Posts from December, 2009

GAO: Release of Nuclear Document Caused No Damage

A five-month long investigation by the Government Accountability Office determined that the inadvertent publication of a 267 page document describing U.S. civilian nuclear research facilities caused no damage to national security and did not require any remedial security measures at the cited facilities.  Yet surprisingly, even though its publication had no adverse consequences at all, GAO endorsed the claim that the document was “sensitive” and recommended that rigorous new procedures be adopted to prevent public disclosure of such information in the future.

See “Managing Sensitive Information: Actions Needed to Prevent Unintended Public Disclosures of U.S. Nuclear Sites and Activities,” Government Accountability Office report GAO-10-251, December 2009.

The inadvertently disclosed document, a draft U.S. government declaration to the International Atomic Energy Agency (IAEA), was transmitted from the White House to Congress in May 2009.  Though it was identified in a cover letter as “sensitive but unclassified,” it was forwarded to the Government Printing Office for publication and was incorporated in an online GPO document database.  Secrecy News identified the document and republished it on June 1.  The New York Times, the Washington Post and other publications reported on it on June 3.  Concluding that a mistake had been made, the GPO removed the document from its public database and recalled the hardcopy editions.  But by that time, tens of thousands of copies had been downloaded around the world.  Speaker of the House Nancy Pelosi asked the GAO to investigate who was at fault, and what damage had been done.

Almost everyone involved was at fault, the GAO concluded.  But what is more remarkable is that the disclosure of the ostensibly “sensitive” document was found to have caused no damage to security at all.

GAO said that the agencies that prepared the unclassified compilation had carefully reviewed it prior to transmitting to Congress “to ensure that information of direct national security significance was not included.”  In cases where site-specific details were described in the draft declaration, such information “was publicly available on agency Web sites or other publicly available documents.”  Department of Energy officials told GAO that “no information detrimental to national security was included in the document.”

After the unintended disclosure of the draft declaration occurred, agencies once again reviewed facility security in light of the document’s public availability.  “Based on these assessments, DOE officials told us they did not increase security at any site,” the GAO said.  Operators of an NRC facility likewise “determined the procedures they had in place were sufficient, even with the release of the draft declaration.”

Unfortunately, instead of critically questioning the “sensitivity” of such a demonstrably innocuous document, the GAO report took for granted that it should never have been published.  Worse, GAO proposed strict new procedures to limit any future disclosures of this kind.

But if a document produces no detrimental effects when disclosed, then it is not sensitive in any meaningful sense of the word.  More rigorous procedures are needed to prevent the unnecessary protection of such material, not to enforce it.  Having missed that central point, the GAO report represents a lost opportunity to advance a more sensible information security policy.

*     *     *

The public disclosure of the draft declaration generated an unusual volume of confusion and misinformation.

“It is probably not that dangerous,” said David Albright of the Institute for Science and International Security in the Washington Post (6/3/09), “but it is a violation of the law.”  But that is not correct.  There is no law prohibiting disclosure of the information in the draft declaration, and so there was no violation of the law.

The document is “a one-stop shop for information on U.S. nuclear programs,” I found myself saying in the New York Times (6/3/09).  Besides being glib, that wasn’t correct either.  The draft declaration dealt only with civilian research programs and excluded U.S. military nuclear programs.

Sen. Christopher Bond (R-MO) said it was all FAS’s fault.  “There’s a group called the Federation of American Scientists – a far Left-wing fringe group that wants to disclose all our vulnerabilities,” he explained to reporters.  “I don’t know what their motives are but I think they are very dangerous to our security.” (“Senator Bond concerned by online posting of civilian nuke sites” by Steve Walsh, Missouri News, June 3, 2009.)

In fact, it is now clear from the GAO investigation that no vulnerabilities were disclosed, no damage to security resulted, and no corrective security measures were required.

