Posts from August, 2013

Intelligence Agency Budgets Revealed in Washington Post

Secret intelligence agency budget information was abundantly detailed in the Washington Post yesterday based on Top Secret budget documents released by Edward Snowden.  See “U.S. spy network’s successes, failures and objectives detailed in ‘black budget’ summary” by Barton Gellman and Greg Miller, Washington Post, August 29.

The newly disclosed information includes individual agency budgets along with program area line items, as well as details regarding the size and structure of the intelligence workforce.  So one learns, for example, that the proposed budget for covert action in FY2013 was approximately $2.6 billion, while the total for open source intelligence was $387 million.

Some of the information only confirms what was already understood to be true. The budget for the National Security Agency was estimated to be about $10 billion, according to a recent story in CNN Money (“What the NSA Costs Taxpayers” by Jeanne Sahadi, June 7, 2013). The actual NSA budget figure, the Post reported, is $10.8 billion.

And the involuntary disclosure of classified intelligence budget information, while rare, is not unprecedented.  In 1994, the House Appropriations Committee inadvertently published budget data for national and military intelligence, the size of the CIA budget, and other details. (“$28 Billion Spying Budget is Made Public by Mistake” by Tim Weiner, New York Times, November 5, 1994)

But the current disclosure of intelligence budget information dwarfs all previous releases and provides unmatched depth and detail of spending over a course of several years, based on original documents.  The disclosure is doubly remarkable because the Post chastely refrained from releasing about 90% of the Congressional Budget Justification Book that it obtained.  “Sensitive details are so pervasive in the documents that The Post is publishing only summary tables and charts online,” Post reporters Gellman and Miller wrote.

This is not a whistleblower disclosure; it does not reveal any illegality or obvious wrongdoing. On the contrary, the underlying budget document is a formal request to Congress to authorize and appropriate funding for intelligence.

But the disclosure seems likely to be welcomed in many quarters (while scorned in others) both because of a generalized loss of confidence in the integrity of the classification system, and because of a more specific belief that the U.S. intelligence bureaucracy today requires increased public accountability.

Though it has never been embraced as official policy, the notion of public disclosure of individual intelligence agency budgets (above and beyond the release of aggregate totals) has an honorable pedigree.

In 1976, the U.S. Senate Church Committee advocated publication of the total intelligence budget and recommended that “any successor committees study the effects of publishing more detailed information on the budgets of the intelligence agencies.”

In a 1996 hearing of the Senate Intelligence Committee, then-Chair Sen. Arlen Specter badgered DCI John Deutch about the need for intelligence budget secrecy.

“I think that you and the Intelligence Community and this committee have got to do a much better job in coming to grips with the hard reasons for this [budget secrecy], if they exist. And if they exist, I’m prepared to help you defend them. But I don’t see that they exist. I don’t think that they have been articulated or explained,” the late Sen. Specter said then.

Committee Vice Chair Sen. Bob Kerrey added: “I would concur in much of what the Chairman has just said. I do, myself, believe not only the top line, but several of the other lines of the budget, not only could but should, for the purpose of giving taxpayer-citizens confidence that their money is being well spent.”

In 2004, the 9/11 Commission itself recommended disclosure of intelligence agency budgets: “Finally, to combat the secrecy and complexity we have described, the overall amounts of money being appropriated for national intelligence and to its component agencies should no longer be kept secret” (at page 416, emphasis added).

These are clearly minority views.  They could have been adopted at any time — as disclosure of the aggregate total was — but they haven’t been.  (And even these voices did not call for release of the more detailed budget line items that are now public.)  And yet they are not totally outlandish either.

The initial response of the executive branch to the Washington Post story will be to hunker down, to decline explicit comment, and to prohibit government employees from viewing classified budget documents that are in the public domain.  Damage assessments will be performed, and remedial security measures will be imposed.  These are understandable reflex responses.

But in a lucid moment, officials should ponder other questions.

How can public confidence in national security secrecy be bolstered?  Is it possible to imagine a national security secrecy system that the public would plausibly view not with suspicion but with support, much as the strict secrecy of IRS tax returns is broadly understood and supported?  What steps could be taken to reduce national security secrecy to the bare minimum?

