Posts from April, 2011

Privacy Protection Online, and More from CRS

Some new or newly updated reports from the Congressional Research Service include the following (all pdf).

“Privacy Protections for Personal Information Online,” April 6, 2011.

“Department of Defense Contractors in Iraq and Afghanistan: Background and Analysis,” March 29, 2011.

“Iran Sanctions,” April 4, 2011.

“Asylum and ‘Credible Fear’ Issues in U.S. Immigration Policy,” April 6, 2011.

“The Changing Demographic Profile of the United States,” March 31, 2011.

Congress does not permit the public to gain direct access to reports of the Congressional Research Service online.

Secrecy of Cyber Threats Said to Cause Complacency

The American public does not have an accurate sense of the threat posed by attacks in cyberspace because most of the relevant threat information is classified, according to Sen. Sheldon Whitehouse (D-RI), who introduced legislation last week to raise public awareness of cyber security hazards.

“The damage caused by malicious activity in cyberspace is enormous and  unrelenting,” Sen. Whitehouse said on April 14. “Every year, cyber attacks inflict vast damage on our Nation’s consumers, businesses, and government agencies. This constant cyber assault has resulted in the theft of millions of Americans’ identities; exfiltration of billions of dollars of intellectual property; loss of countless American jobs; vulnerability of critical infrastructure to sabotage; and intrusions into sensitive government networks.”

“These massive attacks have not received the attention they deserve.  Instead, we as a nation remain woefully unaware of the risks that cyber attacks pose to our economy, our national security, and our privacy,” he said.

“This problem is caused in large part by the fact that cyber threat information ordinarily is classified when it is gathered by the government or held as proprietary when collected by a company that has been attacked. As a result, Americans do not have an appropriate sense of the threats that they face as individual Internet users, the damage inflicted on our businesses and the jobs they create, or the scale of the attacks undertaken by foreign agents against American interests.”

With Sen. Jon Kyl (R-AZ), Sen. Whitehouse introduced the “Cyber Security Public Awareness Act” to require government agencies to provide increased public reporting of cyber threat information.

“As of 2011, the level of public awareness of cyber security threats is unacceptably low. Only a tiny portion of relevant cyber security information is released to the public. Information about attacks on Federal Government systems is usually classified. Information about attacks on private systems is ordinarily kept confidential. Sufficient mechanisms do not exist to provide meaningful threat reports to the public in unclassified and anonymized form,” the bill stated.

Last year, Sen. Whitehouse chaired a bipartisan Senate Intelligence Committee task force on cyber security.

“The government keeps the damage we are sustaining from cyber attacks secret because it is classified,” he said last November. The private sector keeps the damage they are sustaining from cyber attacks secret so as not to look bad to customers, to regulators, and to investors. The net result of that is that the American public gets left in the dark.”

Online Security Tips from the National Security Agency

The National Security Agency published a brochure this month on “Best Practices for Keeping Your Home Network Secure” (pdf). Among other online security measures, the NSA suggested providing false answers to password recovery challenge questions.

“The cyber threat is no longer limited to your office network and work persona,” the NSA said. “Adversaries realize that targets are typically more vulnerable when operating from their home network since there is less rigor associated with the protection, monitoring, and maintenance of most home networks. Home users need to maintain a basic level of network defense and hygiene for both themselves and their family members when accessing the Internet.”

Obama Classification Reform Effort Fails to Take Hold

An Obama Administration initiative to curb overclassification of national security information that was announced in December 2009 has produced no known results to date.

The Fundamental Classification Guidance Review, which was mandated by President Obama’s executive order 13526 (section 1.9), requires each classifying agency to review all of its existing classification instructions prior to June 2012 and “to identify classified information that no longer requires protection and can be declassified.” While more than a year remains to complete the process, it is already behind schedule.

The Department of Defense, the most prolific classifying agency, failed to produce implementing regulations for the executive order in advance of the December 31, 2010 deadline for doing so set by the President.  As a result, most DoD components have not even started to review their classification guides, of which there are thousands.

Most recently, U.S. Central Command said that it had no records concerning the Fundamental Classification Guidance Review.  “We conducted a thorough and good faith search for responsive information,” CENTCOM told us in a March 28 letter (pdf). “Despite our extensive and careful search for documents pertaining to your request, we were unable to locate responsive information.”

U.S. European Command, on the other hand, said that it had already completed its Fundamental Review. But it concluded that its existing classification practices were already optimal, so no reductions in classification were required!

