REDEFINING SECURITY A Report to the Secretary of Defense and the Director of Central Intelligence February 28, 1994 Joint Security Commission Washington, D.C. 20505 The Honorable William J. Perry Secretary of Defense Pentagon Washington, D. C. 20301 The Honorable R. James Woolsey Director of Central Intelligence Washington, D. C. 20505 Dear Sirs: 1. Pursuant to your request, the Joint Security Commission was convened on June 11, 1993. The Commission was guided by your direction to develop a new approach to security that would "assure the adequacy of protection within the contours of a security system that is simplified, more uniform, and more cost effective." 2. This report presents the recommendations of the Joint Security Commission to achieve these objectives and to redefine security policies, practices and procedures. The report describes the threats to our nation's security and lays out a vision the Commission believes will shift the course of security philosophy. We also propose a new policy structure and a classification system designed to manage risks better, and we outline methods of improving government and industry personnel security policies. We offer recommendations on developing new strategies for achieving security within our information systems, including protecting the integrity and availability of both classified and unclassified information assets, and we call for a new approach to capture security costs. We provide recommendations for linking traditional physical and technical countermeasures to threat. We believe that implementation of these recommendations will result in a security system that will meet the evolving threat while being fairer, more coherent, and more cost effective. 3. In reaching its conclusions and recommendations, the Commission drew upon the perspectives of policymakers, Congress, the military, industry, and public interest groups. Although our charter was limited to a review of the Intelligence and Defense Communities, we found that many of the problems and solutions have government-wide implications. In those instances where we believe that a government-wide solution is the best answer, we have offered recommendations to that effect. 4. This report represents months of work by the Commissioners, our staff, and a vast number of citizens both in and out of government, who graciously gave us their time and comments. On behalf of the Commission, I would like to thank all who contributed to this effort and to give special recognition to our superb staff, headed so ably by Dan Ryan. Ultimately, of course, the Commissioners bear full responsibility for the analysis and recommendations contained herein. 5. As you have directed, the Commission will remain in place until June 1, to assist in the implementation of our recommendations. We look forward to working with you to achieve the objectives you have laid before us. Very respectfully, Jeffrey H. Smith Chairman Attachment EXECUTIVE SUMMARY The world has changed dramatically during the last few years, with profound implications for our society, our government, and the Defense and Intelligence Communities. Our understanding of the range of issues that impact national security is evolving. Economic and environmental issues are of increasing concern and compete with traditional political and military issues for resources and attention. Technologies, from those used to create nuclear weapons to those that interconnect our computers, are proliferating. The implications and impacts of these technologies must be assessed. There is wide recognition that the security policies, practices, and procedures developed during the Cold War must be changed. Even without the end of the Cold War, it is clear that our security system has reached unacceptable levels of inefficiency, inequity, and cost. This nation must develop a new security system that can meet the emerging challenges we face in the last years of this century and the first years of the next. With these imperatives in mind, the Joint Security Commission has focused its attention on the processes used to formulate and implement security policies in the Department of Defense and the Intelligence Community. In reviewing all aspects of security, the Commission has been guided by four principles: o Our security policies and services must realistically match the threats we face. The processes we use to formulate policies and deliver services must be sufficiently flexible to facilitate change as the threat evolves. o Our security policies and practices must be more consistent and coherent, thereby reducing inefficiencies and enabling us to allocate scarce resources effectively. o Our security standards and procedures must result in the fair and equitable treatment of those upon whom we rely to guard the nation's security. o Our security policies, practices, and procedures must provide the needed security at a price the nation can afford. The recommendations of the Commission, presented in detail in this report, fall mainly into three categories: (1) recommendations that will maintain and hopefully enhance security, but at a lower cost by avoiding duplication and increasing efficiency; (2) recommendations that will reduce current levels of security but in accordance with risk management principles based on a changing threat; and (3) recommendations that will create new processes to formulate and oversee security policy governmentwide. In a very few cases-most notably concerning personnel security and information systems security-the Commission is recommending additional security requirements that will increase costs. The Commission's recommendations also include changes that are revenue neutral but will make the security system both more rational and inherently more fair. Although the Commission is recommending certain specific changes, the primary concern of the Commission is to create new and flexible processes that will adjust security policies, practices, and procedures to achieve our stated goals as the political, economic, and military realities evolve. In the past, most security decisions have been linked one way or another to assumptions about threats. These assumptions frequently postulated an all-knowing, highly competent enemy. Against this danger, we have striven to avoid security risks by maximizing our defenses and minimizing our vulnerabilities. Today's threats are more diffuse, multifaceted, and dynamic. We also know that some vulnerabilities can never be eliminated fully nor would the costs and benefits warrant trying. While the Commission recognizes that the consequences of some security failures are exceptionally dire and require exceptional protection measures, in most cases it is possible to balance the risk of loss or damage of disclosure against the costs of countermeasures. We can then select a mix that provides adequate protection without excessive cost in dollars and without impeding the efficient flow of information to those who require ready access to it. The Commission believes that the nation must develop a security framework that will provide a rational, cost-effective, flexible set of policies, practices, and procedures. This framework must use a risk management approach that considers actual threats, inherent vulnerabilities, and the availability and costs of countermeasures as the underlying basis for making security decisions. Risk management requires evaluating the resource impact of proposed changes in security policies and standards. This is practically impossible with today's accounting systems because they are not designed to collect security cost data. The Commission believes that establishing a system to capture security costs is crucial to effective streamlining and cost reduction. Therefore, we have recommended the creation of a uniform cost-accounting methodology and tracking system for security resources expended by the Department of Defense, the Intelligence Community, and supporting industry. The Commission believes two areas require particular attention. First, personnel security lies at the very heart of our security system. No amount of physical, information systems, or procedural security will be sufficient if we cannot ensure the trustworthiness of those who must deal with sensitive and classified information. Grave damage has been caused to the United States by current or former employees and contractors of the government who decided to become spies for our adversaries. Therefore, the Commission believes that renewed efforts must be made to strengthen our personnel security system. The Commission also recognizes the necessity for enhancing the training we provide security officers, managers, and workers in the importance of security and of their roles in protecting the nation's information assets. The processes we use to clear personnel in the Defense and Intelligence Communities vary widely from agency to agency. Different standards are applied by different agencies; clearances are not readily transferable; and the time to grant a clearance ranges from a few weeks in one agency to months in others. Accordingly, we recommend common standards for adjudications and a joint investigative service to standardize background investigations and thus take advantage of economies of scale. Second, information systems security requires increased attention. Productivity is, in today's world, directly related to information systems and their connectivity. The Defense and Intelligence Communities are increasingly dependent on information systems in performing their complex missions on behalf of the nation. Information systems technology is, however, evolving at a faster rate than information systems security technology. Overcoming the resulting gap will require careful threat assessments, well-thought-out investment strategies, sufficient funding, and management attention if our computers and networks are to protect the confidentiality, integrity, and availability of our classified and unclassified information assets. The Commission believes that a systems approach is necessary in making decisions about the application of security countermeasures. By placing all the responsibility for security on each of the security disciplines, we have created requirements for multiple layers of security that add little value. This is particularly apparent in physical security, where classified documents may be stored in locked containers inside locked strong rooms within secure buildings in fenced facilities patrolled by armed guards-overkill even at the height of the Cold War, much less in today's security environment. A risk-managed systems approach would tailor countermeasures to threat and should result in significant savings that could be applied to improving personnel and information systems security, or to maintaining or improving other areas directly related to successful performance of defense and intelligence missions. Nowhere will the payoff from improving our security policies, practices, and procedures be higher than in the industrial base supporting the Defense and Intelligence Communities. Our current practices subject industry to a bewildering array of requirements that are compliance-based, inconsistent, and often contradictory. Security requirements imposed on industry far exceed the requirements used by government agencies and organizations to protect the same information. While some budgetary and proprietary information must be withheld from some contractors in order to preserve competition, the Commission has found little reason to treat industry differently from government for security purposes. We must create a partnership between government and industry to enhance security, leaving adversarial roles behind. The Commission also believes that our security policies must not unnecessarily discourage foreign investment in American companies nor unduly burden our industrial base in competing for a larger share of the world's markets. Central to the Commission's recommendations is the immediate formation of a single organization-a security executive committee chaired by the Secretary of Defense (or his designee) and the Director of Central Intelligence-responsible for the creation of security policies and overseeing the coherent implementation of those policies across the Defense and Intelligence Communities. This committee would not, of course, supplant the existing statutory authorities of the Secretary of Defense and the Director of Central Intelligence, including the latter's responsibility to protect sources and methods. This committee would, however, replace numerous existing fora that today independently develop security policies and procedures that are often inconsistent and are sometimes contradictory. A single source for security policies should result in reciprocity with consequential reductions in cost and improvements in efficiency. Although it is outside the scope of our charter, the Commission also believes that this committee should, in the very near future, be expanded by the addition of representatives from other government departments and agencies and given the responsibility to formulate governmentwide security policies. The committee, which should report to the National Security Council, should oversee the security system and have an outside advisory panel of distinguished Americans to ensure that industry, academia, and public interest groups have a voice in the formulation of security policies. To facilitate the formulation, implementation, and oversight of security policies, practices, and procedures, the Commission proposes a radical new classification system that greatly simplifies the current system and eliminates the subjectivity inherent in it. The Commission worked closely with the Task Force revising Executive Order 12356 on National Security Information in analyzing possible changes and their impacts, and determined that a single level of classification with two degrees of protection should be adopted. Most classified information would be protected using a coherent set of personnel, physical, information systems, and procedural security standards and would be based on discretionary need-to-know as currently practiced for Confidential and Secret materials. Highly sensitive information, such as that protected at the Top Secret, Sensitive Compartmented Information, or Special Access Program levels today, would be protected by using a more stringent set of standards and would be based on centrally managed need-to-know determinations. Application of this system will be founded on risk management rather than complete avoidance of all risk and would concentrate on security as a service to our communities in place of the compliance-based, punitive approach in use today. The Joint Security Commission is pleased to present its recommendations for the creation of an improved process for the formulation, management, and oversight of security policies, practices, and procedures. We believe that implementation of this process and the coherent application of its results should ensure that security countermeasures are chosen to match the evolving threat and that inefficiencies and costs are minimized. The resulting security system would treat people fairly and provide a balanced mix of security needed to protect our information assets, facilities, personnel, and our nation's interests. JOINT SECURITY COMMISSION Commissioners: Jeffrey H. Smith, Chairman Duane P. Andrews J. Robert Burnett Ann Caracristi Antonia H. Chayes Anthony A. Lapham Nina J. Stewart Richard F. Stolz Harry A. Volz Larry D. Welch Staff: Dan J. Ryan, Executive Secretary, CIA John T. Elliff, Deputy Executive Secretary, DoD Marisa Barthel, CIA John E. Bloodsworth, CIA Sheila Brand, NSA Edmund Cohen, CIA Rene Davis-Harding, DoD Lee A. Falcon, DoD Mary