Looking further ahead, is it possible to devise an information security policy that is based on “resilience” to the foreseeable disclosure of secrets rather than on the fervently pursued prevention of such disclosure?

Bee Health, Nanotechnology, and More from CRS

A comprehensive overview of the still-not-fully explained decline of honeybee and other bee populations is presented in a new report from the Congressional Research Service.

“To date, the precise reasons for bee colony losses are not yet known. Reasons cited for bee declines include a wide range of possible factors thought to be affecting pollinator species. These include bee pests and disease, diet and nutrition, genetics, habitat loss and other environmental stressors, agricultural pesticides, and beekeeping management issues, as well as the possibility that bees are being affected by cumulative, multiple exposures and/or the interactive effects of several of these factors,” the CRS report said.

The problem is not a trivial one particularly since, according to one estimate, “bee pollination of agricultural crops is said to account for about one-third of the U.S. diet.”  See Bee Health: Background and Issues for Congress, August 27, 2013.

Other new or newly updated CRS reports that Congress has withheld from online public distribution include the following.

The Debt Limit: History and Recent Increases, August 27, 2013

House Apportionment 2012: States Gaining, Losing, and on the Margin, August 23, 2013

Temporary Assistance for Needy Families (TANF): Characteristics of the Cash Assistance Caseload, August 21, 2013

Financing Natural Catastrophe Exposure: Issues and Options for Improving Risk Transfer Markets, August 15, 2013

The National Nanotechnology Initiative: Overview, Reauthorization, and Appropriations Issues, August 9, 2013

China/Taiwan: Evolution of the “One China” Policy — Key Statements from Washington, Beijing, and Taipei, August 26, 2013

European Union Wind and Solar Electricity Policies: Overview and Considerations, August 7, 2013

The National Defense Authorization Act for FY2012 and Beyond: Detainee Matters, August 27, 2013

National Security Strategy: Mandates, Execution to Date, and Issues for Congress, August 6, 2013

US Cyber Offense is “The Best in the World”

The subject of offensive cyber action by the U.S. government was classified for many years and was hardly discussed in public at all.  Then several years ago the possibility of U.S. cyber offense was formally acknowledged, though it was mostly discussed in the conditional mood, as a capability that might be developed and employed under certain hypothetical circumstances.

Today, however, U.S. offensive cyber warfare is treated as an established fact.  Not only that but, officials say, the U.S. military is pretty good at it.

“We believe our [cyber] offense is the best in the world,” said Gen. Keith B. Alexander, director of the National Security Agency and Commander of U.S. Cyber Command. His comments appeared in newly published answers to questions for the record from a March 2013 hearing of the House Armed Services Committee (at p. 87).

“Cyber offense requires a deep, persistent and pervasive presence on adversary networks in order to precisely deliver effects,” Gen. Alexander explained in response to a question from Rep. Trent Franks (R-AZ). “We maintain that access, gain deep understanding of the adversary, and develop offensive capabilities through the advanced skills and tradecraft of our analysts, operators and developers. When authorized to deliver offensive cyber effects, our technological and operational superiority delivers unparalleled effects against our adversaries’ systems.”

“Potential adversaries are demonstrating a rapidly increasing level of sophistication in their offensive cyber capabilities and tactics. In order for the Department of Defense to deny these adversaries an asymmetric advantage, it is essential that we continue the rapid development and resourcing of our Cyber Mission Forces.”

In response to another question for the record from Rep. James R. Langevin (D-RI), Gen. Alexander said that “Over the next three years we will train the Cyber Mission Forces that will perform world-class offensive and defensive cyber operations as part of our Cyber National Mission Teams, Cyber Combat Mission Teams and Cyber Protection Forces. We do not require additional authorities or resources to train the currently identified cyber professionals” (at page 85).

See Information Technology and Cyber Operations: Modernization and Policy Issues to Support the Future Force, hearing before the House Armed Services Committee, Subcommittee on Intelligence, Emerging Threats and Capabilities, March 13, 2013 (published July 2013).

At the time of his confirmation hearing before the Senate Armed Services Committee in 2010, Gen. Alexander was asked in a pre-hearing question, “Has the U.S. ever ‘demonstrated capabilities’ in cyberspace in a way that would lead to deterrence of potential adversaries?”  He replied (Question 15p):  “Not in any significant way.”

