FAS | Secrecy | Library || Index | Search |


CHAPTER 11.

 

A SECURITY ARCHITECTURE FOR THE FUTURE

 

 

Throughout this report, we have identified problems that contribute to the complexity and cost of the security system and proposed recommendations for overcoming them. But as noted earlier, many of these problems are merely symptoms, not causes. The Commission unanimously believes that the fragmentation of the security policy structure is the prime cause of the problems now associated with security policies, practices, and procedures and that no substantive and long-term improvements can be achieved without a unifying structure to provide leadership, focus, and direction to the government security communities.

 

 

The Present

 

US Government security policies and practices have evolved in an ad hoc manner over the last four decades. Security policy is enunciated in a collection of documents (Executive Orders, National Security Decision Directives, National Security Directives, Presidential Decision Directives, legislation, and individual department or agency directives and orders) prepared at different times, by different people, in response to different requirements and events, not as part of a coherent planned effort. Additionally, the individual policy documents have been developed through consensus, an approach that is not only time consuming and slow to respond to change, but can also produce unsatisfactory results. Policy is often weakened in order to achieve consensus. As a result, the departments or agencies are allowed to ignore aspects of policy which they do not support, as has happened with the SSBI mandated by NSD 63, the new TEMPEST policy outlined in NSTISSI 7000, and the elimination of the two person rule.

 

ASPWG

 

MASINT Com Treaty Impl WG

SIGINT Com CSE


CIO

SAP WG OSPG

 

 

 

 

 

Figure 8. The Current Policy Structure

 

This piecemeal approach to security policy has led to a decentralized policy structure in which multiple groups with different interests and authorities work independently of one another. Figure 8 represents some of the Defense and Intelligence Community groups that either have some role in the formulation of security policy or influence the process. Many of these groups have overlapping memberships and responsibilities, others operate in isolation, but all exact a cost in terms of time, energy, and efficiency.

 

Each department or agency head is responsible for the appropriate implementation of security policy within his or her own organization. This decentralization presents its own unique set of challenges. The process is slow and some people never seem to get the word. Multiple agency originated implementation documents, while accommodating unique agency or department needs, also allow ample opportunity for the introduction of subtle changes, clarifications, reinterpretations, or additions that grow more pronounced with each iteration and can subvert efforts to standardize or update security policies and practices.

 

Oversight responsibility rests primarily with the department or agency heads and their respective Inspectors General. Although the Director of Central Intelligence has statutory authority for the protection of sources and methods, no comparable authority exists within the Defense Department where the Under Secretary of Defense (Policy), the Assistant Secretary of Defense (Command, Control, Communications and Intelligence), the defense agencies, services, and Joint and Unified Commands all have a responsibility for security policy. In addition, there is no effective mechanism to look across government to ensure that security policy is being implemented properly, if at all. Some personnel interviewed in the Defense and Intelligence Communities believe that there is, in fact, no penalty for noncompliance with security policy.

 

 

The Future

 

The problems inherent in this fragmented approach to security policy argue strongly for the creation of a security policy structure capable of pulling these disparate elements together and overcoming the bureaucracies' traditional resistance to innovation and change. The Commission recommends the establishment of a security executive committee to unify security policy development; serve as a mechanism for coordination, dispute resolution, evaluation, and oversight; and provide a focal point for Congressional and public inquiries regarding security policy or its application. Individual department heads would be able to request exceptions from general policies for their departments if deemed necessary.

 

 


 

 

 

 

 

 

Figure 9. The Security Executive Committee

 

In view of the national security responsibilities assigned to the Department of Defense and the Director of Central Intelligence, we propose that the Secretary of Defense, or his designee, and the Director of Central Intelligence jointly chair the security executive committee. In recognition of the need to view security from a national perspective, the other permanent members would be the Deputy National Security Adviser, the Deputy Secretary of State, the Deputy Secretary of Treasury, the Deputy Secretary of Energy, the Deputy Secretary of Commerce, the Deputy Attorney General, the Chairman of the Joint Chiefs of Staff, and the Director of OMB. Other departments or agencies would be invited to attend committee meetings as required by the subject under discussion. In the Commission's view, the security executive committee should be established by the President under the auspices of the National Security Council.

 

The security executive committee would be assisted by a security advisory board composed of distinguished Americans who would provide a non-government and public interest perspective to security policy. The board would act as a barometer for the committee to ensure that security policy and implementation is consistent with the overall goals of the government, such as openness, cost effectiveness, and fairness.

 

A small permanent interagency staff would provide support for the security executive committee as required. Our concept would be to focus the staff on four functional areas: threat, policy development, implementation, and oversight. We would anticipate that the staff would facilitate, track, and expedite actions and would support whatever interagency committees and groups might be required to ensure full community participation in the development and coordination of security policy and to effect horizontal integration of the individual security disciplines. The functions of existing staff structures, such as the Information Security Oversight Office (ISOO), the National Security Telecommunications and Information Systems Security Committee (NSTISSC) Executive Secretariat, and elements of the Community Counterintelligence and Security Countermeasures Office (CCISCMO) could be consolidated as subcommittees or in the permanent staff in order to streamline the structure and reinforce the concept of horizontal integration.

 

The security executive committee has a pivotal role in implementing the changes that we are proposing and in achieving our vision for the future. If created, it will facilitate the continuous and dynamic review of security policies, practices, and procedures needed to propel the government security communities into the new century. The scope and stature of its membership will give greater prominence to security and will combine the government security communities into a cohesive framework that can address the full range of security issues. It will monitor implementation to ensure that it is timely and consistent.

 

As an early goal, we believe the committee should enunciate a cohesive national level strategy for security which lays out goals and objectives and assigns responsibilities across government. The national scope of the strategy would ensure consistency and reciprocity among departments and agencies and recognize that security is a governmentwide responsibility.

 

 

Recommendation 76

The Commission recommends the establishment of a national level security policy committee to provide structure and coherence to US Government security policy, practices and procedures. The committee will:

1) Develop government security policy and standards.

2) Ensure long term and continuing implementation oversight.

3) Serve as an ombudsman to resolve disputes.

4) Monitor security resources expended and provide security program guidance.

As a first step, the Commission recommends that the Secretary of Defense and the Director of Central Intelligence immediately establish a committee to fulfill these functions for the Defense and Intelligence Communities.

 

 

 

 



Endnotes
Back to JSC Top Page


FAS | Secrecy | Library || Index | Search |