FAS | Government Secrecy | Library ||| Index | Search | Join FAS

Keeping the Nation's Secrets:

A Report to the Secretary of Defense
By the Commission to
Review DOD Security Policy and Practices

(1985)

"We should begin by recognizing that spying is a fact of life... (But) we can counter this hostile threat and still remain true to our values. We don't need to fight repression by becoming repressive ourselves... But we need to put our cleverness and determination to work, and we need to deal severely with those who betray our country... There is no quick fix to this problem. Without hysteria or finger-pointing, let us move calmly and deliberately together to protect freedom."

Ronald W. Reagan
June 29, 1985

Table of Contents

Letter of Transmittal

Members of the DoD Security Review Commission

Introduction

Executive Summary

Overview

Policy and Procedures

Management And Execution
Resource Impact

Conclusion

Appendices

Letter of Transmittal

OFFICE OF THE SECRETARY OF DEFENSE
WASHINGTON, D.C. 20301

DoD Security Review Commission

19 November 1985

The Honorable Caspar W. Weinberger
Secretary of Defense
Washington, D. C. 20301

Dear Mr. Secretary:

On June 25, you established the DoD Security Review Commission. Pursuant to its charter, the Commission has examined relevant DoD policies and procedures; reviewed recent security incidents and pertinent studies and reports; conducted numerous interviews of cognizant officials, within and outside the Executive Branch, as well as of knowledgeable individuals from the private sector; solicited written views from an even wider community; examined several security systems and organizational arrangements; identified key vulnerabilities and deficiencies; and devised remedies which are consistent with accomplishment of the Department's overall mission, protection of individual rights and fiscal constraints.

I have the honor of transmitting herewith the Report of the Commission. My distinguished colleagues have asked me to underscore that this document, including its sixty-three recommendations, are unanimously agreed.

We, the Commissioners, are persuaded that implementation of our recommendations would result in significantly improved security for classified information by enhancing deterrence and providing greater likelihood of detecting potential or actual compromise at an earlier stage. Loss of our secrets whether through espionage, theft or unauthorized disclosure for other reason - will never be eliminated, but the opportunities therefor can be diminished and attempts at compromise made more difficult at acceptable - indeed modest - cost.

Sincerely,

Richard G. Stilwell
General, USA (Ret.)
Chairman

Attachment
Report of the Commission

Members of the DOD Security Review Commission

			COMMISSIONERS

Richard G. Stilwell			Robert W. Helm
General, U.S. Army (Ret.)		Assistant Secretary of Defense
Chairman				(Comptroller)

Arthur E. Brown				Fred C. Ikle
Lieutenant General, U.S. Army		Under Secretary of Defense (Policy)
Director of the Army Staff

					Robert L. J. Long
John L. Butts				Admiral, U.S. Navy (Ret.)
Rear Admiral, U.S. Navy
Director of Naval Intelligence		William E. Odom
					Lieutenant General, U.S. Army
Jerry L. Calhoun			Director, National Security Agency
Acting Assistant Secretary of Defense
(Force Management and			Winston D. Powers
Personnel)*				Lieutenant General, U.S. Air Force
					Director, Defense Communications
					Agency
Chapman B. Cox                                  
Department of Defense General
Counsel					Robert D. Springer
					Lieutenant General,  U.S. Air Force
William 0. Cregar			Inspector General of the Air Force**
Director of Security
E. I. duPont deNemours & Co.


James P. Wade				James A. Williams
Assistant Secretary of Defense		Lieutenant General, U.S. Army
(Acquisition and Logistics)		Director, Defense Intelligence Agency

	*Lawrence J. Korb, Assistant Secretary of Defense (Force Management 
	and Personnel), served on the Commission until August 31, 1985

	**Monroe W. Hatch, Lieutenant General, U.S. Air Force, Inspector 
	General of the Air Force, served on the Commission until july 15, 1985

COMMISSION STAFF

L. Britt Snider, Staff Director*
Richard F. Williams, Assistant Staff Director

Professional Staff Members

David H. Bier, U.S. Navy
Doyal L. Edwards, U.S. Air Force
William M. Hix, Colonel, U.S. Army
George L. Jackson, Captain, U.S. Navy
Harold H. Nicklas, Jr., Colonel, U.S. Army

Administrative Staff

Martha Nadine Smith, U.S. Army
Irene D. Larrow, U.S. Navy
Noel E. Sills, Staff Sergeant, U.S. Air Force

Consultant

Charles A. Krohn

	*William R. Fedor served as Staff Director until September 29, 1985

Introduction

On June 25, 1985, Secretary of Defense Caspar W. Weinberger established the Department of Defense Security Review Commission in the wake of the arrests of three retired and one active duty Navy member on charges of espionage. The Commission was directed to "conduct a review and evaluation of DoD security policies and procedures" and "identify any systematic vulnerabilities or weaknesses in DoD security programs, including an analysis of lessons learned from incidents which have occurred recently, and make recommendations for change, as appropriate." Appendix E contains the Commission's charter and terms of reference.

The Commission began its work by reviewing extant policy, programs, and procedures in the security area. It also reviewed the recommendations of other bodies which have recently urged changes to DoD security policies and procedures, notably the Subcommittee on Permanent Investigations of the Senate Government Affairs Committee and the DoD Industrial Security Review Committee (the "Harper Committee"). The Commission specifically addressed each of the problems raised by the reports of both bodies where DoD itself had not already taken action on their recommendations. Previous DoD reports in this area were also reviewed and analyzed, as were a number of audit, inspection, and survey reports of various, DoD components.

The Commission also solicited recommendations for improvement from DoD components, other departments and agencies in the Executive Branch, congressional staffs, defense contractors, and private citizens and organizations. Testimony before the Commission was presented by 34 witnesses (see Appendix A for identification). In all, more than 1,000 recommendations were received and considered.

The Commission held 17 separate formal sessions commencing on June 26, 1985 and lasting through November 6, 1985. In addition to these formal sessions, Commission members conducted separate interviews with selected corporate officials whose companies held classified defense contracts and received written views from 24 others, in order to obtain greater industry participation. (See Appendicies B and C for identification.) Informal discussions were also held with a number of other individuals who held views on the conduct of DoD's security programs.

The Commission was briefed in detail regarding past and pending espionage prosecutions, and many of the Commission's recommendations are directed at vulnerabilities apparent from the misconduct proved or alleged in these cases. However, inasmuch as the Commission wished to avoid any action that could jeopardize any pending prosecution, this report does not refer to them, or to actions alleged to have been committed by any defendant, as the basis for specific recommendatons.

The Commission's report focuses upon the protection of classified information. While fully aware of the importance of protecting unclassified but sensitive information -- a monumental "security" problem in its own right -- the Commission did not interpret its charter as requiring an analysis in this area. However, it urges more expeditious implementation of the authority given the Secretary of Defense to withhold from public disclosure unclassified technical data which is subject to export controls.

The Commission's recommendations relate primarily to countering the human intelligence threat as contrasted with the threat posed by collection through technical means. Although fully aware of the vulnerability of communications networks and automated information systems to compromise by technical means, the Commission did not assess the current capability to prevent such collections. The Commission took note that inter-agency mechanisms have recently been established at national level to develop effective technical solutions in this very complex and increasingly important area. For its part, the Commission endorses the need for accelerated research to support this effort.

The report does not address, and, unless specifically stated, does not affect policies and procedures for the protection of Sensitive Compartmented Information (SCI), which are under the purview of the Director of Central Intelligence (DCI).

The report provides only a general description of DoD security programs because it would require volumes to detail the myriad of policy and procedure in this broad and complex area. However, the report does treat the major policies and procedures and attempts to identify short-comings and vulnerabilities that are amenable to practical solution. Those solutions are set forth in the report, but without analysis of the competing alternatives within the text.

This is not to say that other alternatives were not considered; they were. Based upon the evidence before it, the Commission arrived at a unanimous position with respect to those recommendations which would be effective, given the nature of the problem, and those which would be feasible, given existing law, policy, and operational impact.

Executive Summary

Each year thousands of classified programs and projects are carried out by the Department of Defense, through its components and its contractual base, in a wide variety of operational and geographical settings. These activities generate millions of items of classified information, ultimately disseminated to almost four million individuals who require such information to perform their assigned tasks. This classified information is not only in the form of documents. An enormous inventory of classified equipment, both end items and components, must be safeguarded; and, increasingly, classified data is being processed, transmitted and stored electronically, posing serious new problems of protection.

Arrayed against this vast and immensely important target are the intelligence services of the Soviet Union, its surrogates and other countries with interests hostile to the United States and its allies. In combination, those services conduct massive and highly organized collection operations to acquire all information, classified and unclassified, of military value. Although a variety of means, both human and technical, are employed, human collection constitutes the more significant threat within the continental United States today.

