Photo courtesy of the National Reconnaissance Office
Executive Order 13526, “Classified National Security Information” and its two predecessors established specific, time-based declassification requirements for all national security agencies. Despite these identical mandates, a Government-wide approach to declassification remains elusive. Separate agency declassification programs evolved into a segmented declassification system where each agency reviewed its information and attempted to identify any classified information created by other agencies. Agencies are required to perform the same tasks, such as completing automatic, systematic, and mandatory declassification reviews, yet their design and implementation of these requirements are disintegrated and lack interoperability, resulting in inefficient inter-agency coordination.. The declassification system has become increasingly inefficient and complex. Accordingly, the public has become increasingly frustrated and confused by what it encounters when trying to navigate the labyrinth of agency programs.
Declassification performs a service crucial to democratic society, informing citizens and promoting responsible dialogue between the public and Government. There are significant policy benefits from declassification that can aid national security decisions and diplomacy. Declassification is a valuable information sharing tool, particularly when information holders must partner with stakeholders outside the intelligence and defense communities. Information may be the newest and most important policy tool of the modern era, with declassification during operations offering a strategic advantage. Public release not only makes policymakers accountable for their decisions and actions; it also affords agencies the opportunity to correct misinformation in the public domain and bolster their position in current debates.
One of the main recommendations found in the Board’s 2008 Report to the President on Improving Declassification included the recommendation of creating a center dedicated to declassification. The center would focus not only on processing the huge paper backlog of records at the National Archives, but would also work to improve the declassification system across government to make it more efficient and effective for users. The result of this recommendation was the establishment of the National Declassification Center, which has accomplished a great deal in tackling the immense 366 million page backlog of records. However, many documents still await declassification review. The NDC’s efforts are often stymied by the needlessly redundant and burdensome referral process, as well as the refusal by agencies to appropriately manage risk.
For these reasons, the Board recommends the President bolster the authority and capacity of the National Declassification Center with specific measures to advance a government-wide declassification strategy.
Specifically, Executive Order 13526 should be amended to eliminate the additional three years now permitted for review of multiple agency equities in all archival records (including those stored outside the NDC). The requirement of agencies to share declassification guidance with other classifying agencies and the NDC should be strengthened. Retention of agency declassification authority should be contingent upon sharing agency guidance. The President should direct Agencies to consult the NDC before prioritizing their records for declassification and transfer to the National Archives. The Interagency National Declassification Center Advisory Panel (NAP) should have representation from the public, including representation from the Government Openness advocacy community. An inter-agency effort to develop new declassification review processes should be coordinated by the NDC and be based on a risk management approach.
Without dramatic improvement in the declassification process, the rate at which classified records are being created will drive an exponential growth in the archival backlog of classified records awaiting declassification, and public access to the nation’s history will deteriorate further. It is am imperative that the NDC continue its leading role in working with agencies and the public to collaboratively look for new technological solutions, rooted in updated policies and practices, that tackle the growing volumes of information, particularly digital information, that await declassification review.
Photograph courtesy of the National Archives
“It is time to reexamine the long-standing tension between secrecy and openness, and develop a new way of thinking about government secrecy as we move into the next century.” -Report of the Commission on Protecting and Reducing Government Secrecy, 1997, Senate Document 105-2, Public Law 236.
Document Courtesy of the National Security Agency
After extensive research and discussions with stakeholders in and outside Government, the Board has concluded that the current classification system is too antiquated to fully support today’s national security mission. The system keeps too many secrets, and keeps them too long. Its practices are overly complex, and serve to obstruct desirable information sharing inside of government and with the public. There are many explanations for over-classification: much classification occurs essentially automatically; criteria and agency guidance have not kept pace with the information explosion; and despite numerous Presidential orders to refrain from unwarranted classification, a culture persists that defaults to the avoidance of risk rather than its proper management.
To partially address the concerns of excessive classification, we recommend that classification be simplified and rationalized by placing national security information in only two categories. This would allow proper alignment with the actual two-tiered practices existing throughout most of government for information protection security clearances, physical safeguarding, and information system accreditation.
Top Secret would remain the Higher-Level category, retaining its current, high level of protection. All other classified information would be categorized at a Lower-Level, which would follow standards for a lower level of protection. Both categories would include compartmented and special access information, as they do today.
