Good morning, everyone. It's a genuine pleasure to be here today.
J. WILLIAM LEONARD
DIRECTOR, INFORMATION SECURITY OVERSIGHT OFFICE (ISOO)
NATIONAL CLASSIFICATION MANAGEMENT SOCIETY'S (NCMS)
ANNUAL TRAINING SEMINAR
FORT WORTH, TEXAS
JULY 16, 2002
I guess I have to start off with an apology with respect to any problems I may have caused regarding the printing of the programs for your seminar. When I initially accepted your gracious invitation to speak, I did so in my capacity as a long time official on the staff of the Office of Secretary of Defense in the Pentagon. Since that time, the Department of Defense (DoD) has shipped me off to the National Archives of the United States along with their other relics. I was pleased when I learned that, for whatever reason, you were still interested in having me address your seminar in my new capacity as ISOO Director. I thought it was particularly appropriate, in view of NCMS' long history in advancing the profession of security classification management and information security, that I use this opportunity to provide my first formal public remarks as ISOO Director. My particular thanks then, to Dave Kendrick, your 2002 Seminar Chair, and Diane Raynor, your Society President, for giving me this opportunity.
I am particularly excited at being at your seminar this year in view of my prior association with your society that goes back many years. Those of you who are familiar with my background know that I spent many years at the Defense Investigative Service in various positions involving the industrial security program. I am eager to renew my involvement with NCMS while at the same time somewhat unnerved when I begin to count the number of years that I have known many of you in the room today - more years than I'm sure any of us are willing to acknowledge.
While I've been on the job for only a little more than a month, as many of you can imagine, it has been both a thrill and a challenge to be honored with my selection as the Director of the Information Security Oversight Office. It has been a thrill in that my time on the job has confirmed for me what an outstanding organization ISOO is - a direct reflection of the superior professionalism of the ISOO staff, many of whom are with you this week. It has been a challenge if only because, as you know, my predecessor occupied the position for over 21 years - so long that, for all intents and purposes, his name had become synonymous with the title, Director of ISOO. As such, long before I was selected for the position, I made the recommendation that much the same way an athlete's number is retired after he or she leaves a sport (with the athlete's jersey forever to fly from the arena's rafters), with my predecessor's retirement, his title as Director, ISOO, should likewise be retired and flown, in a symbolic sense at least, from the pillars of the National Archives Building on Pennsylvania Avenue. Although made half in jest, little did I know that official Washington would take this recommendation seriously. However, after everyone agreed that my predecessor's name and Director, ISOO were, in fact, synonymous, it was belatedly recognized that the title is actually set forth in a Presidential executive order and thus cannot be easily changed. Therefore, official Washington had no choice but to do the next best thing and amend the ISOO Director's job description to require that all future occupants of the job would have to formally change their name to Steve Garfinkel. Therefore, henceforth, you can call me "Steve."
This being my first formal public address since becoming Director of ISOO, I would like to start by addressing some of the basic philosophical principles that have guided me when it comes to information security.
Firstly, I recognize that when I was initially selected for the position, many folks questioned whether I would lean more toward secrecy or openness in Government. In fact, I further recognized that in view of my almost 30 years of experience in the national security community, some would anticipate that I would have an inherent bias toward secrecy.
In actuality, from my perspective, the issue is not one of openness vs. secrecy. I do not see it as an either/or situation. Rather, I do not believe that you can effectively have one without the other. Oftentimes, the ideal situation is achieved when an inherent tension can be maintained between the two. I see a critical role of the ISOO is to maintain this balance.
In maintaining this balance, it is important to be mindful of the fact that what makes our Nation great is not how well we can make and keep secrets. Rather it is our legacy of an open government - a defining factor of our democracy - a mark that sets us apart from most other nations in the world. In addition, as observed by Justice Potter Stewart, in an environment where everything is secret, nothing is secret. Among many undesirable outcomes, this can, in part, motivate improperly trained individuals to be their own arbiter as to what is "really" secret and what is not - leading to a lack of accountability, chaos and an environment conducive to the "leak" of classified information.