“The EUCOM Intelligence Office conducted a review as directed by E.O. 13526 for a Fundamental Classification Guidance Review,” EUCOM said (pdf) on January 18.  “No inefficiencies were found during the EUCOM review. No documents were produced during the review therefore, EUCOM reports a no records found in response to your FOIA request.”

Other agencies, including the Department of Energy, the Department of Homeland Security, and the Department of State seem to be taking a more diligent approach to the Fundamental Review, though even in those cases no specific elimination of any current classification instruction is known to have occurred thus far.

Some significant reductions in Obama Administration classification policy have occurred, including dramatic changes in intelligence budget secrecy and nuclear stockpile secrecy.  But these important developments emerged from issue-specific circumstances, and not from systematic classification reform efforts.

Last January, the director of the Information Security Oversight Office wrote to senior agency officials to emphasize the importance of the Fundamental Review and the need for rigorous implementation.

“The scope of this review needs to be systematic, comprehensive, and conducted with thoughtful scrutiny involving detailed data analysis,” wrote ISOO director William J. Bosanko.  But Mr. Bosanko has recently moved on from ISOO, which awaits appointment of a new director.  Meanwhile the Fundamental Review appears stalled and unproductive in much of the executive branch.

The Debt Limit: History and Recent Increases

A statutory limit on total federal debt has been in place since 1917.  In the past decade, Congress has voted to raise the debt limit ten times and it will now have to do so once again.

The history of the debt limit and its current implications were discussed in a recently updated report from the Congressional Research Service. See “The Debt Limit: History and Recent Increases” (pdf), March 7, 2011. And see, relatedly, “Reaching the Debt Limit: Background and Potential Effects on Government Operations,” February 11, 2011.

Reports from the Congressional Research Service have become such an integral part of the national policymaking process that two CRS reports were cited this month in an opinion (pdf) issued by the Justice Department Office of Legal Counsel concerning the President’s constitutional authority to use military force in Libya.

One of the reports addressed “Instances of Use of United States Armed Forces Abroad, 1798-2010″ and the other was on “Haiti: Developments and U.S. Policy Since 1991 and Current Congressional Concerns.

Remarkably, however, neither of the CRS reports that was cited in the OLC opinion is available on any congressional website, since Congress stubbornly opposes direct public access to CRS products.  To find them online, one must turn to non-congressional websites.

Presidential Directive on “National Preparedness”

The Obama Administration today released the text of Presidential Policy Directive (PPD) 8 (pdf) on “National Preparedness.”  The Directive, signed by President Obama on March 30, generally calls for development of systematic response plans for natural and manmade disasters, and seeks to enlist broad engagement in the process.

“This directive is aimed at strengthening the security and resilience of the United States through systematic preparation for the threats that pose the greatest risk to the security of the Nation, including acts of terrorism, cyber attacks, pandemics, and catastrophic natural disasters. Our national preparedness is the shared responsibility of all levels of government, the private and nonprofit sectors, and individual citizens. Everyone can contribute to safeguarding the Nation from harm . As such, while this directive is intended to galvanize action by the Federal Government, it is also aimed at facilitating an integrated, all-of-Nation, capabilities-based approach to preparedness.”

From a secrecy policy perspective, two points may be noted.

First, while presidential directives are fundamental instruments of national policy, the Obama White House does not make them available on the White House web site.  You can find the names of hundreds of thousands of tourists who visited the White House and other information of questionable value and utility, but you cannot find a collection of unclassified directives issued by President Obama.  This is incongruous.

Second, it is noteworthy that the new Presidential Policy Directive is only the eighth one to be issued by the Obama Administration.  At this point in the third year of the George W. Bush Administration, around 25 presidential directives (NSPDs) had been issued.  And in the Clinton Administration, there had been around 35 directives (PDDs).  So this Administration is using directives much more sparingly, for reasons that are hard to discern from a distance.

Court Hears Pre-Trial Motions in Thomas Drake Leak Case

A federal court heard pre-trial arguments last week in the case of former National Security Agency official Thomas A. Drake, who is charged with unlawful retention of NSA documents.  He allegedly relayed some of those documents to a Baltimore Sun reporter, who subsequently wrote stories about NSA waste and mismanagement.  At last week’s hearing (pdf), prosecutors and defense attorneys battled over the facts of the case, the scope of the charges, the constitutionality of the Espionage Act statutes, the nature of the evidence that may be presented at trial, and other matters.

