National Security Reform and Classification Policy
Dec 10
“The [U.S. national security] system fails to know what it knows, to make sense of information and trends in order to understand an increasingly complex global environment, to make effective and informed decisions, and to learn over time what works—and what does not work.”
In a blog posted to the FAS Project on Government Secrecy, Stephen Aftergood refers to the Project for National Security Reform (PNSR) – specifically the work conducted by my team, the Knowledge Management Working Group, in the area of classification reform. Mr. Aftergood raises some important points, and I will try to respond to them here.
It is important to make clear that I am not speaking on behalf of the Project, but instead clarifying and discussing the analysis my team has already completed. This is my personal blog, and not sponsored or sanctioned by the Project for National Security Reform.
I appreciate the opportunity to discuss our work, as we worked against a compressed timeline and the report would have benefited greatly from additional time and resources. My team’s sections on knowledge management probably need more explanation than most, and I hope to expand on the ideas we put in that paper soon. I am hopeful that through conversations such as these I can add detail – but also learn from all of you how to improve our thinking on this important topic.
From the Secrecy News blog:
“’Sharing information across organizational boundaries is difficult… [because] agency cultures discourage information sharing,’ the report states. But this is a restatement of the problem, not an explanation of it.”
If that were all we stated in our problem statement, Mr. Aftergood would have a more valid case in finding our work shallow. In addition to his reference regarding impediments to information sharing, however, we also discuss (pp. 331-362):
- Poor interoperability on the classified side
- Overclassification
- The proliferation of the “sensitive but unclassified” designation
- Confusing technical connections with collaboration
- Information systems are missing common data abstraction, protocols, and compatible business logic
- Inability of systems to understand business limitations and context of data
The recommendations we make in the report on this topic are likewise truncated in Mr. Aftergood’s treatment.
“And so the real upshot of the report’s argument is that the classification system cannot be fixed at all, at least not in isolation or on its own existing terms. ..
They vaguely advocate a “common [government-wide] approach for information classification [that] will increase transparency, improve accessibility, and reinforce the overall notion that personnel in the national security system are stewards of the nation’s information, not owners thereof.”
We didn’t intent to be vague, and apologize if the reader is left believing that we believed that the “teams” recommendation was sufficient to resolve classification issues. In fact, we recommend (p.450) the establishment of an Office for Decision Support within the NSC Executive Secretariat, which would include the functions within ODNI (Special Security Center) that are currently working to establish a common security classification across the national security system. We believe the work this office is already doing is valuable, and seek to give it budgetary and enforcement mechanisms to ensure they succeed. From our recommendations:
“[T]he Special Security Center within the Office of the Director of National Intelligence currently works to establish uniformity and reciprocity across the intelligence community, but this approach should be expanded to include the entire national security system.”
Mr. Aftergood is correct that we believe a systemic approach to resolving the problems of the national security system is appropriate. Hence, while we recommend the above for classification issues, we recognize that without the reforms mentioned in the human capital, strategy, and resources sections – the ‘knowledge management’ problems will not be resolved.
For example, the fact that information security professionals are free to assert controls that hamper information sharing and other business functions remains a problem.
“There is often a tension between information security and operational effectiveness. The latter is enabled by easy access to information and the free flow of information both within and across organizational boundaries. The former often requires tight controls on information access and sharing based on a wide range of parameters (e.g., classification level, organizational affiliation, ‘need to know’ requirements, etc.) in order to minimize risks such as unauthorized access to data, data theft, and data manipulation. Historically, national security organizations have placed more emphasis on information security requirements than on the imperatives of information access and sharing. The result has been a culture of ‘risk avoidance’ that has limited the ability of key people and organizations to work collaboratively.”
I appreciate the discussion and review of our work; which we view as the beginning of a conversation. My thanks to Mr. Aftergood for engaging with us.
Thanks. I think we probably agree more than we disagree, and the areas of disagreement seem to be shrinking as we go on.
But the January ODNI report you quote has not been approved for public release and was not provided to GPO. The link you cited goes to the 1997 report of the Moynihan Commission. The January ODNI report is here (pdf).
Anyway, the underlying point you make is important. Classification guides are the “software” of the classification system, and if there is to be reform of classification policy (including the improved public access to govt information that I am concerned about) it will have to occur in the guides. Right now, there is not only a lack of uniformity and consistency, but a general lack of quality control. Many classification guides have not been reviewed and updated for years.
