Notwithstanding these efforts and results to date, more information continues to be classified than national security needs require. Risk management continues to be more of a goal than an operative philosophy guiding today's security decisions. Serious questions remain about the process by which classification decisions are made, and about the oversight, training, and accountability of those who make classification decisions. Particularly disturbing is the continued perception among many inside the Government that the current classification system simultaneously fails to protect the nation's core secrets while still classifying too much. Justice Potter Stewart's observation that "when everything is classified, then nothing is classified" remains very relevant today.2 As long as more information than necessary is classified, the long-term benefits of the progress cited above will be limited--benefits such as the enhanced protection of the nation's core secrets, the cost savings that will come from limiting classification, and the value of the American public knowing about the operations and activities of its government. This is particularly true given the information explosion in which the amount of data overall will increase dramatically in the years ahead.
If the progress already made is to continue, there must be a renewed focus on the all-important initial decision of whether to classify at all. Avoiding unnecessary classification in the first place should allow for a more efficient use of already-limited resources by focusing on that which truly needs protection. Combined with the proper implementation of classification practices, this also should lessen the burden of subsequent declassification efforts, contributing to a more orderly and cost-efficient review and release of information to the public. And finally, a more thoughtful and balanced consideration of the need for secrecy should enable government officials to better understand the importance of a particular piece of information and why it needs to be protected, leading to enhanced safeguarding of the nation's secrets. This chapter describes the current classification system and recent improvements to it, and highlights those areas that the Commission finds most ripe for attention as the decades-old struggle between secrecy and openness proceeds into the Information Age. Commission recommendations in this area attempt to reorient the classification decisionmaking process from one that perpetuates a "default" to classification, in which personnel tend to classify more by rote than by reason, to one that involves a more balanced assessment of the need for secrecy.
Such management concepts, however, have been applied only to very limited areas of the Government. The various stages of the life cycle still often are viewed as distinct from one another with respect to the management of classified information. The disjointed nature of current information management practices has a range of troubling consequences. Decisions concerning up-front classification practices (such as portion marking, which designates the parts of a record that are classified and the degree of protection needed) often proceed without any real consideration for how these practices will affect subsequent use of the records or efforts to declassify them. In fact, the tremendous backlog of records currently being encountered in the systematic review of older documents, discussed in Chapter III, is in large part the result of poor records management practices at earlier stages of the records' life cycle. Despite recent initiatives being developed by the National Archives, the Federal Government as a whole still lacks any coordinated plan to oversee the creation and management of electronic records, which encompass a rapidly growing share of the documents and images now being created and classified.
The "life cycle risk assessment" of classified information should encompass an analysis at each stage of the information's "life" of: (1) whether the information requires protection (given the risks, threats, and vulnerabilities to it) and, if so, how much and for how long; (2) the public's right to know about the functioning of government and whether this outweighs the need for protection in a given instance; and (3) the cost of protecting or declassifying the information. This approach also recognizes that consideration of these criteria may lead to different results at different stages of the life cycle. For example, the public benefit in knowing the information initially may be outweighed by the need for its protection, but later may carry greater relative weight and may require its release.
Success in institutionalizing such an approach at all stages in the management of classified information would result in significant benefits. These include helping to foster a better understanding and acceptance of why information was classified in the first place, enhancing the protection of information, and improving the efficiency with which resources devoted to information management are used, thus reducing costs.
Despite the difficulties inherent in trying to adjust classification criteria, a different approach--one based on the need for genuine risk assessment--can complement the more deliberative process of classification decisionmaking and focus classification on the core secrets that must remain protected. The categories of information eligible for classification should be narrowly defined, allowing exemptions only in specific, carefully defined instances requiring approval by the National Security Council (NSC). Under the statute proposed in Chapter I, the President would retain the authority to determine which categories of information should be open to classification.
Classification categories that should be considered are:
• Names/identities of those individuals or organizations that provide information to the U.S. Government with the expectation that the information will be held in confidence or, if further disclosed, would pose a substantial risk of harm to the individual or organization that provided it.
• Foreign relations or foreign activities of the United States, that, if disclosed, would impair foreign policy.
• Plans for or conduct of military operations that, if disclosed, would impair the effectiveness of present or future operations or jeopardize human life.
• Sources and methods used to collect, process, and analyze information included under the traditional disciplines of signals intelligence (SIGINT), imagery intelligence (IMINT), measurement and signature intelligence (MASINT), and human-source intelligence (HUMINT).
• Foreign government information, the protection of which is specified by the terms of a treaty, agreement, or other international obligation.
However, neither the National Security Act nor any of the relevant executive orders has defined what constitutes a "source" or a "method," and the use of these provisions has been the subject of frequent criticism. Protection of sources and methods has been used to justify the classification of a range of information sometimes only indirectly related to a specific source or method. Sometimes included in this are "open sources" such as books, newspapers, and public broadcasts, which can in some areas (such as economic analysis) account for up to 95 percent of the information collected by the Intelligence Community.6 The view that even such open sources can reveal the methods by which analysts process information and reach their conclusions has also affected agencies' responses to public requests for information, as discussed in Chapter III.
The AEA provides for the classification of information, termed Restricted Data (RD), covering "the design, manufacture or utilization of atomic weapons . . . the production of special nuclear materials . . . or the use of special nuclear material in the production of energy." Unlike national security information, which must meet certain criteria before being classified, no affirmative decision is required on the part of the DoE to classify information as Restricted Data: if information fits within the above definition, then it is considered classified from its origin and is said to be "born classified." Statutory authority for the classification of such information also has implications for oversight of DoE classification practices, as discussed below.
