Information Sharing and Protection:
A Seamless Framework or Patchwork Quilt?
Remarks of J. William Leonard
Director, Information Security Oversight Office (ISOO)
National Classification Management Society's (NCMS)
Annual Training Seminar,
Salt Lake City, Utah
June 12, 2003
Our Nation and its Government are, of course, profoundly different in a post-9/11 world. Our citizens' sense of vulnerability has increased, as have their expectations of the Federal Government to keep them safe. In each situation, information is crucial. On the one hand, Americans are concerned that information may be exploited by our country's adversaries to harm us. On the other hand, impediments to information sharing among Federal agencies and with state, local and private entities need to be overcome in the interests of homeland security. Even more so, the free flow of information is essential if citizens are to be informed and if they are to be successful in holding the Government and its leaders accountable. In many regards, the Federal Government is confronted with the twin imperatives of information sharing and information protection - two responsibilities that contain inherent tension but are not necessarily incompatible.
Thus, we find ourselves today at a crucial moment in the development and implementation of Federal Government policy with respect to issues such as the protection and sharing of information. In some regards, what exists today can be seen as a series of bureaucratic fiefdoms, a veritable "patchwork quilt," that has come about as a consequence of a hodgepodge of laws, regulations and directives with respect to how the Federal Government handles and discloses information. In this vein, we are currently confronted with a unique opportunity. We can either continue, and quite possibly, add to the various seams in our information protection and disclosure regimes, or we can take the initiative and begin the process to develop and implement a seamless and congruous system for protecting and sharing all types of information, both classified and unclassified.
In reviewing our options, I believe it is important to distinguish between "disclosure" regimes, "protection" regimes, and those regimes that strive to accomplish both. Disclosure regimes attempt to limit the availability of information and may impose access requirements (e.g., the various export control regimes that require export licenses or other authorizations prior to the disclosure of certain controlled information to foreign persons). Protection regimes implement safeguarding standards (e.g., information may be releasable to the public but the information's integrity must still be protected pursuant to the Computer Security Act of 1987 while it is contained in a Federal computer system). Finally, there are those regimes that not only limit disclosure but also implement handling and safeguarding standards (e.g., the classification regimes that not only have safes, alarms, information system accreditation and approval, encrypted transmission, etc., but also establish security clearance standards).
In the unclassified arena, we are confronted with dozens of laws that restrict the disclosure of certain types of unclassified information. These include everything from the control of arms exports (which includes certain scientific and technical information) to the confidentiality of patient records and the prevention of interference with civil service examinations. The latest of the laws in this area was included in the Homeland Security Act of 2002, which created the category of Critical Infrastructure Information (CII). This same act called for the development and implementation of procedures for the identification, safeguarding and sharing of homeland security information that is sensitive but unclassified.
In addition to categories of certain unclassified information specified by law as requiring controls on its dissemination - commonly known as falling within the Freedom of Information Act's b(3) exemption - that statute also provides for eight additional types of information that are exempt from public disclosure. Some are rather specific (e.g., classified information or data concerning wells). Others are rather vague (e.g., internal personnel rules and practices of an agency). In any event, the underlying premise of the Freedom of Information Act (FOIA) is that unless information is specifically exempt, information held by Federal agencies is subject to public disclosure. However, it is important to note that being subject to public disclosure does not mean that the information does not require safeguarding, if only to preserve its integrity and availability.
Nonetheless, protection or safeguarding regimes are often confused with disclosure regimes. For example, the Computer Security Act of 1987 states that " improving the security and privacy of sensitive information in Federal computer systems is in the public interest " Since this law specifically limited "sensitive" information to information that was not classified, some say, in effect, that it serves as the veritable definition of "sensitive but unclassified" information. However, it is important to note that the Computer Security Act included specific provisions saying it was not authority to withhold information sought pursuant to the FOIA. Even more so, the continued usefulness of the concept of sensitive information in the Computer Security Act of 1987 - which envisioned computer security as an adjunct to system design and operation and used the concept of sensitive information as a criteria for establishing minimum acceptable security practices - has outlived its usefulness in the information age. As any owner of a home PC can attest, there is no such thing today as computers that we are concerned about from a security point of view and those that we are not. As set forth in subsequent congressional language, every Federal computer system must have security designed into it, regardless of its content.
