Rechanneling security toward changing threats.
The commission was formed in June 1993, at the request of the Director of the CIA. It was charged with reexamining the government's security policies in light of post-Cold-War threats. The White House recently released the commission's report outlining a new organizational approach to government security programs. Accompanying the commission report, though not released to the public, was a White House draft executive order on classified documents.
The report describes the evolving threats to national security and how they affect security philosophy at the highest levels of government. It is similar in scope to the operating manual expected to be issued later this year by the National Industrial Security Program (NISP), which was established by President Bush.
Physical security. The commission found that the amount of physical security provided to protect classified information in facilities within the United States is excessive. At the same time, information security may be lacking. The report recommends that priorities be reevaluated.
Modern threats call for increased spending on information systems security, says Joint Security Commission Chairman Jeffrey Smith, a lawyer with Arnold & Porter of Washington, D.C. Protecting the information in computer systems should not be limited to classified information, but should include unclassified but crucial elements of government, such as air traffic control information, he says.
According to Smith, the focus needs to be shifted in other ways, as well. "There is far too much time, money, and effort spent on physical security and not enough on personnel security," he says. Smith says the report's most urgent recommendation is that the government should not require contractors or agencies to defend against remote threats, such as spies scaling twelve-foot walls. Resources should, instead, be focused on more probable risks, such as disgruntled employees and computer theft.
Each agency protects classified material as it sees fit. A physical document may be protected by more or less security depending on the department under which it is classified. The commission report advocates that classified material or information stored within the United States be protected by one of two levels of a national physical security standard to be determined at a later date.
A database would be maintained that registers facilities in each area that are certified as meeting security requirements. All agencies requiring a specific level of security for storing classified documents could deposit items at the appropriate facility. Agencies would not be allowed to alter the level of security provided at the facility.
Another problem cited by the report is the decentralization of technical surveillance countermeasures (TSCM) activities. Resources are allocated at the agency or department level. To decrease expenses and increase communication, the commission recommends that routine inspections be eliminated within the United States and overseas inspections be increased. Any domestic inspections should be prompted by a clear threat to security. A training program would be coordinated to support overseas inspections and prepare for technological advances in technical surveillance equipment.
The report also advocates that a badge system be developed for government employees and contractors with security clearance. The badge system would include visual and electronic recognition, automated access control, and various encoded levels of access.
Joint investigative service. The commission recommends that a joint investigative service be established. The service would perform all personnel security background investigations for a fee. Agencies served would include the Department of Defense (DOD), the National Security Agency, the National Reconnaissance Office, the CIA, and other organizations that report to the Secretary of Defense or the Director of Central Intelligence (DCI). The service would also perform industrial security services common to the defense and intelligence communities. It would be funded through existing security organizations and report jointly to the Secretary of Defense and the DCI.
Classification. The government's classification system is designed to protect sensitive military and intelligence information. The nature of the current classification process, according to the commission, is too complex and needlessly large. To correct the problem, the report recommends a simplified, two-level system. An agency source says the draft executive order on classified documents advocates a more traditional three-level approach.
The current system uses three levels of classification: confidential, secret, and top secret. In addition to these are at least nine other protection categories called departmental special access programs. Certain agencies, such as the CIA and the branches of the armed services, all have different security requirements. Restrictions to specific programs are specialized, creating a vast number of classifications.
Classification decisions are based on an assessment of the damage expected if the information is released to the general public. But because levels of damage are difficult to define, people often differ in their judgment of the sensitivity of information.
Given the number of classifications, and the disagreement about which information should be classified and for how long, the commission concludes that the classification system has grown out of control. In place of the current system, a single, government-wide standard for the protection of classified information is recommended.
In the commission proposal, classification systems are confined to two levels: classified and unclassified. There would be a single legal definition governing classified information, thus removing the need for value judgments.
Recognizing the validity of agency-specific security requirements, classified information would be generally protected (secret) or specially protected (secret compartmented access). According to Ron Beatty, director of corporate security at Rockwell International Corporation of Seal Beach, California, the classification system must have this flexibility. Agencies will never have identical security needs. "The commission is looking for commonalties among the types of classified information," says Beatty. "By weeding out some idiosyncrasies, the system will become more efficient."
