On to Chapter Nine.
Our government classifies information and subsequently applies security procedures to documents and materials containing or revealing that information to prevent adversaries from obtaining that information and using it to our detriment. Unfortunately, classifying information does not absolutely prevent an adversary from obtaining that information. The only way to keep information absolutely secret is either to tell no one about that information* or to use the Captain Kidd method.+, 1 However, for information to be of value to our government, that information usually has to be known to more than one person. Therefore, the "tell no one approach" to keeping secrets is generally not a feasible solution. The Captain Kidd method for keeping secrets is not acceptable. Consequently, our government uses the classification-of-information method to help keep secrets. Classification of information and subsequent application of security procedures delay the disclosure of that information ("buys time").++
* "Three may keep a secret if two of them are dead." Ben Franklin's Wit and Wisdom, Peter Pauper Press, Mt. Vernon, N.Y., p. 46. See also Poor Richard: The Almanacks for the Years 1733–1758, Van Wyck Brooks, ed., New York, Heritage Press, 1964, July 1735, p. 30, as reported by S. Bok, Secrets, Pantheon Books, New York, 1978, p. 108.Generally, information cannot be kept from an adversary for an unlimited period of time. Sometimes an adversary will obtain classified information through espionage activities. At other times classified information will be inadvertently disclosed and thereby revealed to an adversary. For scientific and technical information, an adversary can possibly obtain the same information through its own efforts.
+ Captain Kidd was a pirate who was said to bury his treasure for safekeeping and later recovery. He is alleged to have usually killed the persons who helped him bury this treasure to keep them from revealing its location to others or from returning on their own to dig it up. The "Captain Kidd Method" is to "terminate" the persons to whom a secret has been told after their usefulness to the discloser has ended and before they can tell this secret to someone else.
General L. R. Groves, head of the Manhattan Project, succinctly expressed that [Captain Kidd] option in a 1945 Congressional hearing on the control of atomic energy, as follows: "I would like to say that the only thing that would preserve security would be to lock everybody up, and when they decided to leave to shoot them and be done with it. That is the only way you could have perfect security" [U.S. Congress, House of Representatives, Committee on Military Affairs, "Atomic Energy," Hearings on H.R. 4280, "An Act for the Development and Control of Atomic Energy," October 9 and 18, 1945, 79th Congress, 1st Sess., 1945, Testimony of Gen. L. R. Groves at p. 20.].
++ "There are times in the course of human history when time itself may be very important" [United States v. Progressive, 467 F. Supp. 990, 994 (W.D. Wisc., 1979), appeal dismissed, 610 F.2d 819 (7th Cir., 1979)].
Even if classified information could be kept from an adversary for many years, it is usually not necessary to keep that information from the adversary for such a long period of time. For classified operational information, the conduct of that operation will reveal much of the classified information to the adversary. For operations that were never carried out, the mere passage of time will render the information of little value to anyone except historians. For a new weapon system, an adversary may learn its classified aspects when that system is deployed. Therefore, for much classified information there is only a relatively short period of time when it is important to keep that information classified. However, certain types of information such as scientific or technical information, information on intelligence sources and methods, and cryptographic information may need to remain classified for relatively long periods of time.
A classifier should, when classifying information, determine whether or not it is feasible at that time to specify a classification duration (i.e., to specify automatic declassification). The duration of information classification should be kept as short as feasible to avoid unnecessary classification costs. However, establishing too short a classification duration may result in an adversary getting the information more quickly than desired and therefore will prematurely negate the classification benefits (e.g., an adversary may quickly develop effective countermeasures to a weapons system). Therefore, a classifier must be very careful when establishing a classification duration.
A determination of duration of classification is pertinent only to the classification of NSI. Documents that contain RD or FRD, regardless of whether they contain NSI, are not to be marked in advance for declassification. The policy of the Atomic Energy Commission was that no practical time limit could be placed on the life of classified information.* Thus, RD and FRD are unique not only because they are "born classified" but also because they can "live forever."
