Posts from August, 2011

Navy: Excessive Security Can Degrade Effectiveness

There can be such a thing as too much security, the Navy said in a new Instruction on “Operations Security” (pdf) or OPSEC.

OPSEC refers to the control of unclassified indicators that an adversary could use to derive “critical information” (CI) concerning military or intelligence programs.

“Properly applied, OPSEC contributes directly to operational effectiveness by withholding CI from an adversary, thereby forcing an adversary’s decisions to be based on information friendly forces choose to release,” the new Navy Instruction said. “Inadequate OPSEC planning or poor execution degrades operational effectiveness by hindering the achievement of surprise.”

But even if adequately planned and executed, not all OPSEC is necessary or useful; sometimes it is actually counterproductive.

“Excessive OPSEC countermeasures… can degrade operational effectiveness by interfering with the required activities such as coordination, training and logistical support,” the Instruction said.  See “Operations Security,” OPNAV Instruction 3432.1A, 4 August 2011.

Unfortunately, the Instruction does not and perhaps cannot provide criteria for distinguishing between proper OPSEC and excessive OPSEC.  Instead, it directs commanders and program managers to “evaluate” each operation and draw the appropriate conclusions.  What if the program manager is shortsighted or simply makes a mistake?  What if OPSEC is justified from a security perspective, but also undermines government accountability or public confidence in government integrity?  The Instruction has nothing to say about that.

Because of the subjective element in such decisions, the use of OPSEC (like the application of national security classification controls) is often arbitrary and disputed.

After 30 U.S. servicemen, including 17 Navy SEALs, were killed in Afghanistan on August 6 when their helicopter was shot down, U.S. Special Operations Command asked that the names of the SEALs not be disclosed for security reasons.  Secretary of Defense Leon Panetta rejected that view and the names were released by the Pentagon yesterday.

But in a questionable nod to OPSEC, the name of the unit to which the SEALs were attached — the Naval Special Warfare Development Group (DEVGRU) — was not cited by the Pentagon, Bloomberg News reported.  Instead, the DoD press release referred only to “an East Coast-based Naval Special Warfare unit.”  Yet the Navy itself has previously acknowledged and referred by name to the same SEAL unit.  See “Pentagon Releases Identities of SEALs Killed, Not Unit Name” by Tony Capaccio, Bloomberg News, August 11.

Information Sharing Still a Work in Progress

While information sharing among government agencies has increased dramatically over the past decade, it still falls short in some areas.

Due to “impediments to intelligence information sharing between U.S. forces and coalition partners,” information sharing with U.S. allies in Afghanistan has faltered to the detriment of the military mission, the Inspector General of the Department of Defense said in a mostly classified report last month.

Continuing impediments have “resulted in information not being tactically useful by the time it is authorized for release,” the Inspector General said.  See “Results in Brief: Improvements Needed in Sharing Tactical Intelligence with the International Security Assistance Force Afghanistan,” excerpted from DoD Inspector General Report 11-INTEL-13, July 18, 2011.

The 2011 Annual Report on the DNI Information Sharing Environment (pdf) said that “steady progress has been made” in information sharing, especially with respect to homeland security and law enforcement.

Among other things, the Report noted that the intelligence community intranet called Intelink “recently crossed the 100 million document threshold for records exposed to Intelink search services…. In one month alone this year, Intelink recorded over two million searches.”  Such datapoints “highlight the ability of IC personnel to access more information quicker and more effectively, enabling them to better share information and thus perform their missions,” the Report said.

Another recent report from the Government Accountability Office said the Information Sharing Environment still had not identified its desired “end state.”  Six years after it was created, “there is not a clear definition of what the ISE is intended to achieve and include.”  See “Information Sharing Environment: Better Road Map Needed to Guide Implementation and Investments” (pdf), Government Accountability Office report GAO-11-455, July 2011.

It should be understood that “information sharing” is quite different from “information disclosure,” and the two practices are usually at odds.  In fact, the prerequisite for most so-called information sharing is an official assurance that the information to be shared will not be disclosed to unauthorized persons such as members of the general public.

Executive Order Responding to WikiLeaks Due Shortly

The Obama Administration is putting the finishing touches on a new executive order that is intended to improve the security of classified information in government computer networks as part of the government’s response to WikiLeaks.

The order is supposed to reduce the feasibility and the likelihood of the sort of unauthorized releases of classified U.S. government information that have been published by WikiLeaks in the past year.

According to an official who has reviewed recent drafts, the order addresses gaps in policy for information systems security, including characterization and detection of the insider threat to information security.  It does not define new security standards, nor does it impose the security practices of intelligence agencies on other agencies.  (“It doesn’t say, ‘go polygraph everybody’,” the official said.)

