially source country of origin.”

“The committee urges the Secretary of Defense to ensure, through the use of all reasonable means, protection of government investigators involved in gathering open source intelligence. These means should include proven non-attribution services, as well as development of appropriate tactics, techniques and procedures that are incorporated into manuals and training programs.”

The Committee generally welcomed the growing investment in open source intelligence.

“The committee recognizes that open source intelligence provides a critical complementary capability to traditional intelligence gathering and analysis. The committee is encouraged by the growing recognition within the military and intelligence communities of the value of open source intelligence which is punctuated by the establishment of the Open Source Center and the development of an Army field manual on open source intelligence.”

See “Non-attribution of open source intelligence research,” excerpted from House Report 110-652, May 16.

A copy of the Army field manual on open source intelligence, which has not been approved for public release, was obtained by Secrecy News and is available here (pdf).

Open Source Center Keeps Public in the Dark

The ODNI Open Source Center has imposed some rather ferocious controls on its unclassified products in order to shield them from public access.

Even when its publications are not copyrighted, they are to be “treated as copyrighted” and in any case they “must not be disseminated to the public.”

The following notice was recently posted on the password-protected OSC website:

“Content available via this website must not be disseminated to the public. All content available via this website is treated as copyrighted material and is provided for U.S. Government purposes only. Such purposes may include rebroadcast, redistribution, dissemination, copying, and hyper-linking provided it is for official U.S. Government purposes only. Any removal or redistribution of content outside of official U.S. Government channels requires the advance authorization of OSC. Information under the control of external websites to which OSC may provide hyperlinks may have separate restrictions and shall be accessed only in accordance with any usage policies and restrictions applicable to those sites.”

“Authorized system users may use the content available via this website to support official U.S. Government business and may disseminate this information to other U.S. Government components. In disseminating this content for other U.S Government component use, U.S. Government personnel must use a password-protected email system. System users who are partners (e.g. those who have a formal relationship with OSC), may also use the content, as authorized by OSC, to support their official business and must use a password-protected email system. Contractors with access to this site may only have that access during the time period as required to fulfill their contract responsibilities.”

Meanwhile, the Office of the Director of National Intelligence has scheduled a conference on open source intelligence on September 11-12 in Washington, DC which will be open to the public (advance registration required).

The “Red-Dead” Canal, and More from CRS

Noteworthy new reports from the Congressional Research Service that have not been made readily available to the public include the following (all pdf).

“Defense Contracting in Iraq: Issues and Options for Congress,” updated May 6, 2008.

“The National Security Council: An Organizational Assessment,” updated April 21, 2008.

“Homeland Security Department: FY2009 Request for Appropriations,” May 6, 2008.

“Japan’s Nuclear Future: Policy Debate, Prospects, and U.S. Interests,” May 9, 2008.

“Does Price Transparency Improve Market Efficiency? Implications of Empirical Evidence in Other Markets for the Health Sector,” updated April 29, 2008.

“The “Red-Dead” Canal: Israeli-Arab Efforts to Restore the Dead Sea,” May 13, 2008.

Cyber Security Initiative is Too Secret, SASC Says

The new National Cyber Security Initiative that is intended to reduce the vulnerability of government information networks and to devise an information warfare doctrine is so highly classified that it is undermining the deterrent value of the project, the Senate Armed Services Committee (SASC) said in a new report.

“It is difficult to conceive how the United States could promulgate a meaningful [information warfare] deterrence doctrine if every aspect of our capabilities and operational concepts is classified,” the Senate report said.

During the cold war, “deterrence was not possible without letting friends and adversaries alike know what capabilities we possessed and the price that adversaries would pay in a real conflict. Some analogous level of disclosure is necessary in the cyber domain.”

(Or, as Dr. Strangelove put it 40 years ago, “The whole point of a Doomsday Machine is lost if you keep it a secret!”)

As things stand, the Senate report said, “virtually everything about the [cyber security] initiative is highly classified, and most of the information that is not classified is categorized as ‘For Official Use Only’.”

“These restrictions preclude public education, awareness, and debate about the policy and legal issues, real or imagined, that the initiative poses in the areas of privacy and civil liberties.”

“The committee strongly urges the administration to reconsider the necessity and wisdom of the blanket, indiscriminate classification levels established for the initiative.”

The committee’s remarks on the National Cyber Security Initiative were published in its report on the 2009 defense authorization act, excerpted here.

SASC Rebuffs Pentagon Secrecy Proposals

The Senate Armed Services Committee (SASC) rejected several legislative proposals submitted by the Department of Defense that would have increased the Department’s secrecy authority.

One proposal would have granted the Defense Intelligence Agency an extension of its “operational files” exemption from the Freedom of Information Act, which expired at the end of 2007. Such an exemption would permit the agency to dismiss FOIA requests for certain types of intelligence records without searching or reviewing the records.

Another proposal would have created new criminal penalties for the unauthorized disclosure or possession of maps and other geospatial products that have been marked for Limited Distribution (LIMDIS).

