On July 17, 2000 a public meeting of the President’s Security Policy Advisory Board (SPAB) was held at the Marriott Crystal Gateway Hotel in Arlington, Virginia. The meeting was held in conjunction with the annual seminar of the National Classification Management Society (NCMS). Board Chairman General Larry Welch, USAF (Ret), presided with board member Rear Admiral Thomas Brooks, USN (Ret). Approximately 60 persons from the public and private sector also attended.
Minutes
July 17, 2000
Security Policy Advisory Board Meeting
Marriott Crystal Gateway Hotel
The meeting was called to order at 1400 hours by Mr. Bill Isaacs, a member of the Security Policy Board (SPB) staff serving as the Responsible Federal Officer in support of the SPAB. He welcomed all in attendance and introduced the advisory board members.
1. Mr. Kirk Bailey of the Frank Russell Company, Seattle, Washington, gave a thought-provoking presentation called the Agora “Privacy Raid”. His presentation covered issues regarding Privacy and Technology.
Mr. Bailey has been working as an information technology professional in the banking and insurance industries for the last 28 years. His professional experience has helped him to shape strong opinions regarding privacy and how technology is used. He is the founder of The Agora, a Northwest regional association of information systems security professionals, technicians, experts, and officials from the private sector, public agencies, government, and law enforcement.
The Agora “Privacy Raid” was an exercise conducted by a team of security professionals and law enforcement officials in October and November of 1999 and first reported in the New York Times by Tina Kelly on December 13, 1999. The exercise involved a challenge issued by Mr. Bailey to his Agora colleagues to discover all they could about his private information and life without his cooperation or official permission, and without breaking the law.
The results of this test were remarkable and underscored many important issues of interest to the general public. For less than $100 worth of expenses, the exercise participants were able to come up with: a certified copy of Mr. Bailey’s birth certificate, Social Security Number, a complete picture of his personal finances, control over his checking and savings accounts, a history of his home utilities usage, copies of his home phone bills, an electronic image of his signature, complete information about his past and current real estate transactions, listings of his current and former neighbors and their phone numbers, his college transcripts, information about his childhood, what charities he supports, and even what his cats eat.
U.S. Representative Jim McDermott, D-WA, who sponsored federal legislation to protect privacy of medical records and DNA information, attended the Agora presentation when the results were announced. His reaction: “As someone in political life, I know I have very little privacy. But the ordinary citizen ought to be scared to death by what we saw today.”
2. Mr. Joseph Mahaley, Director, Office of Security Affairs, Department of Energy (DOE), spoke of the enhanced protection measures being afforded classified information at the DOE, and he outlined the implementing instructions ordered by the Secretary. These enhancements are intended to tighten access to security areas, and reduce and consolidate certain classified matter used by the National Nuclear Security Administration (NNSA).
The first initiative relates to encryption of classified electronic media. National Security Agency (NSA) approved encryption is required for selected high density (high volume) media containing classified information.
The second area is the enhanced verification procedures for vault and vault type room access. Effective immediately, enhanced verification procedures have been implemented that record duration and time of access for all personnel accessing NNSA vaults and vault type rooms that contain emergency response assets or nuclear weapons design, use control systems, vulnerability information, or Top Secret or Special Access Program matter.
The next initiative relates to manning of open vault and vault type rooms. Effective immediately, all open vaults and vault type rooms containing certain types of classified information will be continuously controlled by at least one person with appropriate clearance and need-to-know, and when not controlled, will be locked and alarmed.
Next, an evaluation of existing vault and vault type room procedures will be accomplished. NNSA Operations/Area/Field Offices will conduct a comprehensive evaluation of existing vault and vault type room and security container management procedures to ensure classified material is protected by the most secure and effective technology, best practices, and procedures currently in use by either industry or the Federal Government. Additionally, effective immediately, increased security requirements are mandated for certain classified electronic media. The intent of this initiative is to control access and to place designated material/media under strict continuous accountability rules.
Lastly, an inventory of all NNSA Nuclear Emergency Search Team (NEST) and Accident Response Group (ARG) databases will be conducted immediately. All elements of NEST and ARG will inventory and maintain accountability for all classified computer equipment and removable classified media that support NEST and ARG operations.
General Welch asked why these new guidelines were not issued by the new Director of the NNSA, General John Gordon. Mr. Mahaley responded that they were issued by General Habiger because, as of the date of issuance, June 23, 2000, General Gordon had not yet been sworn in as the new Director.