* This view is more likely to be correct with respect to classified scientific or technical information than with respect to operational information. Most of the Atomic Energy Commission's classified information was scientific and technical information.EO 12356 states that NSI should be classified "as long as required by national security considerations."2 "When it can be determined, a specific date or event for declassification shall be set by the original classification authority at the time the information is originally classified."2 Some prior EOs established time limits for declassification. The first such EO was issued by President Kennedy on September 20, 1961.3 It established four groups of information with respect to automatic downgrading and declassification. Classified information in Group 1 was exempt from automatic downgrading or declassification. It included foreign government information, information from international organizations, RD and FRD, and information requiring special handling such as intelligence and cryptology information.+ Group 2 information included extremely sensitive information or material which was exempted, on an individual basis, from automatic downgrading or declassification. Information in Group 3 was automatically downgraded at 12-year intervals until the lowest classification level was reached. It was not automatically declassified. Group 4 information was automatically downgraded at 3-year intervals and automatically declassified 12 years after date of issuance.
+ Note that Group 1 seems to have included those areas of NSI whose unauthorized disclosure is presumed to cause damage to the national security [see EO 12356, §1.3(c)], plus cryptographic and classified atomic energy information.EO 12065 stated that, as a general rule, information should be declassified within 6 years of its classification.4 Exceptions were provided, but they were to be used sparingly. Information classified longer than 6 years was to be reviewed at a date established at the time of classification but no later than 20 years after its original classification (30 years for foreign government information).
Automatic downgrading and declassification did not achieve all expected objectives. It was said that automatic declassification did not result "in a reduction in storage and handling costs nor does such action contribute materially to informing the public on government activities."5 From a practical standpoint, automatic declassification was said at most to make certain information accessible to historical researchers.5 One reason why time-phased downgrading or declassification was said not to work was that program managers excluded classified material from automatic downgrading or declassification because of a lack of "sufficient competent personnel to make the value judgments needed to determine what should be classified and what should not, or what need be no longer classified."6
EO 12356 was said to eliminate those "artificial 6- and 20-year limitations [present in prior EOs] that substituted for judgment of original classification authorities."7
PRINCIPLES FOR DETERMINING THE DURATION
OF INFORMATION CLASSIFICATION
As might be expected, there is a divergence of opinion on how long information can be kept classified before an adversary becomes aware of that information. A 1970 Report of the Defense Science Board Task Force on Secrecy expressed the following opinion:It is unlikely that classified information will remain secure for periods as long as five years, and it is more reasonable to assume that it will become known by others in periods as short as one year through independent discovery, clandestine disclosure or other means.8Hanson Baldwin stated that "the experience of history has been that no military secrets can long be kept; in any case, there is nearly always a definite time limit on their importance."9 Vanevar Bush had a different opinion:Sometimes . . . you will hear it argued that no secret can be kept very long anyhow. This argument flies in the face of the facts [citing the years of effort the U.S. put into "pulse detection of submarines," how well that secret was kept, and how fortunate it was for the U.S. in World War II that the secret had been kept].10With respect to military equipment, it has been stated that its classification "does not diminish in fixed proportion to elapsed time, but in relation to events, the timing of which usually cannot be predicted."11 John Foster, former Director of Defense Research and Engineering, DoD, stated the following in 1974:The time span of sensitivity [of classified information] can be affected by any number of factors: the state-of-the-art of technology, the success of our or the enemies intelligence activities, political, military, and technical developments, and many more. The point is that there can be no magic formula or standard for determining the number of years to retain classification on any particular piece of equipment or item of information.12The length of the delay on information disclosure that is possible by classifying information usually depends on the type of information being protected (e.g., subjective or objective; operational or scientific), the number of persons knowing the information, the kind of security procedures used to protect this information, and the diligence in classification and security matters of those possessing and protecting the information.13 In favorable situations, the "leaks" of classified information will be in small, fragmentary increments that are widely spaced in time, geographically scattered, and hopefully not completely accurate.
The period of time during which classified information about a military weapon system is kept from an adversary is frequently termed "lead time." Technological lead time is essential if a nation wants to depend on the quality of its weapon systems rather than the quantity. The baseline for lead time determination is the normal time required to transmit information in the absence of a classification system. By classifying information, lead time may exceed this baseline by (1) the time required for independent discovery by an adversary, (2) the time elapsed before an inadvertent unauthorized disclosure, (3) the time elapsed before a deliberate unauthorized disclosure (espionage or deliberate leak), or (4) the time elapsed before authorized disclosure (declassification). Assuming that the classification and security systems work as planned, then the time required for independent discovery (or until authorized disclosure) is the lead time.