Rather, the order establishes new mechanisms for “governance” and continuing development of security policies for information systems.  Among other things, it builds upon the framework established — but not fully implemented — by the 1990 National Security Directive 42 (pdf), the official said.

The order, developed on a relatively fast track over the past nine months, has already gone through two rounds of interagency coordination and is expected to be issued within a matter of weeks.

Offensive Cyber Tools to Get Legal Review, Air Force Says

Even the most highly classified offensive cyberwar capabilities that are acquired by the Air Force for use against enemy computer systems will be subject to “a thorough and accurate legal review,” the U.S. Air Force said in a new policy directive (pdf).

The directive assigns the Judge Advocate General to “ensure all cyber capabilities being developed, bought, built, modified or otherwise acquired by the Air Force that are not within a Special Access Program are reviewed for legality under LOAC [Law of Armed Conflict], domestic law and international law prior to their acquisition for use in a conflict or other military operation.”

In the case of cyber weapons developed in tightly secured Special Access Programs, the review is to be performed by the Air Force General Counsel, the directive said.  See “Legal Reviews of Weapons and Cyber Capabilities,” Air Force Instruction 51-402, 27 July 2011.

The Air Force directive is somewhat more candid than most other official publications on the subject of offensive cyber warfare.

Thus, “for the purposes of this Instruction, an Air Force cyber capability requiring a legal review prior to employment is any device or software payload intended to disrupt, deny, degrade, negate, impair or destroy adversarial computer systems, data, activities or capabilities.”

On the other hand, cyber capabilities requiring legal review “do not include a device or software that is solely intended to provide access to an adversarial computer system for data exploitation,” the directive said.

One challenge facing such legal reviews is that law and policy in the relatively new field of cyberwar are not fully articulated.  Another challenge is that where applicable law and policy do exist, they may be inconsistent with the use of offensive cyber tools.

In response to a question (pdf) on cyberwarfare from the Senate Armed Services Committee at his confirmation hearing last year, Lt. Gen. Keith Alexander of U.S. Cyber Command said: “President Obama’s cybersecurity sixty-day study highlighted the mismatch between our technical capabilities to conduct operations and the governing laws and policies, and our civilian leadership is working hard to resolve the mismatch.” (page 9)

But he added: “Given current operations, there are sufficient law, policy, and authorities to govern DOD cyberspace operations. If confirmed, I will operate within applicable laws, policies, and authorities. I will also identify any gaps in doctrine, policy and law that may prevent national objectives from being fully realized or executed to the Commander, U.S. Strategic Command and the Secretary of Defense.”

Asked whether DoD possesses “significant capabilities to conduct military operations in cyberspace,” Gen. Alexander would only provide an answer on a classified basis.

The Pentagon does not often acknowledge the existence of offensive cyber capabilities.  The “Department of Defense Strategy for Operating in Cyberspace” (pdf) that was released in unclassified form last month does not address offensive cyber warfare at all.

Some CRS Reports on Economic Policy

New reports from the Congressional Research Service on topics of economic policy include the following (all pdf).

“Boosting U.S. Exports: Selected Issues for Congress,” July 21, 2011

“Economic Recovery: Sustaining U.S. Economic Growth in a Post-Crisis Economy,” July 18, 2011

“Inflation: Causes, Costs, and Current Status,” July 26, 2011

“Treasury Securities and the U.S. Sovereign Credit Default Swap Market,” July 25, 2011

“The Unemployment Trust Fund (UTF): State Insolvency and Federal Loans to States,” July 8, 2011

“Can Contractionary Fiscal Policy Be Expansionary?,” June 6, 2011

“When Secrecy Gets Out of Hand”

The government’s relentless pursuit of people suspected of mishandling or leaking classified information underscores the need to combat the misuse of classification authority, wrote J. William Leonard, the former director of the Information Security Oversight Office (ISOO), in an op-ed in the Los Angeles Times today.

“The Obama administration, which has criminally prosecuted more leakers of purportedly classified information than all previous administrations combined, needs to stop and assess the way the government classifies information in the first place.”

“Classifying information that should not be kept secret can be just as harmful to the national interest as unauthorized disclosures of appropriately classified information,” he wrote.  See “When Secrecy Gets Out of Hand” by J. William Leonard, Los Angeles Times, August 10.

Mr. Leonard recently filed a complaint with the new ISOO director, John Fitzpatrick, based on his assessment that a document that served as a basis for criminal prosecution in the case of Thomas Drake should never have been classified at all.

Sunshine in Litigation Act Reported in Senate

A bill that would curb the ability of courts to impose secrecy orders on public health and safety information was favorably reported by the Senate Judiciary Committee last week.  See the report (pdf) on the Sunshine in Litigation Act of 2011, August 2, 2011.

