PIDB Posts Responses to Questionnaire from the Senate Select Committee on Intelligence

After PIDB Member John Tierney testified before the Senate Select Committee on Intelligence in an open hearing on September 9, 2020, Acting Chairman Marco Rubio and Vice Chairman Mark Warner sent the PIDB a list of questions regarding its Report to the President, A Vision for the Digital Age: Modernization of the U.S. Security Classification and Declassification System. The PIDB received this questionnaire in October and due to challenges related to the COVID-19 pandemic, received additional time to complete its response. Along with the other recommendations in its report, the PIDB continues to advocate for an Executive Agent as a necessity to oversee and lead modernization of the classification and declassification system

Public Interest Declassification Board

Responses to Questions from

Acting Chairman Marco Rubio and Vice Chairman Mark Warner

of the Senate Select Committee on Intelligence

[Senate Questions in bold]

Methodology used in the Public Interest Declassification Board’s June 2020 report to the President, titled A Vision for the Digital Age: Modernization of the U.S. National Security Classification and Declassification System.

1. Please explain the methodology that supported this report as it is not specifically outlined in the document.

The Public Interest Declassification Board’s (PIDB) report, A Vision for the Digital Age: Modernization of the U.S. National Security Classification and Declassification System, had its origins in an 18-months long interagency declassification working group. The PIDB staff invited experts from agencies to participate in this group along with members of the PIDB. It included information security, access, and declassification professionals, declassification program managers, archivists, and records managers from agencies.  There were representatives from the Department of Defense and its components, Intelligence Community (IC) agencies, and civilian agencies, including the Departments of Energy, Justice, and State, the National Archives and Records Administration (NARA), the Information Security Oversight Office (ISOO), the National Security Council (NSC), and the Federal Bureau of Investigation (FBI).

The PIDB gained extensive knowledge about the declassification programs at agencies, including volume and variety of records, work processes and policies, resources, and technology investments and use. The working group focused on the current “as is” declassification system and a “to be” system.   The discussion of the “as is” system focused on how agencies currently review their records, consisting mostly of paper, or electronic records converted to paper for review. The discussion of the “to be” system focused on how agencies envisioned reviewing born-digital data for public access.

The working group conducted a detailed survey to gather information about agency declassification management activities in the digital age.  The survey included questions concerning staff and contractor levels, scope of assignments (some agencies had dedicated staff to perform 25-year automatic declassification review while others included collateral duty to process Freedom of Information Act (FOIA) and Mandatory Declassification Review (MDR) requests and perform pre-publication review requests), review policies and processes, and technology availability and use. The survey also sought to learn more about the variety and volume of classified digital data agencies currently create. After completion, the survey was the focus of extended discussion in the working group as participants refined the “as is” current model, and then looked forward to future needs for declassification review in a “to be” model that includes large volumes and varieties of digital data.

As part of their research, the PIDB also visited agencies and met with classification and declassification experts to learn firsthand how their programs operate. Onsite visits included detailed briefings from project managers, original classification authorities, derivative classifiers, declassifiers, and subject matter experts. The PIDB members were particularly impressed with modernization efforts at the National Geospatial Intelligence Agency (NGA) where they saw how NGA developed, implemented, and now use its Consolidated Classification Guide (CoNGA).

2. Whom did the PIDB interview to gather information and relevant data for the report?

The PIDB met with a wide variety of stakeholders within the Executive and legislative branches, including the Executive Office of the President and the NSC staff, researchers and historians, representatives from industry and the private sector, academic think tanks, and members of civil society groups. As noted above, it invited and then led an interagency working group focused on declassification processes. The PIDB staff participated in Industry and Government-sponsored technology events and conveyed to the PIDB findings that they could apply to conceptualizing the modernization of the classification and declassification system.

The PIDB also learned how agencies are modernizing their Information Technology (IT) systems and operations and how the administration is developing and implementing IT modernization policies across agencies. They studied the President’s Management Agenda (PMA) and its objectives to modernize IT and focus on data, transparency, and accountability. The PIDB staff attended countless events with Government leaders and representatives from the IT industry discussing the PMA and its implementation, IT modernization at agencies and across the Executive branch; Machine-Learning, Artificial Intelligence, and the application of other advanced technologies; Enterprise systems management; E-Discovery, Cloud technologies and design; and other events related to managing data. Many of these events included Chief Data Officers, Chief Information Officers, Chief Technology Officers, Enterprise Systems Engineers, Chief Information Security Officers, and other senior officials from Executive branch agencies, including from the IC and the Department of Defense and its components.