Griggs, DoD Helmut H. Hawkins, DoD Dan L. Jacobson, DoD Richard P. Nyren, Jr., DoD Maria N. O'Connor, NSA Michael D. Reynolds, CIA Martin E. Strones, DoE Jim Sullivan, CIA Annette B. Swider, CIA Larry D. Wilcher, DoE Secretarial and Clerical Support: Barbara Dever, CIA Josephine Harrison, CIA Betty L. Richman, CIA TABLE OF CONTENTS CHAPTER 1. APPROACHING THE NEXT CENTURY 1 Implementing the New Paradigm-Risk Management 4 CHAPTER 2. CLASSIFICATION MANAGEMENT 7 Classification-Driving Security 7 The Current Classification System-Cumbersome and Confusing 7 Special Access Programs-Lacking Faith in the System 8 A New System-Streamlined and Straightforward 10 A Simplified Controlled Access System 12 Limiting Use of Special Access Controls 13 Uniform Risk Criteria for Secret Controlled Access Information 15 Increasing the Flow of Data 17 Special Cover Measures 19 Security Oversight of Compartmented Access Programs 20 Classification Management Practices 22 Dissemination Controls-Impediments to Getting Intelligence into the Hands of Customers 22 Sharing Classified Information 24 Billet and Access Control Policies 24 Secrecy Agreements 25 Declassification 27 Making the Classification System Really Work-An Integrated Approach with Appropriate Oversight 30 Dealing with Sensitive but Unclassified Information 31 CHAPTER 3. THREAT ASSESSMENTS-THE BASIS OF SMART SECURITY DECISIONS 33 Asleep at the Wheel 33 A Wake-Up Call 35 CHAPTER 4. PERSONNEL SECURITY-THE FIRST AND BEST DEFENSE 39 The Process Begins 40 Requesting a Clearance 40 Prescreening and Fairness 41 Forms and Automation-Ending the Paper Trail 42 Investigations-Assessing Trustworthiness 44 Investigative Requirements-Streamlining the Process 44 Continuing Evaluation-Reinvestigations and Safety Nets 45 Clearance Processing-Time Is Money 47 Adjudication 48 Adjudicative Standards and Criteria 48 DoD Adjudicative Facilities 50 Reciprocity 50 Procedural Safeguards 51 DoD Contractor Personnel 53 DoD Civilian Personnel 54 Differences and Comparative Advantages 54 Military Personnel 59 Special Access Approvals 60 The Polygraph 61 Background 61 Applications of the Polygraph 62 Recommendations 66 Oversight 67 Standardization 68 Training, Research, and Development 69 CHAPTER 5. PHYSICAL, TECHNICAL, AND PROCEDURAL SECURITY 71 Physical Security Standards 72 Facility Certification 73 Facilities, Containers, and Locks 74 Industrial Security Inspections 75 TEMPEST 76 Technical Surveillance Countermeasures (TSCM) 77 Procedural Security 78 Central Clearance Verification 78 Certification of Contractor Visits 79 Communitywide Badge Systems 80 Document Tracking and Control 81 Document Destruction 82 Document Transmittal 83 Operations Security 83 CHAPTER 6. PROTECTING ADVANCED TECHNOLOGY 87 Foreign Ownership, Control, and Influence 88 Foreign Exchange Agreements-The Status Quo 90 Threat Analysis-Vital to Protecting Advanced Technology 91 The National Disclosure Policy 92 Recording Foreign Disclosure Decisions 93 CHAPTER 7. A JOINT INVESTIGATIVE SERVICE 95 Personnel Security Investigations 95 Industrial Security 97 Establishment of a Joint Investigative Service 98 CHAPTER 8. INFORMATION SYSTEMS SECURITY 101 The Threat to Information and Information Systems 102 Dated Policies 104 Failed Strategies 105 The New Information Systems Security Reality 106 Information Systems Security Policy for Tomorrow 106 The Investment Strategy for Information Systems Security 107 Research and Development-A Need to Consolidate 109 Infrastructure Security Management 110 Auditing Infrastructure Utilization 110 Managing the Risk to Information Systems 111 Emergency Response-The Need for Help 112 Information Systems Security Professionals 112 CHAPTER 9. THE COST OF SECURITY-AN ELUSIVE TARGET 115 Understanding Security Costs 115 Costs in Black and White 116 Visible and Invisible Security Costs 116 "There's No Way to Know How Much We're Spending on Security!" 118 Work to Date in the DoD 118 Intelligence Community Efforts 119 Capturing Security Costs in Industry 119 Moving Towards Consistency 121 Getting to the Bottom Line-The Payoff Is Long Term . . . 121 . . . With Up-Front Costs in the Near Term 122 The Bottom Line 122 CHAPTER 10. SECURITY AWARENESS, TRAINING, AND EDUCATION 123 The Present 123 Training for the Future 123 CHAPTER 11. A SECURITY ARCHITECTURE FOR THE FUTURE 127 The Present 127 The Future 128 ENDNOTES 131 APPENDIXES 135 A. Statement of Commissioner Lapham on Secrecy Agreements 135 B. Statement of Commissioner Chayes on Procedural Safeguards 137 C. Statement of Commissioner Lapham on Polygraph 139 D. Acronyms 151 E. Acknowledgments 155 CHAPTER 1: APPROACHING THE NEXT CENTURY The first duty of government is to provide security for its citizens. This security takes many forms, including a strong military, a robust economy, and mutually beneficial international relationships. In a democracy, the people's security also depends on the health of the democracy itself. This, in turn, depends on the protection of democracy's processes and the careful maintenance of the balance between the right of the public to know and the government's responsibility to provide for security. As the twentieth century nears its end, events require that the United States assess the basic assumptions and goals that guide the protection of government information, facilities, and people. Our preoccupation with the specter of nuclear annihilation has been reduced; the resources for national security programs are declining sharply; and the information age has irrevocably altered the way we do business. Concurrently, the continued preeminent role of the United States in world political, military, and economic affairs makes our government and industrial activities of major interest to foreign powers. In this environment, the security practices and procedures that developed from World War II until the 1990s require fundamental reexamination. For some time, it has been recognized that the security system is fragmented, complex, and costly. The Infrastructure Report of the Community Management Review requested by then Director of Central Intelligence (DCI) Robert Gates labeled current security policies and practices as the "greatest deterrents to major savings in infrastructure," and recommended the creation of a DCI security commission to design and implement a new security system. The DCI's Task Force on Standards of Classification and Control Report, commonly known as the "Gries Report," called for revision of the classification and control system on the grounds that it was "unsuited to the geopolitical and fiscal realities . . . in the 1990s." The Gulf War reinforced the military's need to analyze and move vast amounts of information to distant theaters of operation. Industry has been concerned about the inconsistency and cost of current security practices and procedures. Congress is convinced that change is necessary. The Secretary of Defense and the Director of Central Intelligence acknowledged these concerns and established the Joint Security Commission in May 1993. The Commission's task was to review security policies and procedures with three simple goals: (1) find what works and keep it; (2) determine what no longer works and fix it; and (3) identify what the future demands and implement it. In the nine months since its creation, the Joint Security Commission has attempted to fulfill this task by conducting an extensive security review within the Department of Defense and the Intelligence Community. In doing so, the Commission sought not only the perspectives of policymakers, the Congress, industrial leaders, the military, and public interest groups but also the technical expertise of government and industry security personnel. Many will recognize their words and opinions in the text of this report and we acknowledge a debt of gratitude for their contributions. We also commend the many initiatives already underway-such as those instituted by the National Industrial Security Program and the DCI's Security Forum-to streamline and modernize the government's security policies and practices and to incorporate risk management strategies. The Commission's considered opinion, however, is that these changes alone are not enough. The security system must not only overcome the inefficiencies of the past but also rise to the challenges of the future. It must be dynamic, flexible, and forward looking. Nowhere is this more apparent than in the area of information systems and networks. The Commission considers the security of information systems and networks to be the major security challenge of this decade and possibly the next century and believes that there is insufficient awareness of the grave risks we face in this arena. The nation's increased dependence upon the reliable performance of the massive information systems and networks that control the basic functions of our infrastructure carries with it an increased security risk. Never has information been more accessible or more vulnerable. This vulnerability applies not only to government information but also to the information held by private citizens and institutions. We have neither come to grips with the enormity of the problem nor devoted the resources necessary to understand fully, much less rise to, the challenge. Fundamental and very tough questions are involved: What should the governmentUs role be in helping to protect information assets and intellectual capital that are in private hands? How should technology developed by the government to protect classified information be provided to the private sector for the protection of sensitive but unclassified information? Protecting the confidentiality, integrity, and availability of the nation's information systems and information assets-both public and private- must be among our highest national priorities. The Commission believes that there are fundamental weaknesses in the security structure and culture that must be fixed. Security policy formulation is fragmented. Multiple groups with differing interests and authorities work independently of one another and with insufficient horizontal integration. Efforts are duplicated and coordination is arduous and slow. Each department or agency produces its own implementation rules that can introduce subtle changes or additions to the overall policy. There is no effective mechanism to ensure commonality. The Commission believes that the complexity and cost of current security practices and procedures are symptoms of the underlying fragmentation and cannot be alleviated without addressing it. We, therefore, propose that a security executive committee be created to assume responsibility for the development and oversight of security policy for the US Government and to function as a continuing agent of change. We further propose that a security advisory board be constituted to interject a nongovernment and public interest perspective into government security policy. These proposals are described in detail in chapter 11. Some other problems that we identify and discuss in this report are: o Countermeasures are frequently out of balance with the threat. They have too often been based on worst-case scenarios rather than realistic assessments of threats and vulnerabilities. o The classification system is cumbersome and classifies too much for too long. The zeal to protect information has sometimes inhibited the flow of information to those who need it. o Personnel security is the centerpiece of the Federal security system, but current procedures are needlessly complex and costly. There are too many inconsistencies, too many forms, and too much delay. o There are too many layers of physical security and they cost too much money. A facility's security may include multiple layers-fences, alarms, guards, security containers, access control devices, closed circuit television, locks, and special construction requirements-that are not necessarily needed. o Large sums have been spent on technical security within the United States despite a minimal level of threat. o Procedural security measures are not always effective. Elaborate record keeping procedures for document control are costly and can no longer be relied upon to deter compromise in the age of personal computers, facsimile machines, copier equipment, modems, and networks which offer ample opportunities to copy documents without detection. Procedural security that is still necessary, such as badges and visitor control, can be streamlined. o Operations security (OPSEC) is important and sometimes critical in a military environment and for sensitive operations, but it has been extended to inappropriate situations and environments. The problems are many and the mandate for change is strong, but change must be guided by clear goals and principles. We envision security as a dynamic and flexible system guided by four basic principles: o Our security policies and services must be realistically matched to the threats we face. The processes we use to formulate policies and deliver services must be sufficiently flexible to facilitate their evolution as the threat changes. o Our security policies and practices must be consistent and coherent across the Defense and Intelligence Communities, thereby reducing inefficiencies and enabling us to allocate scarce resources efficiently. o Our security standards and procedures must result in the fair and equitable treatment of the members of our communities upon whom we rely to guard the nation's security. o Our security policies, practices, and procedures must provide the security we need at a price we can afford. The Commission believes that the application of these principles will make the security system less fragmented, less complex, and more cost effective. We also believe that the progress made will be eroded over time without a fundamental adjustment in the way security is viewed and practiced. Security can no longer be seen as an independent, external authority that rigidly imposes procedures and demands compliance. The Commission believes that it is time for a paradigm shift. o Security is a service that should be based on an integrated assessment of threat, vulnerability, and customer needs. Conceptually, it should be the way that we think rather than a manual of rules. Security then becomes a more positive undertaking that values the spirit over the letter of the law, problem prevention over problem resolution, and individual responsibility over external oversight. It is a partnership between security and operations that balances the need to protect with the need to get the job done. Industry is a valuable partner and participant in this process. o Security must come from an integrated system that recognizes the interdependence of the individual security disciplines and establishes a logical nexus between the sensitivity of information and the personnel, physical, information, and technical security countermeasures applied in protecting the information. In this model, the individual security disciplines are interlocking pieces of a puzzle, each critical to overall success but none sufficient by itself. o Security is a shared responsibility. Each individual has a role to play in ensuring the best possible protection for our information, personnel, and assets. Individual and management accountability for security actions and decisions are prerequisites for dynamic and responsive security processes. o Security is a balance between opposing equities. The imperative to protect cannot automatically be allowed to outweigh mission requirements or the public's fundamental right-to-know and it must never obscure the understanding that an informed public is the foundation of a democratic government. Implementing the New Paradigm-Risk Management In the past, most security decisions have been linked one way