Rechanneling security toward changing threats.
THE FEDERAL GOVERNMENT REquires agencies and contractors working with classified projects to spend too much money on physical protection against unlikely threats and not enough on personnel and information security. So says the Joint Security Commission, comprised of private citizens and representatives of various government agencies.
The commission was formed in June 1993, at the request of the Director of the CIA CIA: see Central Intelligence Agency.
(1) (Confidentiality Integrity Authentication) The three important concerns with regards to information security. Encryption is used to provide confidentiality (privacy, secrecy). . It was charged with reexamining the government's security policies in light of post-Cold-War threats. The White House recently released the commission's report outlining a new organizational approach to government security programs. Accompanying the commission report, though not released to the public, was a White House draft executive order on classified documents.
The report describes the evolving threats to national security and how they affect security philosophy at the highest levels of government. It is similar in scope to the operating manual expected to be issued later this year by the National Industrial Security Program (NISP NISP National Industrial Symbiosis Programme (UK)
NISP National Industrial Security Program
NISP Neutron Instrument Simulation Package
NISP National Individual Security Program
NISP Nutrition Services Incentive Program ), which was established by President Bush.
Physical security. The commission found that the amount of physical security provided to protect classified information in facilities within the United States United States, officially United States of America, republic (2005 est. pop. 295,734,000), 3,539,227 sq mi (9,166,598 sq km), North America. The United States is the world's third largest country in population and the fourth largest country in area. is excessive. At the same time, information security may be lacking. The report recommends that priorities be reevaluated.
Modern threats call for increased spending on information systems security, says Joint Security Commission Chairman Jeffrey Smith, a lawyer with Arnold & Porter of Washington, D.C. Protecting the information in computer systems should not be limited to classified information, but should include unclassified un·clas·si·fied
1. Not placed or included in a class or category: unclassified mail.
2. but crucial elements of government, such as air traffic control information, he says.
According to according to
1. As stated or indicated by; on the authority of: according to historians.
2. In keeping with: according to instructions.
3. Smith, the focus needs to be shifted in other ways, as well. "There is far too much time, money, and effort spent on physical security and not enough on personnel security," he says. Smith says the report's most urgent recommendation is that the government should not require contractors or agencies to defend against remote threats, such as spies scaling twelve-foot walls. Resources should, instead, be focused on more probable risks, such as disgruntled dis·grun·tle
tr.v. dis·grun·tled, dis·grun·tling, dis·grun·tles
To make discontented.
[dis- + gruntle, to grumble (from Middle English gruntelen; see employees and computer theft.
Each agency protects classified material as it sees fit. A physical document may be protected by more or less security depending on the department under which it is classified. The commission report advocates that classified material or information stored within the United States be protected by one of two levels of a national physical security standard to be determined at a later date.
A database would be maintained that registers facilities in each area that are certified as meeting security requirements. All agencies requiring a specific level of security for storing classified documents could deposit items at the appropriate facility. Agencies would not be allowed to alter the level of security provided at the facility.
Another problem cited by the report is the decentralization de·cen·tral·ize
v. de·cen·tral·ized, de·cen·tral·iz·ing, de·cen·tral·iz·es
1. To distribute the administrative functions or powers of (a central authority) among several local authorities. of technical surveillance countermeasures Techniques and measures to detect and neutralize a wide variety of hostile penetration technologies that are used to obtain unauthorized access to classified and sensitive information. (TSCM TSCM technical surveillance countermeasures (US DoD)
TSCM Tactical Strike Coordination Manager
TSCM Tactical Strike Coordination Module
TSCM Temperature Scram Circuit Monitor
TSCM Tomahawk Strike Coordination Module ) activities. Resources are allocated at the agency or department level. To decrease expenses and increase communication, the commission recommends that routine inspections be eliminated within the United States and overseas inspections be increased. Any domestic inspections should be prompted by a clear threat to security. A training program would be coordinated to support overseas inspections and prepare for technological advances in technical surveillance equipment.
The report also advocates that a badge system be developed for government employees and contractors with security clearance. The badge system would include visual and electronic recognition, automated access control, and various encoded levels of access.