3. One of the recommendations of the Joint Security Commission II was the need to clarify the role of the SPB in national level security policy oversight.
The Security Policy Board Executive Committee ratified the recommendation and tasked the SPB Forum with producing a mechanism for security oversight. Mr. Michael Brown, Office Security Plans and Programs Division, Office of the Chief of Naval Operations, Department of the Navy, headed a working group tasked by the Forum to develop this mechanism.
The plan and implementation, outlined by Mr. Brown, are as follows. The process is to assess consistency of policy with National goals: are the policies cost-effective and operationally effective, and do they support reciprocity? The assessment would focus on “what policies are working,” would be managed at the Assistant Secretary level, and the result would be part of the SPB’s annual report to the President. The reporting mechanism will be a minimally intrusive questionnaire submitted annually on February 1st, allowing agencies to report implementation successes and difficulties.
The 1st report will focus on the following 6 White House-approved SPB policies: National Security Investigative Standards for Background Investigations for Access to Classified Information, National Security Investigative Standards for Temporary Eligibility for Access, National Security Adjudicative Guidelines for Determining Eligibility for Access to Classified Information, National Policy on Technical Surveillance Countermeasures, National Policy on Reciprocity of Facility Use and Inspection, and the National Directive on Safeguarding Classified National Security Information.
4. Mr. J. William Leonard, the Acting Deputy Assistant Secretary of Defense for Security and Information Operations, Department of Defense (DoD), gave an update on the Department’s plan to reduce the backlog of investigations that currently exists in the DoD.
In November 1999, the Deputy Secretary of Defense directed formation of an Overarching Integrated Product Team (OIPT) to refine the Periodic Reinvestigations (PR) backlog and estimate the cost of eliminating that backlog by the end of Fiscal Year 2002. In March 2000, the Deputy Secretary approved the recommendations made by the OIPT, which are as follows: The Defense Security Service would be responsible for 45% of the investigative workload, the Office of Personnel Management (OPM) would be engaged to perform 40% of the required workload, and 15% would be contracted out to the private sector. As stated above, the deadline to eliminate the backlog is the end of FY 2002. This recovery plan was briefed at two Defense Management Council sessions.
To fund this recovery plan, the Department of Defense Comptroller issued the “spend plan” on June 22, 2000. The spend plan requirements called for use of existing resources to fund the FY01 portion of the plan and to budget resources for the FY02 portion. A senior official will be appointed within each Defense Component to monitor the required monthly workload sent to DSS/OPM for accomplishment of the plan. The Assistant Secretary of Defense Command, Control, Communications and Intelligence (ASDC3I) will issue further implementing guidance for this recovery plan by August 22, 2000.
Mr. Leonard then provided the following information:
                   FY2001       FY2002       Total
Cases              1,102,460    1,091,506    2,193,966
Funding ($ mil)    $367,707     $358,508     $726,215
Mr. Leonard offered some keys to the success of the Spend Plan. The DoD Components must provide the cases and funds per the schedule. DSS, OPM and the contractors must meet production goals. The quality of the investigation must be maintained, and continuous monitoring must be conducted to identify potential additional impediments to successful completion of the plan.
Mr. Leonard closed by stating the Defense Agencies funded their portion of the backlog “out of hide” and will essentially be current by the end of FY00, and the Intelligence Agencies (DIA, NSA, NIMA) are current now.
General Welch asked Mr. Leonard to define what is meant by “being current” at the Defense Agencies and the Intelligence Agencies. Mr. Leonard responded by stating that the required PRs will have been submitted for investigation by the end of the Fiscal Year.
Question: An individual from the audience asked: “Will reciprocity be effected with the varied investigative activities conducting background investigations?”
BOARD COMMENTARY: General Welch responded that if the investigative and adjudicative standards were met and quality was assured, reciprocity should be well served.
Question: An individual from industry expressed concern that with all these varied activities conducting investigations, tracking the status of an investigation would be difficult. He added that it is imperative that industry security professionals have the ability to determine the status of their investigative requests.
BOARD COMMENTARY: General Welch agreed that tracking the status of an investigation is most important and that he would share this concern with General Cunningham at the Defense Security Service.
The meeting was adjourned by Mr. Isaacs at 1545 hours.