*     *     *

Although the International Atomic Energy Agency said in response to an inquiry from FAS that it had no objection to publication of the draft declaration (a fact not noted by the GAO), officials from several U.S. agencies months later remained adamantly opposed to continued public access to the document.

At an August meeting at the State Department, an NRC official told FAS’s Ivan Oelrich and me that the document contained information on the uranium enrichment capacity of certain U.S. companies, the disclosure of which could somehow put them at a commercial disadvantage with foreign uranium producers.  But there are no known indications that anything like that has come to pass.

Another official with the rank of Ambassador made the astonishing claim that if other countries saw just how cursory the U.S.’s reporting of its nuclear activities was, they would soon reduce their own cooperation with the IAEA to a similar, minimal level.

A senior State Department official therefore urged FAS to remove the draft declaration from our website.  The official acknowledged that the document had already been widely disseminated internationally, that it was still posted on several other websites, and that removing it from the FAS website would not make any practical difference of any kind.  But the official courteously requested that we do so, as a “favor.”  We agreed.

Some day, and that day may never come, we will call upon the State Department to do a favor for us.

New Executive Order Awaits Presidential Decision

A new draft executive order on national security classification and declassification policy is expected to be presented to President Obama this week for his personal resolution of issues which remain in dispute among policymakers and affected agencies, especially intelligence agencies.

This marks the first time since the first Bush Administration, nearly two decades ago, that a President has needed to make a final determination on the contents of an executive order because staffers and agencies were unable to reach a consensus view. (Correction: There is a more recent precedent for such presidential involvement. According to Morton Halperin, President Clinton was presented with a “split memo” in 1995 on the question of whether to include a public interest balancing test for declassification in executive order 12958. President Clinton decided against it.)

The currently disputed issues are believed to include the composition of the Interagency Security Classification Appeals Panel, including whether it should include representatives of ODNI or CIA or both, and whether the intelligence agencies should continue to have the veto over Panel declassification decisions that was granted by the George W. Bush Administration.

The final order, which is likely to be issued before the end of December, is expected among other things to direct agencies to conduct a Fundamental Classification Guidance Review in order to eliminate obsolete classification requirements, and to establish a National Declassification Center to coordinate and expedite declassification of historical records, as described in a previous draft dated August 4, 2009.

See “Obama Plan Could Limit Records Hidden From Public” by Pete Yost, Associated Press, December 20, 2009.

State Dept Series Falls Farther Behind Schedule

The U.S. State Department’s official Foreign Relations of the United States (FRUS) series had another disappointing year in 2009 with only two softcopy volumes published to date, including one released last week on “Global Issues, 1973-1976.”

The FRUS series is supposed to provide “comprehensive documentation of the major foreign policy decisions and actions of the United States Government” and it must must be “thorough, accurate, and reliable.”  As such, it is a potentially vital tool for advancing declassification of significant historical records and assuring government accountability, at least over the long run.

Publication of FRUS is not optional.  By statute, “The Secretary of State shall ensure that the FRUS series shall be published not more than 30 years after the events recorded.”  But that 30 year goal, which has rarely if ever been met, is now receding further and further from realization, leaving the Secretary of State in violation of the law.

State Department spokesman Ian C. Kelly did not respond to a request for comment on the Department’s continuing violation of the law on FRUS publication.

But William B. McAllister, the Acting General Editor of FRUS, expressed a hopeful view of the future despite recent turmoil, which included the last-minute withdrawal of person who was to become the new FRUS General Editor.  He said that a third FRUS volume on “Foreign Economic Policy, 1973-1976″ would appear before the end of the year, and at least one other in January 2010.

Likewise, Dr. Robert McMahon, who chairs the State Department’s Historical Advisory Committee, said “We continue to be optimistic about publication prospects for FRUS volumes in the near future despite the disappointing number of volumes that came out this year.  There are four Vietnam volumes alone that should be published in 2010.”