The PIDB met with senior leaders at the Departments of Defense and State, NARA, and with senior leaders at IC agencies. These engagements began in 2016 and continued into the Fall of 2018 before the Government shutdown occurred. The PIDB met several times with senior leaders and program managers at the Office of the Director of National Intelligence (ODNI) and also participated in a briefing with members of the IC Deputies Committee where they offered a preview of their recommendations.

The PIDB met with practitioners and information security professionals, original and derivative classifiers, declassifiers, archivists, records managers, and information management experts across Government, including several IC agencies. As time progressed and they refined their research into preliminary proposals, the PIDB requested new meetings with many stakeholders and senior leaders to learn their reactions and listen to their comments. For instance, the Members met with the Principal Deputy Director of National Intelligence (PDDNI) twice, once in 2016 and again in 2018. At the onset and in between, they met with the Director of Information Management at ODNI and invited her to participate in the working group. In the Fall of 2018, they were invited to present their proposed recommendations to the IC Deputies Executive Committee. Composed of Deputies from the sixteen IC agencies, the PIDB received feedback and answered questions. At the end of the presentation, the PDDNI who chaired the meeting tasked the Deputies with providing the PDDNI with their formal responses in December. The PDDNI indicated that that she would compile their responses and provide them to the PIDB by mid-December. Unfortunately, the PDDNI’s formal combined response arrived in January 2019 during the Government shutdown and after the legislation authorizing the PIDB had lapsed.

Once the PIDB was reauthorized, the members reviewed the PDDNI’s combined response. The 16 IC agency Deputies were unanimous and agreed that the current classification and declassification system was outdated and no longer operates effectively or efficiently with large volumes of digital data. However, within the combined response, agencies did not offer solutions for recommendations they disagreed with. Their responses were pro forma and focused solely on the lack of resources, including added costs. There were no specifics on what resources were lacking nor were there explanations of additional costs. Agencies were unwilling to cede any authority outside of their own agency as it related to declassification yet were unable to address questions on how their agency would review large volumes of digital data for declassification.

The ODNI in particular was opposed to serving as the Executive Agent, despite its success in developing and managing the Intelligence Community Information Technology Enterprise and leading other Government-wide information security policies. Although it serves as the security executive agent for adjudicating security clearance, suitability and credentialing across the Executive branch, it nevertheless indicated it only had authority over the IC on matters of classification and declassification. The PIDB recognizes that this response was aligned with the “as is” current model, but the recommendations were to develop an entirely new framework with new authorities and roles to lead modernization and reform.

The PIDB held public meetings and Executive sessions as they gathered information on how to modernize the classification and declassification system. They also engaged with stakeholders through their blog, Transforming Classification. They held a public meeting to discuss their White Paper, “The Importance of Technology in Classification and Declassification,” soliciting comments and feedback at that meeting and on their blog.  Blog posts solicited comments on administration efforts to modernize IT and data policies across government, develop AI and Machine Learning capabilities, and other IT efforts that relate to classification and declassification modernization.

3. What were the processes used to gather and analyze the data?

In addition to meetings with senior leaders from across the Executive Branch and stakeholders over a period of almost three years, the PIDB organized and participated in the interagency declassification working group highlighted earlier in this questionnaire. Over a period of 18-months, this group gathered information on agency classification and declassification programs as detailed earlier in this questionnaire.

The PIDB also convened an interagency Declassification Technology Working Group (DTWG) to complement the work of the declassification working group. The DTWG engaged the CIO community from across the Executive Branch agencies to discuss the current landscape at agencies regarding technology investments for automation, advanced search-and-retrieval, data standards progress on preserving historically significant digital records created  between 1990-2015, risk management practices, information management strategies to provide access to records, and connectivity, integration and communication capabilities.