Classification duration may be defined (1) in terms of a time period measured from the origination date of a document (i.e., at a future date) or (2) in terms of a future event which must occur prior to declassification.2 If a date or event cannot be specified, then a classified document containing NSI will be marked to indicate that the originating agency's determination is required for declassification.*, 14 The specified marking is "Originating Agency's Determination Required" or "OADR." This indicates that the agency that originally classified the information (or originated the document) has the sole authority to determine when the information (or document) can be declassified. Therefore, for classification decisions, the question is whether a duration of classification can be specified for classified information or whether no duration can be specified so that declassification must await the actual disclosure event.
* Of the 512,000 original classification decisions by executive agencies in FY 1991, 5% were assigned a date or an event for declassification and 95% were marked OADR ["Information Security Oversight Office (ISOO) 1991 Report to the President," Information Security Oversight Office, Wash., D.C., March 1992, pp. 12–15].DoD regulations allow, under certain conditions, a subsequent extension of a classification duration that was specified by the original classifier of the information:The duration of classification specified at the time of original classification may be extended only by officials with requisite original classification authority and only if all known holders of the information can be notified of such action before the date or event previously set for declassification.15The next two sections discuss classification duration described by a time period or an event, respectively. A following section suggests that it may be possible to estimate a classification duration based on the probability of its unauthorized disclosure, which in turn depends to a great extent on the number of persons who have been given the information. The final section of this chapter briefly mentions some aspects of classification duration applicable to scientific or technical information.
Classification Duration Defined by a Time Period
A specific classification duration time period is frequently used within DOE and its contractors for classified notices that direct the recipient to classify a specific document that was previously mistakenly issued to that recipient as unclassified. Some of those notices are classified only because they indicate that a certain document, currently not marked as classified, contains classified information. The classification of those notices is usually Confidential–NSI,* and they are usually marked to be declassified 2 years from their issue. This is based on the assumption that within 2 years all copies of the document to be upgraded will have been properly marked or destroyed. Of course, if there is doubt about accomplishing this within 2 years, then the notice should be marked OADR.
* If the notice described Secret Restricted Data (SRD) that was in the document that was issued as unclassified, then the notice itself would also be classified SRD.Executive Orders preceding EO 12356 established time limits for classification of certain types of NSI. As mentioned earlier in this chapter, those classification duration requirements were not included in EO 12356.
Classification Duration Defined by an Event
An example of declassification triggered by an event might be the classification of information related to military operations. This information is fluid or transient and needs to be classified for only a relatively short period of time. Plans for an operation may be highly classified before and during the operation.+ After the operation is over, the plans (especially information about the time and place the operation is to begin) will not be of much value to an adversary and therefore can probably be declassified. Declassification of the plans at that time will not affect the outcome of the operation (although those plans might provide insights into the philosophy of the planners and could remain classified for that reason). Therefore, classified operations plans could be designated to be declassified when a specified time period has elapsed after the operation has started or after the operation has been completed.++ Some classified information about an operation, such as the start date, can of course be declassified immediately after that start date.
+ Operation Overlord was the code name for the Allied invasion of Nazi-held France during World War II. When planning started for that operation there were only 32 persons who were cleared and knowledgeable about that operation. Two days before D-day, the invasion of Normandy, about five or six thousand persons were knowledgeable about everything except the exact destination [G. C. Jacobus, "Panel-Research in Automated Classification Management," J. Natl. Class. Mgmt. Soc., 3(2), 49–68 (1967) p. 55]. Several hours after that invasion began, millions of persons knew about the operation.Certain classified information about nuclear material shipments is generally declassified after the happening of an event (completion of the shipment). Prior to and during the shipment, information such as time of shipment and specific route taken is classified for reasons of security. After the shipment is over, there is usually no need to keep that information classified (unless it would reveal patterns in shipments, etc.). That information can therefore be declassified when the shipment has been received by the consignee.
