APPROACHING THE NEXT CENTURY
The first duty of government is to provide security for its citizens. This security takes many forms, including a strong military, a robust economy, and mutually beneficial international relationships. In a democracy, the people's security also depends on the health of the democracy itself. This, in turn, depends on the protection of democracy's processes and the careful maintenance of the balance between the right of the public to know and the government's responsibility to provide for security.
As the twentieth century nears its end, events require that the United States assess the basic assumptions and goals that guide the protection of government information, facilities, and people. Our preoccupation with the specter of nuclear annihilation has been reduced; the resources for national security programs are declining sharply; and the information age has irrevocably altered the way we do business. Concurrently, the continued preeminent role of the United States in world political, military, and economic affairs makes our government and industrial activities of major interest to foreign powers. In this environment, the security practices and procedures that developed from World War II until the 1990s require fundamental reexamination.
For some time, it has been recognized that the security system is fragmented, complex, and costly. The Infrastructure Report of the Community Management Review requested by then Director of Central Intelligence (DCI) Robert Gates labeled current security policies and practices as the "greatest deterrents to major savings in infrastructure," and recommended the creation of a DCI security commission to design and implement a new security system. The DCI's Task Force on Standards of Classification and Control Report, commonly known as the "Gries Report," called for revision of the classification and control system on the grounds that it was "unsuited to the geopolitical and fiscal realities . . . in the 1990s." The Gulf War reinforced the military's need to analyze and move vast amounts of information to distant theaters of operation. Industry has been concerned about the inconsistency and cost of current security practices and procedures. Congress is convinced that change is necessary.
The Secretary of Defense and the Director of Central Intelligence acknowledged these concerns and established the Joint Security Commission in May 1993. The Commission's task was to review security policies and procedures with three simple goals: (1) find what works and keep it; (2) determine what no longer works and fix it; and (3) identify what the future demands and implement it.
In the nine months since its creation, the Joint Security Commission has attempted to fulfill this task by conducting an extensive security review within the Department of Defense and the Intelligence Community. In doing so, the Commission sought not only the perspectives of policymakers, the Congress, industrial leaders, the military, and public interest groups but also the technical expertise of government and industry security personnel. Many will recognize their words and opinions in the text of this report and we acknowledge a debt of gratitude for their contributions. We also commend the many initiatives already underway, such as those instituted by the National Industrial Security Program and the DCI's Security Forum, to streamline and modernize the government's security policies and practices and to incorporate risk management strategies.
The Commission's considered opinion, however, is that these changes alone are not enough. The security system must not only overcome the inefficiencies of the past but also rise to the challenges of the future. It must be dynamic, flexible, and forward looking.
Nowhere is this more apparent than in the area of information systems and networks. The Commission considers the security of information systems and networks to be the major security challenge of this decade and possibly the next century and believes that there is insufficient awareness of the grave risks we face in this arena. The nation's increased dependence upon the reliable performance of the massive information systems and networks that control the basic functions of our infrastructure carries with it an increased security risk. Never has information been more accessible or more vulnerable. This vulnerability applies not only to government information but also to the information held by private citizens and institutions. We have neither come to grips with the enormity of the problem nor devoted the resources necessary to understand fully, much less rise to, the challenge. Fundamental and very tough questions are involved: What should the government's role be in helping to protect information assets and intellectual capital that are in private hands? How should technology developed by the government to protect classified information be provided to the private sector for the protection of sensitive but unclassified information? Protecting the confidentiality, integrity, and availability of the nation's information systems and information assets, both public and private, must be among our highest national priorities.
The Commission believes that there are fundamental weaknesses in the security structure and culture that must be fixed. Security policy formulation is fragmented. Multiple groups with differing interests and authorities work independently of one another and with insufficient horizontal integration. Efforts are duplicated and coordination is arduous and slow. Each department or agency produces its own implementation rules that can introduce subtle changes or additions to the overall policy. There is no effective mechanism to ensure commonality.