Protecting a nation's defense secrets from compromise is an age-old challenge. However, the stakes for the United States have never been higher. Given the extraordinary importance of advanced technology to our nation's military capabilities, its loss to a potential adversary -- by espionage, theft or other unauthorized disclosure -- can be crucial to the military balance. So, too, can comprise of operational plans or battle tactics. Thus to the extent that classified information can be kept from the hands of those who may oppose us, the qualitative edge of United States military forces is preserved and their combat effectiveness assured.

The Department of Defense has countered the threat posed by hostile intelligence services by establishing a comprehensive set of policies and procedures designed to prevent unauthorized persons from gaining access to classified information. Some of these policies implement national directives; others were promulgated by the authority of the Secretary of Defense.

The need to protect classified information is taken as an absolute imperative in principle. In reality, however, policies fashioned to protect classified information are tempered by budgetary constraints, operational necessities and the basic rights of individuals. Moreover, some security practices continue in effect even though demonstrably unproductive.

Policymaking in the security area is centralized, but implementation is properly left to DoD components who provide instructions to thousands of commanders and supervisors around the world. In the final analysis, safeguarding classified information comes down to proper supervision and the individual's responsibility to apply the rules.

General Assessment

In general, the DoD security program has been reasonably effective. When considering the potential for compromise, known DoD losses have been relatively few. Some losses, however, have proved gravely damaging. While no system of security can provide foolproof protection, it can make espionage more difficult to undertake and more difficult to accomplish without detection; and it should miminize the compromise of classified information whatever the cause. In these respects, DoD's current program falls short of providing as much assurance as it might.

The reason, in part, is technical. There are insufficient technical means available to securely process, transmit and store classified information in electronic form. But important as this might be, the far greater challenge is people -- those who create and handle classified information, those who disseminate it, and those who oversee its protection. While the overwhelmingly majority carry out such functions responsibly, there are some who fail to do so. And the current security system falls short in limiting the opportunities for errors of omission or commission; in providing the means to identify those who transgress; and in dealing appropriately with the transgressors.

This, then, was the focus of the Commission's inquiry: how can the DoD security system be improved to ensure that only trustworthy persons are permitted within it; that they abide by the rules; that those who choose to violate the rules are detected; and those who are detected are dealt with justly but firmly.

Key Findings and Recommendations

The report contains numerous recommendations to improve the security of classified information within DoD. Highlighted below are the Commission's key findings and summaries of major recommendations.

FINDING: Requests for security clearance must be reduced and controlled. DoD components and contractors request security clearances for many individuals who do not need continuing access to classified information. Unjustifiable requests overburden the investigative process and pose an unneeded security vulnerability. Although some reductions have already been achieved, better means of control are esssential.

RECOMMENDATIONS:

FINDING: The qualiy and frequency of background investigations must be improved. The investigative basis for award of a SECRET clearance is a personal history statement and a National Agency Check which provide extremely limited knowledge of the subject. DoD conducts background investigations for TOP SECRET clearances. It conducts five-year reinvestigations only for TOP SECRET clearances and SCI accesses, and is far behind schedule in meeting this requirement.

RECOMMENDATIONS:

FINDING: The Department's most sensitive information must be accorded higher priority in attention and resources. Although the counterintelligence-scope polygraph examination is the one investigative tool which might have prevented -- or earlier detected -- recent acts of espionage, its use in the Department is severely restricted, in time and scope, by the Congress. There are no special eligibility criteria for personnel handling cryptographic materials despite their transcendent importance to an adversary. Only those individuals who have access to nuclear weapons are currently monitored formally for trustworthiness and stability. By definition, Special Access Programs are established to provide extraordinary security protection; in fact,some do not.

RECOMMENDATIONS:

FINDING: The adjudication process in which security clearance determinations are rendered must be improved. There is reason for concern about the efficacy of the adjudication process. The denial rate is low throughout the DoD but nonetheless varies widely among the military departments and defense industry. Although adjudication is the final step in determining eligibility for access to classified information, such decisions are made on the basis of vague criteria, and many adjudicators are inadequately trained. As a result, it is possible to reach different adjudicative determinations in applying the same guidelines to a given set of investigative findings.

RECOMMENDATIONS:

FINDING: Classified information must be better controlled. There are no uniform controls over SECRET information, or any requirement, apart from records disposition schedules, for unneeded classified documents to be periodically destroyed. There is no overall policy governing access to areas containing sensitive information or search of persons entering or leaving DoD installations.

RECOMMENDATIONS:

FINDING: Further initiatives are needed to counter the effectiveness of hostile intelligence activities directed at DoD. Although recent congressional and Executive Branch actions are important, more should be done to limit the size of the hostile intelligence presence within the United States and to constrain its freedom of action. Counterintelligence capabilities should be strengthened and greater efforts made to detect contacts with hostile intelligence services. Security awareness activities need to be substantially increased and their quality improved.

RECOMMENDATIONS:

FINDING: The professionalism of security personnel must be enhanced. DoD does not prescribe minimal levels of training for security personnel. In general, training is narrow in scope and coverage, is not mandatory and does not lead to official certification. Some individuals performing security duties do not adequately understand overall security concepts.

RECOMMENDATIONS:

FINDING: Substantially increased basic research is needed to guide security policy and practice. The Commission's work was hampered by the lack of firm data and meaningful analysis in several aspects of the security equation. There is minimal ongoing research although the potential dividends from a purposeful effort into a wide range of security-related matters are high.

RECOMMENDATIONS:

FINDING: More effective action should be taken against those who violate security rules. While sanctions available to remedy security violations by uniformed military personnel appear adequate, remedies with respect to civilians and contractors are not. Moreover, those remedies which are available could be better utilized.

RECOMMENDATIONS:

FINDING: The state of DoD security is critically dependent upon the actions of commanders and supervisors at all levels. Security is everybody's business and, most notably, that of the individual in charge. As with all other responsibilities vested in them, it is incumbent upon commanders and supervisors to underscore the importance of the security function by personal example, by setting forth the rules, by inspecting for compliance and by disciplining those who fall short. Throughout DoD, discharge of this responsibility is uneven. Insufficient attention has been given to the overall purpose of security as it relates to organizational mission, to observation of subordinates' security performance and insuring that basic security principles are adhered to in practice. The key to genuine improvement in DoD's security posture is continuing, pervasive oversight by commanders and supervisors at all levels.

RECOMMENDATIONS:

Resource Impact

While the resource impact of its recommendations cannot be determined with precision, the Commission estimates that the cost of implementing them would be relatively modest. If these recommendations are approved, DoD components should be directed to begin accommodating these increased outlays within the normal program/budgeting process.

Conclusion

The Commission believes that increased priority must be accorded DoD security efforts to provide reasonable assurance that the nation's secrets are protected. More resources should be allocated to security, even at the expense of other DoD programs. New safeguards must be established and old ones improved, even at some cost to operational efficiency and convenience. This is not to say that some resources cannot be saved, or operational efficiency improved, by eliminating burdensome and unproductive security requirements. Indeed, a number of such changes are recommended. But on the whole, a DoD must be willing to pay the price to protect its secrets.

The Commission arrives at this conclusion mindful that security plays a supporting role in the successful accomplishment of DoD's mission. But the success of any classified project or operation will be short-lived at best if, at the same time, the results have been revealed to potential adversaries, who are then enabled to develop countermeasures at a more rapid pace than otherwise. As bureaucratic and mundane as security requirements sometimes appear, they offer the only systematic means available to protect and preserve the defense community's triumphs and advances, over time. Security must be given its fair share of serious attention and its fair share of resources.

Overview

The might of a nation is typically expressed in terms of its resources, including its military capability, wealth, natural resources, population, industrial capacity, agricultural production and geographic features. A nation's knowledge (or information) is an important component of its might; the importance of knowledge to national power has grown markedly since World War II because of the increased importance of sophisticated systems and processes in military operations, industrial and agricultural production, transportation and other major activities. The growth in importance of knowledge to national might has been accompanied by nations' awareness that they can reduce the cost and time required to advance their own knowledge if they can obtain other nations' information -- with or without their concurrence.

The United States has, as a matter of national priority, sought to expand its knowledge and has allocated huge sums of money to programs designed to increase its knowledge across a wide range of subjects and disciplines. As the leader of the free world, the United States has willingly shared its military and other information with allies and other nations that share common purposes. At the same time, the United States has sought to deny its hard-earned knowledge, including our nation's secrets, from those who might use them against us in the future. Keenly aware of the role of knowledge and information to national might, the Commission gave great attention to DoD classified information, the hostile threat to it and the Department's efforts to protect these vital national resources.

The Target

The Department of Defense, together with its contractual base, constitutes a target of immense size and importance to the intelligence services of nations with interests inimical to the United States and its Allies. Given the major role of our Armed Forces as an instrument of U.S. foreign policy, DoD is involved in virtually every national security decision; and the myriad classified plans, programs, and actions that derive from those decisions reflect U.S. intentions and capabilities in peace, crises and war. With few exceptions, our fielded weapon systems are the world's most effective; and our laboratories and test facilities have the requisite lead in most militarily-relevant areas of research and applied technology, assuring the qualitative advantage of future weapon systems. A huge intelligence organization supports all these activities.