++ The DoD security classification guidance for Operation Desert Storm, the 1991 military operation by the United Nations against Iraq, suggested that classifiers should consider marking information with "Declassification Upon Termination of Hostilities" to avoid declassification problems at the end of that operation [as reported in "DOD Keeps Tight Lid on Desert Storm Data, Sites National Security Reasons," Inside the Pentagon, Wash., D.C., 7(15), 1 and 12–14 (Apr. 11, 1991) p. 13].
If the purpose of classification is to buy lead time while developing a weapon system, then generally much of the information concerning that system may be declassified when the system is deployed. At deployment, the adversary usually has an opportunity to observe the hardware and its operations, so the operational capability will be known and other associated classified information may be inferred. Consequently, certain information may be marked as "declassify after deployment."
Classification Duration Based on Probability
of Unauthorized Disclosures
General. The preceding sections provided guidance for establishing a classification duration as a function of elapsed time (e.g., declassifying on a certain date) or on the happening of an event. In those situations, the classifier has determined that national security considerations no longer require that the information be classified after a certain date or event. The classification of the information "perishes" at that date or on that event because the information is then no longer valuable to us or to an adversary. The government (the classifier) directly controls the perishability of the classification because the government controls whether or not an event happens.
There is another type of perishability of classification which should be considered when estimating the duration of classification or when predicting how long classified information can realistically be expected to be kept from an adversary. Classification of information perishes, or at least the need for or major benefit of classification perishes, when an adversary obtains the classified information through unauthorized disclosures (via either espionage by the adversary or mistakes by the possessor of the information).*,+ This other type of perishability is not controlled directly by a government but is somewhat under government control.
* However, if there is more than one adversary from whom the information is being kept, then just because one adversary obtains that information is not a reason for declassifying that information and making it available to all adversaries.Perishability of classified information through unauthorized disclosure of that information to an adversary depends on several factors, a major one of which is the number of persons to whom the classified information has been given.++ A government can control (e.g., through clearances and need-to-know requirements) the number of persons who have access to that information. Therefore, perishability through unauthorized disclosure may be somewhat controllable as well as somewhat predictable.
+ Classification of certain objective information, such as scientific or technical information, also perishes when an adversary obtains that information through its own, nonespionage, efforts. This type of perishability will not be discussed in this section.
++ Note that a characteristic of a "protectable" trade secret is that it is known only to a few people [M. F. Jager, Trade Secret Law, Clark Boardman Co., Ltd., New York, 1988, §2.02, p. 2-14].Some relationships that may be used to estimate the probability of unauthorized disclosure of classified information, based on the number of persons who know that information and on other factors, are given in Appendix G for different types of unauthorized disclosures. That appendix provides the details of those probability relationships and gives the rationale for their development. Those probability relationships are summarized in the following paragraphs.
Types of Unauthorized Disclosures. Unauthorized disclosures of classified information occur when that information is obtained by someone not authorized to receive such information. An unauthorized disclosure occurs when classified information is received by an individual who does not have a security clearance.* Unauthorized disclosures can be either deliberate or inadvertent, direct or indirect, oral or written.
* An unauthorized disclosure might also occur when an individual with a security clearance but without a need to know receives classified information that he or she does not need to know. That type of unauthorized disclosure was not considered in Appendix G, since the major unauthorized disclosure risk occurs when the classified information is disclosed to an uncleared person.Deliberate unauthorized disclosures include transmittals from a U.S. citizen with a security clearance to a foreign government (from a spy to an adversary). They also include leaks to the press (i.e., essentially public releases) by a member of the government (e.g., for political reasons). Deliberate unauthorized disclosures are direct disclosures. The classified information goes directly to someone not authorized to receive that information. Whether or not deliberate disclosures are oral or written is not important—direct disclosures are meant to get directly to an adversary or to be released to the public such that subsequent transmittal to an adversary is a foregone conclusion.
Inadvertent unauthorized disclosures may be oral or written, direct or indirect. An inadvertent direct unauthorized disclosure is an oral or written communication received directly by an unauthorized person when the transmitter made a mistake and the intended unclassified communication actually contained classified information. An inadvertent indirect unauthorized disclosure occurs, for example, when a person working on a classified project communicates (orally or in writing) with a colleague on that project, when the communication is intended to contain no classified information, when the communication actually contains classified information, and when the communication is overheard by or read by an unauthorized person.