“We anticipate being able to fill all [employment] vacancies in 2010, many of them rather early in the year,” Dr. McAllister wrote in an email message. “The Office of the Historian is … well on its way to resolving the multiple infrastructure, document handling, and archival access issues that impact FRUS production…. The Office of the Historian has launched several initiatives to address systemic impediments that slow the declassification process.”  And over time, “we anticipate returning to a more typical production cycle.”  But a typical production cycle has never yet meant regular compliance with the mandatory 30 year FRUS publication requirement.

The latest FRUS volume on “Global Issues, 1973-1976″ has a number of interesting features and a few peculiarities. Oddly, all of the documents were marked as declassified in December 2008, so this collection was apparently ready for publication online a year ago.  And unlike other contemporaneous FRUS volumes, audio tapes are not listed as a source and were apparently not used in the collection.  No explanation for this omission was offered.

Among the noteworthy records in the collection is a 1976 intelligence assessment (pdf) of the likelihood of terrorist acquisition of nuclear weapons, which is deemed “unlikely” in the following year or two.  In most respects, the assessment is no longer current or relevant, but it still includes some remarkable observations.  Thus, it notes that “The locations of most U.S. [nuclear weapons] storage sites abroad are locally known and could be ascertained by any terrorist group with a moderately good intelligence potential.  Detailed intelligence about the site could be fairly readily acquired in many cases….”  Despite this apparent fact, which is even more likely to be true today, the Department of Defense still insists that such information is classified.  By doing so, it disrupts routine declassification activities, forcing reviewers to search for and remove non-sensitive but technically classified information.

See “The Likelihood of the Acquisition of Nuclear Weapons by Foreign Terrorist Groups for Use Against the United States,” United States Intelligence Board, Interagency Intelligence Memorandum, 8 January 1976.

Another 1976 document on Naming the Space Shuttle sought President Ford’s approval of a request from hundreds of thousands of “Star Trek” fans that the first NASA space shuttle be named “Enterprise.”  Most of the White House staff, including Brent Scowcroft and others, concurred.  But presidential counselor Robert T. Hartmann contended that Enterprise is “an especially hallowed Naval name… I think the Navy should keep it.”  Presidential counselor John O. Marsh approved the choice of the name, but said he was “not enthusiastic about the [Star Trek] rationale for the selection,” which he disdained as “appealing to a TV fad.”  President Ford initialed his approval of the proposal.

As it turns out, it seems that the Star Trek “fad” is going to outlast the space shuttle itself.

FBI Linguist Leaked Classified Docs to Blogger

An Israeli-American attorney who worked for the FBI as a translator pled guilty yesterday to unlawfully disclosing five classified FBI documents to an unidentified blogger last April, who then published information from the documents on his blog, the Justice Department announced.

In a signed plea agreement, Shamai Leibowitz stipulated that he had “knowingly and willfully caused five documents, which were classified at the Secret level and contained classified information concerning the communication intelligence activities of the United States, to be communicated… to a person not entitled to receive classified information (‘Recipient A’).  Recipient A was the host of a public web log (‘blog’) available to anyone with access to the Internet.”

“Recipient A then published on the blog information derived from the classified documents provided to Recipient A by Leibowitz.  As a result of these disclosures, intelligence sources and methods related to these documents were compromised,” the plea agreement said.

Recipient A was not named, and has evidently not been charged with any misconduct.  Leibowitz was charged under 18 U.S.C. 798, which prohibits unauthorized disclosure of communications intelligence information.

“The willful disclosure of classified information to those not entitled to receive it is a serious crime,” said David Kris, Assistant Attorney General for National Security. “Today’s guilty plea should serve as a warning to anyone in government who would consider compromising our nation’s secrets.”

Prosecutors credited Mr. Leibowitz for his “apparent prompt recognition and affirmative acceptance of personal responsibility for his criminal conduct” as well as his “timely notification of his intention to plead guilty.” Based on those and other factors, they proposed a sentence of 20 months imprisonment.