or another to assumptions about threats. These assumptions frequently postulated an all-knowing, highly competent enemy. For the better part of the last half century, we viewed the Soviet Union and its allies as capable of exploiting our every weakness. Against this danger, we strove to avoid security risks by maximizing our defenses and minimizing our vulnerabilities. Since the future of the free world was considered highly dependent on how successfully we maintained our secrets, the costs of security programs, the constraints on needed information flow, and the negative impact on individuals and our economic competitiveness were all secondary considerations. We used worst case scenarios as the basis for most of our security planning. The threats today are more diffuse, multifaceted, and dynamic. National security concerns now include a daunting array of challenges that continue to grow in diversity in our unstable and unpredictable world. The possibility of failure of democratic reform in Russia poses a constant danger. Further, Russia's ability to maintain control of its special weapons, China's supplying of equipment and technology to unstable countries, and North Korea's, Iran's and Iraq's attempts to develop nuclear weapons, have serious and far-reaching implications for regional security and stability. Burgeoning ethnic and religious rivalries that cross traditional boundaries endanger both new and long-standing peace agreements, drawing the United States into an expanding role in peacekeeping and humanitarian missions. The bombing of the World Trade Center and the assassination of two CIA employees in Virginia heightened our sensitivity to the fact that terrorist activities against Americans can occur domestically as well as abroad. Violent crime and narcotics trafficking in our neighborhoods also continue to threaten American lives and values. The Commission recognizes that the consequences of failures to protect against some of these threats are exceptionally dire. For instance, terrorists' use of weapons of mass destruction, or an adversary's foreknowledge of our battle plans, could have consequences so grave as to demand the highest reasonably attainable standard of security. This is true even if the probability of a successful attack is small and the cost of protection is high. Some inherent vulnerabilities can never be eliminated fully, nor would the cost and benefit warrant this risk avoidance approach. In most cases, however, it is possible to balance the risk of loss or damage of disclosure against the costs of countermeasures and select a mix that provides adequate protection without excessive cost in dollars or in the efficient flow of information to those who require ready access to it. We can and must provide a rational, cost-effective, and enduring framework using risk management as the underlying basis for security decision making. The Commission views the risk management process as a five-step procedure: 1. Asset valuation and judgment about consequence of loss. We determine what is to be protected and appraise its value. Part of asset valuation is understanding that assets may have a value to an adversary that is different from their value to us. 2. Identification and characterization of the threats to specific assets. Intelligence assessments must address threats to the asset in as much detail as possible, based on the needs of the customer. These assessments may be commissioned at the national level to feed the development of security policies and standards, at the program level to guide systems design, or in planning intelligence support for military or other operations. 3. Identification and characterization of the vulnerability of specific assets. Vulnerability assessments help us identify weaknesses in the asset that could be exploited. The manager may then be able to make design or operational changes to reduce risk levels by altering the nature of the asset itself. Cost is an important factor in these decisions, as design changes can be expensive and can impact other mission areas. 4. Identification of countermeasures, costs, and tradeoffs. There may be a number of different countermeasures available to protect an asset, each with varying costs and effectiveness. In many cases, there is a point beyond which adding countermeasures will raise costs without appreciably enhancing the protection afforded. 5. Risk assessment. Asset valuation, threat analysis, and vulnerability assessments are considered, along with the acceptable level of risk and any uncertainties, to decide how great is the risk and what countermeasures to apply. This process is depicted in the following figure: Identify and Analyze Identify and cost characterize vulnerabilities countermeasures \ | / Risk Assess the value of -- management -- Assess risks the potential target decisions | Cost-effective security Figure 1. The Risk Management Process When any of these steps are left out, the result can either be inadequate protection or unnecessary and overly expensive protection. Frequently, the missing element is the incorporation of specific, up-to-date threat assessments in the development of security policies. With no documented threat information, countermeasures are often based on worst case scenarios. The Commission stresses that managers must make tradeoffs during the decision phase between cost and risk, balancing the cost in dollars, manpower, and decreased flow of needed information against possible asset compromise or loss. Policy decisions resulting from the risk management process can then guide security planning. At the national level, these risk management decisions should form the backbone of, and provide the standards for, the security system. The resulting standards would promote consistency, coherence, and reciprocity across programs and agencies. CHAPTER 2. CLASSSIFICATION MANAGEMENT Classification-Driving Security The classification system is designed primarily to protect the confidentiality of certain military, foreign policy, and intelligence information. It deals with only a small slice of the government information that requires protection although it drives the government's security apparatus and most of its costs. Despite the best of intentions, the classification system, largely unchanged since the Eisenhower administration, has grown out of control. More information is being classified and for extended periods of time. Security rules proliferate, becoming more complex yet remaining unrelated to the threat. Security costs increase as inconsistent requirements are imposed by different agencies or by different program managers within the same agency. This accretion of security rules and requirements to protect classified information does not make the system work better. Indeed, the classification system is not trusted on the inside any more than it is trusted on the outside. Insiders do not trust it to protect information that needs protection. Outsiders do not trust it to release information that does not need protection. This Cold War classification system can be simplified. In place of more than 12 levels of protection and widely differing and inconsistent security policies and practices, the Commission recommends a single, rational, governmentwide standard for the protection of classified information. The Current Classification System- Cumbersome and Confusing The classification system is more complex than necessary. Classification is inherently subjective and the current system inappropriately links levels of classification with levels of protection. The current classification system starts with three levels of classification (Confidential, Secret, and Top Secret), often referred to collectively as collateral. Layered on top of these three levels are at least nine additional protection categories. These include Department of Defense Special Access Programs (DoD SAPs), Department of Energy Special Access Programs, Director of Central Intelligence Sensitive Compartmented Information Programs (DCI SCI), and other material controlled by special access or "bigot" lists (Footnote 1) such as the war plans of the Joint Chiefs of Staff and the operational files and source information of the CIA Operations Directorate. Further complicating the system are restrictive markings and dissemination controls such as ORCON (dissemination and extraction of information controlled by originator), NOFORN (not releasable to foreign nationals), and "Eyes Only." Classification Levels of Protection TOP SECRET TS - BIGOT LIST TS - SCI TS - DoD SAP SECRET S - BIGOT LIST S - SCI S - DoD SAP CONFIDENTIAL C - BIGOT LIST C - SCI C - DoD SAP UNCLASSIFIED Figure 2. The Current Classification System Currently, proper classification depends on assessing the expected damage to national security caused by unauthorized disclosure of the information. Information is classified as Confidential if damage is expected to occur. Secret is used if serious damage will result. Information is Top Secret only if exceptionally grave damage will occur. However, because it is difficult to precisely define levels of damage, reasonable persons can and do differ in their evaluation. Yet, it is not even clear why the effort to assess damage should be made since the protection required is not dependent on the level of damage. For example, greater protection is provided for Secret information in SCI channels, disclosure of which would cause "serious damage" to national security, than for Top Secret information that is not within a special access program, disclosure of which would cause "exceptionally grave damage." Moreover, from a Freedom of Information Act or an Espionage Act standpoint, the significant issue is whether the information is classified, not the level at which it is classified. We conclude that there is no need for levels of classification. Information is not more classified or less classified. It either is classified or it is not. Indeed, thinking about information as more or less classified has led to statements that information is "only Confidential" or "only Secret." This thinking also has led to efforts to link classification levels with the length of time protection is required. Yet we know that some Top Secret information, such as an invasion date, may need to be protected for days, while some Secret information, like the identity of a confidential source, may need to be protected for decades. Special Access Programs-Lacking Faith in the System Special access programs (Footnote 2) are used to compensate for the fact that the classification system is not trusted to protect information effectively and does not adequately enforce the "need to know" principle. For example, the Top Secret classification is supposed to protect information that, if improperly disclosed, would result in exceptionally grave damage to the national security. Yet, the perception is that the "regular" classification system cannot protect such information because it has no provision for limiting which cleared persons have access to the information. In the 1980s, as confidence in the traditional classification system declined, more and more information was put into SAP and SCI compartments based on assertions that the regular classification system provided inadequate need-to-know restrictions. The special access system gave the program manager the ability to decide who had a need-to-know and thus to strictly control access to the information. But elaborate, costly, and largely separate structures emerged. According to some, the system has grown out of control with each SAP program manager able to set independent security rules. The Department of Defense divides these programs into three categories: acquisition, intelligence, and operations and support. (Footnote 3) Programs in these categories are further defined as either acknowledged or unacknowledged. (Footnote 4) Some of the most sensitive DoD programs are "waived" or "carved out" from certain oversight and administrative requirements. There are over one hundred DoD SAPs, with many having numerous compartments and subcompartments, designed to further segregate and limit access to information. Each special access program manager is free to establish the security rules that will apply to his or her particular program. Within the Intelligence Community, the term Sensitive Compartmented Information (SCI) refers to data about sophisticated technical collection systems, information collected by those systems, and information concerning or derived from particularly sensitive methods or analytical processes. Specific SCI control systems serve as umbrellas for protecting a type of collection effort or a type of information. Within each SCI system are compartments and within them, subcompartments, all designed to formally segregate data and restrict access to it to those with a need-to-know, as determined by a central authority for each system. There are over 300 SCI compartments (recently reduced from over 800) grouped into a dozen or so control channels. Special activities have their own non-SCI control channels. Rules relating to SCI programs are found in DCI Directives (DCIDs), but implementation is uneven and minimum standards are often exceeded. In addition to the formal SAP, SCI, and covert action control channels, strict need-to-know access restrictions also are imposed for other types of information within the DoD and the Intelligence Community. These include information identifying intelligence sources and liaison relationships, as well as information about military plans, such as the Single Integrated Operations Plan (SIOP) for strategic nuclear war or the battle plan for the invasion of Iraq during the Gulf War. Access to such information is generally controlled by access or bigot lists. The Commission agrees that some types of classified information, such as identities of intelligence sources, information about sensitive intelligence methods, plans for operations, and technological advances that provide our military forces unique advantages on the battlefield, may require more protection than others. However, we do not agree that each SAP manager needs to establish a unique set of security rules, or that SAP security rules and SCI security rules need to be different. Current practice has begun to recognize this fact and to coalesce around two standards: one for Confidential and Secret, the other for Top Secret and SAPs/SCI. In personnel security, for example, agencies do not have separate clearance standards for Confidential and Secret. And a single clearance standard for Top Secret and SCI is evolving with DoD SAPs beginning to follow this standard, even though program managers today have the authority to impose their own standards and many do so. A New System-Streamlined and Straightforward The opportunity to change the classification system comes at an important point in our history. In this post-Cold War period, we can move away from a strategy that has been characterized as something close to total risk avoidance and develop instead an approach more clearly based on risk management. We continue to recognize that there is information that needs the protection of the classification system and that there are costs associated with the unauthorized disclosure of information vital to the national security. But we also recognize that in a democracy the public needs access to information about what its government is doing and that there are significant costs associated with keeping information classified and tightly controlled. In sum, it is important to consider the political, economic, and opportunity costs of classifying information, as well as the costs of failing to classify information. The Commission finds that the costly and complicated bureaucracy that provides security is