It follows that most elements of the Department must deal with classified information. Thousands of classified programs and projects are carried out annually throughout the large and complex structures of the three Military Departments, the Office of the Secretary of Defense, the Organization of the Joint Chiefs of Staff, the Unified and Specified Commands, and the Defense Agencies. The geographic distribution of classified information is also extensive. DoD maintains an official presence -- some very large, as in Western Europe and Korea -- in 95 countries. Additionally, vast quantities of classified documents, technical data, and equipments are released to Allied and friendly governments and to international organizations under bilateral and multilateral arrangements.

The volume of classified material produced, received, transmitted, and stored within DoD is staggering. DoD reported that some 16 million documents were classified in 1984. The number of classified documents actually maintained in DoD filing systems and those of its contractors is unknown; however, an estimate of 100 million is not unrealistic.

But size alone does not begin to convey the dimensions of the task of protecting classified information. DoD, for example, maintains enormous inventories of classified end items and components, which require different protection than documents. Similarly, the DoD is moving at a bewildering rate from controlling "hard-copy" documents to controlling classified information electronically stored and transmitted by automated data processing systems. Within DoD, there are an estimated 16,000 computers, most of which process information of value to an adversary, and many of which are internetted. And not only government facilities are involved -- classified work is presently progressing at over 13,000 cleared defense industrial firms.

Not surprising, 90 percent of the personnel in the Executive Branch who have security clearances are in DoD. 2.6 million uniformed and civilian personnel hold some form of clearance (after the 10 percent reduction mandated in June 1985 by the Secretary of Defense). These are augmented by 1.2 million cleared industrial employees. (DoD, incidentially, administers industrial security not only for itself but for 18 other Executive departments and agencies.) A substantial number of these cleared personnel -- military, civilian and contractor -- are located outside the continental United States.

In short, the challenge of protecting United States defense secrets is of almost immeasurable scope.

The Threat

The Soviet Union, its Warsaw Pact and Cuban surrogates, and other countries with interests adverse to the United States, have conducted and will continue to conduct massive and highly organized intelligence gathering operations against DoD personnel, installations, and contractors. Such operations utilize both human and technical collectors targeted against classified and unclassified information of military value.

Unclassified information available to the public is systematically exploited by the intelligence services of these countries, and, by authoritative accounts, comprises t he bulk of information being collected. Unclassified information which is not available to the public generally, but which is militarily significant, is also sought through a wide variety of sources. For example, information which is transmitted electronically through the air can be presumed to be within the reach of hostile intelligence. Similarly, it can be presumed that hostile intelligence will exploit every chance to acquire information of military value through industrial sources; through attendance at scientific and technical conferences; or through purchase, direct or via intermediaries.

Classified miltiary information presents a more lucrative, if more difficult, target. Since such information is not, in theory, made public or transmitted over means which permit exploitation, the avenue to it is usually through persons who have, or may attempt to gain, authorized access. Indeed, there are hundreds of contacts with suspected intelligence agents reported by DoD personnel and contractors every year, evidence of an active and continuing effort at recruitment. Unfortunately, there are numerous examples where DoD employees and contractors have volunteered their services, offering to sell classified information to which they have access. While evidence suggests that such disaffections are rare when compared to the size of the defense community, one person with sufficient access to classified information may be in a position to do incalculable harm to the national security, to include jeopardizing the lives of Americans.

It also merits underscoring that the same level of damage to the national security can be caused by persons who are not in the employ of a foreign power. The transmittal of classified information to unauthorized persons -- whether by indiscretion or wittingly -- places it beyond government controls. One must therefore assume that it may ultimately appear in the data bank of a hostile intelligence service.

None of this is new; indeed, espionage is as old as the relationship between nations, and unauthorized disclosures of defense secrets have plagued governments for centuries. The stakes today, however, are much higher than ever before. Given the extraordinary importance of sophisticated technology to our nation's military capabilities, its loss to a potential adversary -- by espionage, theft or unauthorized disclosure -- can have a substantial and long-term bearing upon the military balance of power. Similarly, the loss of operational plans or tactics can provide an adversary with precisely the edge needed to defeat United States forces in combat. To the extent, therefore, that classified information can be kept from the hands of those who may oppose us, the effectiveness of United States military forces is preserved and extended for longer periods at lower costs to the defense effort.

The DoD Response: In Retrospect

Responding to the hostile intelligence threat over the years, DoD has established for its components and contractors a comprehensive set of policies and procedures to prevent access to classified information by unauthorized persons. Some of these policies and procedures implement law and national policy; many DoD promulgates on its own authority. In either case, however, DoD typically has determined how classified information will be protected against specific vulnerabilties by adjusting policy and procedure to the resources available, or which can reasonably be obtained, and to the probable impact of such policies and procedures on mission accomplishment. Thus, even though the protection of classified information is, in general, taken as an absolute imperative, how this is accomplished often gives way to practical considerations of budget constraints and operational necessity. Moreover, even after policies and procedures are agreed to, these same considerations affect the level of implementation. Policies and procedures which are not adequately funded fall short of their objective; those which are perceived as interfering unduly with mission accomplishment are often not enforced.

Inadequately implemented policy and procedure does not constitute, however, the entire problem. Some policy and procedure continue to be implemented after they have proved to be ineffective, and, on balance, a waste of resources. Elimination or adjustment of long-time practice, despite demonstrated reason therefor, has proven difficult for security policymakers.

While policymaking is centralized at OSD level, implementation is properly left to DoD components who provide instructions to thousands of commanders and supervisors at installations and facilities around the world in a variety of operational settings. Posters in the Pentagon proclaim that "Security is Everyone's Business," and certainly, in the final analysis, protecting classified information comes down to the responsibility of individual employees to apply the rules and proper supervision.

Despite the complexity of policy and procedure and the vast population of cleared personnel governed by it, the DoD security program must be regarded as reasonably effective. Considering the potential for compromise, known DoD losses have been, on the whole, relatively few. Some of these, however, have proved gravely damaging. Clearly there is room for improvement. Many people are cleared who do not need access to classified information. Background investigations yield relatively little derogatory information on those being cleared, and under the existing adjudication process, far fewer still are actually denied a clearance. Once cleared, very little reevaluation or reinvestigation actually occurs, and relatively few indications of security problems are surfaced. The principle that a cleared individual is authorized access only to that information he "needs-to-know" is generally not enforced. For those contemplating espionage or intent on compromise of classified information for other reasons, the system does not provide sufficient deterrence. Moreoever, the volume of classified information created and stored within DoD, and the less-than-stringent manner in which it is sometimes handled internally, often present opportunities to the would-be culprit that should not otherwise arise. Security regulations are often violated but only serious cases are typically made a matter of report; few of those are investigated, even where a pattern of such conduct is in evidence; and fewer still result in punishment.

Policy and Procedures

DoD policy and procedures to protect classified information are grouped into three categories: those that seek to insure that only trustworthy persons have limited and continuing access to classified material; those that regulate and control the information itself; and those that seek to cope with the hostile intelligence threat to the information. The effectiveness of the Department's classified information control system is largely a function of the success of these policies and procedures.

Gaining and Maintaining Access to Classified Information

Persons may gain access to classified information needed to perform official duties after receiving a security clearance. Requests for clearance originate with and are validated by the organizations to which individuals are assigned or the defense contractors with which employed. They are submitted together with a personal history statement filled out by the subject, to the Defense Investigative Service (DIS), which carries out appropriate background checks, based upon the level of clearance requested. Normally only TOP SECRET clearances require field investigation; SECRET and CONFIDENTIAL clearances generally require only a check of the records of relevant government agencies. The results of these investigations are returned, in the case of DoD personnel, to the requesting component and, in the case of defense contractors, to the Defense Industrial Security Clearance Office in Columbus, Ohio, for final processing. A decision to award a security clearance takes into account all the factors involved in a particular case, and is made on the basis of an overall, common sense determination that access by the individual concerned is "clearly consistent with the national security", the standard for civilian employees set forth in Executive Order 10450 or, in the case of industrial employees, Executive Order 10865. Once a clearance has been awarded, it remains valid until the requirement for access to classified information is terminated. However, receipt of adverse information regarding an individual may lead to a "readjudication" of his or her clearance. Those who have TOP SECRET clearances or SCI access are required to be reinvestigated every five years although, due to lack of sufficient resources being allocated, DoD lags far behind in meeting the TOP SECRET requirement.