Although the PIDB received extensive briefings on a Central Intelligence Agency (CIA)-sponsored Machine Learning pilot project led by the Applied Research Laboratories (APL) at the University of Texas at Austin between 2011 and 2015, this project continued to be of interest to the PIDB. In 2016, as part of a Congressionally Directed Action in section 321 of the FY 2015 Intelligence Authorization Act, they also participated in a briefing sponsored jointly by CIA and ODNI that featured project managers from ARL discussing “Decision Support Technology for Records Declassification Review and Release.” The PIDB also received briefings on projects related to content understanding and Machine Learning at the Intelligence Advanced Research Projects Activity and at the National Security Agency.

4. How were the recommendations developed? PIDB Recommendation of DNI as Declassification Executive Agent

As noted earlier, the recommendations in A Vision for the Digital Age: Modernization of the U.S. National Security Classification and Declassification System came out of extensive engagements with Executive branch agencies and stakeholders. The PIDB gathered information from its participation in two interagency declassification working groups, including one focused on technology. It gathered information on how agencies are using advanced technologies for mission purposes and had the PIDB staff attend and participate in industry and Government-sponsored information technology events where they learned about how the Executive branch and how agencies are using advanced IT to improve the efficiency and effectiveness in accomplishing their missions.

As the PIDB’s research and discussions progressed, it was apparent that there was a great disconnect between agencies efforts on IT modernization to support missions and the lack of investment and resources to aid support functions like classification and declassification. Onsite meetings with program managers and senior leaders as well as the discussion and responses from the IC Deputies Committee meeting confirmed this assessment. The PIDB also heard from agencies that the lack of data standards across agencies hindered information sharing and served to maintain silos.

The PIDB felt strongly that modernizing the practices and policies of the 80-year old classification and declassification system required leadership with authority to direct reform. Through conversations and discussions with stakeholders, learning about agency classification and declassification programs, and gaining insight into agency IT modernization efforts, the PIDB felt that the IC and the Director of National Intelligence (DNI) in particular was strategically empowered to take on this role. First, the PIDB felt that the Executive Agent had to be a Cabinet officer. The DNI serves as an influential member of the President’s Cabinet and can use the President’s direction to drive reform.

Second, the PIDB felt that the DNI had proven experience in driving reform. Not only did the ODNI overcome bureaucratic hurdles to integrate the sixteen agencies that now comprise the Intelligence Community, it also reformed work processes and policies across the IC. The DNI also developed, implemented, deployed the Intelligence Community Information Technology Enterprise (ICITE) and developed a new information strategy and policy across the IC. As it developed this federated information technology enterprise, it also led development of metadata standards across the IC to facilitate search and discovery across IC agencies.

The DNI has proven experience in developing and managing system architectures like the Joint Worldwide Intelligence Communication System (JWICS). The DNI established policies, requirements and standards for all agencies using JWICS to adhere to, including agencies outside the IC.

The DNI has the greatest knowledge and interest in protecting sensitive “sources and methods” used across the IC and also those shared outside the IC through JWICS and other classified means. This PIDB felt this cross-agency knowledge should aid in development of a federated system designed to better recognize these sensitive sources and methods – especially those that were shared and are found within the records of other agencies, including non-IC agencies. Agencies were largely in agreement that intelligence sources and methods are among our nation’s most important secrets and they most often need to remain secret for 50 years or longer. They were also in agreement that the DNI, already overseeing data and metadata standardization, was in the best position to ensure adequate and appropriate safeguarding of classified IC equity information, especially sources and methods.

As the PIDB met with IC agencies, they recognized the IC’s greatest concern was the ability of other agencies to recognize embedded “sources and methods” equities. As the PIDB discussed how to address this concern, they felt it made the most sense to have the DNI oversee and manage this sensitive issue. Executive Order 13526, “Classified National Security Information” already explicitly provides this authority to the DNI in section 3.1(c), section 3.5(f), section 3/7(f), section 5.1(c) and section 6.2(b).  For example, section 5.1(c) states:

“The Director of National Intelligence, after consultation with the heads of affected agencies and the Director of the Information Security Oversight Office, may issue directives to implement this order with respect to the protection of intelligence sources, methods, and activities. Such directives shall be consistent with this order and directives issued under paragraph.”