Both outside and within Government, confusion abounds with respect to the multitude of disclosure and safeguarding regimes for unclassified information. For certain information, there are limitations on disclosure but no protection standards. For other information, there may exist protection standards but no limitations on disclosure. In any event, when requirements for new regimes are set forth and new standards are promulgated, very rarely, if ever, is recognition made of what already exists. This can result in overlapping or inconsistent rules or applications. It also results in the continuation of numerous regimes, many of which date back to the Cold War era and which have never been revalidated or revised as a consequence of the new environment in which our Nation finds itself. It can also result in incongruous standards. For example, should a Federal employee disclose certain unclassified information - specifically Critical Infrastructure Information - in an unauthorized manner, that individual now is subject to criminal sanctions under Section 214(f) of the Homeland Security Act. At the same time, an unauthorized disclosure of certain types of classified information by that same employee would not necessarily be subject to criminal sanctions. The reason for such disparity is not readily apparent.
Things are not much better in the classified realm. One of the great fallacies is the belief that the Federal Government uses a three-tier classification process - TOP SECRET, SECRET and CONFIDENTIAL. In reality, the Federal Government has so many varieties of classification that it can make Heinz look modest at the number of varieties it offers.
First, of course, there is national security information classified pursuant to Executive Order 12958, as amended. Then there is information under the purview of the Department of Energy requiring protection pursuant to the Atomic Energy Act of 1954, as amended. In addition, there is information relating to the protection of intelligence sources and methods, which is under the purview of the Director of Central Intelligence. While these are the "big three" regimes that utilize classification levels and categories, it does not end there. The National Security Agency, for example, is responsible for matters relating to the protection and dissemination of signals intelligence information as well as communications security information. In addition, the Defense Department serves as the United States Security Authority for NATO and as such promulgates Government-wide requirements for the protection of NATO classified information within the United States. The list goes on.
The above results in what I refer to as different "flavors" of classification. Each "flavor" carries its own protection and disclosure standards. These differing standards are usually not better or worse than comparable standards - they are just different. In fact, the difference is more often than not one of nuance rather than substance. Yet, it is these nuances that can serve as significant impediments to information sharing, especially in the networking of information systems.
Let me give you one example. Several years ago, this Nation engaged in armed conflict in Kosovo in the Balkans. American Service members were placed in harms' way in the discharge of what in essence was a NATO operation. Since this was a NATO campaign, much of the information generated, such as Air Tasking Orders (ATOs) and the like was often considered to be NATO classified information. Normally, such information would be transmitted on the backbone of the Pentagon's command and control system, a secure computer network known as the SIPRNET. However, the SIPRNET was accredited to transmit U.S. classified national security information, not NATO classified information. Clearly, if the SIPRNET was secure enough to transmit U.S. military classified information, it should be secure enough to transmit NATO classified information, especially since more often than not, the information in question originated with one U.S. unit and was being transmitted to another U.S. unit. However, since NATO requirements were "different" - not better or worse but just different - many U.S. units were prohibited from using the existing secure network and had to employ work-around procedures. In the final analysis, these work-around procedures were no more and, quite possibly less secure and even more importantly, potentially delayed information from being shared in a timely manner.
I use the above not to single out U.S. procedures for NATO classified information from several years ago but to give just one example of the numerous impediments that continue to persist in the sharing of classified information not only between Federal agencies and with other non-Federal elements but even within single Federal agencies. This is especially so when information is introduced into information systems that are accredited and approved by different authorities using different standards. It is no wonder that Government computer systems have such a difficult time "talking" to each other.