This seems to have been an incomplete response. Committee Chairman Sen. Carl Levin noted in questions for the record of Gen. Alexander’s confirmation hearing in 2010 that in fact offensive cyber capabilities had already been demonstrated: “Unfortunately, we also learned, after asking a specific question following the appearance of a Washington Post article reporting on an apparent offensive cyber operation, that DOD has undertaken a number of offensive cyber operations in the last several years, none of which was reported to the Armed Services Committees….”

On the vital question of oversight, Senator Levin asked:  “Lieutenant General Alexander, do you agree that it is appropriate that the Armed Services Committees be informed of all U.S. offensive cyber operations?”

Gen. Alexander provided an affirmative response, but in a way that altered the terms of the question:  “Yes, I agree that in almost all circumstances the Armed Services Committees should be informed in a timely manner of significant offensive cyber operations conducted by CYBERCOM.”

 

IG Says Homeland Security Secrecy Program is in Good Shape

The Department of Homeland Security “is streamlining classification guidance and more clearly identifying categories of what can be released and what needs to remain classified,” according to a new report from the DHS Inspector General.

The Reducing Over-classification Act of 2010 required the Inspector General at each executive branch agency that classifies information to evaluate the agency’s classification practices and to report on the results by the end of September 2013.  The new DHS report is the first of the bunch to be published.  See Reducing Over-classification of DHS’ National Security Information, DHS Office of Inspector General Report OIG-13-106, August 2013.

The report sheds new light on DHS classification practices and provides some useful criticism, but it has a serious conceptual flaw.

The flaw lies in the report’s definition of the problem:  “Over-classification is defined as classifying information that does not meet one or more of the standards necessary for classification under Executive Order 13526.”

The problem is that this is a definition of misclassification, not over-classification.  If information does not meet the standards for classification — for example, if it is not government information — then its classification is simply a mistake, not an act of over-classification.  By using such a definition, the DHS IG fails to recognize the real dimensions of over-classification and overlooks its most vexing aspect:  the classification of information that arguably does meet the standards of the Executive Order but that need not or should not be classified.

Over-classification in this deeper sense is at the center of many current controversies over government secrecy policy.  Can the role of the CIA in targeted killing operations be acknowledged?  Should the fact of bulk collection of telephone metadata records by NSA have been admitted before it was leaked?  Though such information was eligible for classification under the Executive Order, the decision to classify it now appears questionable.

But such issues are unfortunately beyond the scope of the DHS IG report, which does not allow for the possibility that information could both “meet the standards necessary for classification under the Executive Order” and still be over-classified.  Not a single instance of such over-classification was identified.  Rather, the IG concluded that DHS has “successfully implemented all policies and procedures required” and thus “DHS has a strong [classification] program.”

Despite its limited conception of the problem, the IG report found some significant areas for improvement.  Notably, DHS classifiers have been using obsolete software to apply classification markings.  As a result, “59 of the 372 DHS we reviewed contained declassification, sourcing, and marking errors.”  A new Classification Marking Tool is currently being acquired by DHS.  Still, “eighty interviewees noted that they would like more hands-on training to ensure they could classify information properly.”

Curiously, the IG report found that DHS officials had an equivocal attitude towards efforts to challenge classification decisions.

“All persons interviewed knew and were trained on the process of formally or informally challenging a classification, but some stated that they would be reluctant to disagree with the originator’s classification.  They did not fear retribution from senior management, but they did not believe that they were experts in challenging classification” (p. 16).

However, DHS employees resisted the possibility of offering incentives to challenge classification decisions.  “When asked, 90 out of 100 DHS derivative classifier interviewees said that they believed offering incentives may lead to unnecessary challenges, and challenges will be raised not in the spirit of reducing classification but for incentive reasons” (p. 10).

Such skepticism is totally speculative, and ought to be tested in practice.  But instead of proposing a pilot program to validate or discredit the use of incentives for classification challenges, the DHS Inspector General unfortunately just dropped the subject.

The IG report found that DHS had successfully performed the Fundamental Classification Guidance Review, leading to a 39 percent reduction in the number of security classification guides.

The report also noted that the classification statistics reported by DHS to the Information Security Oversight Office “may not be accurate,” and DHS officials acknowledged that there are “long-standing issues associated with the reliability and accuracy” of the reported numbers.