The Commission believes that the complexity and cost of current security practices and procedures are symptoms of the underlying fragmentation and cannot be alleviated without addressing it. We, therefore, propose that a security executive committee be created to assume responsibility for the development and oversight of security policy for the US Government and to function as a continuing agent of change. We further propose that a security advisory board be constituted to interject a nongovernment and public interest perspective into government security policy. These proposals are described in detail in chapter 11.
Some other problems that we identify and discuss in this report are:
o Countermeasures are frequently out of balance with the threat. They have too often been based on worst-case scenarios rather than realistic assessments of threats and vulnerabilities.
o The classification system is cumbersome and classifies too much for too long. The zeal to protect information has sometimes inhibited the flow of information to those who need it.
o Personnel security is the centerpiece of the Federal security system, but current procedures are needlessly complex and costly. There are too many inconsistencies, too many forms, and too much delay.
o There are too many layers of physical security and they cost too much money. A facility's security may include multiple layers (fences, alarms, guards, security containers, access control devices, closed circuit television, locks, and special construction requirements) that are not necessarily needed.
o Large sums have been spent on technical security within the United States despite a minimal level of threat.
o Procedural security measures are not always effective. Elaborate record keeping procedures for document control are costly and can no longer be relied upon to deter compromise in the age of personal computers, facsimile machines, copier equipment, modems, and networks which offer ample opportunities to copy documents without detection. Procedural security that is still necessary, such as badges and visitor control, can be streamlined.
o Operations security (OPSEC) is important and sometimes critical in a military environment and for sensitive operations, but it has been extended to inappropriate situations and environments.
The problems are many and the mandate for change is strong, but change must be guided by clear goals and principles. We envision security as a dynamic and flexible system guided by four basic principles:
o Our security policies and services must be realistically matched to the threats we face. The processes we use to formulate policies and deliver services must be sufficiently flexible to facilitate their evolution as the threat changes.
o Our security policies and practices must be consistent and coherent across the Defense and Intelligence Communities, thereby reducing inefficiencies and enabling us to allocate scarce resources efficiently.
o Our security standards and procedures must result in the fair and equitable treatment of the members of our communities upon whom we rely to guard the nation's security.
o Our security policies, practices, and procedures must provide the security we need at a price we can afford.
The Commission believes that the application of these principles will make the security system less fragmented, less complex, and more cost effective. We also believe that the progress made will be eroded over time without a fundamental adjustment in the way security is viewed and practiced. Security can no longer be seen as an independent, external authority that rigidly imposes procedures and demands compliance. The Commission believes that it is time for a paradigm shift.
o Security is a service that should be based on an integrated assessment of threat, vulnerability, and customer needs. Conceptually, it should be the way that we think rather than a manual of rules. Security then becomes a more positive undertaking that values the spirit over the letter of the law, problem prevention over problem resolution, and individual responsibility over external oversight. It is a partnership between security and operations that balances the need to protect with the need to get the job done. Industry is a valuable partner and participant in this process.
o Security must come from an integrated system that recognizes the interdependence of the individual security disciplines and establishes a logical nexus between the sensitivity of information and the personnel, physical, information, and technical security countermeasures applied in protecting the information. In this model, the individual security disciplines are interlocking pieces of a puzzle, each critical to overall success but none sufficient by itself.
o Security is a shared responsibility. Each individual has a role to play in ensuring the best possible protection for our information, personnel, and assets. Individual and management accountability for security actions and decisions are prerequisites for dynamic and responsive security processes.
o Security is a balance between opposing equities. The imperative to protect cannot automatically be allowed to outweigh mission requirements or the public's fundamental right-to-know and it must never obscure the understanding that an informed public is the foundation of a democratic government.