The Commission notes that virtually all of the extant federal policy with respect to gaining and maintaining access to classified information, including the revision of Executive Order 10450, is under review by an interagency working group, chartered under National Security Decision Directive 84, and chaired by the Department of Justice. Unfortunately, this project has been delayed for many months awaiting Administration approval of the working group's proposed course of action. The Commission urges the Secretary to continue to press for National Security Council approval of this inter-agency group's terms of reference for revamping federal policy in this crucial area.

Requests for Security Clearances

There is no effective mechanism in place for adequately screening requests for security clearances to ensure that nominees actually need access to classified information. Components and contractors frequently request security clearances to provide additional assurance regarding the trustworthiness of their employees, even if they have no need for access to classified information. In many cases, persons are nominated for clearances because they were previously cleared and want to maintain such status. There is also a common practice of clearing those who may physically require access to a controlled area, regardless of whether such persons need access to classified information. Similarly, clearances are sometimes requested to avoid the requirement to escort uncleared persons in a classified area, even where such persons need not be exposed to classified information. Further, many contractors nominate employees for security clearances to establish and maintain a "stockpile" of cleared employees to be in a better competitive position to obtain classified work.

These practices are very damaging in two respects. Where TOP SECRET clearances are concerned -- which require substantial field investigation and reinvestigations -- unjustified requests delay the clearances and reinvestigation of those who legitimately -- and sometimes urgently -- need access. Such delays necessarily result in lost time in a productive capacity both in DoD components and in industry. Moreover, overburdening field investigators erodes the quality of investigations.

The recent action of the Secretary of Defense to direct an across-the-board 10 percent reduction in the number of existing clearances, and, concomitantly, his instruction to reduce by 10 percent the number of new clearance requests to. be made in fiscal year 1986 should provide an immediate, if temporary, control of the process. More permanent means of control are essential and feasible.

The first is to adopt a system of billet control for TOP SECRET similar to that in effect for SCI accesses. Each component would identify those positions within its respective organization which required a TOP SECRET clearance. These would then be validated and maintained by appropriate authority. Only persons coming into such validated positions would be eligible for a TOP SECRET clearance. When they left such positions, the clearance would lapse. Provisions would be made to adjust the number of authorized positions based upon new classified functions or contracts, as validated by appropriate authority.

The second is to remove from the security clearance process those individuals who require access to classified facilities but not to classified information; and to institute other procedures to assess their reliability.

The third is to reaffirm the policy that the continuing need for access to classified information is the condition precedent for requesting a security clearance while, concurrently, authorizing responsible officials to grant one-time access to the next higher level of classification to meet unforeseen contingencies.

RECOMMENDATIONS:

Eligibility for Security Clearances

Current DoD policy permits immigrant aliens (i.e., foreign nationals admitted into the United States for permanent residence) to receive SECRET security clearances based upon DoD's need to utilize the special expertise possessed by that individual, provided DoD has the ability to establish investigative coverage for the previous 10 years. Currently, native-born and naturalized United States citizens may be cleared at any level; no distinction is made based upon country of origin and no additional residence requirement exists for naturalized citizens (who typically must have maintained residence in the United States for a minimum of five years as a condition of naturalization). Dual citizens are treated as United States citizens. Foreign nationals who are employed by DoD do not receive security clearances, per se, but, with high-level approval, may receive a "Limited Access Authorization", which entitles them to access up to SECRET level information for a specific purpose.

Although there are relatively few cases where these policies are known to have led to penetrations of DoD by hostile agents, they undoubtedly increase that risk. Policies can be tightened without jeopardizing DoD's use of such individuals, with due regard for their rights as recognized under United States law.

RECOMMENDATIONS:

Initial Investigations

Largely due to requirements originating from the DCI (for SCI access) and the Office of Personnel Management (OPM) (for civilian employees of DoD), DIS conducts three different types of background investigation for TOP SECRET clearance. A SECRET clearance is granted on the basis of only a National Agency Check (NAC); a CONFIDENTIAL clearance is similarly based upon a NAC.

Unless the existence of potentially derogatory information is indicated by the subject on his personal history statement, the sum total of investigation performed by DIS for a SECRET clearance consists of a check of FBI criminal records and a check of the Defense Central Index of Investigations, which would indicate any previous investigations by DoD elements.. Thus, unless the subject himself suggested the existence of possible derogatory information, the NAC would likely turn up only evidence of criminal involvement with the federal system. The Department has long recognized the inadequacy of the NAC. However, since there are more than three million persons with SECRET clearances and more than 900,000 SECRET clearances are granted each year, adding field investigations for SECRET clearances could require as much as a quadrupling of DIS investigative resources. Thus, expansions of the investigations required for SECRET clearances have been heretofore regarded as infeasible.

On the average, the background investigation for TOP SECRET currently takes 90 days. A NAC, required for a SECRET clearance, presently averages 60 days. If the case turns up derogatory information that must be further developed, or if it involves investigative leads abroad or that are otherwise difficult to accomplish, the processing time may be considerably extended. Individuals who are awaiting completion of their security checks may not have access to classified information. Interim clearances may be awarded, however, based upon case-by-case justification, allowing interim access to TOP SECRET information based upon the submission of a "clean" personal history statement and a NAC, and interim access to SECRET based upon submission of a personal history statement, without having to await completion of the field investigation. If derogatory information should turn up in the course of the field investigation, the interim clearance is immediately withdrawn pending resolution of the case. Although precise figures are not available, it is clear that the costs to DoD, in terms of lost production capability that result from employees and contractors awaiting for background investigations to be completed, are substantial.

Given the relatively small number of cases in which derogatory information is developed by the initial investigation where the personal history statement indicates no adverse information, the Commission believes the Department would incur small risk in providing interim access to information classified at the SECRET level for a period of several weeks, based upon the submission of a "clean" personal history statement. Adoption of this procedure DoD-wide would enable both DoD components and contractors to utilize their employees in cleared positions at a much earlier stage, avoiding considerable costs in terms of lost productivity.

Normally, DIS investigators doing background investigations receive excellent cooperation both from official and private sources of information. There has been a long-standing problem, however, with several state and local jurisdictions that refuse to provide DIS with certain criminal history information concerning the subjects of background investigations. Frequently these problems arise from state or local law, or the interpretations of such law made by local authorities, precluding the release of criminal history data which did not result in convictions or release for other than law enforcement purposes, even though the subject has consented to the release of such data. Where this problem exists, DoD is forced to determine the clearance without benefit of potentially significant criminal history data.

The Intelligence Authorization Bill for FY 1986, as reported from the conference committee, contained a provision which provides DoD, OPM, and CIA investigators access to state and local criminal history records notwithstanding state or local laws to the contrary. If enacted, this measure should provide DoD with the legal authority needed to access such data.

RECOMMENDATIONS:

Adjudication

The results of background investigations requested by DoD components are returned to central adjudication points* within each DoD component for processing in accordance with DoD Regulation 5200.2-R, the basic DoD personnel security regulation. The investigative reports on contractor employees which contain significant derogatory information are sent to the Defense Industrial Security Clearance Review (DISCR) Office where they are adjudicated in accordance with DoD Directive 5220.6. Both DoD Regulation 5200.2-R and DoD Directive 5200.6 contain adjudicative guidelines for those charged with making clearance determinations. The adjudicative criteria in DoD Directive 5200.6 have recently been revised to mirror those in DoD Regulation 5200.2-R, with the exception of the criteria relating to criminal misconduct. Under the industrial criteria, a person who is convicted of a felony, or admits to conduct which would constitute a felony under state or local law, cannot be granted a security clearance unless a waiver is approved by the Under Secretary of Defense for Policy for compelling national security reasons. Under the guidelines applying to military and civilian personnel, such conduct is considered a factor, but not in itself determinant of the clearance decision.

Experience has demonstrated that the adjudication criteria in both regulations are stated so generally that it is possible for different adjudicators to arrive at different determinations after applying the same guidelines to a given set of investigative results.

DoD requires no formal training for persons performing adjudicative functions. Indeed, no such training is conducted beyond an occasional seminar. The application of adjudication guidelines thus becomes largely a matter of on-the-job training. Moreover, the grade levels of adjudicators appear uniformly low, considering the degree of judgment and skill required. (See discussions on "Training" and "Career Development" below.)

All of these factors tend to produce inconsistent, uneven results in terms of adjudications. While no precise analysis of the extent of this problem was available to the Commission, there is little confidence that the adjudication process in many DoD components guarantees the same results based upon a given set of investigative findings. The imprecision of adjudicative standards partially explains why relatively few clearances are denied on the basis of the initial investigation. In the absence of definite standards, adjudicators, using their own "overall common sense" yardstick, may be inclined to conclude that access by the subject is "not clearly inconsistent" with the national security, regardless of the investigative findings involved. In fact, with respect to DoD components, only 2.5 percent of the initial clearance determinations resulted in denials in 1984. With respect to contractors, only 0.2 percent of the cases resulted in denials.