While authority for declassifying Restricted Data lies solely with the DoE, the approval of the Department of Defense is required when moving out of the RD category ("transclassifying") information that "relates primarily to the military utilization of atomic weapons." Although not specified as such in the AEA, this transclassified information is referred to as Formerly Restricted Data (FRD). In almost every respect (with the exception that it cannot be shared with another country absent an agreement authorized under the AEA), FRD is treated and handled in the same way as national security information classified under executive order. Like national security information, RD and FRD can be classified Confidential, Secret, or Top Secret. The separate statutory basis for protecting nuclear information also has affected the process for declassifying this information. This process has been criticized as burdensome, inflexible, and costly by many scientists, environmental researchers, and other scholars. These critics contend that the system for declassifying RD fails to take into account scientific and technological changes, to allow reasonable access to information about environmental hazards caused by nuclear-related activities, or to consider the voluminous information now in the public domain on atomic energy and related matters.7 The DoE's comprehensive, agency-wide effort to increase public confidence through a policy of greater openness has aided progress toward decreasing the amount of information remaining classified. Its Fundamental Classification Review (discussed further below) used a panel of leading nuclear scientists, historians, and agency representatives to reevaluate the extent to which information now classified as RD or FRD can be made publicly available.
Attention to these matters should continue through the DoE's Openness Advisory Committee, composed of distinguished professionals who are responsible for advising the DoE on issues related to declassification and openness.
Since 1992, three studies--all commissioned by the DoE itself--and the draft of the still-pending Fundamental Review have called for eliminating the FRD category, asserting that information within it can be adequately protected by either the traditional classification system or the RD category.8 One of these studies, issued in 1995 by a National Academy of Sciences task force, explicitly encouraged this Commission to consider "whether there is any continuing justification for two separate and parallel classification systems."9 The Commission concludes that, as long as RD and FRD are controlled by a separate statute, legislative action will be required to bring meaningful changes to the DoE's current classification system and to bring it into greater harmony with the overall system for controlling access to national security information.
The difficulty of discerning who truly needs access to classified information has contributed to the rise of a host of methods for limiting such access. A variety of control markings and handling caveats restricts the dissemination of information and has added extra layers to the classification system. For example, thirteen access categories (known as Sigmas) limit access to Restricted Data, and within the Intelligence Community the control marking "ORCON" (Dissemination and Extraction of Information Controlled by Originator) prohibits further dissemination without the specific approval of the originator of the information.
The Congressional Emergency Relocation Site (located under the Greenbrier Hotel in West Virginia and built to house the entire Congress and some of their staff in the event of a national security emergency) was designed, constructed, and maintained as a special access program for more than thirty years until 1994 when its existence was declassified.
Additional security requirements to protect these special access programs can range from mere upgrades of the collateral system's requirements (such as rosters specifying who is to have access to the information) to entire facilities being equipped with added physical security measures or elaborate and expensive cover, concealment, deception, and operational security plans. Such measures often have been justified as the only way to provide the security necessary to protect information considered especially sensitive. Programs can concern research, development, and acquisition activities; intelligence; or military operations. They can be funded by one agency but managed by another, which often leads to difficulty in simply accounting for how many programs exist and how much money is spent on them.
Publicly acknowledged programs are considered distinct from unacknowledged programs, with the latter colloquially referred to as "black" programs because their very existence and purpose are classified. Among black programs, further distinction is made for "waived" programs, considered to be so sensitive that they are exempt from standard reporting requirements to the Congress. The chairperson, ranking member, and, on occasion, other members and staff of relevant Congressional committees are notified only orally of the existence of these programs.
There are approximately 150 DoD-approved SAPs (the exact number is classified and others have been created but not yet formally approved), down from 200 in the late 1980s, and roughly 300 SCI compartments, compared with an estimated 800 in the late 1980s.13 These numbers, however, do not include the many subcompartments, perhaps best termed "SAPs within SAPs," that further limit the extent to which personnel have access to various parts of the same program.
A notable example of the declining use of such programs to protect information considered especially sensitive is the reevaluation of how to best protect certain imagery capabilities (which also led to the declassification of large amounts of imagery dating from the 1950s and 1960s). Since 1995, an estimated 95 percent of all imagery derived from electro-optical image systems and once restricted to a highly classified SCI compartment has been produced and disseminated at the Secret level. As a result, this information can now be more widely disseminated to government "consumers," such as the military, which has relatively few individuals cleared above the Secret level.
In 1994, the DoD created the Special Access Program Oversight Committee (SAPOC) to standardize and formalize the approval, termination, revalidation, and restructuring procedures for DoD special access programs. As required by Executive Order 12958, the SAPOC annually reviews and validates all previously identified DoD special access programs for continued special access program status. The review process is intended to validate the need for continued security compartmentation or to restructure a program into either another special access program or a "collateral" program, and seeks to eliminate redundancy among programs. The SAPOC is intended to provide senior leadership, oversight, and management of all DoD special access programs, to ensure compliance with applicable executive orders and other policies and procedures, and to ensure that required information is provided to the Congress. Within the Intelligence Community, the Controlled Access Program Oversight Committee (CAPOC) performs much the same function as the SAPOC, including annual review of all such programs as required by Executive Order 12958 and a report to the Congress. The CAPOC includes within its review the SCI control system compartments and special access programs funded by the National Foreign Intelligence Program.
However, while carefully assessing program cost, schedule, and performance, these reviews have not always focused on the special security features imposed and their associated costs. Despite the improvements described above, concerns have been raised that the SAPOC is too senior a body to have the necessary working knowledge and expertise to adequately address the security procedures and costs associated with DoD special access programs.