Probability of Unauthorized Disclosures of Classified Information Reaching an Adversary. The probability of an unauthorized disclosure of classified information reaching an adversary is a linear function of the number of persons who know that classified information and on several other factors. The generalized equation for this probability is as follows, for a disclosure scenario S:
Probability (S) = ks x NPs x NCOMs x CREVs x COPs x UARs x RTAs,where ks is a constant that depends on the general scenario, NP is the number of persons who know the classified information, NCOM is the average number of communications by each of those persons during a time period, CREV is a classification review factor that is approximately a constant for each general scenario, COP is the average number of copies of each communication, UAR is the number of unauthorized recipients of each communication, and RTA is the probability that one of those unauthorized recipients will send the classified information to an adversary. The numerical value of some of those factors may be estimated for general unauthorized disclosure scenarios, while some may be estimated only for specific scenarios.
As mentioned above, in all scenarios the probability that an unauthorized disclosure of classified information will reach an adversary is a linear function of the number of persons who know the classified information, NP. However, in one scenario, that probability also seems to be a function of the square of NP. That situation is the inadvertent indirect unauthorized oral disclosure scenario, where the total number of communications, NCOM(total), is a function of the number of interactions of classified project participants and is therefore a function of the square of NP. In the other scenarios, the total number of communications is a product of NP and NCOM.
The baseline probability* of classified information reaching an adversary through an unauthorized disclosure is the deliberate disclosure scenario, the espionage situation. That probability is solely a function of NP. The constant in the equation, or at least its lower limit, can be estimated with reasonable certainty based on the number of U.S. citizens with security clearances who have sent classified information to adversaries (the number of "spies") in recent years. The probabilities for other scenarios are more complex to estimate. Those probabilities are described in Appendix G, where the approximations and estimates used to derive those probabilities are also discussed.
* Baseline means that all the other probabilities of unauthorized disclosure should be less than this since those other probabilities can be under greater control by us.The generalized equation for the probability of unauthorized disclosures provides a simple, direct way to describe the factors important to protecting classified information. The equation shows, in a straightforward manner, that classified information about a project can best be protected by limiting the number of persons to whom that information is given (stringently enforcing need-to-know requirements), by minimizing the number of "unclassified" communications related to that project and generated by such persons, by minimizing the number of copies of such communications, and by requiring classification review of all job-related communications originated by project personnel. Some of those methods to protect classified information will be difficult to achieve. However, the equation can be used, for a specific classified project, to help determine the weak links with respect to unauthorized release of classified information concerning that project. This helps classification management programs and security programs in ensuring that available classification and security resources are spent to correct those weak links. It is interesting that evaluation of the probability equation for several scenarios appears to indicate that a major source of unauthorized disclosures is conversations about a classified project which take place between project workers in nonsecure locations. This conclusion is supported by observations previously reported with respect to industrial espionage (see Appendix G). It is hoped that further evaluation of the probability equation and its parameters and constants will lead to additional results useful in protecting classified information.
Classification Duration of Scientific or Technical Information
Technical information will generally need to be classified for longer periods of time than either military operational information or information that is classified to protect lead time. However, even the national security value of scientific and technical information is transient. This is because the steady, worldwide advance of science and technology along broad fronts (the general progress of knowledge) may lead others to discover that same information. Also, other nations are usually expending efforts in research and development in the same general technology (if that technology shows great promise of providing national security benefits), and they may make similar discoveries at about the same time as our discoveries.
The rate at which scientific and technical information loses its value (how quickly it can be declassified) depends on the particular field of knowledge (whether it is new and rapidly developing or an old, well-established field that is progressing relatively slowly), the relative research and development efforts of the competing nations,* and on other factors. Much RD is very technical in nature (e.g., uranium isotope separation information; nuclear weapon design data) and some RD has been classified for a relatively long period of time (over 40 years). In other national defense areas, such as some conventional weapon technologies, technological advances may quickly occur and obsolescence may be rapid—estimated at about 5 years in certain areas.