“For several years, products bearing the LIMDIS caveat have wrongfully been offered for sale to the public through a variety of means from surplus stores to on-line auctions,” the Pentagon said as justification for the proposal.

“Current protection efforts have been ineffective, at least in part, because of the lack of effective penalties for unauthorized possession, sale, and use.”

A third proposal would have expanded the government’s authority to withhold certain unclassified homeland security information from disclosure under the Freedom of Information Act.

The three proposals, all of which were excluded from the Senate Committee mark up of the 2009 defense authorization act, were presented earlier this year in the Pentagon’s own draft of the authorization bill and were described in detail here.

DoD Releases Directive on Information Operations

A 2006 Department of Defense directive on Information Operations (pdf), which had previously been withheld as “For Official Use Only,” was released last week in response to a Freedom of Information Act request from the Federation of American Scientists.

The directive, issued by the Under Secretary of Defense (Intelligence), assigns baseline responsibilities for the conduct of information operations, an umbrella term that includes electronic warfare, computer network operations, psychological operations, military deception, and operations security.

Among related capabilities, the directive cites “public affairs,” the purpose of which is “to communicate military objectives, counter misinformation and disinformation, deter adversary actions, and maintain the trust and confidence of the U.S. population, as well as our friends and allies. Effective military operations shall be based on credibility and shall not focus on directing or manipulating U.S. public actions or opinion.”

The New York Times reported on April 20 that the Pentagon had mobilized numerous former military officials, some with unacknowledged financial interests in Department programs, to help generate favorable news coverage of the Bush Administration’s war policies. It is not clear (to me, at least) how this practice comports with the declared Pentagon policy on public affairs, i.e. whether it violates the policy, or implements it.

See “Information Operations,” Department of Defense Directive O-3600.1, August 14, 2006.

OLC Views the Office of Vice President, 1955-2007

The Office of Legal Counsel (OLC) at the Department of Justice has been pondering the peculiar status of the Office of Vice President for decades, and has recently released a collection of more than a dozen OLC opinions regarding the Vice President, dating back to the Eisenhower Administration.

“The Vice President, of course, occupies a unique position under the Constitution. For some purposes, he is an officer of the Legislative Branch, and his status in the Executive Branch is not altogether clear,” wrote William H. Rehnquist, the future Chief Justice, in a 1969 OLC opinion (pdf) that foreshadowed a similar argument offered last year by Vice President Cheney.

“With regard to the Vice President there is even a constitutional question whether the President can direct him to abide by prescribed standards of conduct,” asserted Antonin Scalia in a 1974 OLC opinion (pdf).

“The Vice Presidential Office is an independent constitutional office, and the Vice President is independently elected. Just as the President cannot remove the Vice President, it would seem he may not dictate his standards of conduct,” the future Justice Scalia wrote.

The OLC opinions concerning the Vice President, which were previously provided to the House Judiciary and Oversight Committees, were released by OLC in response to a Freedom of Information Act request from the Federation of American Scientists.

White House Issues Policy on “Controlled Unclassified Info”

The White House last week issued a long-awaited policy on “controlled unclassified information” (CUI) to provide a uniform government-wide system for safeguarding unclassified information that is deemed sensitive.

The CUI framework is supposed to replace the numerous individual agency control markings — “sensitive but unclassified,” “for official use only,” and over a hundred other designations — and thereby to overcome barriers to information sharing within the government.

But the new policy will do nothing to restore public access to government records that have been improperly withheld.

Development of the CUI policy began with a December 16, 2005 memo from the President directing agencies to “standardize procedures for sensitive but unclassified information.” Despite the passage of two and a half years, however, little progress has been made in defining the terms of the new policy.

It establishes a single CUI framework, with three graduated levels of sensitivity and security. But the definition of what information may qualify as CUI, which includes anything that “under law or policy” requires protection from unauthorized disclosure, is vague and expansive.

To put it another way, the CUI policy does not exclude anything that is currently controlled as Sensitive But Unclassified.

This is a disappointment in light of previous suggestions that wholesale disclosures of currently controlled unclassified information might ensue.

“The great majority of the information which is now controlled can be put in a simple unclassified, uncontrolled category, it seems to me,” said Amb. Thomas McNamara, program manage of the ODNI Information Sharing Environment, in 2006 testimony (pdf) before Congress.

But under the new Bush policy, “the great majority of the information” that Amb. McNamara said should be uncontrolled will remain controlled and unavailable to the public.

The CUI policy properly notes that the new policy does not modify the requirements of the Freedom of Information Act process: “CUI markings may inform but do not control the decision of whether to disclose or release the information to the public, such as in response to a request made pursuant to the Freedom of Information Act.”

But despite the passage of years since the policy was proposed, many of the hard decisions involved have been deferred to the implementation phase.

Which, if any, of the more than 100 existing control categories will be canceled, rather than absorbed into the new CUI category? The new policy does not say. At what point, if any, does the CUI designation expire? There’s no way to tell. What enforcement mechanisms are established to ensure compliance with the new policy? To be determined.

Update: Smintheus at Daily Kos has more.