How We Got Here
In signing Executive Order 13526 – the 10th Executive Order on National Security Classification signed since Roosevelt’s Order in 1940 – President Obama also stated that he looks forward to “…reviewing recommendations from the study that the National Security Advisor will undertake in cooperation with the Public Interest Declassification Board to design a more fundamental transformation of the security classification system.”
Historians regard President Truman’s second Order, EO 10104, and President Clinton’s EO 12958 as sweeping changes to the national security classification system. Most significant of Truman’s changes was the indication that the Chief Executive was relying upon “authority vested in me by the Constitution and statutes, and as President of the United States.” Prior Orders had relied on statutes requiring the protection of military bases in the United States as the basis for classification. Also changed in Truman’s new Order was the first use of the term “national security” as the previous orders had been intended to protect only information related to “national defense.”
President Bill Clinton’s 1995 Order also included sweeping changes to classification. Most significantly it set a specific duration for classification allowing classification to expire, causing automatic declassification, rather than requiring that agencies conduct reviews to declassify information. Also included in this new order was reintroduction of the “balancing test” first introduced in EO 12065 by President Carter in 1978, a provision encouraging employees to challenge classification they believed inaccurate, and creation of the Interagency Security Classification Appeals Panel (ISCAP) as well as the Public Interest Declassification Board (PIDB). The Clinton Order also put tighter controls on the practice of reclassification of information that had been released to the public.
Much has changed in the years since the Roosevelt Order in 1940 issued during WW-II, but despite what has been regarded as “sweeping changes” the national security classification system in the US remains very much the same as it was in the 1950s.
A New Approach to Classified Information
I propose an approach where we start by defining the problem in the context of 2011 and write an entirely new solution without regard for any previous solutions or problems. We can’t continue to regard the world as paper created by typewriters. We also can’t view the world as two opposing sides in a conflict where there are only combatants and outsiders. Rigid conformance to standards based on military protocols and clearly defined roles and responsibilities must be exchanged for a system where essential elements of information are protected and other information is regarded as serving the purpose of our common defense.
No longer is our information structured along government organizational lines or pertaining to only governmental issues. The battles of the 21st Century are asymmetrical; the enemies are amorphous having no uniforms, no political boundaries, or common language. Our “side” of the battle is also not a uniformed army with trained, proven soldiers under the command of a single leader; instead we consist of military, government, private sector, state, local, tribal entities, foreign partners, and sometimes citizens. We simply can’t see classification as a tool to protect military secrets, intelligence and diplomatic affairs from everyone who is not part of the military, diplomatic or intelligence organizations. Our world has changed and we must change classification accordingly.
Terrorism is the result of extreme views manifested in violence with the intent of inflicting the greatest harm possible on every citizen of the United States and allied nations. These views are harbored by foreign citizens of a number of nations, by some American citizens, and by members of extremist factions of certain religions. Terrorists are not restrained behind international borders or organized in a recognizable fashion. They are free to move about the globe striking both our military and our citizens without any warning or notice.
Classified information prepared by the government for the government and distributed to only the government will not win the battles or serve the interests of our nation. At the same time our government has capabilities that can be lost in an instant if the information about those capabilities falls into the wrong hands. We are faced with a dilemma; do we hoard information that we painstakingly collected, knowing it will do no real good, or do we share the information knowing it will potentially be of only short term benefit as its eventual compromise means we will no longer obtain the same information without new techniques and means.
In 2011 we face challenges never envisioned in executive Orders since 1940. We’ve become increasingly aware of these challenges since 9/11/2001, but our framework for identifying information that requires protection and employing safeguards for that protection was designed during World War II and not changed fundamentally since then.
Current Classification Principles
A few core principles define the process for classification in the United States:
1) National Security: Although the definition has changed slightly over time, information subject to categorization and protection is limited to information pertaining to national defense, foreign relations, and since 2003 defense against transnational terrorism.
2) Vetting: Since at least the Eisenhower Order access to information that is marked as Confidential, Secret or Top Secret was restricted to individuals who have been vetted or “cleared” to one of those levels. Progressively more stringent investigation methods are used at each level with the intent of identifying any previous criminal behavior or other personality flaws that will potentially make the individual susceptible to coercion by foreign powers or prone to malfeasance or misfeasance leading to the compromise of the information the United States seeks to protect,
3) Levels: Information regarded as “classified” is placed in categories that are based on the sensitivity of that information. We have titled these categories “Confidential,” “Secret,” and “Top Secret” since the 1953 Eisenhower Order. We have never, however, defined clearly what damage, serious damage or exceptionally grave damage actually means. The lack of definition gives us the greatest flexibility in the current system and is also the single greatest flaw.
4) Safeguarding: For each of these levels of sensitivity a regimen of security safeguards is proscribed to help prevent individuals and adversaries who are not vetted from obtaining the categorized information. The required safeguards, like the vetting process, are progressively more stringent as the level of sensitivity increases. Other than provisions allowing waiver in the case of imminent loss of life, these standards must be firmly adhered to regardless of the volume of sensitive information.
Fundamental transformation may not be without significant wringing of hands by those accustomed to the system we’ve had since 1940, but we simply must change the way we protect and share information.
First, consider some core principles that may help define a new classification system:
Orders since 1953 have narrowly focused on information of military or foreign affairs significance as being classified. The current effort to define Controlled Unclassified Information is an attempt to embrace as important to the United States information about our infrastructure, vulnerabilities of our cities and our citizens, information that crosses the boundary between law enforcement and intelligence, and information that can be used to mount, or defend against, an attack in the United States. We are moving toward a standard our foreign allies have embraced many years ago for protection of information that is in the national interest.