Despite its limitations, the DHS IG review seems to have been a useful exercise that focused new attention on the Department’s classification activities.  Additional reports from other agencies that conduct much larger classification programs are expected shortly.

Financial Disclosure by Federal Officials, and More from CRS

New and updated reports from the Congressional Research Service that Congress has withheld from broad public distribution include the following.

Financial Disclosure by Federal Officials and Publication of Disclosure Reports, August 22, 2013

Defense Surplus Equipment Disposal: Background Information, August 22, 2013

Iraq: Politics, Governance, and Human Rights, August 22, 2013

The United Arab Emirates (UAE): Issues for U.S. Policy, August 20, 2013

Changing the Federal Reserve’s Mandate: An Economic Analysis, August 12, 2013

The Affordable Care Act and Small Business: Economic Issues, August 15, 2013

Financing Natural Catastrophe Exposure: Issues and Options for Improving Risk Transfer Markets, August 15, 2013

Reauthorizing the Office of National Drug Control Policy: Issues for Consideration, August 13, 2013

International Drug Control Policy: Background and U.S. Responses, August 13, 2013

Mexico’s Peña Nieto Administration: Priorities and Key Issues in U.S.-Mexican Relations, August 15, 2013

Latin America and the Caribbean: Key Issues for the 113th Congress, August 9, 2013

Uzbekistan: Recent Developments and U.S. Interests, August 21, 2013

Mental Health Problems Surge in the Military: CRS

Mental health problems in the military are on the rise and pose a growing challenge to active duty forces, the Congressional Research Service said in a major new report on the subject.

“Between 2001 and 2011, the rate of mental health diagnoses among active duty servicemembers increased approximately 65%. A total of 936,283 servicemembers, or former servicemembers during their period of service, have been diagnosed with at least one mental disorder over this time period. Nearly 49% of these servicemembers were diagnosed with more than one mental disorder,” the CRS report said.

“Overall, mental health disorders have significant impacts on servicemember health care utilization, disability, and attrition from service. In 2011, mental disorders accounted for more hospitalizations of servicemembers than any other illness and more outpatient care than all illnesses except musculoskeletal injuries and routine medical care.”

The CRS cautioned that the data should be kept in perspective, considering the prevalence of mental health concerns among the civilian population. “Research suggests that an estimated 26.2% of Americans ages 18 and older experience a diagnosable mental disorder in any given year.”  See Post-Traumatic Stress Disorder and Other Mental Health Problems in the Military: Oversight Issues for Congress, August 8, 2013.

Other noteworthy new or updated CRS reports that Congress has withheld from broad public release include the following.

Veterans’ Medical Care: FY2014 Appropriations, August 14, 2013

Military Justice: Courts-Martial, An Overview, August 12, 2013

In Brief: Assessing DOD’s New Strategic Guidance, August 13, 2013

FY2014 National Defense Authorization Act: Selected Military Personnel Issues, August 19, 2013

GAO Bid Protests: Trends and Analysis, August 9, 2013

Egypt in Crisis: Issues for Congress, August 19, 2013

Syria’s Chemical Weapons: Issues for Congress, August 20, 2013

Telecommunications and Media Convergence: Selected Issues for Consideration, August 14, 2013

The Warrior Ethos, and More Military Doctrine

“Modern combat is chaotic, intense, and shockingly destructive. In your first battle, you will experience the confusing and often terrifying sights, sounds, smells, and dangers of the battlefield–but you must learn to survive and win despite them…. You must keep faith with your fellow Soldiers, remember your training, and do your duty to the best of your ability. If you do, and you uphold your Warrior Ethos, you can win and return home with honor.”

So begins the Introduction to a newly updated US Army Training Circular on The Warrior Ethos and Soldier Combat Skills (TC 3-21.75, August 2013, very large PDF file), which aims to communicate and instill core military values.

Another newly updated Pentagon publication presents joint doctrine on Homeland Defense (HD). It “defines and clarifies the domestic use of rules of engagement and rules for the use of force in HD operations.”  And it “Clarifies and elaborates thoroughly the role of planning for cyberspace operations and the duties involved.”