On the other hand, excessive openness can contribute to real damage to national security and then feed a legitimate reluctance to share information. Secrecy is an essential tool in protecting national security. Many intelligence sources and methods are only effective to the extent that they remain secret. Loss of an intelligence source or method can, for example, spell the difference in being able to preclude a terrorist attack. Additionally, our diplomats and trade representatives must be able to assure our foreign counterparts that the information and its source that are shared in the course of delicate negotiations are held in confidence. Similarly, the effectiveness of our secrecy system can spell the difference between success and failure on the battlefield. With our Nation at war and with significant adversaries planning to do us harm, effective secrecy can save the lives of our men and women of the military services who place themselves in harm's way to defend our Nation.
Secondly, I believe that ineffective secrecy can provide a false sense of security.
One of the most basic principles of making secrets is that it must be possible to keep the "secret" secret. There are times when what you are trying to protect has so permeated the public domain, or is so ubiquitous, or can become known through so many different avenues, that it is literally impossible to protect. For example, based upon my prior experience in DoD, oftentimes I would encounter military commanders preoccupied by perceived vulnerabilities from new technologies, especially with respect to surveillance and reconnaissance capabilities available to potential adversaries. While focusing on countering new threats, the good old fashioned threats, such as a local national with a cell phone standing on a hill overlooking a military operation, or the local national actually working on the military base, would be overlooked.
Oftentimes, the best security is accepting as a given the fact that what you want to protect is or will become known to others - and plan your operations accordingly.
Thirdly, I believe that oftentimes we rely on secrecy as a crutch to compensate for shortcomings in other areas such as personnel security, automated information systems controls, and just plain day-to-day management.
A typical response to the shock, for example, of an espionage case, is oftentimes the call for greater compartmentalization of information. Such cases clearly represent one of the greatest risks to our national security - i.e., the threat posed by the malevolent insider. The power of information technology significantly increases the amount of information accessible to all and thus increases the magnitude of damage that a single malevolent insider can inflict.
However, the compartmentalization of information comes at a price as well. Oftentimes, national security can be put at as much if not greater risk if pertinent information is not shared with appropriate parties. Greater emphasis thus needs to be given to using information technology to better enable the detection of misuse and abuse of information rather than needlessly restricting the dissemination of information because we can never be sure when an authorized insider will "go bad." Such technology exists today and is routinely used in the commercial sector.
Fourthly, I firmly believe that the current information security regime is a product of the industrial age and needs to be brought into the information age.
The current framework for information security is document-centric. Yet with eGov solutions, the revolution in military affairs, and the like, the world around us is information technology-centric. In the military realm, for example, vast volumes of classified information can be generated and passed from the intelligence collection phase, through the planning phase, and all the way through to the weapons-on-target phase, without a single document being generated.
In creating information systems architecture, a fundamental step is business process reengineering, whereby you rethink and redesign the business process before the application of information technology solutions. In doing so, the focus is on outcomes, not tasks. Yet, when it comes to information security, we have had a tendency to apply the document-centric process in its entirety to the information systems environment, with little to no attention to fundamentally rethinking or redesigning the process. As a result, the focus on applying information security in the automated environment is oftentimes directed toward limiting dissemination as opposed to the overall outcome (i.e., ensuring that designated information cannot be accessed and used by unauthorized personnel to damage national security). We often lose sight of the fact that secrecy is a means and not an end unto itself. This is critically important in the automated information systems environment where the intent is to leverage the power of information, which can often be achieved only by widening its dissemination.
Which brings me to my fifth basic principle, i.e., secrecy does not necessarily equate to information security.
Our ability to share and leverage information is the source of American power and might in the 21st century. It is the source of our economic strength. It is the basis of the revolution in military affairs that will provide the framework for our unprecedented military superiority for the next generation. Yet, the accepted process for safeguarding of classified information establishes a system of "stovepipes" and "filters." Furthermore, it is based upon the "push" model of information management in which the authorized holder of the information has the sole prerogative of determining whether a prospective recipient requires access to specific information.