Industrial contractors performing classified contracts are governed by the National Industrial Security Program (NISP), created in 1993 by Executive Order 12829 to "serve as a single, integrated, cohesive industrial security program to protect classified information." A Supplement to the NISP operating manual (NISPOM) was issued in February 1995 with a "menu of options" from which government program managers can select when establishing standards for contractors involved with special access programs. However, industrial contractors report that wide variations still exist in the standards applied by government program managers of different SAPs. The "menu of options" continues to allow conflicting and costly security requirements. For example, a senior security officer from a large industrial contractor presented the Commission with a thick set of supplemental forms--all prepared by different program managers and often requesting the same information--that frequently are required before contractor employees can be granted access to certain special access programs.
Within the Intelligence Community, special access programs have been standardized by DCI directives, while those within the DoD continue to operate based on a menu with a wide variety of choices. Some military services continue to increase security regulations for SAPs, while others try to do the opposite. To address this problem, many industry representatives suggest establishing a clearer "baseline" standard and then requiring a specific justification before any additional security can be imposed.
The Commission recommends that the Security Policy Board (SPB) implement within one year the JSC recommendation on establishing a single set of security standards for SAPs. The SPB, in conjunction with the DoD, should examine whether the NISPOM Supplement should continue to allow individual SAP program managers to select the security measures for their program rather than conform to a single standard. Industrial contractors should be included in this review and in the development of a single set of standards.
Agencies protect some unclassified information in response to legal mandates (such as the Privacy Act) or specific agency regulations. Most specify the types of information that fall into this category, ranging from the very broad and general (e.g., "adverse effect upon the national interest" if disclosed) to the very detailed and specific (e.g., particular aspects of atomic energy defense programs). Agencies control access to this information through a need-to-know process, store it in locked desks or cabinets, and provide at least rudimentary protection when used in automated information systems. Still, there is little oversight of which information is designated as sensitive, and virtually any agency employee can decide which information is to be so regulated.
Moreover, the very lack of consistency from one agency to another contributes to confusion about why this information is to be protected and how it is to be handled. These designations sometimes are mistaken for a fourth classification level, causing unclassified information with these markings to be treated like classified information. Numerous officials expressed concern to the Commission about the protection and handling of their agencies' information by other agencies; some even admitted to classifying information inappropriately to ensure its protection. A related concern arises from U.S. compliance with agreements under which it is obligated to protect information provided by foreign governments at a level at least equal to that provided by those governments. Lacking any clear level of protection for unclassified sensitive information, the U.S. Government must protect a great deal of unclassified foreign information as though it were classified, thus incurring the accompanying security costs.15
In response to studies that identified the number of original classifiers as a contributing factor to the amount of classification and noted that many individuals possessed the ability to classify originally simply because it was viewed as a measure of status, many agencies have dramatically reduced the number of people with that authority.16 As of 1995, there were fewer than 5,400 individuals specifically authorized to classify information in the first instance, the smallest number since such statistics were first collected in the early 1970s (when almost 60,000 persons had that authority).17
While OCAs account for only six percent of all classification actions in any given year, this does not provide an accurate measure of their influence on the overall amount of information classified. As the only individuals actually designating what information is classified, their decision to classify particular information constitutes the first stage of its life cycle as national security information. Many original classifiers also are responsible for the classification guides that others use in the course of their daily work. A decision to include a piece of information in such a guide thus can lead to a multitude of subsequent "derivative" classification actions.
Because the original classification decision is the linchpin on which all other subsequent decisions depend, extreme care should be taken in making this initial decision. The current practice of merely citing one of the categories of classifiable information on the "classified why" line does little to lessen the tendency to classify by rote and does not adequately reflect the long-term consequences of an original classification decision. Requiring all original classifiers to provide a more detailed justification for each original classification decision would assist in this regard. Such a statement could include: (1) the damage to the national security that might result from the unauthorized disclosure of the information, as well as the other criteria (discussed below) used in making the decision; (2) how the information differs from information already classified; and (3) the classification guidance consulted in determining that the information was not already classified.
Both the Central Intelligence Agency (CIA) and the DoE already have such a requirement and report no significant administrative burden in its implementation; the DoE notes that it allows for enhanced oversight by permitting internal review of original decisions. Requiring such a written justification would prompt original classifiers to think more carefully about their decisions and make a more concerted effort to consult existing classification guidance. A written record of original decisions might have the added benefit of encouraging the preparation or updating of classification guides. Finally, an explanation of the intent behind a decision should assist both in oversight of classification decisions and the life cycle management of information by helping others determine subsequently whether the information still warrants classification.
[Chart not reproduced; the one surviving label reads "All Others 1%."]
Source: Averages for all classification activity (original and derivative) for years 1990-1995 as reported by the Information Security Oversight Office.
*RD and FRD at the DoE; figures provided by the DoE.
Requiring the identification of derivative classifiers could help begin to change this mindset. Some agencies--such as the CIA, DoE, National Reconnaissance Office (NRO), and Treasury Department--already require that all personnel identify themselves on the documents they classify, and they report few administrative problems. A separate line for classification would distinguish responsibility for classification from responsibility for content, assist with agency oversight of classification management and classification challenges, and help with processing Freedom of Information Act (FOIA) requests. Furthermore, knowing that they would be associated with the classification of a document over its life cycle, derivative classifiers might become more likely to consult classification guides, seek guidance from superiors, and properly portion mark documents--in short, to weigh the classification decision more carefully.
In contrast to Original Classification Authorities, most derivative classifiers are not required to be evaluated on their classification actions. Although Executive Order 12958 states that such performance ratings should be given to those "whose duties significantly involve the creation or handling of classified information," most agencies have not applied this requirement to those who classify derivatively. As a corollary to improved training for derivative classifiers (recommended below), long-term benefits could accrue by including the proper classification of information (the classification of only that information required for the legitimate protection of national security) as a critical element in the performance evaluations of all those authorized to classify. Knowing that one will be evaluated based, in part, on careful attention to classification responsibilities would provide a positive incentive to exercise this duty responsibly.
