RAND: What Should Be Classified?

What is the rationale for classifying information?  The RAND Corporation attempted to articulate an answer to that question and then to apply it in practice to a current national security issue.

In a new study prepared for the Pentagon’s Joint Staff, RAND researchers “developed a general framework for judging classification decisions” that, they suggested, might have broad use.  Their methodology depends on “the systematic application of common sense.”  If so, then it is a major breakthrough in classification policy, where common sense is often scarce.

“Apart from situations in which the security value of classification is obvious — e.g. protecting the identity of a clandestine source — how should decisions be made about what pieces of data should be classified?  Since classifying information creates costs, it should be approached as an explicit cost-benefit comparison (understood to include factors that cannot be monetized).”

“We defined four criteria that must be met even before a classification argument can even be considered: (1) classification must reduce information flow to the adversary, (2) the data obtained must change what the adversary knows, (3) the knowledge must affect the adversary’s decisions, and (4) the decisions must damage the United States in some way.”

“Only if the failure to classify a piece of information means that an adversary is more likely to get it and if having it changes the adversary’s estimate of a key piece of knowledge and if the change in knowledge alters a decision (or the probability of a decision) and if this decision is adverse to the United States would any case exist for classifying it — and then only if the costs of classification, broadly understood, are not greater.  If classification yields no measurable benefit, there is no justification for it even if the costs of classification are zero, which they never are,” the RAND study said.

More generally, “The public debate about classification policy does raise the question of whether the degree of damage [associated with release of a particular piece of information] is being estimated well. Put simply, just because a specific piece of information or a data set is useful in some way and relates to areas of security concern, it does not necessarily follow that the same information is useful to an adversary. Indeed, knowing that potential adversaries are interested in the information is no proof that their satisfaction would damage U.S. national security. If it is not damaging, restricting access to it will not, in fact, produce the expected security benefit.”

The RAND authors proceeded to apply their construct to the specific problem that the Joint Staff asked them to address, namely whether or not to classify the DoD’s “Global Force Management Data Initiative” (GFM DI), which is a set of protocols for information sharing.

“Having laid out a systematic process [for evaluating the question], we… found no good reason to classify GFM DI as a whole,” the study concluded.  (Some related subsets of data may require protection, the authors said.)  See “What Should Be Classified?” by Martin C. Libicki, et al, RAND National Defense Research Institute, 2010.

The RAND study was conducted independently of the the Obama Administration’s pending Fundamental Classification Guidance Review, but it exemplifies much of what the Review is supposed to achieve:  namely, a searching inquiry into the validity of specific classification decisions in light of their actual costs and benefits.

No Responses to “RAND: What Should Be Classified?”

  1. Daphine February 4, 2011 at 6:23 AM #

    This study encompasses far more than determining uniform classification criterion for triggering classification (or declassification) activity.

    It’s the basis of yet another “multi-billion dollar DoD proposal” aimed at integrating the notoriously disparate data elements in a patchwork of legacy databases.

    Surely, we can determine uniform classification criterion for triggering classification (or declassification) activity without incurring the costs for yet another multi-billion dollar “integration effort”?

    These “integration efforts” all too often do nothing more than demonstrate that obsolescence precedes deployment and usefulness, generating yet another follow-on “multi-billion dollar proposal”.

    One wonders whether these resources could be better utilized elsewhere?