“It is time to reexamine the long-standing tension between secrecy and openness, and develop a new way of thinking about government secrecy as we move into the next century.” -Report of the Commission on Protecting and Reducing Government Secrecy, 1997, Senate Document 105-2, Public Law 236.
Document Courtesy of the National Security Agency
After extensive research and discussions with stakeholders in and outside Government, the Board has concluded that the current classification system is too antiquated to fully support today’s national security mission. The system keeps too many secrets, and keeps them too long. Its practices are overly complex, and serve to obstruct desirable information sharing inside of government and with the public. There are many explanations for over-classification: much classification occurs essentially automatically; criteria and agency guidance have not kept pace with the information explosion; and despite numerous Presidential orders to refrain from unwarranted classification, a culture persists that defaults to the avoidance of risk rather than its proper management.
To partially address the concerns of excessive classification, we recommend that classification be simplified and rationalized by placing national security information in only two categories. This would allow proper alignment with the actual two-tiered practices existing throughout most of government for information protection security clearances, physical safeguarding, and information system accreditation.
Top Secret would remain the Higher-Level category, retaining its current, high level of protection. All other classified information would be categorized at a Lower-Level, which would follow standards for a lower level of protection. Both categories would include compartmented and special access information, as they do today.
Newly established criteria for classifying information in the two tiers would identify the needed levels of protection against disclosure of the information. Identifiable risk should be the basis for determining if a level of protection is needed and if classification is warranted and, if so, at what level and duration.
The difficulty of applying the current concept of presumed “damage” during derivative classification would be replaced by a more concrete application of the level of protection necessary for sharing and protecting. This change in guidance would reflect how classification is actually practiced by derivative classifiers – deciding how much protection is needed based on the sensitivity of the information to both protect and share appropriately.
We understand that the adoption of a two-tiered model will pose greater challenges for those agencies whose internal practices are more dependent upon current distinctions between Secret and Confidential. We are not advocating for simply eliminating the Confidential category of classification, thereby exacerbating problems of over-classification in the system. Rather, we believe the adoption of a two-tiered model would align the classification system to what is actually occurring in practice throughout Government. Confidential information is safeguarded on Secret-level systems. The Lower-level of classification in the two-tiers will be defined by the appropriate levels of protection needed to ensure the classified information may be secured and shared appropriately. Guidance must be updated and longstanding practices of rote classification in the current system must be redesigned to make classifiers re-think deep-rooted cultural biases that favor classification and instead choose not to classify in the first instance unless a risk assessment proves protection is needed.
3 thoughts on “Recommendations 2 and 3: A Two-tiered Classification System and the Use of Identifiable Levels of Protection to Define Classification Level”
Some of us have defined these problem spaces and implemented available solutions but managing that change has hit brick walls. It is not just a cultural bias but mathematical and technical ones too. To think in terms of damage as tiered rather than infinitely or probabilistic is also rather limited. The combination of classified info with public source or even connecting the dots with open information allows for significant risk in combination. This latter is the scary concept for many in the Intel community and why they resist any and all change. This is a far more technical and operational issue that goes to the root of ownership and custodianship of information, in other words a definitive assessment of who owns information and can benefit from it and how to determine if it has been stolen. This issue overlaps the forthcoming legislation that will be required to address the exploitation of stolen secrets and corporate databases.
Mr. Faga’s summary of the findings of the PIDB is sound and reasonable. The current system of classification is out of date and those who classify have become complacent. Few people today understand the concepts that form the fundamental principles of classification (describable damage or harm to our country if such information is not protected by classification). Too often the decisions to classify information are rooted in folk lore rather than being a measured and risk-based approach to protecting vital information from adversaries.
In the report cited by Mr. Faga, (report of the 1997 Secrecy Commission) Sen. Daniel Patrick Moynihan said “when everything is classified, nothing is classified.” That is, perhaps, the phenomenon that has led to the kinds of leaks we have recently seen. When information that no reasonable person could claim is classified has been marked as classified, how do holders of that information determine what information is REALLY classified? Nothing excuses leaking information that is marked as classified, but overuse of classification or use where it is not warranted does nothing to help recipients to understand why some information must be protected.
A two-tiered system will be hard to implement and not without costs. But the way all federal employees view secrecy needs to be changed and the only effective way to initiate such change is with a complete revision of the system. For this change to be complete and effective, the Congress absolutely MUST identify funding sufficient to train employees, oversee and manage the new system, and configure all automated systems to facilitate appropriate classification. New tools are also available that can aid employees in making decisions about what information should be classified and more importantly what information should NOT be classified.
With support from Congress, this Administration could make the first fundamental change in classification since its establishment in 1940 by President Roosevelt.
“Accurate classifica¬tion most certainly aids future declassification activity, and we believe two-levels of classification may lead to less classification overall. There is a need to define more precisely and narrowly what types of information war¬rant security classification. The two-tiered system of classification will prod agencies to reexamine the cur¬rent broad definitions of information that qualifies for classification.”
Extracted from PIDB recommendation 2
National Security from Unclassified to Classified information
The classification system itself serves a government purpose to protect national security information and is merely a tool to do so. It is not the only system of control for information in government possession as agencies also identify and protect unclassified information related to national security. Such information is labeled in multiple ways and includes many security measures, guard forces schedules, facility security procedures and rules, export controls, special nuclear technology, critical infrastructure information, etc. In short, while classification clearly identifies information requiring protection, there is significant amounts of information not classified but nonetheless protected within the government.
The US has used three levels to denote classified information and in many instances especially today, the lowest level confidential is too restrictive for practical use. Other nations often use additional “classification” levels to denote information that have lower standards for control than what is prescribed by the US. While still technically classified, access to such information may not require a clearance or require any special protections beyond what the US currently uses for many types of controlled unclassified information. In recognition of this, the current US Executive order created a modified handling form of US Confidential information for lesser foreign information to reduce handling and control requirements.
Therefore when considering classification system reform, it would be appropriate to consider the perspective that information related to national security is a continuum of information ranging from unclassified to the highest forms of classified information, all withheld from public release. Many in the public misunderstand that a government decision to control less information as classified does not mean necessarily that more information will be available to the public and in fact could mean that more information will be labeled as controlled unclassified information. It is in this light that the PIDB recommendation to reduce the classification levels from three to two should be considered and in absolute sense whether the change would result in more information released to the public.
The change from three levels to two levels will be expensive. Certain agencies that have used all three levels will have considerable conversion costs in terms of their operations, types of communication channels, and clearances. To counterbalance those costs, the public should be assured that the change in classification levels will result in significantly more government information made public. For other agencies that have only used Top Secret and Secret levels for the vast majority of their information, there will be a strong incentive to leave the levels as named and therefore their classification practices as is.
Given the PIDB goal is to have the government classify less information such that it is releasable to the public, the recommendation have two levels is at best an indirect mechanism. If, in fact, the reduction of three levels to two simply moves classified information into the two new levels (or leaves the information as is) or if the information is no longer classified but still controlled within the government then it would seem the value of the change is greatly diminished. Clearly, serious discussion is needed here on what real costs and real benefits can be achieved and whether this recommendation is the best way for the government to achieve this goal.