Though it has no bearing on the case, Mr. Leibowitz happens to be the grandson of Yeshayahu Leibowitz (1903-1994), a renowned Israeli scientist, orthodox Jewish philosopher, polemicist and political activist.

The case was first reported in “Israeli lawyer & peacenik guilty of leaking FBI secrets” by Josh Gerstein in Politico, December 17.  Laura Rozen, also writing in Politico, provided additional background and proposed speculatively that Leibowitz’s disclosures were behind an April 16, 2009 story in the New York Times on NSA’s “overcollection” of domestic intelligence.

TSA Cannot Order Sites to Take Down Sensitive Manual

After a Transportation Security Administration (TSA) manual containing “sensitive security information” was inadvertently disclosed on a government website, it was reposted on several non-governmental websites where it remains freely available.  Asked what TSA intends to do about that, Acting TSA Administrator Gale D. Rossides told Congress that her agency does not have the legal authority to compel members of the public to remove sensitive TSA documents from their websites, though she wished that they would do so.

“Do the current regulations provide you a mechanism to keep individuals from reposting this information on other web sites?” asked Rep. Charles W. Dent (R-PA), at a December 16 hearing of the House Homeland Security Subcommittee on Transportation Security.

“No, sir, they do not,” Ms. Rossides replied.  “We do not have any authority to ask non-government or non-DHS sites to take it down.”

“What action does TSA intend to take against those who are reposting this sensitive document that should not be in the public domain?” Rep. Dent persisted.

“Well, right now, there really isn’t any authoritative action we can take,” Ms. Rossides said.  “Honestly, persons that have posted it, I would, you know, hope that out of their patriotic sense of duty to, you know, their fellow countrymen, they would take it down.  But honestly, I have no authority to direct them and order them to take it down.”

But Rep. Dent expressed his own indignation at the web sites that ignored the official control markings on the TSA manual.  “To those who reposted this security information on the internet, you should share in the blame should security be breached as a result of this disclosure,” he said.

But the urgency of the need to restrict continued access to the leaked TSA manual seemed diminished by Ms. Rossides’ declared view that aviation security has not “been compromised or weakened because of this incident.”  Furthermore, she said, that manual was now obsolete because “very significant changes” have been made to airline security policy since the manual was issued.

Ms. Rossides added that in order to prevent further inadvertent disclosures of the newest security measures, she was refusing to provide a hardcopy of the latest edition of the TSA security manual to Congress.  “I just wanted to take the absolute measures to protect that information, and that’s why a hardcopy wouldn’t be presented,” she said.

Rep. Dent objected to this.  “By refusing to give a document to this committee because of concern about a public disclosure, that’s implying that this subcommittee would disclose the document.  And that’s what, I guess, troubles me the most.” He said he would press the issue.

Subcommittee chair Rep. Sheila Jackson-Lee (D-TX) said she would introduce legislation to bar contractors from access to “sensitive security information,” since contractors apparently were at fault in the inadvertent disclosure of the security manual.  “It’ll be my legislative initiative to insist that contract employees not be used to handle sensitive security information, period,” she said.

Rep. James Himes (D-CT) asked whether TSA was examining who had downloaded the security manual.

“I believe that is part of what [the TSA Inspector General] is looking at,” Ms. Rossides said.  “We do know — our CIO shop has done an initial review of who did download it and has it on their website — non-government, non-DHS websites.  We do know that.”

OSC Views Taliban Propaganda Video

A Taliban video distributed last month documented the purported seizure of an abandoned U.S. military base by Taliban forces in a remote province of Afghanistan.  The 7-minute video was analyzed in a recent report (pdf) from the DNI Open Source Center.

The video “glorifies the Taliban victory by highlighting the group’s triumphant entry into the ‘captured base,’ the symbolic burning of an American flag, and the [local Taliban governor] touring the area.”  A copy of the Taliban video (.wmv) and the OSC report, obtained by Secrecy News, may be found here.