* "Now, I think that really when it comes to military security and the relative advantages of giving out information and not giving it out, what we are interested in from the military standpoint is the relative movement, you might say, of ourselves and other nations. It isn't so much how fast we progress; it is the relative motion of the two" [Gen. L. R. Groves in Atomic Energy Act of 1946, Hearings before the Special Subcommittee on Atomic Energy, U.S. Senate, on S. 1717, "A Bill for the Development and Control of Atomic Energy," February 18, 19, and 27, 1946, 79th Cong., 2nd Sess., U.S. Govt. Printing Office, 1946, p. 495].It is very difficult to estimate the rate of progress of science or technology or the date by which an adversary will have obtained the classified scientific and technical information by its independent efforts. Therefore, this type of information is usually not marked in advance for declassification. Classified scientific or technical information is usually evaluated periodically to determine whether it may be declassified. That evaluation process is described in a subsequent chapter on declassifying information.
1. A. H. Katz, "Classification: System or Security Blanket," J. Natl. Class. Mgmt. Soc., 8, 76–82 (1972), p. 81.
2. Executive Order 12356, Fed. Reg., 47, 14874 (Apr. 6, 1982), §1.4(a).
3. Executive Order 10964, "Amendment of Executive Order No. 10501, Entitled `Safeguarding Official Information in the Interests of the Defense of the United States,'" Fed. Reg., 26, 8932 (Sept. 22, 1961).
4. Executive Order 12065, Fed. Reg., 43, 28949 (June 28, 1978), §1-4.
5. D. O. Cooke, testifying for the Department of Defense, as reported in U.S. Government Information Policies and Practices--The Pentagon Papers (Part 2), Hearings Before a Subcommittee of the Committee on Government Operations, House of Representatives, 92nd Congress, 1st Session, June 28 and 29, 1971, U.S. Govt. Printing Office, p. 601.
6. J. S. Foster, in Government Secrecy, Hearings Before the Subcommittee on Intergovernmental Relations of the Committee on Government Operations, U.S. Senate, 93rd Congress, 2nd Session, May 22, 23, 29, 30, 31 and June 10, 1974, U.S. Govt. Printing Office, p. 269. Hereafter cited as "J. S. Foster, "Government Secrecy."
7. A. F. Van Cook, "Information Security and Technology Transfer (An OUSD Overview of Executive Order 12356 and DoD's View Concerning Implementation)," J. Natl. Class. Mgmt. Soc., 18, 1–7 (1982), p. 3.
8. U.S. Department of Defense, Report of the Defense Science Board Task Force on Secrecy, F. Seitz, Chairman, Office of the Director of Defense Research and Engineering, July 1, 1970, p. 1.
9. H. Baldwin, quoted in Bull. At. Sci., 1(9), (Apr. 15, 1946) p. 6.
10. V. Bush, in an address before the American Society of Newspaper Editors, April 16, 1948, as reported in Tab E, pp. 3–4, in Report to the Secretary of Defense by the Committee on Classified Information, C. A. Coolidge, Chairman, U.S. Department of Defense, Nov. 8, 1956.
11. E. Hill, "Defence Procurement and Classification in the U.K.," J. Natl. Class. Mgmt. Soc., 16, 20–27 (1980), p. 25.
12. J. S. Foster, Government Secrecy, p. 268.
13. See, for example, C. L. Marshall, Director of Classification, Atomic Energy Commission, in Government Secrecy, Hearings Before the Subcommittee on Intergovernmental Relations of the Committee on Government Operations, U.S. Senate, 93rd Congress, 2nd Session, May 22, 23, 29, 30, and 31 and June 10, 1974, U.S. Govt. Printing Office, 1974, p. 278.
14. Information Security Oversight Office, "Directive No. 1," Fed. Reg., 47, 27836 (June 25, 1982), §2001.5(d)(3); 32 CFR Part 2001.5(d)(3).
15. U.S. Department of Defense, Information Security Program Regulation, DoD 5200.1-R, Chap. II, §2-302, June 1986.
16. A. F. Van Cook, "Downgrading and Declassification—Some Observations," J. Natl. Class. Mgmt. Soc., 3(1), 11–18 (1967), p. 12.