With different agencies (and different programs within agencies) preparing guides, they can sometimes contradict one another. Another problem is the failure of some agencies to regularly update these guides, a matter of particular concern to industrial contractors who must rely on guides often prepared without their input and which, at times, fail to consider information already in the public domain. As required by Executive Order 12958, many agencies now are reviewing and updating their classification guides, a development that may improve the quality of these guides.
Those who classify must have a clear understanding of how their senior managers view classification management and how they want them to approach their classification responsibilities. Some agencies attribute a decrease in original classification decisions to the increased use of classification guides. For the successful implementation of a life cycle approach to information management, and given the exponential effect of guides on subsequent derivative decisions, it is imperative that guides be reviewed frequently. Equally critical is that these reviews include a risk assessment analysis to determine whether information still requires the same level of protection or whether protection is still needed at all. Those guides pertaining to industrial programs could benefit from the input of contractors. More up-to-date guides should also assist with the declassification of information, as discussed in Chapter III.
Executive Order 12958's requirement that original classifiers "receive training in original classification" constitutes an important step in attempting to improve the quality of classification decisions. However, while offering suggestions as to what agencies might include in this training, neither the Order nor its implementing directive establishes minimum standards for this training, and there are no current plans to consider such minimum standards. Moreover, no training is required for derivative classifiers. To their credit, several agencies maintain formal training programs for those authorized to classify, although these vary widely and the number of personnel involved remains small.
Expanding the training mandated in Executive Order 12958 for original classifiers to include derivative classifiers, and requiring periodic attendance at agency programs on classification designed to ensure continued proficiency over time, are but two ways to improve the practices of classifiers. Training, subject to minimum Executive Branch standards, could also serve as a prerequisite for being evaluated on one's approach to classification, as suggested below.
The Commission recommends that agencies take several steps to enhance the proficiency of classifiers and improve their accountability by requiring additional information on the rationale for classification, by improving classification guidance, and by strengthening training and evaluation programs.
The task of deciding which information is to be classified, at which level, and for how long remains in large part a subjective judgment open to a range of interpretation. The absence of widespread training and the unavailability or lack of clarity of some classification guides only make appropriate classification decisions all the more difficult. Experts in classification management have pointed out that this first step of the classification management process--the identification by original classifiers of information that should be protected, coupled with derivative classifiers' interpretation of those decisions--tends to be the weakest link in the process of identifying, marking, and then protecting the information.
To reduce this subjectivity, several agencies are developing or already using technologies that attempt to quantify the damage that information might cause if disclosed and then actually make decisions for the classifier. However, even the most advanced programs cannot reduce entirely the subjectivity inherent in classification. Of potentially much greater benefit are "decision tools" that can assist classifiers in making classification decisions. These tools, such as one being developed at the NRO, guide classifiers through the process step-by-step, permitting a computer-generated document to be classified only after the preparer has gone through all the necessary steps and certified that the information contained within the document satisfies the criteria for classification. The National Security Council has taken this approach one step further, applying it to electronic mail; "masks" prevent NSC personnel from sending or printing internal electronic mail messages until they have certified whether classification is needed, a reform that, according to one former official, has contributed to a recent decrease in the amount of classification at the NSC.22
The importance of the initial decision to classify cannot be overstated. Classification means that resources will be spent throughout the information's life cycle to protect, distribute, and limit access to it, resources that would be unnecessary if the information were not classified. Classification also means that those who need the information in the course of their work have to be investigated and adjudicated for access. Classification further means that a document may have to be edited to remove some of the most sensitive details if it becomes necessary for the information to be more widely distributed. Finally, classification means that some form of review will have to take place if and when the document is considered for declassification, archiving, or long-term storage.
Despite the significance of this initial decision, relatively little is known about exactly how much information is classified. Much of this uncertainty derives from the fact that over two decades of statistical reporting by the ISOO and its predecessor, the Interagency Classification Review Committee, have chronicled classification "actions" (the individual act of designating a document as classified by either an original or derivative classifier) rather than the actual amount of classified materials generated. These actions are based on extrapolations of samplings that often take place at different times and vary in duration from agency to agency. The more than 3.5 million actions reported in 1995 are an extremely rough estimate of the number of actions that may have occurred that year. Nor does this estimate necessarily correlate to the number of pages, computer diskettes, or images classified that year, since a single action can result in the classification of a one-page memorandum or a document hundreds of pages long.
Given this uncertainty, it should not be surprising that there is little agreement on the extent of overclassification. For over a decade the ISOO has estimated that between one and ten percent of all classified documents are unnecessarily classified.24 In 1995, a White Paper prepared by the DoD Inspector General concluded that the classification process at the DoD is "fundamentally sound" and that "the present size of classified holdings is not the result of too much information being needlessly classified."25 In contrast, a 1985 preliminary study prepared by the staff of two House subcommittees proposed a classification system in which "roughly nine-tenths of what is now classified" would no longer qualify for classification.26 More recently, former NSC Executive Secretary Rodney B. McDaniel estimated that only ten percent of classification was for "legitimate protection of secrets."27 Given the uncertainty surrounding the breadth of classification, however, efforts to quantify with any precision the extent of unnecessary classification not only may be futile, but are unlikely to help in understanding its causes or possible remedies.
It may be more meaningful to recognize that the perennial problem of unwarranted classification attests to the continued failure of classifiers to engage in a rigorous assessment of the need for classification. For instance, in seeking to protect information about certain weapons systems (the classification of which has been permitted under successive executive orders), many of the support functions associated with these systems, such as information concerning logistical and administrative support, have also been classified even though it was doubtful that their disclosure could have caused any damage to the national security. In the Commission's review of one intelligence agency's documents, a memorandum to employees of the agency describing an upcoming "family day" in which family members could visit the agency was classified Confidential because the person who signed the memorandum was under cover. By simply omitting the name of that individual, the memo would have been unclassified. The entire agenda for a Commission meeting at one intelligence agency was classified because one word--not crucial to the topic being discussed--revealed a classified relationship. At other meetings, Commission staff inquiries as to why certain briefing slides were classified were met with responses such as "I'm not sure," or "This is just the way we prepare our materials."