The OSC report was discussed by Bill Gertz of the Washington Times in his Inside the Ring column today (the second item).  Other aspects of the video were previously reported in Wired’s Danger Room and Al-Jazeera.

New Framework Proposed for “Sensitive” Govt Info

The government should replace the more than 100 different control markings that are now used to limit the distribution of sensitive but unclassified (SBU) information and should establish a single “controlled unclassified information” (CUI) policy for all such information in government, according to an interagency task force report (pdf) that was released by the Obama Administration today.

“The Task Force concluded that Executive Branch performance suffers immensely from interagency inconsistency in SBU policies, frequent uncertainty in interagency settings as to exactly what policies apply to given SBU information, and the inconsistent application of similar policies across agencies,” the report said.  “Additionally, the absence of effective training, oversight, and accountability at many agencies results in a tendency to over-protect information, greatly diminishing government transparency.”

The Task Force said that their proposal for a single “controlled unclassified information” (CUI) regime would not only facilitate information sharing among federal, state and local government agencies, it would also increase transparency and enhance public access to government information.

“Because of its uniformity, standardized training requirements, and the public availability of the registry [indicating what categories of information are controlled], the expanded scope of the CUI Framework can be expected to significantly increase the openness and transparency of government….”

Not only that, “It is foreseeable, based on the revised definition and scope of CUI recommended herein, that some information currently treated as ‘sensitive’ may be found not to warrant CUI designation.”

The Task Force presented 40 recommendations to the President on implementing the proposed CUI policy that could serve as the basis for an executive order on the subject.  It builds upon, and would expand the scope of, the CUI Framework that was established in a May 2008 memorandum issued by President Bush, which dealt with the control and sharing of terrorism-related information.  See the Report and Recommendations of the Presidential Task Force on Controlled Unclassified Information, transmitted August 25, 2009 and released December 15, 2009.

The Task Force proposal is an admirable effort to bring order to a chaotic information environment.  But it has some rough edges, and some unresolved internal contradictions.

The proposed definition of CUI seems disturbingly lax:  “All unclassified information for which, pursuant to statute, regulation, or departmental or agency policy, there is a compelling requirement for safeguarding and/or dissemination controls” (p.11).  Putting “departmental or agency policy” on a par with statutes or regulations could potentially open the door to all kinds of arbitrary or improvised controls on information.

More fundamentally, it is hard to see how the Task Force proposal could achieve its central goal of eliminating all non-CUI controls on unclassified information.  The Task Force report itself states (in Recommendation 20) that “decontrol of CUI” does not by itself authorize public disclosure; it only means removal from the CUI Framework.  But if information that has been removed from the CUI Framework does not necessarily have to be disclosed, this means that decontrolled information can still be controlled!

The report properly takes pains to distinguish information control under the CUI regime from the statutory disclosure requirements of the Freedom of Information Act, which cannot be altered by executive fiat.  “At no time, pre- or post-control, is a CUI marking itself determinative of whether it may be released,” the report stated (p. 21).  But this implies, oddly, that information marked as CUI may sometimes be released, while information that is no longer CUI may sometimes be withheld.  And if it is withheld, one must also expect it to be marked with a (non-CUI) control marking.

In short, the CUI concept still has some wrinkles that remain to be ironed out.

The Task Force recommended a ten-year life cycle for CUI that is not otherwise subject to defined disclosure deadlines.  It recommended a baseline assessment of the volume of current SBU activity, but this is probably unachievable or at least not worth the effort involved.  Staffing and resources for the “Executive Agent” that manages the whole enterprise are uncertain, but are likely to be crucial or even decisive in the success of the proposed policy.  An appendix to the Task Force report listed 117 different markings currently in use to protect SBU information (described as “a partial listing”).

The Task Force proposal is “a good foundation,” said one senior Administration official.  But before the subject is addressed in an executive order, the final policy “needs to be more forward-leaning,” he said.

Meanwhile, the Department of Defense, the intelligence agencies, and the Department of Homeland Security have already indicated that they plan to use the CUI Framework for all of their sensitive unclassified information, another official said.