In the end, each side got a favorable ruling on the “must win” issues it needed in order to have a chance of success at the actual trial, which is scheduled for June.  Judge Richard D. Bennett of the Maryland District Court sided with prosecutors in affirming the constitutionality of both the Espionage Act and the Classified Information Procedures Act, and he declined to dismiss any of the multiple charges against Mr. Drake.  But he ruled for the defense in deciding that Mr. Drake could present evidence that he was acting as a whistleblower, and that he could also introduce newspaper articles from the Baltimore Sun reflecting his input.

The arguments themselves were at least as interesting as the resulting decisions, and they recapitulated many longstanding disagreements about using the espionage statutes to prosecute leaks.  “Both sides have presented excellent legal briefings…, and the quality of the legal argument is obvious for all to see,” said Judge Bennett.

The court rejected defense motions arguing that the espionage statutes were unconstitutionally vague or overbroad, and also refused to dismiss five counts against Mr. Drake charging him with unlawful retention of information protected by the Espionage Act.

But crucially for the defense, the court ruled that “the fact that your client was acting as a whistleblower” could be introduced at trial because it relates to the question of the defendant’s “intent.”  To gain a conviction, prosecutors must prove that the defendant acted with specific intent to violate the law. (The court also admitted an amicus brief [pdf] prepared by the Government Accountability Project which argued that Mr. Drake’s whistleblower role was entitled to First Amendment protection.)

And the court granted a defense motion to introduce certain newspaper articles, over prosecution objections.  “We need to be able to the show the jury that none of the classified information that the Government alleges they found in our client’s home is in the articles,” defense attorney James Wyda said.

However, Judge Bennett indicated that former Baltimore Sun reporter Siobhan Gorman, who wrote the news stories involving information she allegedly obtained from Mr. Drake, would not be called to testify.  “We’re not going down the path of having reporters called to the witness stand, because, you know, I’m not inclined to incarcerate a reporter who asserts a privilege,” the judge said.  “That’s the last thing we need right now…. To the extent that we even think about calling a reporter to the witness stand, I think we’re really going down a deep, dark hole here in terms of how this case would proceed and assertions of privilege and everything else.”

Prosecutors defended their proposal to employ the so-called “silent witness” rule, by which some evidence would be presented to a jury but not revealed in open court.  That would be tantamount to closing the trial, objected defense attorney Deborah L. Boardman, and would place the defense at a significant disadvantage.  “It is fraught with constitutional peril,” she said, “and the practical problems associated with it are incalculable.”  The court deferred a ruling on that question.

A copy of the transcript of the March 31 hearing on pre-trial motions in USA v. Thomas Drake was obtained by Secrecy News.

Before Mr. Drake’s trial begins, the court must hear arguments and issue rulings on the classified information (or agreed-upon substitutes for it) that may be introduced at trial under the provisions of the Classified Information Procedures Act.  The Congressional Research Service recently prepared an overview of that statute.  See “Protecting Classified Information and the Rights of Criminal Defendants: The Classified Information Procedures Act” (pdf), March 31, 2011.

Next week, Mr. Drake will be awarded the “Ridenhour Prize for Truth-Telling” from the Nation Institute and the Fertel Foundation.

The Whistleblower Protection Enhancement Act (S.743), which would extend whistleblower protection to intelligence community employees, was introduced in the Senate yesterday.

In Search of “Unfettered Access” to CRS Reports

Members of the public enjoy unrestricted access to all reports of the Congressional Research Service, according to the Librarian of Congress, Dr. James H. Billington.

“Though CRS has no direct public mission, at present the public has unfettered access to the full inventory of CRS Reports for the Congress at no cost through the office of any Member or committee,” he wrote in an April 4 letter (pdf) to Amy Bennett of Openthegovernment.org.

Unfortunately, that assertion is quite wrong.  The public does not have access to the full inventory of CRS Reports. There is not even a public index of CRS reports that would enable people to request specific reports by title.

No Member of Congress or committee permits unfettered public access to all CRS Reports, which are produced and updated at a rate of perhaps a dozen a day, although individual reports will often be released upon specific request.  (Some CRS Reports are prepared confidentially for individual Members and those are not available to others under any circumstances, except when the Member chooses to release them.)

Still, Dr. Billington’s mistaken belief that the public already has “unfettered access” to the entire CRS database is a hopeful sign, because it tends to confirm that providing such access to non-confidential CRS Reports is a sensible and achievable goal.  Indeed, otherwise well-informed people like the Librarian of Congress assume that it must already be true.

Postponed: I will be participating in a panel discussion on “The Future of CRS” on Monday, April 11, sponsored by the Sunlight Foundation’s Advisory Committee on Transparency, which will address the issue of public access to CRS products and related issues. Update: This event has been postponed.