a reflection of the underlying complexity of the classification management system. The Commission believes that a less complicated system can help correct the current approach that has led to classifying too much at too high a level and for too long. We propose a new one-level classification system. Under this system, information either is classified or it is not. There would be a single legal definition of classified information and no need to pretend that we can precisely measure the amount of damage to national security that would be caused by an unauthorized disclosure. Two degrees of protection will be available, instead of the dozen or so now used. Information either will be generally protected (labeled SECRET) or specially protected (labeled SECRET COMPARTMENTED ACCESS). Each protection level would be defined both in terms of the type of information to be included and the type of protection. The protections available for each level will be standardized. Most special handling and dissemination markings will be unnecessary and special access controls will be integral to, rather than added onto, the classification system. In addition, only certain clearly defined categories of information will qualify for special protection and only in certain clearly defined circumstances. Classification Levels of Protection Classified SECRET SECRET COMPARTMENTED ACCESS Unclassified Figure 3. The Proposed Classification System The vast majority of classified information would be generally protected to promote the availability and accessibility of the information. Baseline security protection standards will be established and discretionary need-to-know would apply; a cleared individual could determine whether to pass the information to another cleared individual. Generally protected information would incorporate current Confidential and Secret documents, which will not have to be remarked. The Commission recognizes that most departments and agencies have, and will want to continue, procedures that govern the manner in which Secret information is disseminated within their organizations. Some may also wish to maintain limited control on their information that is passed to other agencies, such as a requirement that the recipient agency not pass the information on to a third agency without obtaining permission from the originating agency. Finally, there may be unique problems that arise in implementing this new approach that require an exemption from general rules, such as the manner in which CINCs communicate with Navy vessels. The Commission recognizes the need for flexibility, but does not want to lose the advantages of the new system through creating loopholes by, for example, permitting heads of departments and agencies to create "mini SAPs" by imposing dissemination controls. Therefore, the Commission recommends that heads of departments or agencies be permitted to establish dissemination controls on Secret information only upon approval of the security executive committee proposed in chapter 11. As a result of risk analysis, a limited amount of information would be specially protected as Secret Compartmented Access information. Enhanced security protection standards would apply, requiring a higher clearance standard for access and a centralized need-to-know control structure provided by an access or bigot list. Compartmented access information would incorporate most current Top Secret, Special Access, and Sensitive Compartmented Information. The Commission finds that classification management is the "operating system" of the security world. Classification drives the way much of security policies are implemented and security practices are carried out. Standards, organizations, procedures, and policies governing everything from the levels of security clearance, to procedures for processing information, to sentencing guidelines for individuals convicted of espionage are based on our existing classification structure. The complexity of the existing classification system is the root cause for much of the confusion of the existing security system. (Footnote 5) Simplify the classification system and simplification of the security system will follow. The Commission notes that the existing classification management system is evolving naturally into a two-level system. Confidential and Secret information is handled using similar or identical standards. Top Secret, SCI, and SAP information is protected using more stringent and substantially common standards. The Commission believes that this natural occurring division forms an excellent basis for an improved classification system. The proposed system will better relate needed asset protection to security countermeasures. In place of the myriad investigative and adjudicative requirements and the differing physical security standards, two security standards, based on analysis of risk, would be developed to guide application of the two degrees of protection for these security disciplines. Procedures for securing classified information would likewise have only two standards. Similar simplifications would follow throughout the rest of the security system. The Commission recommends the establishment of a one-level classification system with two degrees of protection A Simplified Controlled Access System The Commission concludes that the current special access system needs to be simplified. Enhanced security protection can be achieved with less compartmentation and fewer barriers to the flow of information. Instead of the current complicated system with the multiple control officers and multiple control channels, information requiring special protection would be marked SECRET COMPARTMENTED ACCESS and would carry a designator, such as a codeword or number, identifying the relevant access list. A single specially protected information control officer and channel would replace the panoply of structures and systems for protecting SCI, SAPs, or bigot list controlled access information. Thus, instead of the structure shown below in figure 4: Special access Programs (E.O.) / | \ Bigot lists SCI DoD SAPs | | | digraphs/ control programs trigraphs systems | | compartments compartments | | sub sub compartments compartments Figure 4. Current Special Access Programs Structure We propose the following structure: Controlled access system | compartments Figure 5. Proposed Special Access Programs Structure The Commission recommends that: a) All special access, SCI, covert action control systems, war plans, and bigot list activities be integrated into the new classification system. b) A single control channel for SECRET COMPARTMENTED ACCESS information, with a codeword for each need-to-know list, replace all existing special control channels. Limiting Use of Special Access Controls The Commission concludes that simplifying the system will aid in identifying and better protecting information that really needs enhanced security protection. Viewing information as part of a special access program often meant that everything in the program had to be compartmented. Analyzing the impact of the loss of specific information focuses attention on what needs special protection and what does not, and would result in less information being placed at the compartmented access level. Steps will be taken to limit the amount of information that is specially protected and to prevent the migration of information from the generally protected level to the specially protected level. A first step is to identify clearly in an executive order those limited categories of information qualifying for special protection. The Commission suggests the following categories of information be considered for special protection: o A technology application that provides a significant battlefield edge and that could be copied or countered if key information were disclosed to a potential adversary. o A sensitive military operation or plans for the operation in circumstances in which disclosure might impair its current or future success. o A fragile intelligence method when the opposition is not aware of either the fact, or special capabilities of the method and, were they to become aware of it, could employ countermeasures to deny us information or use deception to feed the US incorrect information. o A human source in circumstances in which the US would lose its ability to use the source and/or the source or the source's family is likely to be harmed. o A sensitive intelligence, counterintelligence, or special activity in circumstances in which disclosure would impair its success. o Information that would impair US cryptologic systems or activities. o Sensitive policy issues or relationships with a foreign government which, if revealed, would significantly harm foreign government cooperation with the US. o A US negotiating position in circumstances in which such disclosure would cause us to lose a negotiating advantage. o Scientific and technical information that describes the design of weapons of mass destruction that could significantly assist others to develop or to improve such weapons, or to significantly enhance their ability to circumvent the control features of such weapons. The Commission recommends that compartmented access be considered for the categories of information detailed above and any other categories of equally sensitive information, and that all current and future Special Access Programs, war plans requiring limited access controls, Sensitive Compartmented Information, covert action control systems, and bigot lists be reviewed and validated against that list. Perhaps the greatest weakness in the entire system is that critical specially protected information within the various DoD and SCI compartments is not clearly identified. Individuals within government and industry are forced to protect everything within a particular compartment, rather than just the small amount of information that truly needs compartmented access status and need-to-know controls. One general officer likened the situation to trying to protect every blade of grass on a baseball field. He had to have a hundred players to guard the entire field, when only four persons to protect home plate would suffice. The Commission believes a rigorous review is needed to identify and separate the information that will continue to require special protection from that which does not. Such a review will allow many compartmented access compartments to be eliminated and will permit the consolidation of critical data within fewer remaining compartments. The Commission recommends that the Secretary of Defense and the Director of Central Intelligence direct that managers for each compartmented access system undertake a review to identify information within all compartments and subcompartments that requires continued special protection. This information should be consolidated in the fewest compartments possible. Uniform Risk Criteria for Secret Compartmented Access Information The Commission believes that decisions to require special protection for sensitive information and activities should be consistently made based on common risk management principles. The Commission found that uniform risk assessment criteria do not exist for establishing, designating, managing, and disestablishing SAP and SCI compartments. Each component develops its own procedures for assessing the risks dictating compartmented access protection, often with little external guidance or oversight. Some elements place unclassified technologies and independent research and development efforts directly under special protection as soon as a promising military application is discovered. Others do not, and thus disparities exist among agencies in the way the same basic technology or application is classified, designated, and protected. The decision to designate a DoD SAP as unacknowledged radically increases its cost and severely inhibits oversight, coordination, and integration with other similar programs. Critics advised the Commission that state of the art advances and efficiency gains may be sacrificed or significantly hindered once a technology-based program is brought under special controls. If an acquisition SAP is unacknowledged, others working in the same technology area may be unaware that another agency is developing a program. The government may pay several times over for the same technology or application developed under different special programs within different agencies. Two military services and the DoE have programs involving the same technological application. One military service classified its program as Top Secret Special Access with a deadly force protection requirement. The other military service classified its program as Secret Special Access with little more than tight need-to-know protection applied. The DoE classified its program as collateral Secret, adopting discretionary need-to-know procedures. Despite the fact that the Commission did find one or two examples of programs coordinating common technology or scientific issues, the potential still exists for disconnects in coordination and integration among various DoD SAPs and non-SAP programs. In the above example, the three government agency program managers are aware of the other programs, but refuse to devise a common protection standard. This problem is not uncommon. The strict SAP control inhibits the flow of information. One result is that comparable advances in state-of-the-art technology by related noncompartmented government research efforts are not readily accepted by some SAP managers as valid reasons to decompartment their programs. The government pays a high cost when this occurs. Continuing special security controls when they may not be necessary is expensive. But, the controls are probably much less costly than the lost opportunities caused by inhibiting non-governmental research initiatives with potential payoffs for the SAP itself. The Commission applauds the DoD's action to establish joint coordination and review of Stealth and related low-observable technologies developed by numerous special programs. However, this effort should be expanded to achieve integration across the DoD components and non-DoD agencies in other areas of technology to reduce apparent gaps in the integration of SAP decisions with national-level science and technology intelligence, counterintelligence, and counterproliferation intelligence analysis. Again, using the example above, a common security standard is needed to reduce conflicting analyses regarding the true state-of-the-art or the actual threat to advanced technologies that in turn leads to the application of varying degrees of security and the resulting costs. There also is the need for coordination of DoD special program issues and decisions with other governmental interests, such as foreign relations with the Department of State and national intelligence issues with the Director of Central Intelligence. In the past, decisions were made not to brief the Director of Central Intelligence on certain DoD programs that affected national intelligence interests. Such decisions can occur when senior-level personnel are not made aware of, for example, the existence of a subcompartment or the impact of certain activities under special programs. The Commission's recommendations on threat assessment and risk management should be followed in determining whether and how special protection is to be applied, especially with respect to unacknowledged programs. This criteria should form the basis for decisions made on special protection throughout the government. The Commission recommends that the Secretary of Defense and the Director of Central Intelligence: a) Establish uniform risk assessment criteria for the consideration, designation, review, management and decompartmentation of