With the President’s signing of Executive Order 13549 on CUI, the distinction between CUI and NSI is no longer a legal distinction regarding the power of the Executive, but rather steeped in the way that the classification system has evolved over the past 70 years. The emerging standards for the administration of CUI will likely involve categories of CUI, standards for who can have access, physical and technical security standards for protection of CUI, and standards for duration of control and procedures for decontrol of CUI. We have created a system in almost perfect parallel to the national security classification system, absent only some of the vestiges of the Cold War that are outdated and present weaknesses in the national security system we use today.
We must consider as a fundamental principle of a transformed classification system the need to embrace all information that requires some protection from immediate public disclosure as part of a single system of protections and safeguards.
A fundamental error made in 1940 and not corrected since is the principle that the vetting process used to validate the trustworthiness of individuals who protect sensitive information must be linked to the sensitivity level of each piece of classified information.
People are cleared at the Confidential, Secret or Top Secret level today. In practice there are really only two methods for vetting the people who are trusted with classified information. We should consider moving from three levels of vetting to just two and the ability to list those individuals who do not meet the standard for trust and confidence by the US government:
Trusted: Individuals needing routine access to sensitive information must be determined to be Trusted. To be regarded as trusted, these individuals should be free of criminal convictions or warrants and have had their bona fides verified by a competent authority. The process for hiring all military personnel, all US government civilian personnel, police, fire fighters, first responders, and those in positions requiring the public trust including elected officials must be considered a level of vetting that demonstrates a fundamental level of trust.
Highly Trusted: Individuals who need routine access to highly sensitive information must be determined to be highly trusted. These individuals must meet the standards for Trusted individuals and in addition must undergo a background investigation similar to today’s SSBI used for TS clearance and SCI access. Although not limited to US Government officials.
Excluded: Individuals who have exhibited behaviors that suggest an unacceptable risk of compromise to sensitive information may be listed as excluded from an ability to receive protected information. Only excluded individuals would be precluded from receiving classified information that they may need to do a job unless the information is judged to protect their life or the lives of others under their responsibility.
A key concept in this new approach is “routine access.” Information should always go to individuals who need the information to do their job. Non-routine access to any level of information may be given to individuals who are not either Trusted or Highly Trusted provided they are not on an Excluded list. A transformed classification system must be predicated on identifying information that requires protection from disclosure to adversaries and providing that information to anyone who can reasonably be trusted to use that information and protect it in an appropriate way.
Levels of Classification
For practical purposes there are only two levels of classification now that are tied to two types of employee vetting used by the US Government. Little if any distinction really exists between Confidential and Secret. These levels can easily be combined to a single level.
Particularly sensitive information is now protected as Top Secret and requires a distinctively greater vetting process. In a new model where routine access requires a higher level of trust, a two classification level system for information that is currently in the National Security Classification system would work.
Including aspects of the current process to codify Controlled Unclassified Information (CUI) should also be a part of the new system, particularly with its redefinition of national security to national interest.
Without paying any attention to what any new categories would be named or called, the concept of simplifying classification and including information currently in the CUI domain would look something like the model below:
We are in an electronic age managed under rules developed for paper documents. Access to electronic systems containing classified information requires that users be cleared and read-in to every level of information stored or processed on the system. This has led to the need for clearances and access to Special Access Programs in some cases to actually do unclassified work on a classified system. As a result the number of people cleared/accessed has risen dramatically actually putting at risk the information the system was designed to protect.
Safeguarding rules must also be changed to allow risk management. Systems containing a few documents at the lower levels of classification should not need to meet the more rigorous standards of systems that routinely store and process classified information. Likewise, systems with reasonable safeguards to keep users from accessing data not intended for them must not require that all users have the highest levels of trust.
Similarly, physical security standards for facilities storing hard copy or electronic classified information should also be flexible depending on the volume of data or information in any facility. Facilities holding only small amounts of low level information should be considered a low risk and meet less stringent safeguarding standards than facilities holding vast quantities of paper or electronic records containing sensitive information.
At the top tier there is still a need to identify very sensitive information that can be disseminated to a large number of people with a specific need to have the information, and provisions for some material to have significantly reduced access and additional safeguards.
The current system for Sensitive Compartmented Information (SCI) and Special Access Programs (SAP) has gotten out of control with little formal guidance for most control systems on what aspects of a program are really SCI and what aspects can be protected appropriately as collateral classified information.
Compartmentation at its core is risk management. When classified information is so fragile that exposure to a large number of trusted individuals would still lead to likely compromise of the information, dissemination is restricted to far fewer individuals who are individually approved for access. Compartmentation can also be used to reduce the risk of exposure by simply taking elements of a sensitive program and only allowing a very few individuals to have the entire scope of information.
Like a jigsaw puzzle, compartmentation is a means of protecting individual pieces. It’s the reverse of mosaic or compilation where individual pieces are carved out and given to some people and other pieces are given to other people and virtually nobody gets the whole picture.
We’ve lost that concept in current implementation when hundreds of thousands of people are briefed into a compartment for access to an IT system or when virtually all information about a program is compartmented exactly the same way.
To transform national security classification we simply must look at compartmentation and produce a single set of standards for its use that make sense and are faithful to the purposes for which compartmentation was designed.
We need a bold new approach that starts with a clean piece of paper. Our world has changed and the way we need to protect and share information has also changed. We can no longer look at the protection of information to safeguard our nation as only related to diplomatic negotiation and military strategy and operations.
Similarly the rigid rules for access to information that work well in a military environment, no longer apply. We must separate the elements of trust, sensitivity of information and safeguarding. Each has a purpose, but when these separate sets of rules are tied inextricably to one another the system is bound in a way that makes use of the information ineffective.
I propose we convene a new kind of Continental Congress where those individuals most familiar with the needs to protect and share information can work together to chart a new course for information protection that will work well in the 21st century.