Military Justice, State Secrets, and More from CRS

Noteworthy new reports from the Congressional Research Service that have not been made readily available to the public include the following (all pdf).

“Military Justice: Courts-Martial, An Overview,” March 31, 2011.

“The State Secrets Privilege: Preventing the Disclosure of Sensitive National Security Information During Civil Litigation,” March 28, 2011.

“Rare Earth Elements in National Defense:  Background, Oversight Issues, and Options for Congress,” March 31, 2011.

“Government Shutdown: Operations of the Department of Defense During a Lapse in Appropriations,” April 1, 2011.

New Leak Penalties Proposed in Senate Intel Bill

The Senate Intelligence Committee is proposing to punish leaks of classified information by authorizing intelligence agencies to seize the pension benefits of current or former employees who are believed to have committed an unauthorized disclosure of classified information.

The pending proposal would “provide an additional administrative option for the Intelligence Community to deter leakers who violate the prepublication review requirements of their non-disclosure agreements,” the Committee said in its new report (pdf) on the FY2011 Intelligence Authorization Act.

“This option may require individuals to surrender their current and future federal government pension benefits if they knowingly violate the prepublication review requirements in their non-disclosure agreements in a manner that discloses classified information to an unauthorized person or entity,” the report said.

But the premises of the new proposal are questionable and it has generated some controversy even within the Senate Committee itself.

The starting point of the Committee proposal is that leakers are rarely if ever punished.  “A particular source of frustration has been that leakers are rarely seen to suffer consequences for leaking classified information.”  In fact, however, the number of ongoing leak-related prosecutions is currently at an all-time high.

Secondly, the Committee believes that existing administrative sanctions that stop short of criminal prosecution — including “security clearance revocation, suspension, or termination” — are inadequate and incomplete because they cannot reach persons who are no longer government employees.  “Unfortunately, these sanctions are not generally available for use against a key source of leaks, former Intelligence Community employees.”  But it is not at all clear, and the Committee does not attempt to demonstrate, that former Intelligence Community employees are “a key source of leaks.”  In practice, the government already has strong legal authority to enforce prepublication review requirements, and the CIA is currently engaged in suing at least one of its former employees (“Ishmael Jones”) for an alleged violation of those requirements.

Perhaps for those reasons and others, the Intelligence Community itself did not request the pension seizure authority that the Senate Intelligence Committee now proposes to bestow on it.

But the pending proposal may be worse than unnecessary, said Sen. Ron Wyden in a dissenting statement attached to the new Intelligence Committee report. He said it could discourage whistleblowers and impede congressional access to information.

“My concern is that giving intelligence agency heads the authority to take away the pensions of individuals who haven’t been formally convicted of any wrongdoing could pose serious problems for the due process rights of intelligence professionals, and particularly the rights of whistleblowers who report waste, fraud and abuse to Congress or Inspectors General,” Sen. Wyden wrote.

“It is unfortunately entirely plausible to me that a given intelligence agency could conclude that a written submission to the congressional intelligence committees or an agency Inspector General is an ‘unauthorized publication,’ and that the whistleblower who submitted it is thereby subject to punishment under [this provision], especially since there is no explicit language in the bill that contradicts this conclusion.”

“Withholding pension benefits from a legitimate whistleblower would be highly inappropriate, but overzealous and even unscrupulous individuals have served in senior government positions in the past, and will undoubtedly do so again in the future. This is why it is essential to have strong protections for whistleblowers enshrined in law, and this is particularly true for intelligence whistleblowers, since, given the covert nature of intelligence operations and activities, there are limited opportunities for public oversight. But reporting fraud and abuse by one’s own colleagues takes courage, and no whistleblowers will come forward if they do not believe that they will be protected from retaliation,” wrote Sen. Wyden, who voted against the pending bill (pdf).

Another provision of the bill calls for establishment of “an effective automated insider threat detection program for the information resources in each element of the Intelligence Community in order to detect unauthorized access to, or use or transmission of, classified information.”

Setting aside the specifics of the proposals, the underlying message from the Senate Committee is that agencies should do even more, not anything less or different, to combat leaks of classified information.  The Senate Committee was silent on other aspects of classification policy.  In particular, it had no guidance to offer concerning the halting efforts in the Intelligence Community to reduce overclassification.

Update: Senator Wyden said that he would object to any attempt to pass the FY2011 Intelligence Authorization bill by unanimous consent because of his opposition to the pension forfeiture provision.