Joint investigative service. The commission recommends that a joint investigative service be established. The service would perform all personnel security background investigations for a fee. Agencies served would include the Department of Defense (DOD (1) (Dial On Demand) A feature that allows a device to automatically dial a telephone number. For example, an ISDN router with dial on demand will automatically dial up the ISP when it senses IP traffic destined for the Internet. ), the National Security Agency, the National Reconnaissance Office Noun 1. National Reconnaissance Office - an intelligence agency in the United States Department of Defense that designs and builds and operates space reconnaissance systems to detect trouble spots worldwide and to monitor arms control agreements and environmental , the CIA, and other organizations that report to the Secretary of Defense or the Director of Central Intelligence (DCI (Display Control Interface) An Intel/Microsoft programming interface for full-motion video and games in Windows. It allowed applications to take advantage of video accelerator features built into the display adapter. ). The service would also perform industrial security services Security services are state institutions for the provision of intelligence, primarily of a strategic nature, but also including protective security intelligence. Examples include the Security Service (MI5) and the Secret Intelligence Service (MI6) in the United Kingdom, and the common to the defense and intelligence communities. It would be funded through existing security organizations and report jointly to the Secretary of Defense and the DCI.
Classification. The government's classification system is designed to protect sensitive military and intelligence information. The nature of the current classification process, according to the commission, is too complex and needlessly large. To correct the problem, the report recommends a simplified, two-level system. An agency source says the draft executive order on classified documents advocates a more traditional three-level approach.
The current system uses three levels of classification: confidential, secret, and top secret. In addition to these are at least nine other protection categories called departmental special access programs. Certain agencies, such as the CIA and the branches of the armed services The Constitution authorizes Congress to raise, support, and regulate armed services for the national defense. The President of the United States is commander in chief of all the branches of the services and has ultimate control over most military matters. , all have different security requirements. Restrictions to specific programs are specialized, creating a vast number of classifications.
Classification decisions are based on an assessment of the damage expected if the information is released to the general public. But because levels of damage are difficult to define, people often differ in their judgment of the sensitivity of information.
Given the number of classifications, and the disagreement about which information should be classified and for how long, the commission concludes that the classification system has grown out of control. In place of the current system, a single, government-wide standard for the protection of classified information is recommended.
In the commission proposal, classification systems are confined con·fine
v. con·fined, con·fin·ing, con·fines
1. To keep within bounds; restrict: Please confine your remarks to the issues at hand. See Synonyms at limit. to two levels: classified and unclassified. There would be a single legal definition governing classified information, thus removing the need for value judgments.
Recognizing the validity of agency-specific security requirements, classified information would be generally protected (secret) or specially protected (secret compartmented access). According to Ron Beatty, director of corporate security at Rockwell International Rockwell International was the ultimate incarnation of a series of companies under the sphere of influence of Willard Rockwell, who had made his fortune after the invention and successful launch of a new bearing system for truck axles in 1919. Corporation of Seal Beach Seal Beach, city (1990 pop. 25,098), Orange co., S Calif., on the Pacific coast; inc. 1915. It is a beach city with an active art colony. Transportation equipment and concrete are among the city's manufactures. U.S. naval stations are nearby. , California, the classification system must have this flexibility. Agencies will never have identical security needs. "The commission is looking for Looking for
In the context of general equities, this describing a buy interest in which a dealer is asked to offer stock, often involving a capital commitment. Antithesis of in touch with. commonalties among the types of classified information," says Beatty. "By weeding out some idiosyncrasies, the system will become more efficient."
Commission recommendations would establish standard criteria for the consideration, review, and management of information requiring classification. Categories of information legally qualifying for special protection are:
* Technology that provides a significant battlefield edge
* Sensitive military operations This is a list of missions, operations, and projects. Missions in support of other missions are not listed independently. World War I
''See also List of military engagements of World War I
* Intelligence methods
* Information jeopardizing human operatives
* Sensitive intelligence, counterintelligence coun·ter·in·tel·li·gence
The branch of an intelligence service charged with keeping sensitive information from an enemy, deceiving that enemy, preventing subversion and sabotage, and collecting political and military information. , or special activity data
* Cryptologic cryp·tol·o·gy
The study of cryptanalysis or cryptography.