These exceptions aside, three years after the JSC report, risk management continues to be more of a goal than an operative philosophy guiding today's security decisions. The desire to avoid any and all possible loss too frequently continues to be the predominant approach to security in general and to classification management in particular. However, the JSC's proposal to apply risk management to the classification system by restructuring that system entirely is only one way to reform the system. Concentrating on the initial decision of whether or not to classify--the point at which classifiers decide whether to place the information in that three-tiered classification structure--holds greater potential for improving the classification process and reducing the amount of information classified than does restructuring the entire system.
Neither of the two steps for deciding whether or not to classify serves as a significant deterrent to unnecessary classification. Moreover, the emphasis on damage to the national security can contribute to unnecessary secrecy. Although some agencies, such as the Department of the Navy (see box), have gone beyond these criteria, the vast majority of classifiers still employ an approach that fails to reflect the magnitude of the decision to classify. Classifiers, instead, should consider a range of factors when making the decision to classify and, in so doing, undertake a more balanced analysis of whether classification is necessary. In this regard, the Commission seeks to build on the 1995 report of the National Research Council which, in its review of the classification and declassification practices of the DoE, recommended that before such decisions are made, "the benefits of classification [must] clearly outweigh the costs."28
Such factors could be considered when original classification decisions are made, during the preparation of classification guides, and when derivative classifiers find themselves in situations where guidance is unclear.
Considering these factors could lead an official to conclude that while information may fall within one of the specified categories eligible for classification and might cause damage to the national security if disclosed, the actual threat to that information or likelihood of compromise may be so low or nonexistent that classification is not necessary. The costs of protecting a particular piece of information may be so high that they outweigh the possible advantages to be gained from its protection. In other cases, the sensitivity of information, or its value to the national security, may be so great that protection--no matter the cost--would be warranted.
Introducing these additional factors into the classification decisionmaking process may, in some cases, make this initial decision somewhat more difficult. However, given the long-term implications of the initial decision, a more deliberative process is necessary. This should allow for a more efficient use of classification in the short-term and lead to savings in both time and resources in subsequent reviews for downgrading or declassification.
The consideration of additional factors should not be viewed as an invitation to embark on intensive efforts to quantify these factors into complicated mathematical formulas or intricate computer programs. Patterned after the National Research Council's call for costs and benefits of secrecy at the DoE to be considered in their "broadest sense," the Commission believes that simply having to think more about whether classification is necessary may cause classifiers to give their decisions greater care--a process that should lead to more reasoned classification and may, in many cases, lead to less classification.29
The Commission recommends that classification decisions, including the establishment of special access programs, no longer be based solely on damage to the national security. Additional factors, such as the cost of protection, vulnerability, threat, risk, value of the information, and public benefit from release, could also be considered when making classification decisions.
Under the SPB umbrella, many areas of security policy, such as personnel security, are coordinated more effectively than before. Representatives from various agencies now have a common venue to discuss matters of mutual concern. In contrast, however, responsibility for developing, implementing, and overseeing classification and declassification policies prescribed by executive order is not clearly defined, and is fragmented between the SPB and the ISOO. Less than a year after the SPB was created, Executive Order 12958 continued the practice of charging the ISOO with not only overseeing agency classification and declassification practices, but with leading "interagency meetings to discuss matters pertaining" to the Order--in other words, classification policy. In an effort to deal with this jurisdictional overlap, the ISOO Director serves as chair of the SPB's Classification Management Committee, a group which also serves as an advisory committee to the ISOO.
Officials of both the ISOO and the SPB acknowledge that this arrangement has been far from satisfactory and, on numerous occasions, has worked to the detriment of timely and coherent information security policy. For example, confusion over the roles of the two organizations resulted in some disagreement over the extent to which the SPB could influence the specifics of the directive implementing Executive Order 12958, a directive the President tasked to the ISOO. In addition, there was intense debate between the ISOO and the SPB staff over the degree to which agencies could "opt out" of certain provisions of the Order's safeguarding directive (laying out how agencies are to physically protect classified information), for which the SPB is responsible. Concerns raised by the ISOO were overruled, and member agencies moved to exempt themselves unilaterally from parts of the directive.
Nor are these problems restricted to the classification management arena. Significant problems remain with regard to the SPB's overall functioning. The SPB has failed to make meaningful progress on several key issues, such as developing an effective framework for applying (or even a workable definition of) risk management principles to security decisions, as well as implementing JSC recommendations to standardize the security rules applicable to special access programs. Despite this, several monthly meetings of the Security Policy Forum have been canceled because there reportedly were an insufficient number of agenda items or no substantive issues ready for decisionmaking.
In addition, the SPB's plethora of committees and working groups has left the early crucial stages of policy development in the hands of less-senior representatives who may not even be aware of the positions advocated by the agencies' more senior officials. Indeed, these representatives have at times spent months negotiating consensus products, only to have these overturned by their own senior management at higher levels within the SPB structure. Moreover, the fact that the SPB staff, which also plays an influential role in policy development, is detailed from and will return to the very agencies affected by these policies is yet another example of how difficult it is for the SPB to represent anything more than the collective will of the government security bureaucracy.