Section 6.2(b) states:

“The Director of National Intelligence may, with respect to the Intelligence Community and after consultation with the heads of affected departments and agencies, issue such policy directives and guidelines as the Director of National Intelligence deems necessary to implement this order with respect to the classification and declassification of all intelligence and intelligence-related information…”

 The PIDB’s recommendation aligns closely with authority the DNI already possesses. It has not used this existing authority to reform the way this information is safeguarded and reviewed for declassification.  Finally, the DNI also serves as the IC Member of the Interagency Security Classification Appeals Panel and has authority to make declassification determinations of IC information as provided for in section 5.3(a)(1).

The DNI is a proven leader in overseeing and managing advanced information technology research, including Machine Learning, Artificial Intelligence, and content understanding. The PIDB was impressed by projects at IARPA that it believed could be useful in modernizing the classification and declassification system.  The PIDB felt the DNI was ideally placed and could use its leadership role in coordinating research among IC agencies, industry and other partners like In-Q-Tel.  To complement this coordinating role, the DNI has necessary and proven experience in the acquisition of large-scale IT projects and programs, overseeing implementation, and managing their operations once complete.

The 2019 IC National Intelligence Strategy pointedly focused on the DNI’s leadership role in reforming processes and policies “to do things differently.” It stressed the DNI’s overall role in increasing integration and coordination, aiding innovation, and increasing transparency. The PIDB, in evaluating its earlier recommendations after its reconstitution in 202, confirmed its recommendation to have the DNI serve as the Executive Agent. It felt that “doing things differently” was required to modernize the classification and declassification system, especially since the DNI already serves in an Executive Agent role in related areas and performs many of the operations and activities recommended by the PIDB.

While the PIDB received the ODNI’s objections, it nevertheless recommended that the DNI serve as the Executive Agent to drive reform and modernization of the classification and declassification system. The PIDB felt that the ODNI had far greater experience and had the authority to led reform and modernization efforts.

The 2020 PIDB report recommended an executive agent (EA) for declassification and that that EA be the Director of National Intelligence.

5. Why did the Board not also recommend an EA for classification?

The PIDB’s Vision for the Executive Agent would address modernization of both classification and declassification as integrated processes across the Government.  They envision that the DNI would develop metadata standards that would facilitate classification precision across Government, including information that is shared with agencies outside the IC. These agencies must already meet ODNI requirements for secure communications and requirements for safeguarding IC information. Having the DNI serve as Executive Agent is an extension of what this office already performs in managing JWICS, Security and Suitability Credentialing and directives regarding IC information. The DNI is also developing data standards for use within the IC that can be extended, initially as a pilot, to include those agencies outside the IC that receive and use IC information. This will ensure proper safeguarding and can then be used for declassification review at the appropriate time.  One of the challenges the PIDB learned from its engagements with stakeholders was he inability of Government to know what information it has declassified – especially information that multiple agencies either received or created. A second challenge they learned from IC agencies was their concern that agencies outside the IC who have previously received their information may not always recognize sensitive IC information and inadvertently do not refer it to the appropriate IC agency for review, or simply declassify it.

Modernization of the classification and declassification system will lead to more accurate and precise classification and declassification decisions. Reforming front-end classification policies and processes will support information sharing and security for current agency operations, but also reduce the volume and facilitate the automation of data requiring declassification in the future. 

A federated system-of-systems approach will support the entire lifecycle of a record from the point of classification, protecting the use of sensitive information from its inception, through archiving, declassification review, and ultimate release to the public.

6. What does the PIDB assess will be the annual costs of a declassification executive agent?

The PIDB does not have a cost estimate for its recommendation to have the DNI serve as the Executive Agent. However, the PIDB believe investments are both a national security necessity as well as a necessity for democratic discourse. They also believe that costs will not be prohibitive, especially since the ODNI already manages ICITE and already oversees JWICS. Additionally, many of the technologies the PIDB believes would aid improved classification and declassification are already in use for mission purposes and could be modified to support classification and declassification.