information requiring special protection. b) Conduct independent risk assessments of the unacknowledged status of compartmented access programs, based upon all-source analysis of relevant intelligence and counterintelligence information. c) Review similar compartmented access programs to ensure reciprocity and eliminate redundancy. d) Institute a formal mechanism to review designation, coordination, and integration issues related to compartmented access programs to ensure that the DoD elements, the Intelligence Community, the Departments of State, Energy, Commerce, and others are advised of compartmented access program issues affecting their interests. Currently, SAP security policies are developed independently by individual program managers. Within the Intelligence Community, actual SCI program practices often exceed the DCID standard. The Commission found that many of the problems with the SAPs and the SCI programs are due to obsolete security standards and inconsistent, program-specific applications. The conflicting policies of the DoD and Intelligence Community elements add significant unnecessary expense to the system, with no appreciable increase in security. Common standards for special protection would bring coherence to the DoD and Intelligence Communities, and bridge the gap between the DoDs SAPs and the DCI's SCI programs. Under the new classification scheme, the security executive committee, described in chapter 11, will work with security professionals and program managers to develop a single uniform security policy and set of standards adequate to protect all DoD and Intelligence Community special programs. As a consequence, there no longer would be the wide variances in security practices that significantly raise costs, particularly in industry. Managers of special programs would not be granted unbridled discretion in deciding which security measures to employ, but they would be allowed to waive down from the standard in circumstances in which reciprocity is not affected. In sum, reciprocity, integration, and the ability to control overall costs requires that a uniform standard be followed in most cases, but exceptions could be made in appropriate circumstances. The Commission recommends that: a) A single, consolidated policy and set of security standards be established for Secret Compartmented Access information, including all current SAPs, SCI, covert action, and the various bigot list programs. b) Standards contain some flexibility, but waivers down from compartmented access security measures be permitted only when there is no impact upon reciprocity. Increasing the Flow of Data Many persons who spoke to the Commission were quite critical of the Intelligence Community's tendency to disseminate intelligence data within compartmented channels rather than at the generally protected level. Combatant commanders are adamant that intelligence must be released at the Secret level to be useful to them. Law enforcement agencies increasingly assert that most intelligence information passed to them is overclassified and therefore often unusable. Excessive compartmentation precludes the timely dissemination of intelligence pending completion of reviews to remove (or sanitize) source and method revealing information or until permission is granted for release of originator-controlled data. This has an adverse impact on the timeliness and specificity of intelligence. The impact is very serious to users of intelligence in the DoD, its agencies, and the military services. During the Gulf War, the limited amount of sanitized operations-related intelligence information forced one military officer to meet his warfighting needs by regularly flying two Captains back and forth to US installations in Europe to get additional information decompartmented and then to return with as much of this hard copy intelligence data and imagery as they could carry. All users made clear to the Commission that they want intelligence provided in a more timely manner, with as much specificity as possible, and with fewer dissemination restrictions. Currently compartmented data should be reviewed to remove source- or method-revealing information so that significantly more intelligence information can be made available as generally protected information. Those sanitizing intelligence should also ensure as much usable data remains as possible. Concerns have been raised that, at times, so much information is removed in order to protect sources and methods, the ability of users of the information to make critical decisions is undermined. The Commission is encouraged by efforts under way to limit the amount of controlled access information within the Intelligence Community. Most intelligence reporting based on human sources is not compartmented because source-identifying information is deleted. Further, a significant amount of imagery is being released outside of compartmented channels. While the National Security Agency has made progress in decompartmenting its information, more can be done. Significant benefit would be gained if the National Security Agency were to form a task force, similar to the one formed by the Central Imagery Office, to drastically reduce the amount of compartmented information it produces, and to release more intelligence at the generally protected level. The Commission believes that, as a general rule, only the limited amount of intelligence that would materially compromise sensitive sources and methods or collection strategies, as well as that which has exceptional political sensitivity due to the nature of the target, should remain within compartmented channels. The remaining vast majority of data should be routinely released as generally protected information. Where source-revealing information must necessarily be included, the Commission strongly recommends the use of a tear line. Those who need to know how the information was derived will have access to the information above the tear line, marked SECRET COMPARTMENTED ACCESS. Those who need to act on the information, but do not need to know the source of the information, will receive the generally protected information below the tear line, marked SECRET. The Commission recommends that: a) All intelligence reporting within compartmented channels be severely restricted to the limited amount of information that would compromise sensitive sources and methods or collection strategies, or that has exceptional political sensitivity. b) All other intelligence products, particularly when related to military operations, be released as generally protected information. Advanced weapon systems and specialized intelligence capabilities are of little use to the military commander if he is unaware of them and unable to train warfighting elements in the use of the new capability. Briefing commanders when compartmented access programs are ready for use is not enough. Military elements must be kept aware of the program, its goals and objectives, and its potential employment well ahead of production and deployment in order to fully incorporate new capabilities into unit war plans. Although many technologies, weapon systems, and intelligence capabilities are ultimately developed for use by the warfighter, no effective procedure exists to ensure that combatant commanders are briefed on all such systems, their capabilities, and projected availability for use. Moreover, the Commission found that even when military elements are briefed, they are put under such tight constraints that they are unable to use the compartmented access information in any practical way. This prohibits field elements from being able to incorporate these capabilities into war planning and other crisis activities. A senior military officer on the Joint Staff expressed concern that current classification and security procedures constrict the flow of operational information to the warfighter at the tactical level. He felt that we still treat certain capabilities as pearls too precious to wear-we acknowledge their value, but because of their value, we lock them up and don't use them for fear of losing them. The Commission believes that more needs to be done to keep combatant commanders informed of current and upcoming programs, capabilities, weapons, and operations that could potentially be used in a military venue. Accordingly, a separate, small entity should be established and given the responsibility to work with the owners of compartmented access information to disseminate it aggressively to combatant commanders. This entity, with full access to all compartmented access programs, would balance the perceived reluctance of special access program managers to share information against the perceived tendency of military entities to disseminate this information broadly within a command. The intent is to ensure that combatant commanders are more fully informed about compartmented access activities while taking into account the sensitivity and fragility of the information. The Commission recommends that the Secretary of Defense and the Director of Central Intelligence: a) Establish a separate entity to work with special access program managers and combatant commanders to ensure that military commands are more fully aware of compartmented access information concerning current and projected technologies, weapons, techniques, operations and programs that are pertinent to their responsibilities. b) Delegate authority to combatant commanders to brief staff members with a need-to-know on compartmented access information so that these capabilities can be incorporated into conflict planning activities. Special Cover Measures There are many valid reasons for the special cover measures used by some military and intelligence organizations, such as potentially life-threatening, high-risk, covert operations and intelligence and counterintelligence investigations or operations. However, these techniques also have increasingly been used for major acquisition and technology-based contracts to conceal the fact of the existence of a facility or activity or to mask government-contractor affiliations. The Commission found that the use of cover to conceal the existence of a government facility or the fact of government research and development interest in a particular technology is broader than necessary and significantly increases costs. For example, one military service routinely uses cover mechanisms for its acquisition controlled access programs without regard to individual threat or need. Another military organization uses cover to hide the existence of certain activities or facilities. Critics maintain that in many cases, cover is being used to hide what is already known and widely reported in the news media. Several government agencies paid, under various secure contracts, to have a significant number of "sterile" telephones installed to hide contractors' affiliations with the government. In many cases, the sterile telephones were installed next to secure telephones required by other classified government contracts. In one case, a contractor had 200 sterile telephones next to 173 STU-III telephones and 145 secure "green" phone lines. These cover mechanisms are expensive and the marginal security benefits gained by compartmenting knowledge of the existence of a government or contractor facility often are outweighed by the costs of concealment, including the costs to other programs that would benefit from sharing technical knowledge and sharing use of the facility. Special protection generally should focus on the most sensitive uses of a facility, rather than the fact of its existence. Organizations with high-funding profiles and extensive contracts, such as the National Reconnaissance Office, have incorporated elaborate rules into their daily operations to conceal the fact of their existence and to hide the identity and affiliation of organization employees and contractors. Even though the NRO's existence was finally declassified in 1992, classification for most of its personnel and activities remains in place. We believe many NRO classification requirements currently imposed can be dropped without danger to essential NRO activities. The Commission believes an overall review of the DoD and Intelligence Community organizations employing cover mechanisms is needed to determine whether such costly measures continue to be necessary. The Commission recommends that the Secretary of Defense and the Director of Central Intelligence: a) Rescind blanket classified status for the NRO and its employees. b) Review the cover status of the DoD and Intelligence Community elements and personnel, rescinding cover for those without a documented covert intelligence or operational mission. c) Review existing covert contractual requirements to determine those that may be canceled as soon as advantageous to the government. d) Develop new policies for cover that limits its use to those situations for which it is needed. Security Oversight of Compartmented Access Programs The DoD management framework provides for oversight of all DoD compartmented access programs through reviews by the Deputy Secretary of Defense. Oversight is also provided by reports to Congress. The Commission has reviewed the reporting procedures that exist with respect to Congressional oversight of the DoD controlled access programs, including those for programs that are waived from certain requirements due to their extreme sensitivity. We see no need to modify existing reporting procedures and believe that the current system should continue without change. Until recently there has been no procedure for centralized assessment of special program proposals submitted directly to the Deputy Secretary of Defense by the military departments. The recent formation of the DoD Special Access Program Oversight Committee, which the Commission fully supports, will ensure that every program is reviewed by a panel of senior officials prior to its establishment, and annually thereafter, to determine whether compartmentation for each program is still required. This new management structure is an important initiative to improve centralized review, cross-program integration, security policy guidance, and oversight of special programs. The Commission suggests that the Oversight Committee expand this review to incorporate a separate evaluation of the proposed or actual security countermeasures for each special program. A separate review could yield alternate security countermeasures to replace the sometimes costly or inefficient countermeasures proposed by the sponsoring special program managers. For existing controlled access programs, the Committee should examine how previously-approved security countermeasures are actually implemented. This may reveal security practices that are no longer necessary and help to lessen the gap between actual practice and policies for controlled access programs. Finally, the Commission believes that security cost-drivers, such as unacknowledged special program status, imposition of cover, mandatory polygraphs for access, and waivers from Defense Investigative Service inspections of contractors, should be considered and approved separately by the DoD Special Access Program Oversight Committee before they are imposed. These steps will aid the Oversight Committee in eliminating unnecessary and costly security practices and in redirecting scarce protection resources to other program priorities. The Commission believes that the DoD's new approach to overseeing controlled access programs is reasonable. However, the Commission believes the process could be strengthened by establishing a security oversight arm that is wholly independent from the everyday management and security of controlled access programs. An independent viewpoint is necessary to interject an