Clearly, there is a pressing need to improve the adjudication process, the ultimate step in determining an individual's trustworthiness for access to classification information. The key requirement is the enunciation of more precise criteria and, particularly, better definition of behavior which is, per se, not consistent with the national security. This is a fertile area for research, as there is scant empirical data available on which to base sound standards. One approach to this task might be to analyze the "Statements of Reasons" issued by the Defense Industrial Security Clearance Review Office to justify the denials of industrial clearances. Such analysis should begin to produce more concrete, better defined criteria for denials which have also been subjected to legal review.

RECOMMENDATIONS:

Periodic Reinvestigations

Recent espionage cases have involved persons with security clearances who were recruited by or offered their services to hostile intelligence services. The Department has an obvious need to ensure that persons who are being initially cleared have not been recruited and are not vulnerable to recruitment by hostile intelligence. As a practical matter, however, the greater and more probable threat to DoD security is the individual who is recruited after he has been cleared. Nevertheless, DoD has devoted relatively small investigative resources to reinvestigations.

Since 1983*, the Department has required reinvestigations at five-year intervals of persons holding TOP SECRET clearances and SCI accesses. These are comprehensive investigations, but have so far resulted in very few terminations. Moreover, DIS is far behind schedule in completing these reinvestigations.

Since 1983, DIS has conducted roughly 27,000 such investigations a year. But given there are approximately 700,000 persons in the affected categories, it would be impossible to eliminate the backlog if the same level of effort continues. Fortunately, the Congress has approved an additional 25 million dollars for DIS in fiscal year 1986 to be applied to the existing backlog of periodic reinvestigations. If this level of effort remains constant, DIS expects to be back on schedule in five years.

No periodic reinvestigations are required for SECRET or CONFIDENTIAL clearances, and, given the volume of such clearances now in existence (3.3 million SECRET and 400,000 CONFIDENTIAL), an across-the-board requirement to conduct reinvestigations for SECRET clearances will not be feasible without a substantial increase in DIS investigative resources. However, it should be feasible to conduct some reinvestigations in the SECRET category where the subject has access to information of unusual sensitivity.

RECOMMENDATIONS:

Use of the Polygraph as a Condition of Continuing Access

Polygraph examinations have been used in DoD for many years for a variety of purposes. Prior to 1985, however, the polygraph was not used within DoD as a condition of continuing access to classified information except at the NSA, and, since 1981, in a sensitive Air Force project.

While there were no legal restrictions on DoD use of the polygraph for this specific purpose before 1984, and it had been required for applicants for employment at both CIA and NSA for many years, DoD had refrained from using a broad lifestyle polygraph examination to supplement its personnel security program, largely out of concern for the privacy of, and fairness to, employees already on the rolls. In 1982, however, the Department proposed a modest expansion of the use of polygraph examinations, limited to questions of a counterintelligence (rather than personal) nature, and set forth a variety of procedural safeguards to ensure that its employees were treated equitably and with a minimum of personal intrusion. The objective was to authorize DoD components to use such examinations, under the ground rules established, as a condition of access to specially designated programs of high sensitivity.

This proposal, although endorsed by DoD components, was not implemented at the time because of congressional concerns regarding expanded use of the polygraph. After a number of hearings and consultations, however, the Department reached general agreement with the relevant congressional committees for a test of this concept in fiscal year 1985, limited to 3,500 counterintelligence-scope examinations. Authority to conduct such a test was included in the FY 1985 Defense Authorization Act.

Although the initial test had not been completed, the Armed Services Committees agreed, in conference action on the FY 86 Defense Authorization Bill, to extend the test program at the same 3,500-examination level for FY 86 and increase it to 7,000 for FY 87.

Based upon this action, DoD has directed the Army to serve as Executive Agent for polygraph training, and expand its training facility to accommodate 108 students annually, the increased output estimated to be required to carry out the 7,000 examinations authorized in FY 87. DoD components were encouraged to analyze their requirements and ensure they are satisfied.

While these actions are going forward, it is clear that the limited, year-to-year authorization, apparently favored by the Armed Services Committees, is impeding the planning and successful execution of the expansion of the DoD training facility, and, accordingly, the program as a whole. It is simply not feasible to concert long-term arrangements and attract high-caliber personnel to commit to them, based upon an uncertain, year-to-year authority.

The Commission is convinced that the counterintelligence-scope polygraph is the primary technique currently available to the Department which offers any realistic promise of detecting penetrations of its classified programs by hostile intelligence services. Moreover, even the possibility of having to take such examinations will provide a powerful deterrent to those who might otherwise consider espionage. Accordingly, the Commission urges that a substantial, albeit gradual, expansion of the Department's program should be undertaken.

Obviously, because of the very limited capability DoD now possesses to conduct polygraph examinations, its limited ability to train new examiners in the near-term, and its determination to maintain the stringent quality controls that characterize this program, DoD will be constrained to relatively small numbers of examinations for some time to come. It makes sense, therefore, to utilize them on a systematic basis only for specially-designated TOP SECRET and Special Access Programs as the Congress has approved. It would also be desirable, however, for persons cleared at the SECRET and TOP SECRET levels to face the possibility of a randomly administered polygraph examination at some time during their careers. Similarly, there may be programs classified at the SECRET level which themselves are of peculiar sensitivity to justify requiring such examinations of all participants. Under the formulation contained in the FY 1986 Defense Authorization Act, a limited polygraph examination within such categories would be barred.

RECOMMENDATION:

Establishing Special Controls Governing Access to Cryptographic Materials

Prior to 1975, the Department had special designations for persons who had access to, or were custodians of, cryptographic materials and equipment. Persons whose duties required such access were formally authorized access and required to sign briefing statements acknowledging their special responsibilities to protect this type of information. The program was discontinued in 1975, on the grounds that the administrative burden of the comprehensive program, which at that time included hundreds of thousands of DoD employees, did not justify the rather small benefits that were perceived.

It is clear, nonetheless, that cryptographic information continues to have crucial significance inasmuch as its compromise to hostile intelligence services can, in turn, lead to the compromise of any classified information being transmitted over secure voice or secure, data channels.

The Commission, thus, unanimously favors the reinstitution of special controls to govern access by DoD employees and contractors whose duties involve continuous, long-term access to classified cryptographic information in large quantities or with highly sensitive applications. Only U.S. citizens would be eligible for access, and they must, among other things, agree at the time access is given to take a counterintelligence-scope polygraph examination if asked to do so during their period of access. A "crypto-access" program with more focused coverage than before, which also provides greater deterrence, would fully justify the administrative burdens entailed.

RECOMMENDATION:

Continuing Command/Supervisory Evaluations

Commanders and supervisors at all levels of DoD and defense industry are charged by regulations with reporting to appropriate investigative authorities adverse information which could have a bearing upon subordinates' worthiness to retain a security clearance. Based upon the experience both of DIS and the military investigative agencies, relatively little such information is actually reported. For example, only about four percent of cleared defense contractors have reported such data. In part, this is due to the reluctance of commanders/supervisors to report matters, especially of a personal nature,which could affect their subordinates' reputations orhave a deleterious effect on morale. Another reason is that many commanders/supervisors are not sensitive to the significance of their subordinates' conduct from a security point of view. With respect to industry in particular, where the loss of a security clearance could mean the loss of ajob, many employers are reluctant to report adverse information to the government for fear of prompting lawsuits by the affected employee. Finally, as a practical matter, contractors typically exercise very little supervision over cleared employees assigned in overseas locations.

To encourage such reporting by industry, DoD clarified its policy in 1983 to state that it does not expect the reporting of rumor or innuendo regarding the private lives of cleared industry employees. Still, it does expect to receive reports of information which are matters of official record or of problems which have required professional treatment. Relatedly, cleared contractors do not now review that portion of an employee's personal history statement (i.e., "the privacy portion") that contains personal data (e.g., certain criminal history data, use of drugs) unless the employee consents to such review. As a consequence, information concerning the employee's background which may be known by the company and which would supplement or contradict that provided by the employee on the form is not being collected from the employer at the time the clearance is requested. The rationale for this policy is that DoD will obtain more information from contractor employees if they can be assured their employer will not have access; and, secondly, to prevent the employer from using such information for other purposes which could adversely and unfairly affect the employee, (e.g., terminate employment, reduce promotion chances).

The Commission believes the lack of commanders' and supervisors' involvement in the security process is cause for concern because the command/supervisory system offers the most likely means of identifying security problems, including indicators, of espionage, among cleared personnel. In virtually every recent espionage case, there has been evidence of conduct known to the commander/supervisor which, if recognized and reported, might have had a bearing on the continued access of the individual concerned and could have resulted in detection of espionage activities.