Some Recent Congressional Publications

Noteworthy new congressional reports and hearing volumes include the following:

“Report on Whistleblower Protection Enhancement Act of 2009,” Senate Homeland Security and Governmental Affairs Committee, Report No. 111-101, December 3, 2009.

“Report on the USA PATRIOT Act Sunset Extension Act of 2009,” Senate Judiciary Committee report 111-92, October 28, 2009.

“National Industrial Security Program: Addressing the Implications of Globalization and Foreign Ownership for the Defense Industrial Base” (pdf), House Armed Services Committee, April 16, 2008 (published November 2009).

“Upholding the Principle of Habeas Corpus for Detainees” (large pdf), House Armed Services Committee, July 26, 2007 (published November 2009).

IC “Scrambles” To Comply with Open Govt Directive

The U.S. intelligence community is not exempt from the requirements of the Obama Administration’s December 8 Open Government Directive, and agency officials are now trying to figure out how to comply with it.

“As you can imagine, there is some scrambling going on,” one official said.  “I think it’s a good sign.”

See “Open government could present a challenge to intelligence agencies” by Aliya Sternstein, NextGov, December 11, 2009.

CRS: “Not a Happy Place”

The Congressional Research Service, which performs policy research and analysis for Congress, is “not a happy place these days,” said a CRS staffer.

The staffer was referring to the fact that a respected CRS division chief, Morris Davis, had been abruptly fired from his position for publicly expressing some of his private opinions.  (“CRS Fires a Division Chief,” Secrecy News, December 4, 2009).  CRS Director Daniel Mulhollan, the man who fired Mr. Davis (it’s Colonel Davis, actually), evidently believes that CRS employees must have no independent public persona and must not express private opinions in public, even when such opinions are unrelated to their work at CRS, as in Davis’ case.  In short, CRS employees are expected to surrender their First Amendment rights.  Who could be happy with that?

The American Civil Liberties Union has taken up Col. Davis’ cause and in a December 4 letter (pdf), ACLU attorneys Aden Fine and Jameel Jaffer asked the Library of Congress (CRS’ parent organization) to reconsider its position by today, or else risk litigation seeking Davis’ reinstatement.  But it takes a special kind of integrity to admit error and to change course, and that is not the anticipated scenario in this case.

(Update: As expected, the Library of Congress refused to reconsider its position, setting the stage for a lawsuit. See the ACLU news release and the Library response here.)

“In spite of all that, I still believe we do excellent research,” the CRS staffer told Secrecy News.  Yet that research is still not made directly accessible to the public.

In the 2010 Legislative Branch Appropriations Act, Congress once again mandated that “no part of [the CRS budget] may be used to pay any salary or expense” to make CRS research reports available to the public without prior authorization.  This was obviously intended to block direct public access to CRS reports.  But it could also be read more satisfactorily to permit CRS employees to freely distribute CRS reports as long as they incur no additional expense when doing so.

Some notable new CRS reports obtained by Secrecy News include the following (all pdf).

“Privacy: An Overview of Federal Statutes Governing Wiretapping and Electronic Eavesdropping,” updated December 3, 2009.

“U.S. Arms Sales: Agreements with and Deliveries to Major Clients, 2001-2008,” December 2, 2009.

“War in Afghanistan: Strategy, Military Operations, and Issues for Congress,” December 3, 2009.

“The German Economy and U.S.-German Economic Relations,” November 30, 2009.

“Sexual Violence in African Conflicts,” November 25, 2009.

“Traumatic Brain Injury: Care and Treatment of Operation Enduring Freedom and Operation Iraqi Freedom Veterans,” November 25, 2009.

“Key Issues in Derivatives Reform,” December 1, 2009.

“U.S. Aerospace Manufacturing: Industry Overview and Prospects,” December 3, 2009.

“High Speed Rail (HSR) in the United States,” December 8, 2009.