The PIDB attempted to learn about the costs associated with declassification from its interagency working group. It was clear from these discussions that agency declassification programs are both underfunded and lack necessary resources needed to review born-digital data. Specifically, the PIDB highlighted the lack of technology that could be used to improve decision-making and aid declassification efficiency and effectiveness. Although several agencies indicated they used technology as part of their programs, all stated technology use was limited to workflow and case management. None used technology to review records or assist in the review of records. Additionally, not all programs had access to secure communications technology or sufficient secure communications technology, including the National Declassification Center.  This conclusion supported conclusions by the ODNI Inspector General who highlighted the lack of technology and secure communications methods in its 2018 audit of IC Freedom of Information Act programs.

The PIDB also believe that the adoption of technologies to aid classification and declassification will improve effectiveness and efficiency, including reducing unnecessary costs over time. For instance, when integrated with robust metadata standards, the use of technology could reduce over-classification. Technology could also automate some classification and declassification decisions.

The current declassification system is almost entirely manual, relying on staff to review each record – and often having multiple staff members review the same record. The PIDB learned that one agency has at least five staff members and contractors reviewing each of their records for automatic declassification. The workflow chart in the PIDB’s 2014 Report to the President, Setting Priorities: An Essential Step in Transforming Declassification detailed the complex process and the human resources involved in reviewing records for declassification. The PIDB believes that several of these processes could be improved – resulting in reduced costs and far fewer errors – through automation and use of advanced technologies like Artificial Intelligence, Machine Learning, or other content understanding technologies.

Automation will improve declassification and it will also scale to allow review of large volumes of digital data. None of the agencies are prepared or are preparing to address the coming deluge of electronic data needing a declassification review in the very near future. Automating some declassification decisions will also reduce secure storage costs. These records will no longer be required to be stored securely in secure vaults that are more costly to maintain. With the DNI serving as Executive Agent, declassification programs will also benefit from coordinated research and development, and acquisition, as well as benefitting from shared services where costs, applications, and IT services.

Executive Order 13526 requires agencies to annually report estimated costs regarding their programs to the Information Security Oversight Office (ISOO).  ISOO then reports these cost estimates and its analysis in its Annual Report to the President. In 2018, ISOO issued a memorandum to agencies waiving certain reporting requirements, including cost estimates. It determined that agencies were using their own definitions and accounting methods to provide ISOO with their cost estimates. In its 2018 Annual Report to the President, ISOO wrote that, after analyzing the data received from agencies, it determined that the submissions differed substantially. It highlighted the challenges of agencies using different methods to calculate their costs, resulting in inconsistencies. Additionally, the Office of Management and Budget (OMB) does not require a line-item accounting of these costs nor are there standards to define each cost item in agency programs. As a result, ISOO announced it was undertaking a multi-year project to modernize the oversight data and statistics it collects, including cost estimate methodologies and reporting processes across all agencies. 

In its 2017 Report to the President, ISOO indicated that declassification costs across agencies totaled $102 million, a 5% decrease from Fiscal Year 2016. This amount includes cost estimates from IC agencies. While the PIDB believes even this figure is wholly inadequate, they also note that this figure is and has been essentially stagnant for the past seventeen years. In 2003, ISOO reported an estimate of $54 million for declassification programs. However, this cost estimate figure does not include IC agencies.  Their cost estimates were classified and provided separately until Fiscal Year 2013. In Fiscal Year 2013, IC declassification costs were included in the total cost estimates for declassification programs across the Executive branch. In Fiscal Year 2013, the declassification cost estimate was $99.77 million.

7. What would be pros and cons of creating an independent agency to perform the EA function?

The PIDB recommended that the Executive Agent serve as a member of the President’s Cabinet.  They feel it is essential for the Executive Agent to receive direction from the President and have the President’s authority to drive reform. Additionally, they believe that the DNI has both the gravitas and the experience to lead classification and declassification modernization.

The PIDB does not believe a new stand-alone agency could lead modernization and reform. It would not only lack stature, but it would also not have the experience, resources, nor the authority that the DNI possesses.

8. Please describe the PIDB’s interactions with the DNI, especially with regard to discussing the recommendation that the DNI serve as the EA. Costs of Reform The scope of effort to reform the declassification effort is substantial.