The Commission has already recommended, and the Deputy Secretary of Defense has approved, two actions to treat this problem. The first requires annual military and civilian performance and fitness reports be revised to incorporate a requirement for the commander supervisor to comment upon subordinates' discharge of security responsibilities. The second requires commanders and supervisors to review all personnel history statements submitted by subordinates with TOP SECRET clearances for purpose of initiating the required 5-year reinvestigations. If the commander/supervisor is aware of additional information concerning the employee which may have security signficance, he will be required to provide such information at the time the reinvestigation is requested. A copy of the Deputy Secretary's actions is included at Appendix D.

An additional and important means of involving commanders and supervisors in DoD components would be to institute a program modelled after the DoD Personnel Reliability Program (PRP) which is designed to ensure that persons with access to nuclear weapons remain trustworthy and stable while performing such duties and which has proved its effectiveness over the years. Under this program,'the commander/supervisor is required to make an initial evaluation of the individual and certify that, after review of the individual's pertinent records, he is fit for his anticipated duties. Periodic evaluation of participating personnel focuses upon indicators of possible unsuitability for continued duties. The same concept could be applied to a wide range of classified programs, although, given the resources required, it would likely have to be limited to specifically designated programs of particular sensitivity.

RECOMMENDATIONS:

Acquiring Information from Additional Sources

There are no formal channels in DoD for individuals to report information of security signficance except through their command or organizational channels. Similarly, employees in defense industry are advised to report information of security significance to their security officer or supervisor. This tends to discourage reporting of pertinent information sinc e the typical employee is reluctant to "inform" on fellow employees, and, in most cases, is unable to gauge whether the information is significant enough to justify the unpleasant consequences which may follow.

One means of stimulating such reports would be to obtain congressional authority to reward persons who provide information leading to an arrest for espionage, or the identification of hostile intelligence agents. There is legal precedent for this approach to obtaining information on terrorists, tax evaders, and other types of criminal behavior. Rewards may encourage more reporting of significant information by employees who now convince themselves that information in their possession is too "insignificant" to warrant getting involved.

Also, DoD has no formal, systematic means of obtaining relevant information concerning cleared personnel from law enforcement or regulatory agencies of federal, state, and local government. DoD should have a means of learning of misconduct which is already a matter of public record, whether or not it is also reported by the commander or supervisor. Similarly, other information with potential security significance is available within the federal government (e.g., loan defaults, stock ownership by foreign interests, tax liens), but DIS routinely does not seek or obtain access.

RECOMMENDATIONS:

Managing and Controlling Classified Information

The majority of DoD's policies and procedures for managing and controlling classified information implement Executive Order 12356, which prescribes policy and procedure for the entire Executive Branch. The Executive Order, among other things, establishes the levels of classified information and delegates the authority to classify information to the heads of departments and agencies, including the Secretaries of Army, Navy, and Air Force, who may further delegate such authority as necessary. The order further provides that information shall be classified if it falls into certain prescribed categories (e.g., "military plans, weapons or operations; vulnerabilities or capabilities of systems; installations, projects or plans relating to the national security") and its unauthorized disclosure could reasonably be expected to damage the national security. Dissemination of such information is limited, to those who are determined to be trustworthy, i.e., have a security clearance and a "need-to-know" such information in the performance of official duties. Transmission of such information by either electronic means or by physical relocation must utilize methods which will prevent the disclosure of the information concerned to unauthorized persons. Such information must be stored in approved containers or under other approved conditions, and must be safeguarded to the extent necessary to prevent unauthorized access.

With some exceptions, these safeguarding requirements are essentially the same for DoD components and cleared DoD contractors. The latter are bound by the terms of their contracts to perform classified work and to abide by DoD industrial security regulations.

Executive Order 12356 also permits the heads of departments and agencies to establish "Special Access Programs" to protect "particularly sensitive" classified information; such programs are subject to "systems of accounting" established by agency heads.

Executive Order 12356 does not explicitly treat the transmission of United States classified information to foreign governments, apart from providing that classified information shall not be disseminated outside the Executive Branch unless it is given "equivalent" protection by the recipient. More detailed policy governing the foreign release of classified military information is found in the National Disclosure Policy, promulgated by the President and administered for the Secretaries of Defense and State by the National Disclosure Policy Committee, chaired by a representative of the Secretary of Defense.

Classification

There are no verifiable figures as to the amount of classified material produced in DoD and in defense industry each year. DoD reported an estimated 16 million documents classified in 1984, but this estimate is based on a sampling of message traffic from selected automated systems. DoD concedes the actual figure may vary considerably. In any case, it is clear that the volume of classified documents is enormous. Obviously, the Department needs to protect much of what it is doing with classification controls. Nonetheless, too much information appears to be classified and much at higher levels than is warranted. Current policy specifies that the signer of a classified document is responsible for the classification assigned but frequently, out of ignorance or expedience, little scrutiny is given such determinations. Similarly, while challenges to improper classifications are permitted, few take the time to raise questionable classifications with the originator.

The Secretary of Defense and Secretaries of the Military Departments have granted the authority to make "original" classification decisions, (i.e., to decide at the outset whether and at what level a program, project or policy is to be classified) to 2,296 "original classification authorities", including 504 officials with TOP SECRET classification authority and 1,423 with SECRET authority. Over the last 10 years DoD has pared down the number of officials with original classification authority; further reductions can be made. Given the fact that relatively few original classification decisions are actually made each year and these typically govern new programs and projects, such decisions necessarily ought to be made or approved by a limited number of senior-level officials. At present, there appear to be original classification authorities in some DoD components who are not in positions to exercise such control.

All persons who create new classified documents based upon an original decisions to classify a program, project or policy are bound to carry over the "original" classification decision to the document being created. This process is called "derivative classification", and comprises by far the bulk of classification activity carried-out in DoD.

DoD requires that original classification authorities issue classification guides prior to the implementation of a classified program and project, setting forth the levels of classification to be assigned to the overall project and to its component parts. Currently 1,455 such guides are in existence, however, many of these are incomplete and seriously outdated, notwithstanding the DoD requirement that they be reviewed biennially. Generally, classification guides do not cover policy determinations and actions ensuing therefrom.

Cleared DoD contractors do not have "original classification authority" and must apply the classifications given them by the cognizant project or program office to the documents they create. This classification guidance is provided in the form of a contract security specification to all classified contracts (DD Form 254), which is intended to provide the contractor with specific classification guidance, including the applicable classification guide, and the identification of the individual to be contacted if questions arise regarding classification. While logical in concept, this system is flawed in practice, being dependent largely upon the thoroughness and diligence of the contracting office to provide the required guidance. Although DIS regional offices have "classification managers" assigned to fadlitate the interchange between contractor and program office, they are not in a position to provide such guidance or to motivate the contracting office to become more deeply involved. The contractor, though desiring answers, is often not inclined to bother his DoD benefactor.

In general, shortcomings in the area of classification are primarily a matter of inadequate implementation of existing policy, rather than a matter of deficient policy. (These inadequacies are generally addressed in Recommendation 53, below, under "Command/Supervisor Emphasis.")

The remedy, is straightforward: disciplined compliance with the rules.

RECOMMENDATION:

Dissemination of Classified Information

Classified information may be disseminated only to someone with a security clearance at the level of the information concerned who has a "need-to-know" such information in the performance of official duties. TOP SECRET information is strictly accounted for both in DoD and in industry by a system of receipts, serialization, disclosure records, and inventories. Control procedures for SECRET and CONFIDENTIAL information are left to DoD components and, in practice, vary widely. Cleared DoD contractors, however, are required to maintain a chain of accountability for all SECRETdocuments.

Reproduction of TOP SECRET information under existing policy must be approved by the originator of the information in question. Reproduction of SECRET and CONFIDENTIAL documents is not so restricted, and reproduction controls, if any, are left to components to determine.

Most classified documents produced within DoD are multi-addressee memoranda, messages or publications, whose recipients could number in the hundreds. They are routinely handled by clerical and administrative personnel, as well as the staffs of the named addressees. Often such documents are distributed to recipients who have simply indicated they have an "interest" in the general subject matter covered in this and recurring reports without any critical evaluation of their need-to-know. Similarly, with respect to message traffic, often little confirmation of "need-to-know" is done initially or on a continuing basis. Getting on the list usually guarantees access, regardless of actual need.

Classified information is exempted from release to the public under the Freedom of Information Act (FOIA), and, obviously, is not permitted to be released in open congressional testimony or in articles intended for open publication. While DoD has mechanisms to provide security review of each of these potential channels to prevent improper dissemination, there are occasions when such disclosures occur due to human error or negligence. In 1984, CIA obtained congressional approval to exempt certain categories of its files from review under the FOIA, but DoD has no similar authority for its highly sensitive files. To require that such information be submitted to classification review is ultimately a waste of DoD resources since it cannot be released under any circumstances, and it risks the possibility that through human error it might be inadvertently disclosed.