“Court secrecy prevents the public from learning about public health and safety dangers,” the Committee report said.  “Over the past 20 years, we have learned about numerous cases where court-approved secrecy, in the form of protective orders and sealed settlements, has kept the public in the dark about serious public health and safety dangers.”

Such cases, many of which are cataloged in the report, have included “complications from silicone breast implants, adverse reactions to a prescription pain killer, ‘park to reverse’ problems in pick-up trucks, and defective heart valves.”

“This problem most often arises in product liability cases,” the report said. “In exchange for monetary damages, the victim is often forced to agree to a provision that prohibits him or her from revealing information disclosed during the case.”  As a result, “the public remains unaware of critical health and safety information that could potentially save lives.”

To address the problem, the bill would require judges to consider the public’s interest in disclosure of health and safety information before issuing a protective order prohibiting its disclosure.

The bill, which has been introduced repeatedly without success since 1994, was opposed by most Committee Republicans.  (Senators Grassley and Graham supported it.)

In a minority statement appended to the report, the Republican Senators said the bill was unnecessary and would be counterproductive.

“Without the certainty that a protective order will be upheld, litigants will raise significantly more objections to litigation discovery in order to protect confidential information.  Parties will be less willing to submit to discovery if they believe information will be disclosed to the public,” the dissenting Senators wrote.

“This bill would simply provide a tool to trial lawyers to conduct fishing expeditions and file frivolous lawsuits with impunity,” they said.

The bill was also opposed by the American Bar Association, which said the proposal was unwarranted and burdensome.

New Edition of Richelson’s “U.S. Intelligence Community”

A new edition of Jeffrey Richelson’s encyclopedic work on “The U.S. Intelligence Community” (Westview Press, July 2011) has just been published.

The book provides a uniquely synoptic view of the structure and functions of the massive U.S. intelligence bureaucracy.  Descriptive rather than prescriptive, the book serves best as a guide to some of the more obscure details of intelligence organizations, code names and procedures.

I provided a blurb for the book, which I have regularly found useful.  But it may be pointed out that the original edition of this work pre-dated the World Wide Web, and the latest (sixth) edition retains something of a pre-web sensibility.  If, for some reason, you wanted to know when the now-defunct National Imagery and Mapping Agency was established, Richelson could tell you.  But so could Wikipedia.  And while the new volume includes a list of Intelligence Community Directives, a directive (ICD 114) on GAO access to intelligence information that took effect June 30, 2011 was too recent to be included.

On the whole, however, “The U.S. Intelligence Community” benefits from Richelson’s meticulous research, his dispassionate presentation, and his robust sourcing, all of which make it an invaluable reference.

Update: It may be an error on my part to refer to the National Imagery and Mapping Agency as “defunct.” Although there is no longer an organization by that name, the former NIMA was redesignated in FY2004 as the National Geospatial-Intelligence Agency (NGA), which of course remains fully functional.

Wanted: A New CRS Director

Four months after the retirement of the previous director of the Congressional Research Service (CRS), Daniel Mulhollan, no successor has been named.  Today, the Library of Congress posted a solicitation on USA Jobs seeking applicants for the position of CRS Director.

“A successful candidate for this position should have thorough, substantive knowledge of the Congress as an institution and its operations.  The candidate should have experience interacting with Members of Congress and their staffs, and should possess first-hand knowledge of congressional decision-making, processes, and procedures,” the job announcement said.

Anyone with ideas of opening up CRS to interactions with the larger world would not be welcome.

Applicants “should have a strong desire to work exclusively for Congress,” the announcement said, reflecting the legacy view that CRS should not be responsive to anyone but Congress, and should not even make non-confidential CRS publications available to the public.

Recent CRS reports that are not publicly available from CRS include the following (all pdf).

“Suicide, PTSD, and Substance Use Among OEF/OIF Veterans Using VA Health Care: Facts and Figures,” July 18, 2011

“The State of Campaign Finance Policy: Recent Developments and Issues for Congress,” July 18, 2011

“Fairness Doctrine: History and Constitutional Issues,” July 13, 2011

“Chinese Tire Imports: Section 421 Safeguards and the World Trade Organization (WTO),” July 12, 2011

“State, Foreign Operations, and Related Programs: FY2012 Budget and Appropriations,” July 22, 2011

“The Republic of South Sudan: Opportunities and Challenges for Africa’s Newest Country,” July 25, 2011

“Critical Infrastructures: Background, Policy and Implementation,” July 11, 2011

“National Security Letters: Proposals in the 112th Congress,” June 30, 2011