As noted earlier in this questionnaire, the PIDB met with ODNI senior-level officials, program managers, subject matter experts, technologists, information security professionals, classifiers and declassifiers, and information management experts over the course of almost three years. They invited ODNI to participate in its interagency working groups on declassification and on technology. After initial discussions with ODNI and discussions in the interagency working groups, the PIDB refined what it had learned into preliminary proposals. Next, the PIDB requested new meetings with many stakeholders and senior leaders to learn their reactions and listen to their comments, including ODNI. For instance, the Members met with the PDDNI twice, once in 2016 as it began its research, and again in 2018 to discuss its proposed recommendations. At the onset and in between, they met with the Director of Information Management at ODNI and invited her to participate in the working group.  

Their research was informed by the ODNI Inspector General’s 2018 assessment of IC FOIA programs, itself the subject of two IC Deputies Committee meetings. This assessment aligned with many of the PIDB’s proposed recommendations. They also were informed by both ODNI leadership participation in IT modernization, data strategy, and advanced technology events sponsored by non-profit organizations, IT media organizations (like FedScoop and 1105 Media Group), and Executive branch agencies. Lastly, their recommendations were also informed by ODNI and IC Reports and other published policy and strategy records.  These included:

• the 2019 National Intelligence Strategy;
• the 2019 Strategic Plan to Advance Cloud Computing in the Intelligence Community
• the Intelligence Advanced Research Projects Activity’s 2019 Better Extraction from Text Towards Enhanced Retrieval Program overview;
• the ICITE Data Strategy for 2017-2021;
• the 2017 ODNI Fundamental Classification Guidance Review;
• the 2017 Principles of Classification Management in the Intelligence Community
• the 2017 Improving the Intelligence Community’s Declassification Process and the Community’s Support for the National Declassification Center;
• the 2016 Principles in Intelligence Transparency Implementation Plan;
• the ICITE Strategy for 2016-2020, and
• multiple IT, Information Sharing, and Civil Liberties, Privacy and Transparency-related Intelligence Community Directives.

In the Fall of 2018, the PIDB was invited to present its proposed recommendations to the IC Deputies Executive Committee. Composed of Deputies from the sixteen IC agencies, the PIDB received feedback and answered questions. At the end of the presentation, the PDDNI who chaired the meeting tasked the Deputies with providing the PDDNI with their formal responses in December. The PDDNI indicated that that she would compile their responses and provide them to the PIDB by mid-December. Unfortunately, the PDDNI’s formal combined response arrived in January 2019 during the Government shutdown and after the legislation authorizing the PIDB had lapsed.

After the PIDB was reauthorized, the PIDB evaluated the combined response in early 2020. There were attempts to reengage with the senior leadership of ODNI in the Spring. However, staff turnover, reassignments, a reorganization, and leadership changes prevented the PIDB from formally reengaging with ODNI leadership. While the PIDB was unable to meet with ODNI senior leadership, they focused on how the various IC reports on technology modernization and integration supported the PIDB’s initial recommendation to have the DNI serve as the Executive Agent.  They decided, after careful consideration and deliberation, to retain the recommendations presented at the November 2018 IC Deputies Committee meeting. To be sure, they updated the report and decided to edit and change non-substantive parts, in part based on the feedback from the combined IC Deputies Committee’s response.

9. What does the PIDB assess to be the costs, in rough terms, to modernize the declassification system to implement your report’s recommended reforms?

As noted in question 6, agencies are responsible for reporting the annual estimated costs of their information security programs to ISOO. The PIDB highlighted that agency declassification costs have remained stagnant for almost two decades, and agencies collectively only spend approximately $100 million yearly. The PIDB listened as agency program managers described both their resource challenges and how they use their resources.  No funds are spent on technology to aid declassification review. Instead, agencies are using basic software and technology to simply manage review processes.

While the Executive branch’s actual declassification program costs are small, there are other hidden uncounted costs for agencies, including the cost of needlessly safeguarding records that are overclassified or remain classified for too long. Due to over-classification and siloed agency practices, there are also duplicative programs with duplicate procurement and acquisition costs. These costs can add tens of millions to hundreds of millions to agency budgets. There are added costs for security clearances and there are added costs for securely storing large volumes of digital data. There are added costs when decisions made by agency leaders, managers and the military are not as informed as they could be.

Although actual funding for declassification programs across the Executive branch is a negligent amount, even some of this spending is duplicative. For instance, several agencies purchased and use the same case management software. Under a shared services model in a federated enterprise system – like ICITE – these duplicative costs would end. The PIDB also learned that some agencies can have five staff and/or contractors review the same record, performing multiple Quality Assurance/Quality Review (QA/QC) functions. The NDC likewise relies on a significant number of staff to participate in its QA/QC and workflow processes.

Artificial Intelligence, Machine Learning, Content Understanding and other advanced technologies could be used to support automating some or all of QA/QC processes, or aid in identifying particularly sensitive records or in differentiating and segregating low-level or no longer sensitive records from ones that require a closer (human) review. Interestingly, as noted earlier in this questionnaire, the Applied Research Laboratory at the University of Texas at Austin conducted a pilot project using advanced technology to decipher classified digital data from a legacy electronic system from the Reagan administration. In this instance, the content understanding technology performed superior and made fewer errors than multiple staff with expertise in reviewing information from this era. The technology did a better job in identifying still sensitive information, including information that remains highly classified.

The IC IG indicated in its assessment of IC FOIA programs that other declassification and review spending is not used efficiently nor effectively. For instance, it highlighted the fact that not all IC agency FOIA programs have secure communications methods. As a result, those staff that do not have secure communications must often hand-carry or mail classified records for other agencies to review. It also highlighted that not all IC FOIA offices have Top Secret systems nor do staff possess the necessary clearances, so processing is both lengthy and inefficient. Reviewing Top Secret historical records and using JWICS and Top Secret systems requires travel, coordination, and additional time.  The NDC also lacks adequate JWICS communications. It refers records requested under FOIA or Mandatory Declassification Review to agencies by burning CDs and hand-carrying them. Once received, those agencies must first perform all necessary security protocols before using the CDs.

As Executive Agent, the DNI can drive reform and coordinate research, acquisitions, technology deployment, and expenditures so that they are effective and efficient.

Costs of Classification The Information Security Oversight Office’s 2017 annual report estimated that the current classification system cost the government $18.4 billion. It has not subsequently included a total cost in its annual reports.

10.What do you believe was the accuracy and utility of this estimate?

Please refer to the responses above and earlier in this questionnaire. The PIDB notes that ISOO’s annual report uses the word ‘estimate’ when addressing costs, as the Executive Order requires cost estimates. There are challenges with identifying costs across agencies for a few reasons, as ISOO’s last two Annual Reports indicated. First, there is no line item in agency budgets, or in OMB budget guidance, for declassification and classification costs. A budgetary line-item would allow for more precise accounting. Second, there are rarely common definitions across agencies for how to account for costs. Each uses its own method and definition. ISOO indicated that it is working with agencies, industry, and stakeholders to modernize its data call, including attempting to standardize terminology and definitions where they can.

11.What are the associated categories and costs of each category that are aggregated in the estimate?

 Until 2018, ISOO used the Standard Form 716 for agencies to use in estimating costs. This form was divided into nine subcategories: Personnel Security, Physical Security, Classification Management, Declassification, Protection and Maintenance of Classified Systems, Operations Security and Technical Surveillance Countermeasures, Professional Education, Training and Awareness, Security Oversight, Management, and Programing, and unique Items.  Agencies used this form in 2017 and ISOO determined that the overall cost of Executive branch information security programs was $18.4 billion and, of that figure, only $102 million was spent on declassification. As noted earlier in this questionnaire, ISOO waived use of this form in FY 2019 and 2020 as it works with stakeholders on a multi-year project to modernize data submissions.

12.Does the $18.4 billion estimate only include the cost associated with evaluating documents for public release, or does that number reflect the cost of maintaining current classified systems?

ISOO’s Annual Report for fiscal year 2017 indicates that $18.4 billion is the estimated costs for all Executive branch information security programs, including classification, declassification, and safeguarding.  While the overall information security program costs have doubled over the past decade, from $8.6 billion in FY 2007 to $18.4 billion in FY 2017, declassification costs have remained wholly stagnant. In FY 2017, the entire Executive branch only spent $100 million on declassification – .005% of the overall Executive branch information security estimated costs.