unbiased, broader perspective on controlled access proposals and practices because many believe that SAPs are created not simply for security reasons, but to create a specialized cadre of experts, streamline procurement, limit oversight, and thus speed development. Others are concerned that fundamental questions about the propriety of controlled access activities may not be raised by those within the special program community, or be presented to senior policymakers outside of the sponsoring military service. This new oversight function would have to have up-front, across-the-board access to all special access programs. The Commission's proposed independent oversight arm also would provide valuable guidance with respect to access control practices applied to programs other than recognized SAPs. In the past, certain DoD components have limited the distribution of particular types of classified information, such as military plans, without formally designating the program as a SAP, because SAPs require high-level approval and oversight. These programs use labels such as LIMDIS (limited distribution), SPECAT (special category), or other less formal designations. The Commission views these programs as "SAP-like" in that aspects of approved specially protected programs, such as multiple compartments and nondisclosure agreements, often are imposed upon those given access to the information. However, DoD officials have taken the position that compartmentation to protect military plans should not be considered a "program" within the meaning of Special Access Program regulations, but simply a "planning document." As a result, military plans currently are not included in senior-level special program reviews. In the future, none of these "plans versus program" distinctions should matter under the Commission's proposed new classification structure. However, independent oversight will continue to be necessary for controlled access programs to ensure that security issues are fully aired to senior management. Assigning independent responsibility for conducting inquiries regarding activities protected by special programs and similar compartments, will give the Secretary of Defense a valuable check and serve as a safety valve in ensuring that security protections are not misused, and that questionable practices are brought to light and resolved within the Department. The Commission recommends that the Secretary of Defense: a) Under the auspices of the DoD Special Access Program Oversight Committee: 1) Conduct a separate evaluation of proposed or actual security countermeasures for controlled access programs. 2) Separately review and approve unacknowledged status, imposition of cover, mandatory polygraph for access requirements, and waivers from Defense Investigative Service security inspections of contractors before they may be imposed on controlled access programs. b) Assign security oversight responsibilities for controlled access activities to an independent DoD office outside the special program community. CLASSIFICATION MANAGEMENT PRACTICES There are a number of additional areas dealing with the implementation and management of the classification system, whether the current or the proposed system, that require consideration and improvement. Dissemination Controls-Impediments to Getting Intelligence into the Hands of Customers A senior intelligence official stated that "the day-to-day most serious problem is that we don't get intelligence to the policymakers in a way that they can use it." The issue is not merely that too much information is compartmented, but that intelligence users may be denied timely access to intelligence data and other classified information due to an originator's tendency to include unnecessary control markings. Four of the standard control markings (Footnote 6) established by the Director of Central Intelligence for the Intelligence Community are security controls; two are not. (Footnote 7) The Commission recommends that three of the four security control markings be eliminated. They are duplicative, unnecessary, and impede the timely transfer of intelligence to those who need it. WNINTEL (Warning Notice - Intelligence Sources and Methods Involved) is implicit in the specially protected category, ORCON ( Dissemination and Extraction of Information Controlled by Originator) is viewed as more of an impediment to intelligence users than a protection for intelligence producers, and all US classified information is NOFORN (not releasable to foreign nationals), unless a decision is made to release such information. Accordingly, the REL TO (authorized for release to . . . ) control should suffice. Under the new classification system, security control markings, apart from REL TO, will not be needed or desirable for generally protected information labeled SECRET, because such information will be under a discretionary need-to-know regime. Similarly, security control markings will not be needed or desirable for specially protected information labeled SECRET COMPARTMENTED ACCESS because such information incorporates centralized access controls that already specify the personnel (government, contractor, foreign government) who are to receive the information. The Commission recommends that the two remaining control markings: PROPIN (PROPRIETARY INFORMATION), and NOCONTRACT (not releasable to contractors or consultants) be combined into a single marking: government-industry-restricted information (GOVIND). The NOCONTRACT marking, as currently used, often prevents contractors from obtaining the information they need to do their job. This is particularly inappropriate in the case of Federally Funded Research and Development Centers (FFRDCs). These are non-profit institutions with no production facilities, no products or services to sell in commercial markets, and that are not supposed to compete with non-FFRDCs. Accordingly, procedures should be developed to routinely obtain advance agreement that corporate proprietary information is given to the government with the express understanding that such information can be shared with FFRDCs as required by the government. In the system we propose, government employees and contractors will be cleared to the same standard and appropriately indoctrinated. Consequently, there will be no need to restrict information from contractors with a need to know, other than to protect two types of information. The first is information that is provided to the government by a commercial firm or private source under an express or implied understanding that the information will be protected as a trade secret or proprietary data and will not be disseminated to a potential competitor. The second is government information, for example budgetary information, that could give the contractor an unfair competitive advantage. A new marking, GOVIND, would restrict both types of information. Agency-specific dissemination controls such as "Exclusive For," "Secret/Sensitive," or "Eyes Only" add to the confusion, and are rarely enforced. We recommend that no agency-specific, dissemination-control markings be used for security purposes. There is no consistency between agencies in the terms used. Whatever unique handling restrictions they imply usually are not understood by the recipient agencies and are improperly applied. The Commission recommends that, with the exception of "GOVIND" and "REL TO," dissemination markings and controls be eliminated. Sharing Classified Information The world is changing and US classified information not only is provided to close allies, but also to coalition partners, some of whom normally have interests quite divergent from ours. The US also finds it necessary to provide classified information to the NATO and the United Nations in circumstances where such information, once provided, may be broadly distributed. It is not possible to anticipate every situation, and flexibility must be preserved so that military commanders and foreign policy officials are able to meet the special needs and requirements of each situation. Nevertheless, it is helpful to have general governmentwide guidance as to the types of information that readily can be shared or that pose particular problems. This reduces the amount of information that must be assimilated and the number of decisions that must be made on an ad hoc basis in the heat of a crisis. The security executive committee should review information sharing requirements and ensure that guidance and expertise is readily available to inform and assist officials who must make release decisions. The Commission recommends development of governmentwide guidance for sharing classified information with coalition partners and with the United Nations. Billet and Access Control Policies One of the most frustrating features of many current SAP and SCI systems is the resource-intensive, bureaucratic procedure for authorizing access. Military commanders and senior managers confront cumbersome approval requirements, often including arbitrary numerical ceilings and rigid billet structures, if they wish to bring another person with a legitimate reason for access into the compartment. Program managers try to limit the number of people allowed access to many special programs by imposing an arbitrary ceiling on the number of individual billets (spaces) authorized for a particular organization or facility. Both government and industry organizations are forced to resort to inefficient and costly practices to get around the access restrictions to get the job done. The Commission found that the imposition of these numerical ceilings and rigid billet structures does not reduce the actual number of persons accessed nor enhance the security of a controlled access program. Instead, these practices add unnecessary complexity and confusion. Because a special access program manager refused to approve a new billet structure with a higher billet ceiling, a government supervisor briefed and debriefed multiple people against a single authorized billet to get the number of people needed for the program. The supervisor would brief an engineer, telling the engineer to think about a particular controlled access issue, then immediately debrief him/her. The same procedure was followed with other needed personnel until all had been briefed on the controlled access program, given a problem to resolve under the program, and then debriefed. Several weeks later, the supervisor used the same brief/debrief method to obtain the solutions from the personnel. These controls only give the illusion of security while adding excessive cost and inefficiency to the access approval process. The Commission, therefore, recommends an end to the practice of limiting access to specially protected information based on the number of authorized billets or imposed numerical ceilings. The Commission believes that, to permit more effective accomplishment of mission tasks, a zero-based review and update of controlled access rosters in concert with using elements is necessary to determine the personnel who truly have a bona fide contractual or job-related requirement for controlled access information. The results of the review should form the backbone of new access management processes that should eventually feed into a data base system. Quite simply, the number of persons accessed to specially protected information should be based on the number necessary to accomplish the job. The Commission recommends that the Secretary of Defense and the Director of Central Intelligence direct that controlled access program managers conduct a zero-based review to ensure that all personnel with a mission-essential need to know specially protected information receive access to the information. The number of accessed personnel should meet the need for properly cleared and indoctrinated persons to support acquisition, planning, and operations and not depend on arbitrary ceilings. Secrecy Agreements At present, most US Government employees and contractors granted access to classified information sign a Classified Information Nondisclosure Agreement (Secrecy Agreement) in which they agree never to divulge classified information to an unauthorized person. While this agreement does not contain a prepublication review provision, the individual agrees that, if there is uncertainty about the classification status of information, he will confirm with an authorized official that the information is unclassified before he discloses it. Recipients of access to Sensitive Compartmented Information (SCI) and DoD Special Access Programs (SAPs) sign a nondisclosure agreement or indoctrination statement with a prepublication requirement each time that they are admitted to a compartment, program, or category of information within a program. The SCI agreement obligates the signer not to disclose anything marked as SCI or that they know to be SCI, and to submit for review any material that "contains or purports to contain any SCI or description of activities that produce or relate to SCI, or that they have reason to believe are derived from SCI." Recipients of National Security Agency information agree to submit for review all information that contains or purports to contain, refers to, or is based upon "Protected Information," essentially defined as classified information obtained as a result of their relationship with the NSA. Recipients of DoD SAP information sign a similar agreement that indoctrinates them into the program and obligates them to submit for review all information which contains or purports to contain any "Designated Classified Information," (essentially defined as SAP information) or description of activities that produce or relate to Designated Classified Information. Central Intelligence Agency employees sign a secrecy agreement that contains a significantly broader prepublication agreement that obligates them to submit for review any material they contemplate disclosing that contains any mention of intelligence data or activities or contains any other information or material that might be based upon classified information. There are strong arguments for this expansive language. It has more teeth and gives broader legal protection. Because the obligation is not limited to classified information, the government can proceed against the individual simply for failing to submit for prior review information that mentioned or was based on intelligence without having to prove classification. Most of the Commissioners are not persuaded that persons with access to the same classified information should have differing obligations. Most Commissioners also are not persuaded that intelligence professionals at the CIA should be held to a higher standard than that applied to others in government who receive CIA information. These Commissioners do, however, acknowledge that it is not unreasonable for a Director of Central Intelligence to conclude that CIA employees should be held to a higher standard because, for example, CIA employees are more likely to be exposed to sensitive sources and methods information over their career than many employees in other agencies. Prepublication review is designed to guard against the malicious and the uncertain. Those with malicious intent will not submit material for review no matter how broad the standard. The conscientious employee or retiree, uncertain as to whether information is classified, will submit material even with a narrow standard. The Commission is concerned about the chilling affect of any prepublication review, but particularly the broad standards in the current CIA secrecy agreement. Government employees should not forfeit the ability to participate in public policy debates merely because they have, or had, access to highly classified information. Indeed, their participation