Newly established criteria for classifying information in the two tiers would identify the needed levels of protection against disclosure of the information. Identifiable risk should be the basis for determining if a level of protection is needed and if classification is warranted and, if so, at what level and duration.
The difficulty of applying the current concept of presumed “damage” during derivative classification would be replaced by a more concrete application of the level of protection necessary for sharing and protecting. This change in guidance would reflect how classification is actually practiced by derivative classifiers – deciding how much protection is needed based on the sensitivity of the information to both protect and share appropriately.
We understand that the adoption of a two-tiered model will pose greater challenges for those agencies whose internal practices are more dependent upon current distinctions between Secret and Confidential. We are not advocating for simply eliminating the Confidential category of classification, thereby exacerbating problems of over-classification in the system. Rather, we believe the adoption of a two-tiered model would align the classification system to what is actually occurring in practice throughout Government. Confidential information is safeguarded on Secret-level systems. The Lower-level of classification in the two-tiers will be defined by the appropriate levels of protection needed to ensure the classified information may be secured and shared appropriately. Guidance must be updated and longstanding practices of rote classification in the current system must be redesigned to make classifiers re-think deep-rooted cultural biases that favor classification and instead choose not to classify in the first instance unless a risk assessment proves protection is needed.
The Public Interest Declassification Board will host an open meeting on Thursday, December 6, 2012 to discuss its recommendations to the President on Transforming the Security Classification System. The full Report to the President will be published online on December 6th at http://www.archives.gov/declassification/pidb. The meeting will focus on the Board’s fourteen recommendations for transformation. The recommendations center on the need for new policies for classifying information, new processes for declassifying information, and the imperative for using and integrating technology into these processes. Press and media are welcome to attend.
When: Thursday, December 6, 2012 from 9:00 a.m. – 10:30 a.m.
Doors Open: 8:45 a.m.
Where: The Archivist’s Reception Room, Room 105 in the National Archives Building
Address: 700 Pennsylvania Avenue, NW, Washington, D.C.
(Note: Attendees must enter through the Pennsylvania Avenue entrance.)
Space is limited and attendees must register via email@example.com; provide your name and professional affiliation (if applicable). You will receive a confirmation e-mail from the Public Interest Declassification Board staff confirming your reservation. Please note that one form of Government-issued photo identification (e.g. driver’s license) is required to gain admittance.
In anticipation of the report’s release, today the Board will re-engage its followers by re-opening its blog, Transforming Classification, where it will post summaries of some of the key recommendations in the report. Be sure to stay connected to the Board’s activities and look for more information about the Board on its website: http://www.archives.gov/declassification/pidb.
The Public Interest Declassification Board is pleased to announce the completion of its report, Transforming the Security Classification System. The President asked that we study the security classification system and make recommendations for its transformation to better meet the needs of users in the digital age.
The report will be released to the public on the Board’s website on Thursday, December 6, 2012.
The Board consulted extensively with experts from the Government Openness advocacy community, civil society and transparency groups, archival researchers, and technologists and solicited opinions from distinguished civil servants, Executive department and agency officials and the Congress. Our efforts were designed to gain a broad perspective on issues confronting the classification system and led to the fourteen core recommendations in this report.
The classification system exists to protect national security, but its outdated design and implementation often hinders that mission. The system is compromised by over-classification and, not coincidentally, by increasing instances of unauthorized disclosures. This undermines the credibility of the classification system, blurs the focus on what truly requires protection, and fails to serve the public interest. Notwithstanding the best efforts of information security professionals, the current system is outmoded and unsustainable; transformation is not simply advisable but imperative.
We believe transformation will require a White House-led steering committee to drive reform, led by a chair that is carefully selected and appointed with specific authorities granted by the President. In anticipation of the report’s release, we will re-engage our followers by re-opening our blog, Transforming Classification, where we will post summaries of some of the key recommendations in the report beginning Monday, November 26, 2012. Be sure to stay connected to the Board’s activities and look for more information about the Board on our website: http://www.archives.gov/declassification/pidb.
Thank you for participating in the Transforming Classification Blog. The Blog is now closed for comments. The Board appreciates all of the comments and submissions that were received.
We will continue to evaluate the comments and submissions you posted on the blog as we consider what changes to make on how best to transform the classification system in response to the President’s request.