This framework reflects the premise that national security considerations always necessitate the restriction of the dissemination of classified information. It also is based upon the premise that originators of classified information are omniscient and are cognizant of all possible users of the information and how it can be applied. Today's default position is to give recipients the minimum information they need to do the job so as to minimize exposure should security violations or outright espionage compromise information that can be used to damage national security.
This framework does not reflect the reality that national security can be placed at risk if classified information is not effectively shared. Nor does it reflect the reality that our military power and our intelligence and law enforcement prowess are dependent upon taking vast amounts of information from disparate sources and synthesizing it in unprecedented ways. Whether on the battlefield or in the analyst's or criminal investigator's office, it is the innovative application of information in heretofore unfathomable ways that provides our nation the decisive edge in undertakings such as the global war on terrorism. These enhanced capabilities are dependent upon the full implementation of a "pull" model of information management where many users from multiple agencies avail themselves of the array of available information from disparate sources and also make available to all the results of their processing of that information. This must occur routinely on an interagency basis.
These basic principles are the precepts that will be guiding me in the years to come as I fulfill the responsibilities of the position of ISOO Director. In fulfilling these responsibilities, I look forward to working with all the organizations represented in this room today and other interested communities in the public and private sectors, in ensuring that our information security policies foster an informed American public while at the same time protecting our citizens and democratic institutions from harm.
So much for a philosophical overview -- what are the other day-to-day activities with which ISOO is involved? Laura Kimberly, the Associate Director for Policy, will be doing two sessions of a workshop this week. In these workshops she will be talking about the ISOO mission and functions and how ISOO relates to your activity's security program. She will also be giving more detailed updates on ISOO activities regarding the Executive Orders on security classification and the National Industrial Security Program. Other members of the ISOO staff who will be here this week will assist her in these workshops. I'd like to acknowledge them right now and have them stand up as I call their name. [Pause for introductions] I encourage you to interact with the ISOO staff members throughout this seminar.
In terms of general news, some of you may be aware that there have been working group meetings at the interagency level to examine the possibility of recommending changes to Executive Order 12958 governing classified national security information. Generally speaking, there is no ground swell of opinion to the effect that substantive changes are required to the current Executive Order in the near term. As a minimum, there appears to be interagency consensus that the deadline for automatic declassification of the backlog of 25-year-old or more material needs to be extended beyond the April 2003 date set forth in the November 1999 amendment to the original Executive Order.
When the Executive Order was initially crafted over seven years ago, no one really knew how much 25-year-old or more material there was, how much would have to be reviewed, and exactly what was entailed in conducting the review prior to the imposition of the original 5-year deadline of April 17, 2000. We now have over six years of experience in implementing the automatic declassification provisions of this Order. The executive branch has managed to declassify almost 900 million pages. Agencies are continuing to chip away at the mountain of older classified records, even as new, older material is being added. The Executive Branch deserves much praise for its efforts to fulfill the automatic declassification requirements of the Order. It is a struggle to maintain this very important component of the national program, particularly in the face of the war on terrorism. ISOO will continue to push agencies to declassify as many older records as possible, working with them to address the issues related to the more difficult records that deal with intelligence information and contain equities of more than one agency. We will also work with the agencies in the classification process, encouraging them to be prudent as they make decisions to classify information and to develop consistent and detailed classification guidance. Consistency and uniformity in classification will assist the declassification of information.
Just as we have obviously learned a great deal more than we knew when the Executive Order was originally crafted, the environment we operate in also has changed. For example, organizations such as the Security Policy Board no longer exist. It is only in view of these changes and our increased knowledge that modifications to the Executive Order are currently being considered. However, it is too soon to tell whether or not any of this working group level activity will turn into real changes in the Executive Order in the near term.