in the debate should be encouraged. On balance, the majority of the Commissioners concluded that there should be one standard secrecy agreement for government and contractor employees with access to compartmented information that does not incorporate the higher review standard in the current CIA version. However, the Commission also recognizes that the Director of Central Intelligence may conclude that his statutory responsibility to protect sources and methods requires that he maintain the stricter version. Regardless of the prepublication review standard, the Commission believes that it is neither legally required nor desirable, with respect to SCI and SAP material, for the individual to sign a separate nondisclosure agreement for each compartment, subcompartment, program and category of information within a program. A single secrecy agreement obligates the individual not to disclose classified information. A single prepublication provision obligates the individual to submit specially protected material for review. Although there is no harm in reminding an individual of his obligation to protect the information, the multiple forms may in fact create the erroneous impression that unless a new form is signed for each type of information or for each compartment, the obligation to protect the information and submit it for prepublication review is somehow not present. Moreover, there are costs involved in producing, using, and storing the plethora of forms, particularly in an environment in which many individuals have multiple accesses. These costs can and should be avoided. The Commission believes that standardization of secrecy or nondisclosure agreements and of prepublication review requirements is needed. (Footnote 8) Two agreement forms should suffice: one agreement for generally protected information, and one for specially protected information. If an individual signs the agreement for specially protected information, it will be the only agreement required. The Commission recommends that no individual sign more than two nondisclosure agreements. One standardized agreement, without a prepublication review provision, will be used for generally protected information; the other standardized agreement, with a prepublication review provision, will be used for specially protected information. If an individual signs the agreement for specially protected information, signing an agreement for generally protected information would not be necessary. Declassification Simply put, the current system for declassification does not work. Much of the information that is classified does not have a declassification date. Generally it is marked OADR (Originating Agency's Determination Required) and remains classified indefinitely. Detailed review of these documents is not feasible, and arbitrary bulk or automatic declassification schemes are perceived as risking the loss of information that still requires protection. The Cold War period produced a huge amount of classified information, and thus, an enormous backlog of potentially declassifiable information. In addition to information held by individual agencies, there are an estimated 300-400 million pages of classified information in the National Archives. Millions of additional documents are classified each year. The Information Security Oversight Office reports between 6-7 million original and derivative classification actions per year in Fiscal Years 1990 to 1992. Agencies generally are not willing to declassify information without review, yet as the mountain of classified information grows, it is clear that a line-by-line and document-by-document review of this information would be extremely expensive and time consuming. (Footnote 9) Moreover, given public and congressional concern today that sufficient resources are not being devoted to current FOIA, Privacy Act, and mandatory review requesters, diverting limited available resources to a time-consuming review process that is not driven by customer demand is unacceptable. Any declassification regime, therefore, must be examined to ensure that it does not create a significant burden for government agencies without providing any great advantage to the public. Put more positively, a new classification system should maintain classification for the shortest possible time and make the declassification system more efficient rather than more costly. We believe that a great deal of information can be automatically released in ten years and that most information can be released in 25 years. What is necessary, however, is to distinguish those categories of information that are good candidates for declassification after 10, 15, or 20 years from categories of information, such as human-source information, that may require protection for longer periods of time. By correctly categorizing classified information, we can reduce the number of times that the government needs to review documents and develop a strategy that will allow release of information without the need for line-by-line review. We recommend that a new Executive order on classification specify certain categories of information that can be exempted from automatic declassification at the end of 10 years, and also permit agency heads to nominate, and the security executive committee to approve additional limited categories of information that may require protection longer than 10 but fewer than 25 years. Information could then be marked at the time of its creation to reflect a date upon which it would be automatically declassified. For example, if it were believed, with respect to a particular category of information that, at the end of 10 years, classification would have to be extended for the majority of information in that category, a longer time period would be selected. Otherwise, when the 10-year, automatic-declassification date arrived, the agency would feel compelled to do a line-by-line review of the information, most of the information probably would remain classified, a great deal of cost would be incurred, and little advantage would be derived by the public. On the other hand, if it were believed that most of the information in that category could be released at the end of 15 years, then it would be expected that when the automatic declassification date arrived, the agency would feel more comfortable adopting a risk management rather than a risk avoidance approach to the material. The agency would be far less likely to see the need for line-by-line review of the information and far more willing to release the information with little or no review. For example, if it were believed that finished intelligence could be released in 15 years, then it could be expected that at the end of that period reviewers might conclude that the release of 15-year-old political intelligence would not result in significant harm, that the release of 15-year-old economic intelligence would not do significant harm, but that there were a couple of weapon systems still in use and still of continued interest. In such a scenario, reviewers might look to see if 15-year-old military intelligence written on these two weapon systems still should remain classified, but would not undertake a line-by-line review of the rest of the 15-year-old finished intelligence. We are keenly aware that an important underpinning of our system of government is an informed citizenry and that without the prompt release of pertinent information, intelligent public policy debate, academic discussion, and historical research is handicapped. Nevertheless, there are clear examples where the American people are better served by continued protection of certain classified information. For example, the revelation of the identity of a confidential intelligence source, even after the passage of years, can have a serious negative impact on that individual and would not serve US interests. Similarly, release of information about a previous generation of US weapons can still have a significant negative impact on the safety of US forces. o We believe the proper balance can be struck in the Executive order by allowing agency heads to exempt, at the time of its creation, specific information from the 25 year automatic declassification. This information would be within the following categories: o Information that would jeopardize a human intelligence source or impair use of an intelligence method. o Information that would compromise sensitive military operations. o Information that would impair US cryptologic systems or activities. o Information about weapons technology that provides the US with a battlefield advantage or would assist in the development or use of weapons of mass destruction. The Commission recommends that four principles drive the declassification system: a) A classifier should attempt to identify a specific date or event when information can be declassified. b) If no date or event is specified, there is a rebuttable presumption that all classified information would be declassified no later than 10 years from the date of creation. c) The Executive order should specify categories of information, exempt from the 10 year declassification requirement, that can remain classified for 25 years. Agency heads should prepare guidelines to implement exemption of these categories. These guidelines will be approved by the security executive committee. d) The Executive order should also specify very narrow categories of information that will be exempt from the 25 year automatic declassification requirements. These categories should include information that would jeopardize a human intelligence source or compromise ongoing sensitive military capabilities. Heads of agencies should develop guidelines that will implement the exemption of these categories from automatic declassification. These guidelines would be approved by the security executive committee. Making the Classification System Really Work-An Integrated Approach with Appropriate Oversight The one-level classification system with two degrees of protection is designed to provide a framework that will support a coherent and consistent governmentwide approach to both classification and security. It recognizes that classification drives security costs and that security practices are evolving naturally, albeit slowly, around two levels of protection. It and the other classification management recommendations build upon steps already taken by, and borrow from the ideas of, thoughtful security professionals. Nevertheless, no system can be expected to work very well if there is no one in charge. Today, there are few governmentwide standards and, even when standards are supposed to have general applicability, they often are translated and interpreted in ways that do violence to the concept of standardization. Often there is no penalty for noncompliance. Moreover, we conclude that the Information Security Oversight Office (ISOO) simply is not positioned to ensure compliance. Without an effective policy and oversight structure, no coherent security policy is likely to evolve. Instead, inconsistent rules will continue to be formulated, and disputes will continue to impede the development of a uniform policy. The proposed security executive committee, on the other hand, would be positioned to provide effective centralized oversight. Its staff could include a strengthened ISOO, headed by a security ombudsman, with a broader security oversight role. In addition, the outside security advisory board we propose would provide a mechanism for nongovernment and public interest concerns about the system to be raised to the committee. Although centralized oversight is a necessary and important innovation, effective oversight must begin at the agency level. We recommend, therefore, that each agency appoint a classification ombudsman whose mission is to encourage and act on complaints about over-classification. The ombudsman also will be required to routinely review a representative sample of the agency's classified material. This individual would have the authority to ask why a particular piece of information was classified and to order it declassified if no persuasive reason is forthcoming. Real-time review of employee complaints, cable traffic, and other documents; real-time identification of categories of information subject to misclassification; and real-time identification of the individuals responsible for classification errors would add management oversight of classification decisions and attach penalties to what too often can be characterized as classification by rote. The system outlined above, in its broad contours, has been in place in the Department of State for the past two years, and we are told that over the past six months noticeable progress has been made. Information that previously had been classified is no longer classified and greater discipline has been injected into the entire classification process. The Commission recommends: a) Strong centralized oversight by the security executive committee as well as more effective oversight at the agency level. b) A strengthened Information Security Oversight Office as a part of the security executive committee staff. c) A requirement that each agency appoint a classification ombudsman, establish a hot line for employee classification questions and complaints, and institute a spot check system. Dealing with Sensitive but Unclassified Information The information universe usually is subdivided into classified and unclassified, with best estimates of the ratio having classified as about ten percent of total government information. Unclassified information is further subdivided into sensitive information-unclassified information which has some confidentiality requirement-and non-sensitive information which may be disseminated freely. It has been estimated that as much as seventy-five percent of all government-held information may be sensitive. Government-held sensitive but unclassified information is information whose loss, misuse, unauthorized access to, or modification of, could adversely affect the national interest or the conduct of Federal programs, or adversely affect the privacy to which individuals are entitled under the Privacy Act. As with classified information, this information must be protected to ensure its confidentiality, integrity, and availability. In some cases, we do not wish unauthorized persons to see certain information, such as medical or personnel records. Sometimes, it is more important that information is not changed or destroyed, such as with payroll or other payment records. Finally, it may be important to ensure the availability of these records within the period of time necessary for their particular use or application. For example, if a system were intentionally clogged or disrupted, we might be unable to access treatment data to deal with a medical emergency or logistics data to deal with a military or diplomatic crisis. The Commission believes that our information infrastructure is at increasing risk, but its vulnerability is not sufficiently understood or appreciated and there is not in place a process to appropriately deal with the problem. Increased attention must be paid to identifying and protecting sensitive but unclassified information within the Defense and Intelligence Communities. In addition, the information system security countermeasures that are developed should be available more broadly to protect such information in the rest of the government, as well as information that, while neither classified nor government-held, is crucial to US security in its broadest sense. We have in mind information about, and contained in, our air traffic control system, the social security system, the banking, credit, and stock market systems, the telephone and communications networks, and the power