I read the PIDB papers as well as the submissions from the seven commentators. Rather than comment through a blog on each of the proposals, I decided to summarize my reactions and raise a few additional issues. I am numbering the paragraphs to make it easier to see the separate topics.
1. In general, I believe the Board is moving in the right direction. Certainly any transformation must be Janus-faced, just as archival systems are: looking forward to processes to be adopted in the future while finding new ways to deal with the legacy of past systems. The PIDB papers recognize that, although not always explicitly. The aim must be to reduce prospectively reduce the burden while reducing the backlog.
2. Looking forward, the promise of computer technology must be explored, including a process of continuous updating and recording the status of items or portions of items. The idea of a research laboratory somewhere, whether at NDC or in one of the agencies, is a good one. The CACI characterization of “self-declassifying documents” is a useful one to pursue. However, I think these techniques must be coupled with a greatly reduced scope of classification and therefore volume of classified items. The government needs to be very clear about what it really must protect and then do a serious job of managing those items.
3. One area that is not sufficiently explored in the papers is the problem of declassifying audiovisual and geographic material. While some of this could be tagged in the future technology system, it would likely require special handling, especially for streaming audio and video where the discrete parts are not obvious. In the past information in this format has been limited to a few specialized agencies, but it appears likely that many more agencies will use these systems in the future, whether satellite images for flood management, photos from video cams on a battlefield, or feeds to the White House during the Osama bin Laden raid.
4. Regularizing the declassification review of classified Congressional records is needed. The PIDB paper seems aimed exclusively at paper records, but any arrangement should include the full range of Congressional electronic and audiovisual records (such as video or audio of closed hearings) as well. And the availability of these records for FRUS compilers is a very important step.
5. Just as the PIDB is now looking at the legislative branch, it might be worth considering whether the judicial branch retains any classified records when a hearing involves the in-camera presentation. In particular, does the Foreign Intelligence Surveillance Court retain any classified items? If so, a process for declassifying those should also be considered.
6. Discretionary declassification and release of contemporary national security information is certainly possible, although in the past the costs have been considerable for entities like the JFK review board. Rather than set up a separate entity, Congress might give a mandatory instruction to NDC to undertake a specific project.
7. Simplifying the declassification process for historical records—Janus looking back—is essential. The PIDB paper has it just right: until the “ownership” question is solved, this referral system will stymie any other reform efforts. I favor the single centralized review option. I do not think agency training and manuals to be used by many different entities across the government, even if frequently repeated and updated, will be as effective as a single team that can be held accountable for its work.
8. The PIDB needs to address the issue of when and how the U.S. Government will protect the classified information of a foreign government. As I understand the system at present, if the information in a U.S. created item comes from a friendly government, the U.S. will consult that government and if it objects to the disclosure of the information, the U.S. will not overrule that government. This means that we vitiate our disclosure laws in favor of a stricter or more arbitrary regime in use in another country. A balance needs to be struck between the objections of a friendly power and the need for the U.S. to be the master of its own records and their disclosure
9. Another issue that needs to be solved is the problem of agencies not turning records over to the National Archives. Although the statue says that the Archivist can “direct and effect” the transfer of records over 30 years old (44 USC 2107(2)), there is no enforcement mechanism. The agencies routinely ignore the 30-year line, which means that even with a single declassification body for records in the Archives, agencies would still hold many records that include information with other equities. In theory the 30-year line could be enforced through an executive order, but those are so routinely ignored that legislation may be necessary. The Constitution Project’s proposed Historical Records Act could be a vehicle for this.
10. “Automatic” declassification at a 25-year line must have some opt-out procedures for information that truly must be kept secret for longer periods, such as information on the manufacture of weapons of mass destruction. But there also must be some final date at which all information can be open: a “don’t ask, don’t tell” rule for documents. Whether 50 years is long enough is debatable, but the debate needs to occur. The agencies must quit protecting documents such as the 200-year-old item that the NSA recently declassified. They need to turn over the original records (for non-electronic formats) not the duplicate copy that NSA sends while retaining the originals and not, as with the CIA’s two major reports on Guatemala 1954, sending NARA the still classified original while putting a declassified version on the CIA’s website. Furthermore, the records need to be sent in context; again, using NSA as an example, not a sending a selection of random documents (see the recent list which provides no context information) but instead transferring items in file units.