In a related vein, although Executive Order 12356 provides that departments and agencies may disseminate classified information to persons outside the Executive branch provided such information is given "equivalent protection" by the recipient, DoD elements frequently provide classified information to the Congress without any understanding of how such information will be protected. While all congressional staff members who receive access to classified DoD information are, in theory, cleared by DoD, little attention is given the handling and storage of such information by congressional staffs, who are not, in fact, bound by the safeguarding requirements of Executive Order 12356. The Roth/Nunn Subcommittee report cited this deficiency as requiring the attention of the Congress.

RECOMMENDATIONS:

Transmission of Classified Information

Classified information must be transmitted in a manner that precludes its disclosure to unauthorized personnel. Classified telephone conversations between cleared persons must be over secure voice equipment. Classified electronic communications between ADP equipments must be transmitted over encrypted, or otherwise protected, circuits. Couriers, commercial carriers, and others who handle and transport classified information or material generally must be cleared to the level of the classified information concerned. There are, unfortunately, shortcomings -- some serious -- in each of these areas.

Heretofore, there have been serious shortages of secure voice equipment needed to support DoD and its cleared contractors. This had led to "talking around" classified information over unsecured communications channels vulnerable to hostile intelligence intercept. The NSA has initiated a revolutionary effort to make low-cost secure voice equipment available to DoD components, and, on a direct-purchase basis, to cleared contractors. Although this effort is in its initial phases of implementation, it promises a quantum increase in the capability to transmit classified information by secure voice means.

There are also major problems in the area of automated systems security. While DoD and its contractors have grown increasingly dependent on automated systems to process both classified and unclassified information, insufficient attention has been given to building security capabilities into computers and related distribution systems.

Computer security encompasses various internal technical measures as part of the architecture, design, and operation of automated information Systems. Devices.. currently susceptible to unauthorized manipulation include computers, workstations, word processors, and storage transmission and communications systems used to create, process, transfer, and destroy information in electronic form. The technical flaws that render computers vulnerable often exist at the most complex, obscure levels of microelectronics and software engineering. Frequently even skilled engineers and computer scientists do not understand them. The subject is at the leading edge of technology.

The National Computer Security Center (NCSC) has been established at NSA to develop standards for new "trusted" computer systems and to evaluate products for use within DoD. It will be years, however, before all existing DoD systems are adequately analyzed and upgraded or replaced.

Because the federal government accounts for only four percent of the domestic computer market, NSCS strategy from the outset has been to encourage major computer manufacturers to build enhanced security into their standard product lines. Working in cooperation with industry, the NCSC identifies vulnerabilities, develops countermeasures, establishes standards of trust, and promotes government and private sector awareness of the risks and opportunities.

Adequate current funding for computer security research is essential, since the effect of research will not be realized in practice for 10 to 15 years.

Information classified at the SECRET or CONFIDENTIAL level may be appropriately wrapped and sent through registered and first class United States mail channels, respectively, so long as it remains entirely within United States postal control.

Current policy requires that TOP SECRET documents be couriered by a person with appropriate clearance. There is no uniform policy or system, however, for selecting and authorizing such couriers. Most of the TOP SECRET and other very sensitive material which is couriered long distances is handled by the Armed Forces Courier Service (ARFCOS) which operates worldwide under a charter issued by the joint Chiefs of Staff. Although ARFCOS has, for the most part, been able to carry out its mission in a secure manner, it does not possess the physical facilities, communications means, or secure vehicles necessary to protect effectively the very sensitive classified information in its trust.

Commercial carriers in the United States which transport classified material are required to be cleared at the appropriate level. Through a system of receipts, minimal accountability is maintained from cleared sender to cleared recipient. Although it is patently impossible for DoD personnel to accompany all of the many shipments, checks could be made by DoD elements to determine whether the carrier complies with DoD requirements.

RECOMMENDATIONS:

Retention and Storage

Unless a classified document is marked for declassification upon a certain date or event, it will remain classified until declassified by the originating office or higher authority. It may be retained, in theory, only while there remains a "need". In practice, however, there are no real controls in DoD, over the retention of classified information apart from the practical one of a place to store it. The required characteristics for such storage containers are detailed in existing policy.

There are statutory and DoD prohibitions regarding the destruction of "permanently valuable records" of the government, but the vast majority of clagsified documents held by DoD and its contractors do not qualify as such. The bulk of DoD's classified holdings are not "record copies" of classified documents held by the originator; instead, they consist of the multitude of "additional copies" of classified memoranda, messages, and publications that find their way into thousands of safes and filing cabinets.

Under current policy, destruction certificates signed by two witnesses are required for the destruction of TOP SECRET information; for SECRET, one witness is required, unless the requirement for destruction certificates has been waived to meet operational exigencies. As a practical matter, these requirements are not adhered to or enforced in many DoD components.

RECOMMENDATIONS:

Special Access Programs

Authority to establish Special Access Programs is contained in Executive Order 12356, "National Security Information". The intent is to ensure that sensitive activities are afforded greater protection than that normally accorded classified information. With few exceptions, such programs involve intelligence, military operations, research and development, and acquisition.

Special Access Programs originating in DoD must be approved by the Secretaries of the Military Departments or, in the case of other DoD components, by the DUSD(P) on behalf of the Secretary of Defense.

Such programs have proliferated in DoD in recent years, apparently out of concern that "normal" security does not sufficiently protect the information at issue. In a few cases, the special security aspects of these programs consist of nothing more than access lists; most, however, involve elaborate security frameworks and requirements, and may involve substantial numbers of persons with access. Most involve defense industry and are typically excluded from the Defense Industry Security Program by decision of the sponsoring department or DoD agency (hence the term "carve out" contract).

All such programs are required to be reported to the DUSD(P) who maintains the "system of accounting" required by Executive Order 12356. DUSD(P) concedes that not all programs have been reported. Under DoD policy, each of the Military Departments is required to maintain a focal point office for administration of its own Special Access Programs. The DoD Inspector General has also created a special cell of cleared inspectors to conduct audits of such programs.

While the Commission is of the unanimous view that such programs are essential, they clearly present problems from a security viewpoint.

First, although the sole rationale for the creation of Special Access Programs under Executive Order 12356 is to provide enhanced security, there is sometimes too little scrutiny of this determination at the time such programs are created. Unless an objective inquiry of each case is made by the appropriate authorities, the possibility exists that such programs could be established for other than security reasons, e.g., to avoid competitive procurement processes, normal inspections and oversight, or to expedite procurement actions. With or without justification, there is considerable congressional sentiment that security is not the primary cause of the recent increase in Special Access Programs. Congress voiced such concern in its report on the FY 1984 Defense Appropriation Bill.

Second, unless there are security requirements established and adhered to by all such programs which exceed the measures normally applied to classified information, then the purpose of creating such programs in the first place in negated. The Commission has received reports from some contractors that, in fact, some Special Access Programs are afforded less security protection than collateral classified programs. This anomaly results from either failure to utilize the security expertise of the sponsoring agency in the development of the security plan and in inspections, or delegation of responsibility to prime contractors to ensure subcontractors comply with all special security requirements, a procedure not authorized for collateral classified contracts.

Third, it is apparent from reports received by the Commission that there is no uniformity in the extra security measures stipulated by DoD components for Special Access Programs. The individually developed security requirements, aggravated by the proliferation of Special Access Programs, place an undue burden on contractors who are participating in a number of such programs.

Fourth, it is also essential that appropriate oversight of the security administration of these programs be accomplished to ensure compliance with those security requirements which are imposed. Refusal to grant special program access to the DoD Inspector General for oversight purposes must be reported to the Congress in accordance with the statutory provisions of the Inspector General Act. Some progress is being made in each of these areas by a DUSD(P)-chaired Special Access Program Working Group. A draft set of minimum standards to apply to all Special Access Programs, including those with industry involvement, has been under discussion. The need for serious and continuing oversight is acknowledged.

RECOMMENDATIONS:

International Cooperation Involving the Transfer of Classified Information

Transfers of classified military information to foreign governments are governed by the National Disclosure Policy, promulgated by the President, which provides the general criteria and conditions to govern such transfers, and delegates authority for DoD components to transfer certain categories of classified information to certain foreign recipients on their own initiatives. Any contemplated transfer of classified information which exceeds the eligibility levels established under the National Disclosure Policy must be considered and approved on a case-by-case basis by the National Disclosure Policy Committee (NDPC), an interagency body chaired by a representative of the Secretary of Defense.

The NDPC, as a major part of its functions, also conducts periodic surveys of the security framework within recipient countries to ensure that equivalent levels of protection can be and are being provided United States classified information. Based upon the surveys, the eligibility levels of recipient countries are adjusted.

This framework islogical, and works reasonably well in practice. There is, however, room for improvement.