With the exception of the access granted to the Commission staff, the SPB process remains largely isolated from outside observers. Because there is the potential that information of a classified nature may arise, meetings at all levels of the SPB structure are usually held in secure facilities, requiring attendees to possess security clearances. As a result, while certain industry group representatives with clearances have been permitted to attend meetings, other nongovernmental representatives without clearances cannot. Although a draft legal opinion by the Justice Department has affirmed this practice, the result is that policies developed within the SPB are debated and promulgated out of view of the public and of the Congress. All of this directly contradicts the JSC's vision of an organization that would "provide a focal point for Congressional and public inquiries regarding security policy or its applications."
Nor are the two entities that were designed explicitly to serve as venues for public input to the policymaking process actually doing so. In the same directive that established the SPB, the President (as the JSC recommended) created a five-member Security Policy Advisory Board to provide ongoing "non-governmental and public interest" input into the SPB process. More than two years later, however, only three positions have been filled, and there appears to be no active effort to fill the remaining two. Moreover, while these individuals carry impressive credentials, all come from government security and intelligence backgrounds. In addition, the Advisory Board deals only with issues referred to it by the SPB. Similarly, although an Information Security Policy Advisory Council (ISPAC) was created under Executive Order 12958 to "advise the President" on the policies contained in the Order, over a year and a half later none of the Council's seven seats have been filled, no meetings have been held, and none are expected for the foreseeable future.
The potential consequences of the SPB's failure to pursue its oversight obligations, however, have been mitigated by the ISOO's continued activity in this area. As directed by Executive Order 12958, the ISOO continues to oversee agency classification practices. The ISOO has achieved some success, notwithstanding its limited resources and personnel and the fact that it has been shuffled among three different agencies in as many years.31 Although questions have emerged concerning its ability to act independently of its new parent agency, the National Archives and Records Administration, the ISOO has remained independent of the agencies generating the bulk of classified information.
Given all of the above, it is not surprising that the ISOO's own Director has characterized its work as "overseeing agency oversight."32 Yet the absence of more aggressive oversight by the ISOO may simply be an acknowledgment of its inability to enforce agency compliance with established rules. Although the ISOO has always possessed the authority to report on improper classification, acting on those reports remains the prerogative of the agencies themselves. In fact, while the ISOO often has been able to resolve disagreements by working with agencies, only once has it issued a formal report on abuse of classification to an agency.
Instead, the ISOO has directed much of its effort to describing agency classification practices in its annual report. This report has evolved significantly in recent years to include an array of statistical data on classification and declassification activity and, as of 1995, the costs associated with classification. Yet even this report, which is the ISOO's primary oversight tool, is widely considered within agencies to be more of an externally-imposed requirement than a helpful internal management tool--a point that has been confirmed by the ISOO Director himself. In addition, several agencies admit to doing little to ensure the accuracy of the data they report, further calling into question the value of these annual reports in their present form.
There are certain prerequisites if policymaking and oversight in this area are to succeed. With respect to policymaking, any specific rules promulgated by the Executive Branch need to comply with the key principles of the statute and must not be solely the product of the implementing agencies. While agencies should be allowed to contribute to the development of these rules, final authority must reside elsewhere, in a forward-thinking body of innovative members engaged in continual reassessment of the appropriateness and effectiveness of these policies. Recognizing the critical role of staff in such an organization, this body would benefit immeasurably from a permanent staff with the necessary expertise and independence from affected agencies.
The policymaking process must also become more open. Only on the rarest of occasions when classified information must be discussed should representatives of outside organizations be prohibited from attending. In addition, the President should work to fill the remaining positions on the Security Policy Advisory Board with individuals who would bring the "non-governmental and public interest perspective" that the President intended the Advisory Board to provide. Likewise, the President should promptly appoint the Information Security Policy Advisory Council so that it may begin to advise the President on Executive Order 12958.
Oversight should be the responsibility of a strong and active organization, independent of the agencies that classify, perhaps modeled after agency inspectors general offices. To be truly effective, such an organization should also possess the means to compel agency compliance with established policies. One possibility would be to empower it with some form of limited budgetary authority--such as the review and certification of agencies' expenditures for classification and declassification activities before they are submitted to the Office of Management and Budget (OMB). A greater willingness on the part of both the National Security Council and OMB officials to question the classification of the documents they receive could provide an additional incentive for senior agency officials to address classification matters more seriously. Equally critical is that such a body have adequate resources, whether through a budget line item or the reallocation of resources from the principal classifying agencies.
The Commission believes that classification and declassification policy and oversight should not be viewed solely as security matters. Instead, they should be viewed primarily as information management issues which require personnel with subject matter and records management expertise. In addition, classification and declassification are unique in that, unlike many security issues, they profoundly affect numerous individuals and organizations outside the Government.
Under the statutory approach recommended in Chapter I, the President would retain the authority to establish policymaking and oversight mechanisms to fulfill the basic principles of the legislation. Therefore, the Commission envisions that this recommendation could be achieved by an executive order modifying either Executive Order 12958 (which sets out the responsibilities of the ISOO) or Presidential Decision Directive 29 (which sets out the responsibilities of the SPB), or both.
The Commission recommends that responsibility for classification and declassification policy development and oversight be assigned to a single Executive Branch body, designated by the President and independent of the agencies that classify. This entity should have sufficient resources and be empowered to carry out oversight of agency practices and to develop policy. Based on its oversight findings, this body would then make recommendations for policy and implementation of classification and declassification issues directly to the National Security Council. The Security Policy Board would have an opportunity to comment on these policy recommendations through the NSC process.