13.Do you believe there is a more accurate way to report total annual costs?

 As previously outlined above in our responses, the lack of an OMB line item that articulates how agencies should calculate costs, and the alignment of that line item with the form that ISOO uses to collect cost data from agencies reporting it to ISOO has contributed to differing standards, methods, and understandings of how these costs should be accounted for. The PIDB supports a new methodology for determining cost estimates associated with security classification and believes the ODNI, OMB, ISOO, and the interagency should work collaboratively to determine those costs.

Measuring Volume of Material for Declassification ISOO’s annual reports until 2017 included data on number of pages declassified by declassification category pursuant to Executive Order 13526.

14. Is counting the number of pages the best way of assessing how much is being declassified in a digital era? Extent of Confederated Classification System The classification system envisioned under Executive Order 13526 is heavily confederated, leaving great discretion to the agencies to develop their own classification guides, train their employees, and declassify materials.

Traditionally, the Executive branch has measured the volume of classified records in pages.  This is also true for measuring the yearly results of agency declassification programs, including automatic declassification, Mandatory Declassification Review (MDR), systematic declassification review, and discretionary declassification review. To date, this practice of measuring declassification has worked fairly well, although ISOO identified differences in how agencies account for the number of MDR requests they receive and process. There is also more significant volumes of historical non-textual classified information, such as audio, video, and film. Along with older classified media (like microfilm), this media is broken down into “page-equivalents” for the purpose of declassification.

The PIDB believes that Executive Order 13526 is wholly outdated and requires replacement with a new order focused solely on managing digital data. It is the reason behind all of their Reports to the President, from the issuance of their first report in 2008 to their most recent report issued earlier this year in June. Although there has been some progress in reforming classification and declassification policies, none have focused on the impact of technology – how the Government creates, uses, shares, stores, and safeguards classified information. Since the current Executive order was signed in 2008, IC agencies developed and now use ICITE, CIA and other agencies contracted to store their classified data in secure Clouds, and soldiers on the battlefield have hand-held devices where they can quickly transmit and receive classified data. There are far more methods for agencies to create, use and disseminate classified data.  Agencies have also developed joint classification guides to more seamlessly create and share information.

Managing the classification and declassification systems through an integrated enterprise approach, classified data will be able to be quantified in a common methodology.

15.What aspects do you believe should remain confederated?

and

16.What aspects do you believe should be centralized?

The PIDB recommended a federated system, led by an Executive Agent, and guided by an Executive Committee composed of senior leaders from agencies and departments with interest in this area. It should include, at a minimum, senior level representatives from the Departments of Defense, Energy, Justice, and State, and NARA.  The current classification and declassification system is outdated and from a different era.  It does not operate efficiently or effectively in the digital age. As Government modernizes its operations to make best use of technology and support new national security missions, it is hamstrung by an obsolete classification and declassification system. 

The benefits of a federated system are many. They include sharing technologies and applications; coordinating research and development and acquisitions; developing metadata standards that both eases sharing, allows for precise and uniform classification across agencies and aids declassification; reducing duplicative spending; increasing interagency coordination and cooperation; increasing the efficiency and effectiveness of classification and declassification decisions across the Executive branch, especially in instances where records from different agencies classify the same information and where records contain classified information from multiple agencies; and increasing Government transparency.

Executive Order 13526 established the National Declassification Center “to streamline declassification processes, facilitate quality-assurance measures, and implement standardized training regarding the declassification of records determined to have permanent historical value.” The NDC has proven largely successful, including eliminating a 400-million page backlog of records that were awaiting declassification review. However, its successes remain limited due to the lack of technology to communicate with agencies securely. Its processes are also focused solely on paper and require multiple reviews by staff from agencies and the NDC to review each page. It does not use any advanced technology to automate any part of these reviews.

To be successful in reviewing born digital records, the NDC will require modernization – with new policies and processes and the use of advanced technologies. It will need new technologies to assist in identifying digital data for declassification or exemption from declassification.  Modernizing the NDC is only possible by modernizing the entire classification and declassification system. The PIDB believes that it is best accomplished through a federated system led by an Executive Agent.