The document also provides lots of incidental details of interest, such as a reference to a previously unheard-of Presidential Policy Directive 10 on US Ballistic Missile Defenses.  “PPD-10 acknowledges that ballistic missile systems present an increasingly important challenge and threat to the security of the US, its deployed forces, and its allies and partners. PPD-10 provides policy and guidelines for the development and deployment of US BMDs.” See Joint Publication 3-27, Homeland Defense, July 29, 2013.

The Navy has issued new guidance to combat the Insider Threat, as the Army did last month.

The insider threat program places unauthorized disclosures (or “leaks”) on a par with espionage or terrorism, and prior to either of them in the official definition.  Thus an insider threat, as defined by the Department of Defense, is “a person with authorized access, who uses that access, wittingly or unwittingly, to harm national security interests or national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in loss or degradation of resources or capabilities.”  See Department of the Navy Insider Threat Program, SECNAV Instruction 5510.37, August 8, 2013.

 

Leaks Inspire GAO Review of “Classification Inflation”

“The recent disclosure of classified information regarding U.S. national security programs requires a thorough assessment of the current classification system,” wrote Rep. Duncan Hunter in a letter to the Government Accountability Office, the investigative arm of Congress.

The leaks by Edward Snowden, in other words, are a sign that there are serious problems in government secrecy policy.

In his June 19, 2013 letter, Rep. Hunter asked GAO to perform the desired assessment, and his request was endorsed by Rep. Martha Roby, chair of the House Armed Services Committee Subcommittee on Oversight and Investigations.  In a July 30 reply, GAO accepted the request and said it would “begin the work shortly.”

For Rep. Hunter, the starting point is a concern that unnecessary secrecy may put legitimate secrets at risk.  Overclassification is bad security policy.

“With access to classified information contingent on the issuance of security clearances, overclassification stands to dangerously expand access to material that should ordinarily be limited,” he wrote.  He therefore posed a series of questions that cover a range of classification policy issues.

He asked GAO to determine “the degree to which material is classified that does not materially impact national security.”  This is one definition of overclassification, though it is not one that is used or recognized by the executive branch.

Under the executive order on classification, a national security secret need not “materially impact national security.”  It is enough if its unauthorized disclosure could reasonably be expected to cause damage to national security in the judgment of a person who is authorized to classify.  If the authorized classifier’s judgment reflects bias, inertia, erroneous or incomplete information– well, the executive order has nothing to say about that.

The result, Rep. Hunter said in a news release, is that “There’s real classification inflation going on, putting information that should be available to the public out of view and creating a degree of exposure by widening access to sensitive information that should be limited.”

Rep. Hunter also asked GAO to review “the degree to which material is classified in excess of current security procedures,” which is another form of overclassification.  It refers to information that is be classified Top Secret when it should only be classified Secret, for example.

Rep. Hunter asked “Whether narrowing classification requirements would reduce the need for nearly 5 million individuals to hold security clearances, and whether reducing that number would limit security disclosures.”

It stands to reason that less classification would likely entail the need for fewer clearances and that a leaner secrecy and security system would be easier to manage with improved quality control.  But there is no particular reason to suppose that the number of leakers is directly proportional to the number of clearances.

Crucially, Rep. Hunter asked GAO to investigate “if there are accountability systems in place to review agency and employee classification decisions to identify persistent instances of overclassification.”  There aren’t!

While classification guidance is supposed to be reviewed by the classifying agency itself every five years, and there are isolated mechanisms for challenging specific classification decisions, there is no systemic procedure for independent review and correction of classification judgments.  There should be.  (An extended argument for impartial review of classification decisions is here.)

For good measure, Rep. Hunter asked GAO to consider “the degree to which excessive classification harms information sharing” and “the effectiveness of the process to declassify information.”

Though his request letter was broadly framed with respect to classification policy generally, it appears that the GAO response will focus on classification activity within the Department of Defense.  Rep. Hunter is a member of the House Armed Services Committee and Rep. Roby is a HASC subcommittee chair, and so DoD secrecy policy is clearly within their jurisdiction.

The unauthorized disclosures of classified information by Edward Snowden have presented numerous important issues of public policy.  Is bulk collection of telephone and email records an acceptable practice, or should it be categorically proscribed?  How did congressional oversight fail to accurately gauge and to effectively represent conflicted public sentiment concerning domestic surveillance?  What is to be done with the Foreign Intelligence Surveillance Court?