Agencies are now required by Executive Order 12958 to institute ongoing self-inspection programs, including the periodic review and assessment of their classified product. Under the Order's implementing directive, however, such reviews are only one of several options that agencies "may include" in their program. Many agencies still fail to devote sufficient resources and personnel to reviewing their own practices and classified product. In contrast, the recently developed Information Management Audit and Improvement Program at the CIA serves as a model for how to implement an oversight program. Following audits to evaluate compliance with classification and records management policies, auditors intend to work with staff in a non-punitive manner to improve compliance. Citing the "many benefits" they provide, the ISOO has pointed out that "document reviews highlight an individual agency's performance in classifying and marking documents and suggest areas in need of improvement."34
Each agency with the authority to classify would benefit from an established program, subject to minimum Executive Branch standards, for regular evaluations of its classification and declassification decisions, including the review of representative samples of agency classified materials. Such evaluation programs would help foster a nonpunitive approach to improving the quality of classification decisions. Improved agency evaluations, which could be implemented by an agency ombudsman (as suggested in Chapter III), could serve as the basis for outside review of an agency's classification program. In addition, a greater willingness on the part of agency executive secretaries to question the classification assignments of the documents they receive could provide an additional incentive for personnel throughout those agencies to classify properly.
To improve existing practices, senior officials across all the agencies that classify must exert greater leadership and make it clear to subordinates that reducing secrecy, consistent with national security concerns, is a priority. Policies that either implicitly or explicitly encourage classification without much thought to the consequences of that decision must give way to those that encourage a more balanced consideration of the need for secrecy. Those who classify must be instructed and then evaluated on how they approach their classification responsibilities. Classifiers must be aware that classification means that resources will be spent throughout the information's life cycle to protect, distribute, and limit access to information that would be unnecessary if the information were not classified. The tools designed to assist those classifiers, including classification guides, must be readily available and reflect current national security realities. Underlying all these reforms is the need for a more stable and consistent classification regime, which over fifty years of Executive Branch regulation has been unable to provide.
The age-old struggle to find the proper equilibrium between the need for secrecy in certain instances and the need for open government will by no means end with this Commission. Still, the proposals set out above have the potential to reorient the secrecy system to reflect the fact that reducing secrecy and protecting core national secrets are not exclusive of, but instead dependent upon, one another.
1 The President has designated the following 29 officials (including himself) as having the authority to classify originally: Vice President, Chief of Staff to the President, Director of OMB, National Security Advisor, Director of the Office of National Drug Control Policy, Chairman of the President's Foreign Intelligence Advisory Board; Secretaries of State, Treasury, Defense, Army, Navy, Air Force, Energy, Commerce, and Transportation; Attorney General; Chairman of the Nuclear Regulatory Commission, Director of the Arms Control and Disarmament Agency, Director of Central Intelligence, Administrator of the National Aeronautics and Space Administration, Director of the Federal Emergency Management Agency, U.S. Trade Representative, Chairman of the Council of Economic Advisors, Director of the Office of Science and Technology Policy, Administrator of the Agency for International Development, Director of the U.S. Information Agency, President of the Export-Import Bank of the United States, and the President of Overseas Private Investment Corporation; and Information Security Oversight Office, 1995 Report to the President (Washington, D.C.: Information Security Oversight Office, 1996), 16.
2 New York Times Co. v. United States, 403 U.S. 713, 729 (1971) (concurring opinion).
3 Peter Hernon, "Information Life Cycle: Its Place in the Management of U.S. Government Information Resources," Government Information Quarterly 11, no. 2 (1994): 147, quoting General Services Administration, Information Resources Management Service, Applying Technology to Record Systems: A Media Guideline (Washington, D.C.: May 1993), 45.
4 National Archives and Records Administration, Draft "Requirements for Electronic Recordkeeping in the Office Environment" (College Park: National Archives and Records Administration, 1996), 4.
5 Joint Security Commission, Redefining Security (Washington, D.C.: 1994), 5.
6 Commission on the Roles and Capabilities of the United States Intelligence Community, Preparing for the 21st Century: An Appraisal of U.S. Intelligence (Washington, D.C.: Government Printing Office, 1995), 88.
7 National Academy of Sciences Panel on DoE Declassification Policy and Practice, Committee on International Security and Arms Control, Review of the Department of Energy's Response to the Recommendations in the National Research Council Study of DoE Declassification Policy and Practice (Washington, D.C.: National Academy of Sciences, July 1996), 15-21.
8 Meridian Corporation, Classification Policy Study (Washington, D.C.: Department of Energy, 4 July 1992), 56; National Research Council, A Review of the Department of Energy Classification Policy and Practice (Washington, D.C.: National Academy Press, 1995), 90; Department of Energy, Openness...Creating a Legacy: Fundamental Classification Policy Review, Draft Report for Public Comment (Washington, D.C.: Department of Energy, 2 February 1996), 22. In a 1996 follow-up to their 1995 report, the National Research Council explained that an additional problem with FRD is the difficulty of obtaining interagency agreement on which information is to be transclassified and declassified. According to the NRC, "relatively low-ranking staff members from other [non-DoE] agencies may be able to block proposed. . . actions for inappropriate reasons." (National Academy of Sciences Panel on DoE Declassification Policy and Practice, Committee on International Security and Arms Control, Review of the Department of Energy's Response, 9).
9 National Research Council, A Review of the Department of Energy Classification Policy and Practices, 48.
10 Averages for years 1990-1995, as reported by the Information Security Oversight Office.
11 Among the first was the 1957 Commission on Government Security, which called for the outright abolition of the Confidential level (The Commission on Government Security, Report of the Commission on Government Security [Washington, D.C.: Government Printing Office, 1957], 176). Although it did not call for its abolition, the 1970 Seitz Task Force called the Confidential level "probably useless" as applied at the time to research and development (Defense Science Board, Task Force on Secrecy, Report of the Defense Science Board: Task Force on Secrecy [Washington, D.C.: Office of the Director of Defense Research and Engineering, 1 July 1970], 10). The initial draft of what would later become Executive Order 12958 also eliminated the Confidential level. However, it was retained out of concerns that (1) the military services, which use a great deal of Confidential information, would be forced to spend enormous sums of money replacing safes so that the information could be protected at the Secret level, and (2) doing so could jeopardize prior or pending prosecutions under the Espionage Act.