So, where does this leave us? Even without the events of 9/11, information sharing and protection would be one of the significant imperatives facing the Federal Government today. Our ability to share and leverage information is the source of American power and might in the 21st century. It is the source of our economic strength. Our military power, our intelligence and law enforcement prowess, and our technological research and development superiority are highly dependent upon effective information sharing that entails taking vast amounts of information from disparate sources and synthesizing it in timely and unprecedented ways. Whether on the battlefield, in the analyst's or criminal investigator's office, or in the laboratory, it is the innovative application of information in heretofore unfathomable ways that provides our Nation the decisive edge in undertakings such as the global war on terrorism.
I firmly believe that never before have we had such a clear and demonstrable need for a seamless process for sharing and protecting information, regardless of classification. Yet, in many ways, we are not only continuing the current "patchwork quilt," but we are quite possibly adding new seams every day. And these seams not only can serve as impediments to information sharing, they can also develop into the tears in the fabric through which information that requires protection may slip, as well intentioned individuals use work-around procedures in order to get the job done.
The above is as much, if not more of, a cultural issue than a policy or technology issue. However, changes in policy and the employment of the latest technology can help drive the needed cultural changes required to achieve a more seamless framework.So what needs to be done? In the classified arena the challenges are many and, from my personal perspective, include:
While the challenges confronting us in the classified world are significant, in some ways they are exceeded by those in the unclassified arena. Again, from my personal perspective, these include:
- We need to reengineer existing policy to be more consistent with the electronic environment in which the Government increasingly operates. The current frameworks are document-centric and have fundamentally remained unchanged for the past 60 years.
- We need greater congruity in the various classification regimes and we need to remove the nuance differences in protection standards, especially with respect to accrediting information systems.
- We need to revisit what is commonly referred to as the "third-agency rule" or ORCON, which stands for "originator controlled." I firmly believe that restrictions on interagency information sharing should no longer be the default position of Executive Order 12958 and other frameworks. We should replace the current default position of "that shall not share unles" with one that states that it is clearly expected that we will share and that therefore affected agencies need to work out issues beforehand so as to permit the timely sharing of information.
- We also need to reconsider other fundamental issues such as the "need-to-know" principle. While originators of information are in the best position to recognize their equities, they are not omniscient and cannot be cognizant of all possible users of the information and how it can be applied. Also, today's environment highlights the fact that as strong as the originating agency's equities may be, they do not automatically take precedence over all others. Even more profound consequences may occur should information not be effectively shared.
- Finally, we need to be more proficient at "writing for release." Oftentimes, substantive information can be conveyed without gratuitous references to intelligence sources or methods or other issues that would, if included, result in the information being classified or classified at a higher level than otherwise would be required.
What would be the essential elements of such a framework? Drawing analogies with the current classification system for national security information that, despite its imperfections, is well understood and predictable, I personally believe that such a framework should include:
- We need to agree on a lexicon. Sensitive but unclassified information is a very imprecise term that has more often than not been misunderstood. It might refer to information that should be protected from public disclosure, or should be safeguarded, or both.
- We also need a central authority within the Federal Government that, working with Congress, would be responsible to revalidate and synchronize the various existing regimes controlling unclassified information.
- Finally, we need a simplified framework that can serve as a template for the identification, control and protection of unclassified information whose dissemination is controlled. In addition, this template should be congruous with that afforded classified information so as to more readily provide for the fusion of all-source information, to include unclassified information, whether controlled or not. This framework should not be perceived nor should it operate as a de facto "fourth classification level." It should, however, bring consistency and uniformity to the myriad of control regimes currently in place for various types of unclassified information.
I would like to emphasize that I am not advocating the creation of a new classification system to cover the ephemeral universe of information often referred to as sensitive but unclassified information. Rather, I am acknowledging that the reality of controls on the dissemination of certain unclassified information has been with us for decades. As such, and especially in light of today's environment, the controls in this area require standardization and consistency and need to be narrowly drawn so as to address the impulse to "play it safe" and needlessly restrict the dissemination of information. They also require informed public debate with respect to what information is included in such a system and what is excluded.