grids and pipeline networks. All of these are highly automated systems that require appropriate security measures to protect confidentiality, integrity and availability. The Commission recommends that the Secretary of Defense and the Director of Central Intelligence put in place a process to evaluate the vulnerability of sensitive but unclassified information within the Defense and Intelligence Communities and to explore appropriate countermeasures. CHAPTER 3: THREAT ASSESSMENTS - THE BASIS FOR SMART SECURITY DECISIONS Asleep at the Wheel While our broad national security agenda helps set the stage for determining what to protect, the actions of other states and individuals define more precisely where security must be focused. The Commission has frequently been reminded that the United States is the single biggest intelligence target in the world. Traditional, long-range intelligence threat predictions are now of reduced value in a world of evolving alliances and volatile political, socioeconomic, cultural, and regional crises. (Footnote 10) Threats must be reassessed frequently. The Commission found many instances, discussed throughout this report, where security countermeasures currently employed appear to be excessive in terms of the threats or are not linked to threats at all. A critical element necessary to make smart security decisions is reliable, usable, intelligence data defining the threat. Currently, there are efforts underway in the Defense and Intelligence Communities to incorporate threat assessments when developing security policies. For example, the DoD's Acquisition Systems Protection Program (ASPP), designed to protect leading-edge technology, calls for incorporating threat assessments in each phase of advanced weapon systems development. Defector information and espionage lessons learned are taken into account in updating personnel security procedures. Physical and technical security policies and countermeasures, traditionally based on vulnerability assessments, are now being developed using threat information. As a result, security policies are being revised and dramatically changed. The Commission applauds these efforts. However, getting from the Intelligence Community-specifically the counterintelligence organizations-the threat information necessary to support coherent, risk-based security countermeasures policies, military operations, and industry is an ad hoc rather than a systematic process. In the absence of access to threat assessment information, security policies have been based on risk avoidance, constrained primarily by the availability of resources. The reasons for the failure to incorporate intelligence and counterintelligence information into security policies are numerous. Traditionally, the intelligence and counterintelligence communities have been separate and distinct from their security counterparts. Intelligence and counterintelligence activities are discrete programs where budgets are built and justified in terms of collection and production against specific targets. Security programs, on the other hand, are normally funded from base operating or administrative funds of various agencies and are difficult to link to specific programs. These programs and funds, when accounted for at all, generally have not had to face the scrutiny of cost-risk analysis (with some individual exceptions). Security officials do not always know how to task the Intelligence Community for threat information. They have neither the necessary clearances and contacts within the Intelligence Community nor an understanding of the contribution that intelligence producers can make. The counterintelligence community, for its part, focuses on its mission of conducting investigations and collecting, analyzing, and exploiting information to identify and neutralize the intelligence activities of foreign powers that adversely affect US national security. Yet the security policy community has not been viewed as a primary customer. Consequently, intelligence and counterintelligence requirements are not defined to support rational security decision making. The Commission believes that the security community must work closely with the National Advisory Group for Counterintelligence and the newly appointed Issue Coordinators to develop collection and production strategies that address security consumers needs. When security officials do task for threat information, support is not always timely and frequently is overclassified. Department of Defense customers often wait months while counterintelligence requirements are forwarded through several operational levels for approval, and to service headquarters elements for validation. The requirement is then forwarded to analysis centers for drafting, which requires an additional 120 days. Some DoD personnel reported to the Commission response times longer than a year for critically needed requests. Roadblocks are also encountered if classified information needs to be disseminated in an unclassified form. The counterintelligence community seems unable to provide unclassified analyses. One senior DoD official requested an unclassified report to use in a contractor security awareness briefing. The report arrived six months later-stamped Secret, Not Releasable to Contractors. In the absence of a comprehensive threat assessment process, some security organizations have performed their own. The Air Force's Special Access Program (SAP) has created dedicated analytic cells to provide timely assessments. Air Force SAP intelligence specialists directly contact the scientific community and perform independent assessments on cutting edge Air Force technologies and developmental weapon systems. Navy and Army SAP programs draw upon cleared service analysts. Not possessing a cadre of analysts, DoD field elements postulate the local threat using worst case scenarios until finished assessments arrive. This results in employing stringent, expensive countermeasures to prevent the loss of critical technologies information. The field elements note that when the much awaited reports do show up, they are either too general to be applicable, or they contradict other services or the Defense Intelligence Agency's assessments, often regarding the same technology. A DoD program manager requested an assessment of the foreign intelligence threat to a city, with particular emphasis on whether there was targeting of the advanced technology system that was being developed at a facility. Eighteen months later, the program manager received from one DoD element an assessment, stating that the threat to his area was low, with no particular foreign interest in the technology. Another DoD element had already informed him, six months earlier, that there was an established, aggressive foreign intelligence collection program targeting the developing technology. There is a schism concerning threat information between security policy officials and the Intelligence Community that widens greatly when it comes to a supportive relationship between counterintelligence organizations and security professionals. At the national level, counterintelligence funding is under the purview of the DCI's National Foreign Intelligence Program. But the counterintelligence community is a loose confederation of separate activities held together by budgetary convenience, not centralized management. The five major counterintelligence organizations (FBI, CIA, Army, Navy, and Air Force) can work together collegially, but frequently strike out on their own. Some of these organizations have difficulty identifying their customers. Indeed, one senior counterintelligence official points with pride to the fact that "we (counterintelligence organizations) are our own best customer." Counterintelligence information is collected, analyzed, produced, and disseminated separately from normal intelligence channels. Critics charge that this process ignores national strategy and policymakers' needs. This fragmented counterintelligence organizational structure has also created large gaps in knowledge. For example, there is no common counterintelligence data base, either within the Department of Defense itself or among the counterintelligence organizations generally, from which threat assessments might be drawn. This shortfall may contribute to the difficulty counterintelligence organizations have had in supporting clearly defined customers, like the National Industrial Security Program (NISP). Despite two years of work by counterintelligence representatives within the NISP, no mechanism was created to communicate threat data to industry. For senior policymakers, while there is an interagency coordination process to support them, the products fall short. National counterintelligence assessments, such as the "Winds of Change" and the "Triennial Threat Assessment of the Foreign Intelligence Threat and Effectiveness of US Counterintelligence and Security Countermeasures," need to use more current data, be made more policy-relevant, and provide a clearer picture for the reader. As now written, these assessments do not respond, in a timely manner, directly to national-level requirements, aid resource allocation, or meet the needs of program managers and military commanders. Future editions, if any, require a keen understanding of senior policymakers' requirements and tighter analytic presentation and packaging. The Commission heard from many individuals within the Department of Defense about the need to streamline the counterintelligence structure and we understand that the Deputy Secretary of Defense and the Director of Central Intelligence the are considering options to do this. The Commission believes such restructuring can bring savings and better service, but we would expand the discussion to include the Attorney General and the Director of the FBI so as to incorporate other major counterintelligence organizations. A Wake-Up Call Information about the dangers posed by foreign governments and organizations does not come solely from counterintelligence assets. Much of it comes from human sources or defectors, signals intelligence, imagery assets, our diplomatic corps, and other sources that need to be more actively tasked by security officials. In other areas of intelligence production, consumers have a single place to go for analytic assistance. For example, counterterrorism and nonproliferation consumers have individual points of contact that respond, in a coordinated fashion, to their needs. The DCI's Counterterrorism Center (CTC) and Nonproliferation Center (NPC) personnel reportedly broker timely responses to policymakers' requests. These offices do not compete with established production elements. They serve as facilitators, drawing on information and substantive expertise from within the community. The Commission recommends that the Secretary of Defense and the Director of Central Intelligence appoint the DCI's Counterintelligence Center as executive agent for "one-stop shopping" for counterintelligence and security countermeasures threat analysis. The Commission does not intend by this recommendation to create a counterintelligence "czar" or to supplant existing authority for counterintelligence investigations, operations, or the unique, individual analytic efforts in support of specific law enforcement or military operations. Rather, we seek a national-level focal point for threat analysis that is easily accessible by government and industry to support broad security management decisions. This "one-stop shopping" office must operate as a corporate information asset of benefit to all government and industry customers. The Counterterrorism Center customer response office can serve as a model. While the Counterintelligence Center lacks the expertise in domestic threats that the Federal Bureau of Investigation has, it provides an established, credible intelligence production office with professional analysts able to tap into the full range of intelligence and operational reporting. It also has the most experience in providing analysis for senior policymakers. However, the Commission notes that the current analytic and community elements of the Counterintelligence Center must expand and change dramatically to include a broader community and industry flavor and to incorporate expertise in the security countermeasures areas that it lacks currently, such as threats to information systems security. The Commission expects that the Counterintelligence Center will draw upon the experience and knowledge of other agencies when preparing responses for risk management decisionmaking and coordinate the products extensively. This includes drawing upon the NSA's and the DISA's ongoing efforts that focus on threats to information systems security. Existing interagency analytic efforts, such as the National Advisory Group for Counterintelligence's Analytic Working Group, will fold into this initiative. Further, dissemination procedures need to be restructured, allowing customers to pull the information they need from the system, instead of having it pushed to them in restricted formats. Threat information needs to get out to users at all levels in the Defense and Intelligence Communities and in industry. The Commission is aware of and applauds a recent decision by the counterintelligence agencies to create an interagency data base. However, the data base needs to expand to allow for users with varying classification levels. The Commission also urges the community to take advantage of the counterintelligence data base program now under way within the Department of Defense and ensure that the two data bases are compatible. This interagency data base initiative should be undertaken and a prototype fielded immediately. The Commission recommends that the DCI's Counterintelligence Center serve as the executive agent to spearhead the rapid creation of a communitywide counterintelligence and security countermeasures data base for government and industry use. CHAPTER 4. PERSONNEL SECURITY - THE FIRST AND BEST DEFENSE So far as concerns the DoD and the Intelligence Community, the main purpose of personnel security programs is to protect the national security interests of the United States by insuring the reliability and trustworthiness of those to whom information vital to those interests is entrusted. Because the government is so completely dependent on cleared personnel to safeguard classified information, the personnel security system is at the very heart of the government's security mission. Without adequate personnel screening, the rest of the security mission would be a worthless facade and a waste of resources. Recent history is regrettably all too rich in proof of the damage that a single cleared person can cause. The Commission believes that the personnel security program will remain the centerpiece of the Federal security system in the post Cold War era, particularly as we move to a new classification system in which more information is moved out of compartments and made available to greater numbers of people. For this reason, the Commission is recommending enhancements to the personnel security program. These enhancements will result in increased costs, but the Commission believes these costs will be offset by other improvements we suggest. The process of granting clearances will always be controversial. It makes determinations about security risk by examining personal background information to form a judgment that can have serious consequences for the individual and for the government. There is no perfectly reliable or unarguably correct way to predict whether an individual will become a security problem in the future. In the end, all clearance decisions are judgments, hopefully well informed and carefully made, but nevertheless fallible. From t