The Commission was made keenly aware of the risk to United States classified information once it leaves United States control, even in the hands of friendly allied countries. Although the United States attempts to assure itself of both the capability and intent of recipient governments to protect United States classified information prior to providing such information, as a practical matters, the United States has little control over such information once in foreign hands, and has little expectation that it will learn of compromises. The problem is particularly critical with respect to co-production arrangements, where losses could entail not only the end-item being produced but also the technical "know-how" necessary to manufacture it in large quantities. It is also not uncommon for Defense or State Department officials who deal with other governments regularly with respect to.arms sales to suggest the United States is willing to sell classified, weapons systems prior to obtaining the necessary approval of the responsible military service, and, as required, the NDPC. Such statements have the effect of skewing the NDPC approval process which then must consider the political consequences of failing to follow through on what the other government perceived as a United States commitment.

Finally, the NDPC security survey program is only modestly effective. Too few surveys are carried out, and there is insufficient flexibility in the program to satisfy DoD's most pressing requirements. Even with respect to those surveys which are conducted, many lack the probing, objective analysis required, and, because survey team members (representing NDPC member agencies) return to their regular duties upon completion of the survey, survey reports are often outdated when finally published.

RECOMMENDATIONS:

Detecting and Countering Hostile Intelligence Activities Against DoD

The FBI has primary United States government responsibility for keeping track of the activities of known or suspected hostile intelligence agents within the United States. However, DoD foreign counterintelligence agencies (the Army Intelligence and Security Command, the Naval Investigative Service, and the Air Force Office of Special Investigations) each conduct, in conjunction with the FBI within the United States and in coordination with the CIA abroad, counterintelligence operations and investigations designed to identify and counter hostile intelligence activities against their respective services.

DoD components also dedicate substantial resources to security awareness briefing programs among their employees to sensitize them to potential hostile intelligence activities. Their experience has been that the greater the reach of such programs, the more information concerning hostile approaches is reported. In industry, cleared contractors regularly receive "Security Awareness Bulletins" published by DIS; the military services also provide threat briefings to selected contractors, which are supplemented by the FBI's Development of Counterintelligence Awareness (DECA) Program, which again involves briefings to selected defense contractors.

In addition, a variety of measures are currently being implemented on a fragmented basis within DoD which are designed to provide indications of possible espionage activities. These include requirements to report contacts with foreign representatives; to report travel to designated countries or, in some cases, to any foreign country; the use of sources at sensitive projects to report evidence of hostile intelligence activities or indications of espionage; and the use of physical searches to determine if classified information is being removed from the premises without authority.

Limiting and Controlling the Hostile Intelligence Presence within the United States

DoD information is the primary target of the hostile intelligence presence within the United States. DoD, therefore, has a major stake in what United States actions are taken to reduce (or expand) the size of the hostile intelligence presence, as well as to limit (or expand) its operational environment in the United States. A major step towards achieving reciprocity of treatment for diplomatic personnel was the establishment by statute of the Office of Foreign Missions within the Department of State in 1982. The diplomatic personnel of certain countries are now required to obtain travel accommodations and needed services through the Office of Foreign Missions, which handles such requests in a manner similar to the way in which United States diplomats are treated in the country concerned.

Recently, additional measures have been instituted in both the Legislative and Executive Branches which would have the effect of further reducing or controlling the hostile intelligence threat. In the FY 1986 State Department Authorization Bill, for example, two significant provisions impacting the hostile intelligence presence in the United States were added on congressional committees' initiative. The first would apply to United Nations Secretariat employees who are nationals of a country whose diplomatic personnel are subject to the Office of Foreign controls, those same limitations and conditions, unless waived by the Secretary of State. Thes econd would establish the policy of "substantial equivalence" between the numbers of Soviet diplomatic personnel admitted into the United States, and United States diplomatic personnel admitted into the Soviet Union, unless the President determines additional Soviet diplomatic personnel may be admitted.

Further restrictions ought to be instituted on the travel of non-Soviet Warsaw Pact nationals assigned to the United.Nations secretariat, or to the diplomatic missions so accredited. The United States has heretofore refrained from imposing travel restrictions on any non-Soviet Warsaw Pact diplomatic and consular personnel in this country. The rationale has been that our diplomatic personnel accredited to East European governments are allowed considerable latitude of movement. A reciprocity principle is sound insofar as it applies to non-Soviet Warsaw Pact diplomatic personnel accredited to the United States Government. Extention of the principle to personnel at the United Nations is quite another matter. They are not accredited to the USG; their duties should be exclusively geared to the business of the UN; but, as a practical matter, they constitute a substantial augmentation of the intelligence collection capabilities based at or directed from their nations' embassies in Washington. The United States has no comparable means of augmenting its diplomatic missions in the non-Soviet Warsaw Pact countries. Should those countries react to travel restrictions on its UN personnel by restricting our diplomatic and consular officials, the U.S. would be fully justified in taking similar action against those personnel of the countries concerned that are accredited to our government.

RECOMMENDATION:

Identifying and Monitoring Hostile Intelligence Agents

The FBI has primary responsibility for identifying and monitoring known or suspected hostile intelligence agents within the United States. Counterintelligence elements of the military services also have trained cadres of counterintelligence specialists who conduct joint counterintelligence operations in the United States with the FBI involving DoD personnel or information. DoD agencies do not, however, routinely support the FBI in terms of monitoring the activities of known or suspected hostile intelligence agents unless such support is specifically related to a joint operation. Potentially, DoD has the capability to provide considerable support to help meet operational exigencies -- not only with agents but also with technical and logistical assets.

RECOMMENDATION:

Counterintelligence Operations and Analysis

Policy matters concerning the DoD foreign counterintelligence activities are coordinated through the Defense Counterintelligence Board, chaired by a representative of DUSD(P). The counterintelligence elements of the military services conduct both offensive and defensive counterintelligence operations and investigations, the details of which are largely classified.They also analyze available information from these operations as well as from other agencies in the counterintelligence community, and provide counterintelligence reports to their respective services (which are also shared with the community). The DIA, while having no operational counterintelligence role, plays a major role in the production of multi-disciplinary counterintelligence analyses for DoD as a whole, and coordinates the production of finished reports by the service agencies.

Although resources for the conduct of counterintelligence operations have increased in recent years, more are needed to fund additional analysis of operations to enhance the capability to utilize "lessons learned" from operational activities. This will provide better understanding of hostile intelligence targeting and modus operandi, as well as improved security to counterintelligence operations.

RECOMMENDATIONS:

Security Awareness Programs

All DoD components with classified functions have some type of security awareness program, consisting typically of required briefings, briefings statements, audiovisual aids, posters, and publications of all types, describing the hostile intelligence threat. Although such programs are not centrally coordinated in DoD, substantial, if uneven, effort is devoted to them. Morever, they have proven reasonably effective in sensitizing personnel to possible hostile intelligence approaches. The military services report the number of contacts reported rises in proportion to the number of security awareness briefings which they are able to administer.

Although DoD components should continue to be manage and administer their own security awareness programs, DoD should facilitate and coordinate these programs to avoid duplication of effort, and to improve the caliber of briefings and training aids. (See Recommendation 57, below.)

Awareness programs in industry are far smaller. While the DIS publishes periodically a "Security Awareness Bulletin", sent to all cleared contractors, it is rarely seen beyond the company security office. Similarly, while the Military Departments and the FBI present threat briefings to selected DoD contractors, these reach only a small portion of the 1.2 million cleared contractor employees, usually being given to security or management officials. There is no overall coordination of security awareness programs within the defense industry. The Commission believes that considerable dividends in improved security could be achieved by a relatively small investment to bolster the security consciousness of cleared contractor personnel through an effective security awareness program.

RECOMMENDATION:

Reporting Indications of Possible Espionage

There are existing requirements for DoD employees and contractors to report suspected espionage. However, there are few specific or uniform DoD requirements applicable to all employees and contractors to report information which could indicate to experienced investigators the possibility of espionage activity and the need for further investigation. To the extent that such information is being reported, the requirements to do so are largely a matter of component regulations, and, in the case of cleared contractors, the requirements of the Industrial Security Manual.

Reports of unofficial or unsanctioned contacts with representatives of foreign governments, particularly where efforts are made to elicit defense-related information could indicate espionage activities. While most DoD components have some type of requirement to report such contacts, they are not uniform nor are they well enforced. In industry, there is no requirement to report such contacts short of the requirement to report possible evidence of espionage.

Similarly, foreign travel at particular intervals and to particular locations could indicate to experienced investigators possible espionage requiring follow-up. While many DoD components and defense industry have requirements to report travel by cleared personnel to Communist-bloc countries, very few components require reporting of travel to other foreign countries.

Other indicators of possible espionage activities are not generally required to be reported, although such reports are occasionally made and acted upon. They include such things as unexplained affluence; unexplained absences; attempts to solicit information beyond one's need-to-know; and unexplained, unaccompanied visits to classified areas during non-work hours. In certain particularly sensitive programs, some military counter-intelligence agencies ask a certain person(s) within such programs to watch for and report any such indicators directly to the investigative agency. Such sources are not utilized, however, in most DoD components or in industry.

RECOMMENDATIONS: