Posts from December, 2010

Shrink the Classification System

Faced with release of hundreds of thousands of classified records by Wikileaks in recent months, what should the government do?  The best answer might be to release hundreds of millions of such records!  By stripping away the accretions of decades of overclassification, a wholesale reduction in classified records would restore some integrity to the classification system, bolster public confidence in its legitimacy, and strengthen the security of residual classified secrets.

In a recent exchange with a National Security Council official who deals with information policy, we suggested that the optimal response to unauthorized disclosures would be an accelerated program of authorized disclosures, leading to a sharp reduction in the size and scope of the classification system.  He wasn’t buying it.

“Unfortunately, for reasons you can imagine, this is not a good time to promote that bit of common sense,” he replied.  To the contrary, however, we think this is the best time to shrink the classification system, before it sputters into incoherence and ultimate irrelevance.

It is true that the past year has seen significant breakthroughs in reducing nuclear stockpile secrecy and intelligence budget secrecy, among other notable achievements.  But it is also true that systemic secrecy reform is lagging.  There are many illustrative problems that tell the tale:

**  Last December President Obama called for recommendations on ways to achieve a “fundamental transformation” of the security classification system.  A year later, no such recommendations have been formulated or submitted to the President for action.  (The Public Interest Declassification Board will hold a public meeting on the subject on January 20, 2011.)  The process of transformation appears to be stillborn.

**  It so happens that President Obama has already ordered the declassification of hundreds of millions of records.  These are not contemporary records, but a backlog of historical records more than 25 years old.  Some 400 million pages of them are  supposed to be declassified and made public by the end of 2013, the President said in December 2009.  But to meet that goal, it will be necessary to declassify an average of 100 million pages per year.  In the first six months of this year, less than 8 million were declassified, according to a report (pdf) from the National Declassification Center.  This modest beginning will make it difficult if not impossible to fulfill the task assigned by the President.

**  In the Administration’s most direct response to the problem of overclassification, President Obama directed each classifying agency to perform a Fundamental Classification Guidance Review “to identify classified information that no longer requires protection and can be declassified.”  Agencies were given two years to complete the Review, from July 2010 to June 2012. Six months of that period have already elapsed.  But this week the Defense Department, the largest classifying agency, told Secrecy News that thus far it had no records concerning implementation of the Review.  In other words, it seems that no discernible progress has been made.

**  Meanwhile, it turns out that the Pentagon Papers that were famously leaked by Daniel Ellsberg in 1971 are still technically classified, observed historian John Prados of the National Security Archive this week.  The four volumes of diplomatic materials that Ellsberg withheld from release (because he considered them too sensitive) have been formally declassified.  But the forty-three volumes of leaked materials, though widely republished, have never undergone declassification review, Prados said.  This means that every public and private library that has a copy of the Papers is the unofficial (and unauthorized) custodian of Top Secret government records.  This is our classification system as it exists today.

**  And this week it emerged that zealous security officials had blocked Air Force computers from accessing the New York Times and other sites in order to prevent viewing of classified records.  This is the security policy equivalent of the gospel teaching “If thine eye offend thee, pluck it out.”  But presumably that biblical injunction was never meant to be taken literally.  Someone should tell the Air Force.

In short, national security classification policy is in a state of stagnation, confusion and disarray — and not because of leaks.  Bringing it to good order will require a clear statement of vision, some determined leadership, and concrete action.  An intensive declassification campaign that would slash the size of the classification system to manageable proportions would be the right move, now.

Classified Information Policy, and More from CRS

Noteworthy new reports from the Congressional Research Service that have not been made readily available to the public include the following (all pdf).

“Classified Information Policy and Executive Order 13526,” December 10, 2010.

“Screening and Securing Air Cargo: Background and Issues for Congress,” December 2, 2010.

“Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress,” November 15, 2010.

“Reorganization of the Minerals Management Service in the Aftermath of the Deepwater Horizon Oil Spill,” November 10, 2010.

Goodbye, Mr. Bond

Last year, Senator Christopher Bond (R-MO) told reporters that there is “a far Left-wing fringe group that wants to disclose all our vulnerabilities. I don’t know what their motives are but I think they are very dangerous to our security.”

More hating on Wikileaks?  No, Senator Bond was actually talking about the Federation of American Scientists, after we disclosed the inadvertent publication on the Government Printing Office website of a draft declaration on U.S. nuclear facilities.

Needless to say, we did not recognize ourselves in any part of Senator Bond’s confused comment.  But he reminds us that much of what passes for political discourse is little more than pigeonholing of others into friends and enemies, heroes and villains.  It is hard to learn much that way.

Somehow it comes as no surprise to discover that Senator Bond is the last Senator to have been “slugged” on the Senate floor, as Senate Minority Leader Mitch McConnell pointed out on Tuesday. It is maybe a little surprising that the person whom he drove to violence was none other than the late Sen. Daniel Patrick Moynihan.

In his farewell remarks to the Senate, Sen. Bond briefly discussed the “little scuffle I had with Pat Moynihan. I never talked about it. We never said anything publicly until now. Later on, as we became fast friends, he used to  tease me about setting up boxing matches so we could raise money for charity. But when I looked at his height and his reach, I didn’t take him up on that.”

Support Secrecy News

Many thanks to those readers who have already made contributions to help support Secrecy News.  If you are able and willing to join them, tax-deductible contributions can be made here (select “Government Secrecy” from the drop-down menu to direct your donation to Secrecy News).

You can also write a check payable to Federation of American Scientists and mail it here:

Secrecy News
Federation of American Scientists
1725 DeSales Street NW, Suite 600
Washington, DC  20036

Unless inspiration strikes hard, today’s Secrecy News posts will be the last of 2010.  See you next year.

JASON: Science of Cyber Security Needs More Work

“Cyber security is now critical to our survival but as a field of research [it] does not have a firm scientific basis,” according to the Department of Defense.  “Our current security approaches have had limited success and have become an arms race with our adversaries.  In order to achieve security breakthroughs we need a more fundamental understanding of the science of cyber security.”

To help advance that understanding, the DoD turned to the JASON defense advisory panel, which has just produced a new report (pdf) on the subject.

“There is a science of cyber security,” the JASONs said, but it “seems underdeveloped in reporting experimental results, and consequently in the ability to use them.”

The JASON report began by noting that “A science of cyber security has to deal with a combination of peculiar features that are shared by no other area of study.”

“First, the background on which events occur is almost completely created by humans and is digital.  That is, people built all the pieces.  One might have thought that computers, their software, and networks were therefore completely understandable.  The truth is that the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well [after the fact],” the report said.

“Second, cyber security has good guys and bad guys.  It is a field that has developed because people have discovered how to do things that other people disapprove of, and that break what is thought to be an agreed-upon social contract in the material world.  That is, in cyber security there are adversaries, and the adversaries are purposeful and intelligent.”

The JASON report went on to discuss the importance of definitions (including the definition of cyber security itself, which is “imprecise”), the need for a standard vocabulary to discuss the subject, and the necessity (and difficulty) of devising experimental protocols that would permit development of a reproducible experimental science of cyber security.

“There are no surprises in this report, nor any particularly deep insights,” the JASON authors stated modestly.  “Most people familiar with the field will find the main points familiar.”  Also, “There may be errors in the report, and substantive disagreements with it.”

In fact, however, the report is full of stimulating observations and is also, like many JASON reports, quite well written.  While cyber security fundamentally requires an understanding of computer science, the report explained that it “also share aspects of sciences such as epidemiology, economics, and clinical medicine;  all these analogies are helpful in providing research directions.”  An analogy between cyber security and the human immune system, with its “innate” and “adaptive” components, was found to be particularly fruitful.

“At the most abstract level, studying the immune system suggests that cyber security solutions will need to be adaptive, incorporating learning algorithms and flexible memory mechanisms…. [However,] adaptive solutions are expensive in terms of needed resources.  Approximately 1% of human cells are lymphocytes, reflecting a rather large commitment to immune defense.  [By analogy,] one should therefore expect that significant amount of computational power would be needed to run cyber security for a typical network or cluster.”

The report recommended DoD support for a network of cyber security research centers in universities and elsewhere.  With barely a hint of irony, the JASONs also endorsed an April 2010 statement by Wang Chen, China’s chief internet officer, that “Leaking of secrets via the Internet is posing serious threats to national security and interests.”

A copy of the new JASON report was obtained by Secrecy News.  See “Science of Cyber-Security,” November 2010.

How Many People Have Security Clearances?

How many government employees and contractors hold security clearances for access to classified information?  Remarkably, it is not possible to answer that question today with any precision. But it should be possible by next February, officials said at a House Intelligence Subcommittee hearing on December 1.

Currently there is no precise tally of the number of cleared persons, and there is no way to produce one, said John Fitzpatrick, Director of the ODNI Special Security Center.

“We can find definitively if any individual has a clearance at any one point in time,” he told Rep. Anna Eshoo, the subcommittee chair.  But “to take that point in time and define the number of all the people that do takes a manipulation of data in databases that weren’t intended to do that.”

“To give a precise [answer] requires, I think, due diligence in the way we collect that data and the way that data changes.”  And in fact, “we have a special data collection to provide a definitive answer on that in the February 2011 IRTPA report,” referring to an upcoming report required under the 2004 Intelligence Reform and Terrorism Prevention Act.

In the meantime, Mr. Fitzpatrick said, “To give a ballpark number [of total security clearances] is not difficult.”

Well then, Rep. Eshoo asked, “What would a ballpark figure today be?”

“Oh, I’d like to take that one for the record,” Mr. Fitzpatrick replied. “It’s — you know, I’d give you — I’d like to take that one for the record.”

Based on prior reporting by the Government Accountability Office, the ballpark figure that we use is 2.5 million cleared persons.  (“More Than 2.4 Million Hold Security Clearances,” Secrecy News, July 29, 2009).

Govt Response to Wikileaks Said to Cause More Damage

The U.S. Government insists that the classification markings on many of the leaked documents being published by Wikileaks and other organizations are still in force, even though the documents are effectively in the public domain, and it has directed federal employees and contractors not to access or read the records outside of a classified network.

But by strictly adhering to the letter of security policy and elevating security above mission performance, some say the government may be causing additional damage.

“At DHS we are getting regular messages [warning not to access classified records from Wikileaks],” one Department of Homeland Security official told us in an email message. “It has even been suggested that if it is discovered that we have accessed a classified Wikileaks cable on our personal computers, that will be a security violation. So, my grandmother would be allowed to access the cables, but not me. This seems ludicrous.”

“As someone who has spent many years with the USG dealing with senior officials of foreign governments, it seems to me that the problem faced by CRS researchers (and raised by you) is going to be widespread across our government if we follow this policy.”

“Part of making informed judgments about what a foreign government or leader will do or think about something is based on an understanding and analysis of what information has gone into their own deliberative processes. If foreign government workers know about something in the Wikileaks documents, which clearly originated with the U.S., then they will certainly (and reasonably) assume that their US counterparts will know about it too, including the staffers. If we don’t, they will assume that we simply do not care, are too arrogant, stupid or negligent to find and read the material, or are so unimportant that we’ve been intentionally left out of the information loop. In any such instance, senior staff will be handicapped in their preparation and in their inter-governmental relationships,” the DHS official said.

“I think more damage will be done by keeping the federal workforce largely in the dark about what other interested parties worldwide are going to be reading and analyzing. It does not solve the problem to let only a small coterie of analysts review documents that may be deemed relevant to their own particular ‘stovepiped’ subject area. Good analysis requires finding and putting together all the puzzle pieces.”

So far, however, this kind of thinking is not finding a receptive audience in government. There has been no sign of leadership from any Administration official who would stand up and say:  “National security classification is a means, and not an end in itself.  What any reader in the world can discover is no longer a national security secret. We should not pretend otherwise.”

Treasury Classification Guide, and Other Resources

The Department of the Treasury has recently produced a consolidated classification guide, detailing exactly what kinds of Treasury information may be classified at what level and for how long.  It is in such agency classification guides, not in high-level government-wide policy statements, that the nuts and bolts of government secrecy policy are to be found, and perhaps to be changed.  See “Security Classification Guide” (pdf), Department of the Treasury, December 2010.

The Congressional Research Service yesterday offered its assessment of the Stuxnet worm, which was evidently designed to damage industrial control systems such as those used in Iran’s nuclear program.  See “The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability” (pdf), December 9, 2010.

Intelligence historian Jeffrey Richelson has written what must be the definitive account of the rise and fall of the National Applications Office, the aborted Department of Homeland Security entity that was supposed to harness intelligence capabilities for domestic security and law enforcement applications. The article, which is not freely available online, is entitled “The Office That Never Was: The Failed Creation of the National Applications Office.”  It appears in the International Journal of Intelligence and Counter Intelligence, vol. 24, no. 1, pp. 65-118 (2011).

The latest issue of the Journal of National Security Law & Policy (vol. 4, no. 2) is now available online.  Entitled “Liberty, terrorism and the laws of war,” it includes several noteworthy and informative papers on intelligence and security policy.

Publishing Classified Info: A Review of Relevant Statutes

“There appears to be no statute that generally proscribes the acquisition or publication of diplomatic cables,” according to a newly updated report (pdf) from the Congressional Research Service, “although government employees who disclose such information without proper authority may be subject to prosecution.”

But there is a thicket of statutes, most notably including the Espionage Act, that could conceivably be used to punish unauthorized publication of classified information, such as the massive releases made available by Wikileaks.  See “Criminal Prohibitions on the Publication of Classified Defense Information”, December 6, 2010.

The updated CRS report sorts through those statutes, provides an account of recent events, presents a new discussion of extradition of foreign nationals who are implicated by U.S. law, and summarizes new legislation introduced in the Senate (S. 4004).

A previous version (pdf) of the CRS report, issued in October, was cited by Sen. Dianne Feinstein in a Wall Street Journal op-ed yesterday in support of prosecuting Wikileaks, though the report did not specifically advise such a course of action.  Sen. Feinstein also seemed to endorse the view that the State Department cables being released by Wikileaks are categorically protected by the Espionage Act and should give rise to a prosecution under the Act.

But the Espionage Act only pertains to information “relating to the national defense,” and only a minority of the diplomatic cables could possibly fit that description.

The new CRS report put it somewhat differently: “It seems likely that most of the information disclosed by WikiLeaks that was obtained from Department of Defense databases [and released earlier in the year] falls under the general rubric of information related to the national defense. The diplomatic cables obtained from State Department channels may also contain information relating to the national defense and thus be covered under the Espionage Act, but otherwise its disclosure by persons who are not government employees does not appear to be directly proscribed. It is possible that some of the government information disclosed in any of the three releases does not fall under the express protection of any statute, despite its classified status.”

Incredibly, CRS was unable to meaningfully analyze for Congress the significance of the newest releases because of a self-defeating security policy that prohibits CRS access to the leaked documents.

The CRS report concludes that any prosecution of Wikileaks would be unprecedented and challenging, both legally and politically.  “We are aware of no case in which a publisher of information obtained through unauthorized disclosure by a government employee has been prosecuted for publishing it. There may be First Amendment implications that would make such a prosecution difficult, not to mention political ramifications based on concerns about government censorship.”

For our part, we would oppose a criminal prosecution of Wikileaks under the Espionage Act.

CRS Seeks Guidance on Using Leaked Docs

After its access to the Wikileaks web site was blocked by the Library of Congress, the Congressional Research Service this week asked Congress for guidance on whether and how it should make use of the leaked records that are being published by Wikileaks, noting that they could “shed important light” on topics of CRS interest.

CRS “has informed our House and Senate oversight committees, and solicited their guidance, regarding the complexities that the recent leaks of classified information present for CRS,” wrote CRS Director Daniel Mulhollan in a December 6 email message (pdf) to all CRS staff.  “I have also contacted the majority and minority counsels of select committees in the House and Senate requesting guidance on the appropriate boundaries that CRS should recognize and adhere to in summarizing, restating or characterizing open source materials of uncertain classification status in unclassified CRS reports and memoranda for Congress.”

“Our challenge is how to balance the need to provide the best analysis possible to the Congress on current legislative issues against the legal imperative to protect classified national security information. This is especially a problem in light of the massive volume of recently released documents, which may shed important light on research and analysis done by the Service,” Mr. Mulhollan wrote.

“As guidance becomes available from Congress, I will follow-up with additional information.  At present, it seems clear that the republication of known classified information by CRS in an unclassified format (e.g., CRS reports or congressional distribution memoranda) is prohibited. We believe this prohibition against the further dissemination of classified information in an unclassified setting applies even if a secondary source (e,g., a newspaper, journal, or website) has reprinted the classified document. The laws and applicable regulations are decidedly less clear, however, when it comes to referencing and citing secondary sources that refer to, summarize, or restate classified information.”

A copy of Mr. Mulhollan’s email message was obtained by Secrecy News.