12 The 1957 Commission on Government Security pointed out disagreement over how effectively the need-to-know principle was being implemented (Commission on Government Security, Report of the Commission on Government Security, 313). By 1984, ISOO found "widespread indifference" to the principle (Information Security Oversight Office, Annual Report to the President for FY 1984 [Washington, D.C.: Information Security Oversight Office, 1985], 23). In 1994 the Joint Security Commission stated that the classification system "does not adequately enforce the 'need-to-know' principle" (Joint Security Commission, Redefining Security, 8).
13 Controlled Access Program Oversight Committee (CAPOC), Community Management Staff official, interview by Commission staff, June 1996; Office of the Under Secretary of Defense for Policy Support officials, interview by Commission staff, June 1996.
14 This Commission requested information from all thirteen Cabinet-level departments and 34 agencies thought most likely to generate sensitive unclassified information. Of the twelve departments and 32 agencies that responded, nine departments and 30 agencies stated that they generate such information.
15 Office of the Assistant Deputy to the Under Secretary of Defense (Policy) for Policy Support officials, interview by Commission staff, 22 May 1996.
16 A 1956 report commissioned by the Secretary of Defense recommended that DoD reduce the number of individuals with the authority to classify information as Top Secret (Department of Defense, Committee on Classified Information, Report to the Secretary of Defense by the Committee on Classified Information [Washington, D.C.: Department of Defense, 8 November 1956], 6). The 1985 Stilwell Commission report called for "further reductions" in the number of Original Classification Authorities at the Department of Defense (The Commission to Review DoD Security Policies and Practices, Keeping the Nation's Secrets: A Report to the Secretary of Defense by the Commission to Review DoD Security Policies and Practices [Washington, D.C.: Department of Defense, 1985], 49).
17 Information Security Oversight Office, 1995 Report to the President, 11.
18 Average for years 1990-1995, as reported by the Information Security Oversight Office.
19 Information Security Oversight Office official, interview by Commission staff, June 1996.
20 The General Accounting Office first stated in 1979 that the practice of allowing personnel to classify derivatively through the use of guides "seriously weakens control over the classification process because it allows thousands of individuals who are not designated as classifiers to be involved in the process without being personally accountable" (General Accounting Office, Improved Executive Branch Oversight Needed for the Government's National Security Information Classification Program, LCD-78-125 [Washington, D.C.: General Accounting Office, 9 March 1979], iv).
21 Steven Garfinkel, letter to Chairman Lee Hamilton, Subcommittee on Europe and the Middle East, Committee on Foreign Affairs, Washington, D.C., 4 August 1989. The letter responded to inquiries by Chairman Hamilton concerning the operation of the classification system.
22 Morton Halperin, meeting with Commission staff, 19 October 1995.
23 The Joint Security Commission argued that a "less complicated system can help correct the current approach that has led to classifying too much at too high a level and for too long" (Redefining Security, 10).
24 Steven Garfinkel, Director, Information Security Oversight Office, stated at a May 5, 1982, congressional hearing that "about 5 percent of the documents [ISOO] review[s] clearly don't merit classification" (House Committee on Government Operations, Security Classification Policy and Executive Order 12356, Committee on Government Operations, 97th Cong., 2d sess., 12 August 1982, 44). In 1992 ISOO reported that its review of nearly 11,000 classified documents revealed that only 1.5 percent should not have been classified, and the need for another 1.7 percent was "questionable" (Information Security Oversight Office, Report to the President for FY 1992 [Washington, D.C.: Information Security Oversight Office, 1993], 9). In 1996 Director Garfinkel stated to Commission staff that the problem of unnecessary classification ranges between 5 and 10 percent "at most" (interview by Commission staff, 15 May 1996).
25 Inspector General, Department of Defense, White Paper: Classification and Declassification Within the Department of Defense (Washington, D.C.: Department of Defense, May 1995), letter of transmittal and page i.
26 Subcommittee on Civil and Constitutional Rights, House Committee on the Judiciary and Subcommittee on Civil Service, Committee on Post Office and Civil Service, Preliminary Joint Staff Study on the Protection of National Secrets, 48.
27 Thomas P. Coakley, ed., C3I: Issues of Command and Control (Washington, D.C.: National Defense University Press, 1991), 94.
28 National Research Council, A Review of the Department of Energy Classification Policy and Practices, 89.
29 National Academy of Sciences, A Review of the Department of Energy's Response, 6.
30 President, Presidential Decision Directive 29, "Security Policy Coordination" (15 September 1994), 2.
31 When created by President Carter's Executive Order 12065, the ISOO was placed within the General Services Administration and received general policy direction from the National Security Council. In FY 1995, the ISOO was moved to the Office of Management and Budget (OMB) as a result of an attempt within Congress to place the office within the NSC--a move that sparked concerns that the ISOO's oversight activities would conflict with the NSC's policymaking role. However, some OMB officials strongly opposed having the ISOO based within the OMB, and Congress in turn transferred the ISOO to NARA beginning in FY 1996. During FY 1996, the ISOO operated on funds earmarked for NARA, which did not receive any additional appropriation to accommodate the ISOO's activities.
32 Steven Garfinkel, telephone conversation with Commission staff, August 1996.
33 The three most recent executive orders on classification (Executive Orders 12065, 12356, and 12958) highlight this particularly well. All three orders directed agencies to establish security education and/or training programs to ensure their implementation, but none specified that classification management (to be distinguished from security generally) be included in this training.
34 Information Security Oversight Office, Annual Report for FY 1992 (Washington, D.C.: Information Security Oversight Office, 1993), 4.