crypto·log systems or activities
* Sensitive policy issues or relationships with foreign governments
* U.S. negotiating positions
* Any information on weapons of mass destruction Weapons that are capable of a high order of destruction and/or of being used in such a manner as to destroy large numbers of people. Weapons of mass destruction can be high explosives or nuclear, biological, chemical, and radiological weapons, but exclude the means of transporting or
After documents have been classified, several precepts would apply to the protected material under the commission's recommendations. The person or agency classifying the information would identify a specific date or event after which information can be declassified de·clas·si·fy
tr.v. de·clas·si·fied, de·clas·si·fy·ing, de·clas·si·fies
To remove official security classification from (a document).
de·clas . If no date or event is specified, the documents would be declassified in ten years. The commission advises that an executive order specify categories to be exempt from the ten-year declassification de·clas·si·fy
tr.v. de·clas·si·fied, de·clas·si·fy·ing, de·clas·si·fies
To remove official security classification from (a document).
Personnel security. The commission is also recommending enhancements to the personnel security program. The first aspect of personnel security to be addressed is the clearance system. The report calls current procedures "needlessly complex, cumbersome, and costly." Among the problems cited are the fact that security clearances are sought for those who do not need clearance, many forms exist for the same type of clearance, and communication between agencies is sparse. Investigation techniques can be inconsistent when they are conducted by a number of agencies. The result is that clearances are granted by one agency and rejected by another.
The report recommends that clearances be requested only for personnel who require physical access to classified information or technology. In many circumstances, the current system requires all people at a given organization to be cleared even if only one person is using the material. For those who need access to a facility, the report recommends that a determination should be based on the results of a less complicated National Agency Check with Inquiries (NACI NACI National Advisory Committee on Immunization (Canada)
NACI National Advisory Council on Innovation (South Africa)
NACI National Agency Check with Inquiries ).
Under the commission's plan, a fee would be charged to agencies and organizations requesting clearances. Charging would do more than raise money. With fee-for-service funding, the agency or organization using the service would be motivated to limit use, resulting in increased efficiency and an appropriately sized department.
Screening of contractor personnel would be conducted by the government or an independent company hired by the government specifically for that purpose, not by the company that employs the personnel. According to the commission, this action would save a great deal of time and money. Only those individuals with a relative expectation of success would be applying for security clearances through the government.
On the technical side, the commission recommends that the personnel security questionnaire devised by the National Industrial Security Program be adopted for use throughout DOD and the intelligence community. A standard prescreening form would also be developed.
The report advocates that the government invest in automation. The Secretary of Defense and the DCI would automate the clearance process to increase timeliness, reduce costs, and improve the efficiency of the entire personnel security program.
Security committee. According to the commission, shifting priorities among government agencies causes security policy to become fragmented and diffused. To develop a unified policy, a government-wide Security Executive Committee would oversee security policy. The committee would replace other security bodies and report directly to the National Security Council. Such a committee would have ramifications ramifications npl → Auswirkungen pl outside of the intelligence and security communities because it would apply to many agencies that are not currently linked to security, such as the Justice Department and the State Department.
Threat assessments. To make the assessment of threats more uniform and accessible, the commission recommends that the Secretary of Defense and the DCI appoint the DCI's Counterintelligence Center as executive agent for all counterintelligence and security threat analysis. This national agency would become a focal point focal point
See focus. for threat analysis and would be easily accessible by government and industry.
The next step. The future of the report and its recommendations is uncertain. While some issues may be addressed quickly, others that involve interagency coordination Within the context of Department of Defense involvement, the coordination that occurs between elements of Department of Defense, and engaged US Government agencies, nongovernmental organizations, and regional and international organizations for the purpose of accomplishing an objective. and congressional funding, will take longer. According to Dale Hartig of the Defense Investigative Service, even if all of the recommendations are accepted by various governmental departments, actual change may occur only over the long term. "It is probably premature to discuss the report from the aspect of outcomes," says Hartig. "A great deal of work remains."
"The report may be a bit ahead of its time," says Beatty, "but action on the commission's recommendations is still possible." Though Beatty agrees that looking at problems objectively is the first step, change may be difficult for an entity as large as the federal government.
Teresa Anderson is a staff editor at Security Management.