It remains to be seen, though, whether uniformity is the solution. (The guides could end up being uniformly bad.) For now, the ODNI/SSC has not yet proven the idea can work even within the IC with a community-wide classification guide. So talk of a government-wide classification guide seems premature.
To conclude on a positive note, I was impressed by the PNSR emphasis on pilot projects and small-scale experiments in innovation. I think this is essential.
I appreciate the conversation, thanks for hanging in there. Yes, the language I cited referred to personnel security, not classification. You’ll forgive me, it was the EO closest at hand – I tried to be specific in my comment as to its application.
However, the PNSR report speaks to BOTH security clearances and security classification as areas in need of reform. I don’t think we misused terms, but perhaps could have been clearer – I’m sorry to give the impression that I confused the issue in my prior comment.
As for a single classification system, it all depends on what you mean by the word “system.” Yes, we have a single POLICY. However, in practice, it is a fragmented and unevenly applied policy that results in a system that lacks unity.
A January ODNI report (a copy can be found on the FAS website, but the GPO link is http://www.gpo.gov/congress/commissions/secrecy/pdf/03sum.pdf) said this: “The team found that the reviewed classification guides often provided little insight into the reasons for setting classification and limited guidance for discriminating between classification levels. Most of the guides were agency- or program-specific.”
***Please note the above sentence, the system is fragmented in practice because agencies and programs write their own guidance.***
“In situations where users perceived conflicting guidance, they found it difficult to discern which classification guide or level should take precedence, leading to over-classification in many cases.”
Our solution, again, to what ails classification policy AND PRACTICE, is embodied in our recommendation that the ODNI SSC be given teeth (and whatever other body parts will help them succeed). In practice, the system does not behave as a single system – this was true across PNSR findings. The noble intent of many laws and EOs nevertheless failed to ensure coherent behavior across the national security system.
Yes, in fact we do have a single classification system, established by executive order 12958, as amended.
The PNSR report commits an avoidable error and generates unnecessary confusion by, forgive me, misusing the term “classification system.” Classification refers to the identification and designation of national security information (as confidential, secret or top secret). PNSR uses the term as if it also included personnel security, which deals with the process of adjudicating approval for access to classified information. Personnel security policy is indeed fragmented and inconsistent, as you say– but that is not a problem of classification policy per se.
The language you cite from executive order 13467 (not 13267) likewise deals with personnel security, not with classification. The very same order states that classified information is defined by executive order 12958, as amended.
I have no disagreement with the PNSR recommendations concerning personnel security policy. But as I wrote, they do not provide a solution to what ails classification policy.
We have a single classification system?
The lack of clarity is my fault entirely, and I so stipulate. However, my team did review the EOs – which fall short of success because they don’t address fundamental issues.
For example, regarding security clearances: EO 13267 says, in part, “approval to establish additional requirements shall be limited to circumstances where additional requirements are necessary to address significant needs unique to the agency involved or to protect national security.”
This ensures failure. There are similar holes in the ODNI authorizing legislation (section 10.18) and like directives. We continue to grant authorities to Agencies that thwart the establishment of an effective national security system. An EO does not make for a “single” national security system when it allows for broadly-worded waivers. We need to eliminate waivers or we will never truly have a “single classification system.” Or much of a system at all.
And yes, the Report focused on fixing a broken national security system. Public access to government information was not addressed as part of the core issues regarding national security reform. I’m confident the “public” has many priorities that weren’t addressed in our work.
I appreciate the feedback, and acknowledge the truncation on my part. I believe we agree on the importance and centrality of the issue. I think there is a certain lack of clarity in the report’s recommendation for a “single” national security classification system– since there already is a single classification system defined by the Executive Order (never mind the parallel system created by the Atomic Energy Act). (While topical classification guides are generated by the lead agencies for each topic, that is to be expected and they do not constitute a separate classification system.) I also note that the Report focuses exclusively on the government interest in classification reform, and it does not address questions of public access to government information, which is an equal or greater priority for many members of the public. But that’s another conversation, which I hope will occur another time.
One can only wonder why this isn’t being discussed on the PNSR blog? Perhaps because the technical administrators don’t enable comments?
A discussion with citizens, how quaint. ;-]