- Great specificity with respect to what information is covered and what is not covered. An effective example would be the classification guides that are called for in the classified national security information regime. Imprecision in this area can actually serve as a significant impediment to information sharing since individuals unsure as to what is covered oftentimes err on the side of caution and improperly restrict the dissemination of information that should not be restricted, at possible consequence to our nation's well-being. There is no underestimating the bureaucratic impulse to "play it safe" and withhold information.
- Strict limitations as to who can designate information as falling under the system of controls - analogous to original classification authorities in the classified arena.
- Built-in discretion that allows controls not to be applied even if the information is eligible. For example, the national security classification regime specifies what can be classified, not what should be classified. An original classifying authority can decide not to classify information that otherwise meets the classification criteria.
- Built-in criteria that must be satisfied in order to place controls on dissemination (e.g., its existing availability).
- Information requiring control must be clearly designated as such - to include information orally disseminated.
- We should employ uniform "due-diligence" standards with respect to how to handle and protect controlled information. These standards should mesh with those routinely employed in the private and non-Federal public sector so as to minimize or preclude the promulgation of unique Federal safeguarding standards.
- The application of controls should be for a fixed duration of time. The passage of time clearly impacts the relative sensitivity of information, especially in the dynamic area of information system technology vulnerabilities - where simple system configuration changes can instantly close existing vulnerabilities while opening new ones.
- A process should exist whereby both authorized holders and outsiders can appeal the application of dissemination controls - although these procedures need not necessarily be as elaborate as that provided through the Interagency Security Classification Appeals Panel within the classified national security information realm.
- Effective education, training and awareness are essential. One of the principal problems in many of today's unclassified controlled regimes is that rank and file employees are at times uninformed with respect to even the most rudimentary basics as to what unclassified information in their possession is subject to control and what are the proper procedures to follow. They often leave such details to agency FOIA and Privacy Act specialists. Compare that if you will to the traditional training and indoctrination most cleared people receive with respect to the proper handling of classified information.
- For any system to work, it must have built-in accountability, both for the improper application of controls and the failure to apply or follow legitimate controls. In setting up a system of accountability with partners in the private and non-Federal public sector, we should avoid a mass centralized process of designating authorized recipients and recording nondisclosure agreements and the like. Rather, we should take advantage of existing employer-employee processes that all organizations, both private and public, have, for informing employees what is suitable for dissemination outside of the workplace and what is not, holding them accountable for adherence to that policy.
- Finally, we must avoid falling into what I call the "need-to-know trap" when institutionalizing a system of controls for certain unclassified information. For example, a water works operator may submit a report of anomalous activity involving the water authority. Standing by itself, that information may appear innocuous; however, it may be a critical link, for example, to a public health official dealing with his or her own anomaly. That public health official should be able to access and become aware of that information from the waterworks operator without a supposedly omniscient authority in the middle making singular decisions as to who should receive the information and who should not. The essence of information sharing is that the entity on the "edge" should be in a position to receive the same information as those at the "center." This, of course, is about as significant a cultural change as there is possible. Nonetheless, the controlled unclassified arena can benefit as much from "writing for release" as can the classified realm, as well as from the application of the latest in information technology.
In closing, I take note of the theme of your seminar this year, Preserving our Past - Protecting our Future. In large part, it describes the mission of ISOO, so I took particular interest in your outstanding program this year. Your theme also reflects the nature of some of the challenges we are confronting today as a Nation. However, just as the generations who have proceeded us effectively dealt with the daunting challenges with which they were confronted, I am confident that today's Americans, and in particular the NCMS membership, will succeed in meeting the current challenges of information sharing and protection in a post-9/11 environment. I am also confident that in dealing with these challenges, we will emerge stronger, more united, and as committed to our fundamental democratic principles as ever.