Commission recommendations would establish standard criteria for the consideration, review, and management of information requiring classification. Categories of information legally qualifying for special protection are:
* Technology that provides a significant battlefield edge
* Sensitive military operations or plans for the operations
* Intelligence methods
* Information jeopardizing human operatives
* Sensitive intelligence, counterintelligence, or special activity data
* Cryptologic systems or activities
* Sensitive policy issues or relationships with foreign governments
* U.S. negotiating positions
* Any information on weapons of mass destruction
After documents have been classified, several precepts would apply to the protected material under the commission's recommendations. The person or agency classifying the information would identify a specific date or event after which information can be declassified. If no date or event is specified, the documents would be declassified in ten years. The commission advises that an executive order specify categories to be exempt from the ten-year declassification requirement.
Personnel security. The commission is also recommending enhancements to the personnel security program. The first aspect of personnel security to be addressed is the clearance system. The report calls current procedures "needlessly complex, cumbersome, and costly." Among the problems cited are the fact that security clearances are sought for those who do not need clearance, many forms exist for the same type of clearance, and communication between agencies is sparse. Investigation techniques can be inconsistent when they are conducted by a number of agencies. The result is that clearances are granted by one agency and rejected by another.
The report recommends that clearances be requested only for personnel who require physical access to classified information or technology. In many circumstances, the current system requires all people at a given organization to be cleared even if only one person is using the material. For those who need access to a facility, the report recommends that a determination should be based on the results of a less complicated National Agency Check with Inquiries (NACI).
Under the commission's plan, a fee would be charged to agencies and organizations requesting clearances. Charging would do more than raise money. With fee-for-service funding, the agency or organization using the service would be motivated to limit use, resulting in increased efficiency and an appropriately sized department.
Screening of contractor personnel would be conducted by the government or an independent company hired by the government specifically for that purpose, not by the company that employs the personnel. According to the commission, this action would save a great deal of time and money. Only those individuals with a relative expectation of success would be applying for security clearances through the government.
On the technical side, the commission recommends that the personnel security questionnaire devised by the National Industrial Security Program be adopted for use throughout DOD and the intelligence community. A standard prescreening form would also be developed.
The report advocates that the government invest in automation. The Secretary of Defense and the DCI would automate the clearance process to increase timeliness, reduce costs, and improve the efficiency of the entire personnel security program.
Security committee. According to the commission, shifting priorities among government agencies causes security policy to become fragmented and diffused. To develop a unified policy, a government-wide Security Executive Committee would oversee security policy. The committee would replace other security bodies and report directly to the National Security Council. Such a committee would have ramifications outside of the intelligence and security communities because it would apply to many agencies that are not currently linked to security, such as the Justice Department and the State Department.
Threat assessments. To make the assessment of threats more uniform and accessible, the commission recommends that the Secretary of Defense and the DCI appoint the DCI's Counterintelligence Center as executive agent for all counterintelligence and security threat analysis. This national agency would become a focal point for threat analysis and would be easily accessible by government and industry.
The next step. The future of the report and its recommendations is uncertain. While some issues may be addressed quickly, others that involve interagency coordination and congressional funding, will take longer. According to Dale Hartig of the Defense Investigative Service, even if all of the recommendations are accepted by various governmental departments, actual change may occur only over the long term. "It is probably premature to discuss the report from the aspect of outcomes," says Hartig. "A great deal of work remains."
"The report may be a bit ahead of its time," says Beatty, "but action on the commission's recommendations is still possible." Though Beatty agrees that looking at problems objectively is the first step, change may be difficult for an entity as large as the federal government.
Teresa Anderson is a staff editor at Security Management.
|Printer friendly Cite/link Email Feedback|
|Date:||Jun 1, 1994|
|Previous Article:||A plan to prevent pilfering.|
|Next Article:||Judicial decisions.|