Moving on to the other Executive Order for which ISOO is responsible, for those of you who are familiar with my background, you know that the industrial security program is near and dear to my heart. Almost 30 years ago, when I started my career as a Federal civil servant, I was a GS-5 Industrial Security Representative in New York City. Since then, most of my subsequent assignments involved various responsibilities in industrial security. Also, like so many of you, I can say I was there at the birth of the National Industrial Security Program (NISP), being a part of the seemingly endless series of working group meetings that were held ten or more years ago.
Those efforts, of course, bore fruit with the promulgation of Executive Order 12829 in January 1993 setting forth the construct of the National Industrial Security Program. Through the efforts of so many in both Government and industry, we were able to establish a framework designed to establish an integrated and cohesive program that safeguards classified information while preserving the Nation's economic and technological interests.
I am realistic enough to know that anything that is intended to be integrated and cohesive is not easily achieved and, once achieved, not easily preserved. Rather, despite tremendous advances that we have seen in this regard during the past decade, for industrial security it is a goal that requires constant attention and perseverance. As such, the success of the NISP will always remain a high priority for the ISOO.
In this regard, ISOO will shortly be undertaking a survey in order to evaluate just how integrated and cohesive the NISP really is and to assess overall perceptions and attitudes toward the NISP. We also intend to identify through this survey any systemic problems that may exist.
By way of background, over the last six years, ISOO has conducted two surveys of the program. Unlike past surveys, this new survey will be conducted electronically. The Defense Security Service (DSS) will send out notification of the survey and, to ensure that we cover all of the bases, we will supplement the DSS distribution with facilities unique to other NISP signatories. Incorporated in the notification will be a link to the online survey. The respondents to the survey will remain anonymous to their Cognizant Security Agency. However, to allow responsible Government organizations to address and identify systemic problems, ISOO will segregate the data to provide for regional results.
To underscore its importance, we plan to supplement the survey through interviews and site visits. Our overall objective is to develop the most accurate assessment to date on the status of the NISP.
The survey questions deal with areas such as: the respondent's level of program knowledge and level of confidence in the program, areas of concerns, barriers to full program implementation, and suggested changes or recommendations for improvement to the NISP. Additionally, we have incorporated topics identified by industry, such as meaningful clearance reform, reciprocity issues between various agencies, imposition of sensitive, but unclassified data protection requirements, implementation of Chapter 8 automated information systems requirements. I want to emphasize that participation in the survey is strictly voluntary and individual submissions will only be accessible by ISOO.
We plan to launch this survey in late August and end it a month later. Site visits will be conducted thereafter until late October. We plan to finalize the report by late December and publish the survey results in February of next year.
Continuing with an update on general news, some of you are probably aware that our organization, along with others, is looking at the issue of potential clearance of State, local, tribal and private sector personnel. This review is taking place in the context of ensuring that timely information is provided to those who need it in order to deter, interdict, protect and respond to potential threats balanced by the imperative to protect classified national security information. Our main focus is on getting a clearer understanding of just how many and under what framework such clearances already exist - both pre- and post-9/11 - and seeing what, if any, recommendations should be made. In that ISOO's review has only just begun, it is still too early to tell if any recommendations are warranted.
Finally, in the context of nothing is really ever new, efforts are still underway to implement the requirements of Executive Order 12968 that require employees who have regular access to particularly sensitive classified information to submit relevant information concerning their financial condition. While progress is being made as to how this requirement will be formulated, final determinations have yet to be promulgated. However, when they are, I expect ISOO to be tasked to ensure the confidentiality of such disclosures within the context of the National Industrial Security Program.
In closing, I wish you the best during the course of your seminar for the next several days. Your theme, Harnessing Security Challenges, aptly describes the era in which we find ourselves. The nature of the security challenges we confront today is unlike any of those that our Nation has dealt with in the past. However, just as the generations who have proceeded us effectively dealt with the daunting challenges with which they were confronted, I am confident that today's Americans will not only prevail in overcoming the current test of our national will, but will emerge stronger and more united than ever.