Implementing the New Paradigm: Risk Management
In the past, most security decisions have been linked one way or another to assumptions about threats. These assumptions frequently postulated an all-knowing, highly competent enemy. For the better part of the last half century, we viewed the Soviet Union and its allies as capable of exploiting our every weakness. Against this danger, we strove to avoid security risks by maximizing our defenses and minimizing our vulnerabilities. Since the future of the free world was considered highly dependent on how successfully we maintained our secrets, the costs of security programs, the constraints on needed information flow, and the negative impact on individuals and our economic competitiveness were all secondary considerations. We used worst case scenarios as the basis for most of our security planning.
The threats today are more diffuse, multifaceted, and dynamic. National security concerns now include a daunting array of challenges that continue to grow in diversity in our unstable and unpredictable world. The possibility of failure of democratic reform in Russia poses a constant danger. Further, Russia's ability to maintain control of its special weapons, China's supplying of equipment and technology to unstable countries, and North Korea's, Iran's and Iraq's attempts to develop nuclear weapons, have serious and far-reaching implications for regional security and stability. Burgeoning ethnic and religious rivalries that cross traditional boundaries endanger both new and long-standing peace agreements, drawing the United States into an expanding role in peacekeeping and humanitarian missions. The bombing of the World Trade Center and the assassination of two CIA employees in Virginia heightened our sensitivity to the fact that terrorist activities against Americans can occur domestically as well as abroad. Violent crime and narcotics trafficking in our neighborhoods also continue to threaten American lives and values.
The Commission recognizes that the consequences of failures to protect against some of these threats are exceptionally dire. For instance, terrorists' use of weapons of mass destruction, or an adversary's foreknowledge of our battle plans, could have consequences so grave as to demand the highest reasonably attainable standard of security. This is true even if the probability of a successful attack is small and the cost of protection is high. Some inherent vulnerabilities can never be eliminated fully, nor would the cost and benefit warrant this risk avoidance approach. In most cases, however, it is possible to balance the risk of loss or damage of disclosure against the costs of countermeasures and select a mix that provides adequate protection without excessive cost in dollars or in the efficient flow of information to those who require ready access to it. We can and must provide a rational, cost-effective, and enduring framework using risk management as the underlying basis for security decision making.
The Commission views the risk management process as a five-step procedure:
1. Asset valuation and judgment about consequence of loss. We determine what is to be protected and appraise its value. Part of asset valuation is understanding that assets may have a value to an adversary that is different from their value to us.
2. Identification and characterization of the threats to specific assets. Intelligence assessments must address threats to the asset in as much detail as possible, based on the needs of the customer. These assessments may be commissioned at the national level to feed the development of security policies and standards, at the program level to guide systems design, or in planning intelligence support for military or other operations.
3. Identification and characterization of the vulnerability of specific assets. Vulnerability assessments help us identify weaknesses in the asset that could be exploited. The manager may then be able to make design or operational changes to reduce risk levels by altering the nature of the asset itself. Cost is an important factor in these decisions, as design changes can be expensive and can impact other mission areas.
4. Identification of countermeasures, costs, and tradeoffs. There may be a number of different countermeasures available to protect an asset, each with varying costs and effectiveness. In many cases, there is a point beyond which adding countermeasures will raise costs without appreciably enhancing the protection afforded.
5. Risk assessment. Asset valuation, threat analysis, and vulnerability assessments are considered, along with the acceptable level of risk and any uncertainties, to decide how great is the risk and what countermeasures to apply.
When any of these steps are left out, the result can either be inadequate protection or unnecessary and overly expensive protection. Frequently, the missing element is the incorporation of specific, up-to-date threat assessments in the development of security policies. With no documented threat information, countermeasures are often based on worst case scenarios.
The Commission stresses that managers must make tradeoffs during the decision phase between cost and risk, balancing the cost in dollars, manpower, and decreased flow of needed information against possible asset compromise or loss. Policy decisions resulting from the risk management process can then guide security planning. At the national level, these risk management decisions should form the backbone of, and provide the standards for, the security system. The resulting standards would promote consistency, coherence, and reciprocity across programs and agencies.