But Rep. Hunter identified secrecy policy as a deeper systemic problem that also requires a constructive response.  With the GAO’s new engagement, and with the ongoing work of agency Inspectors General under the Reducing Over-classification Act, secrecy policy is now receiving some long overdue attention that may yet yield corrective action.

The pending GAO review of secrecy policy was previously reported in “Manning, Snowden Trigger First-of-its-Kind Secrecy Review” by Shane Harris, Foreign Policy, July 31;  “‘Classification inflation’ at Pentagon under investigation: GAO” by Shaun Waterman, Washington Times, July 31;  “Too many classified papers at Pentagon? Time for a secrecy audit” by Anna Mulrine, Christian Science Monitor, August 2.

When Can the Military Support Civil Authorities?

The Posse Comitatus Act of 1878 generally prohibits military forces from performing ordinary civilian law enforcement functions such as arrest, surveillance, interdiction, search and seizure.

But a newly updated Department of Defense doctrinal publication notes that, despite this prohibition, “There are several forms of direct assistance to civilian law enforcement by military personnel that are permitted under the Military Purpose Doctrine. The Military Purpose Doctrine provides that law enforcement actions that are performed primarily for a military purpose, even when incidentally assisting civil authorities, will not violate the PCA [Posse Comitatus Act].”

These may include investigations related to the Uniform Code of Military Justice, enforcement actions on a military installation, and measures to protect classified military information or equipment, among others identified by the DoD document.

The publication broadly addresses crisis response, support to law enforcement, and other forms of assistance. See “Defense Support of Civil Authorities,” Joint Publication 3-28, July 31, 2013.

The publication introduces a new addition to the DoD lexicon: “complex catastrophe.”

A complex catastrophe (which may “magnify requirements for defense support of civil authorities”) is defined as:  “Any natural or man-made incident, including cyberspace attack, power grid failure, and terrorism, which results in cascading failures of multiple, interdependent, critical, life-sustaining infrastructure sectors and causes extraordinary levels of mass casualties, damage or disruption severely affecting the population, environment, economy, public health, national morale, response efforts, and/or government functions.”

Army Establishes Insider Threat Program

On July 30, a military judge found Army Pfc. Bradley Manning guilty of multiple violations of the Espionage Act and other laws because of his unauthorized disclosure of restricted government records to the WikiLeaks website.

On July 31, the Secretary of the Army formally established the Army Insider Threat Program. Remarkably, this is still a pending initiative rather than an accomplished fact.

The program “will ensure the security and safety of Army computer networks by establishing an integrated capability to monitor and audit user activity across all domains to detect and mitigate activity indicative of insider threat behavior,” wrote Army Secretary John M. McHugh in Army Directive 2013-18.

The directive requires development and implementation of “a technical capability to monitor user activity on the Secure Internet Protocol Router Network” used by Manning as well as on the Joint World Intelligence Communication System.

In order to facilitate the identification of insider threats, the directive authorizes the sharing of counterintelligence and a variety of other sensitive information, including personal medical information.  (“The Surgeon General will provide information from medical sources, consistent with privacy laws and regulations, to authorized personnel to help them recognize the presence of an insider threat.”)

The new Army directive was issued in response to a November 21, 2012 Obama White House memorandum on “National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.”

Some government insider threat programs go beyond encouraging sensible security practices, and seem to promote free-ranging suspicion in the workplace.

A slide prepared by the Defense Information Systems Agency for an online training module on insider threats suggests that an employee who “speaks openly of unhappiness with U.S. foreign policy” may represent a risk.  (The only thing more troubling might be someone who speaks openly of happiness with U.S. foreign policy.)  See “Unhappy With U.S. Foreign Policy? Pentagon Says You Might Be A ‘High Threat’” by Matt Sledge, Huffington Post, August 7.

On June 21, 2013 the Director of National Intelligence issued Intelligence Community Directive 703 on “Protection of Classified National Intelligence, Including Sensitive Compartmented Information.”

The directive summarizes and re-states classified information security policy, including little-known facts such as: “The Director of the Central Intelligence Agency (CIA) provides SCI access determinations and Sensitive Compartmented Information Facility (SCIF) accreditation for the legislative and judicial branches of the U.S. Government.”