11. Certainly FRD must be reviewed on its merits not on the mere designation as FRD. Using the ISCAP process as described in the PIDB paper is a good idea. However, this should also be extended to RD information when it reaches 25 years of age. The principle must be that no information is withheld from the American people without review.
12. Finally, agencies need to understand that FOIA is an option for withholding information that does not require the information to be classified. It appears that some agencies think that the only way to withhold information is to classify it, ignoring the robust provisions of the FOIA.
Best wishes on the transformation of the system.
Trudy Huskamp Peterson
In order to induce a transformation of the national security classification system, the President should set a performance goal that will advance the desired transformation, and then mandate its achievement by executive branch agencies.
Instead of trying to specify each and every one of the policy and procedural changes needed for an effective transformation, this approach would seek to catalyze change by establishing a mandatory performance objective (or multiple objectives) and then requiring agencies to work out the necessary adjustments.
Several questions immediately arise. First, what is the desired transformation of the classification system that the current process seeks to promote?
My provisional answer to the question would be that the desired transformation should aim to achieve a classification system that has a reduced scope of application (i.e., fewer categories of secrets), a reduced volume of classification activity (less classification), and a reduced duration of classification. In order to best serve its national security purpose, the classification system should be “lean and mean,” not bloated and arbitrary. Its dimensions should be stable or shrinking, not perpetually growing.
What are the characteristics of a performance goal that would help to catalyze a change in classification policy?
Any performance goal that is selected should be intrinsically significant, not abstract or merely procedural. It should be worthwhile as a policy objective in its own right in order to justify and propel the desired changes in current classification policy and practice. And yet it should be reasonably achievable right now or in the near term. Vague or idealized conceptions or labor-intensive proposals that have no realistic chance of acceptance will not serve as effective catalysts.
What is a concrete example of such a performance goal?
One possible example would be a new requirement to publish a declassified documentary history of major U.S. national security policy decisions and actions no later than 25 years after the events they record, allowing for only the narrowest of exemptions. This publication would be analogous to the Foreign Relations of the United States series and to the Public Papers of the President in its professional quality and documentary character, but it would focus on publication of classified national security policy records that are to be newly declassified for this purpose.
As a performance goal for catalyzing transformation of the classification system, this proposal has several pertinent features:
First, the idea that the full record of U.S. national security policy should be regularly disclosed is an inherently powerful one that properly characterizes an open society. The nation should be able to take pride in routinely disclosing the records of its national security history, including even (or especially) shameful or problematic episodes, and airing them fully and publicly. This is a worthy objective independent of its potential for inducing transformation of classification policy– which is one of the things that make it a useful tool for purposes of catalyzing change.
Second, this proposal would engage and require the cooperation of the entire national security establishment, including its military, diplomatic and intelligence components. It would also sweep broadly across different record formats and types of media. To the extent that audio, video, and other records (including congressional records) formed an essential part of the national security record, they would be encompassed as well.
And third, the proposal is both feasible today and it is in significant tension with current classification and declassification policy, which means that it would require and inspire numerous changes in practice.
As noted above, the concept of a regular documentary record of national security policy is similar to the Foreign Relations of the United States (FRUS) series on foreign policy that is published by the U.S. State Department. But the FRUS production process is mired in administrative and classification disputes. It mainly serves a narrow constituency of diplomatic historians. It is far from meeting its goal of publishing records within 30 years of the recorded events. Agencies habitually disregard deadlines for reviewing documents for inclusion in FRUS, and they adhere to obsolete classification practices, such as censoring the amounts of half-century old intelligence budget figures.
By contrast, in the proposed initiative for a new documentary history of national security policy, most of those longstanding obstacles could be eliminated by presidential fiat. For example, the President could set new classification standards for this particular project, ordering that those 25 year old classified records that are deemed essential to a thorough, accurate and reliable account of U.S. national security history will be declassified unless they meet the narrow criteria that ordinarily permit 50 year old records to be exempted from declassification. This would mean that only information that would identify a confidential human intelligence source or reveal key design concepts for weapons of mass destruction could be withheld from publication in the new series. This step alone would drastically simplify the declassification review process by making most such reviews pointless and irrelevant. Also, the kind of missed deadlines that plague FRUS would be interpreted as concurrence by the reviewing agency.
In this way, the continuing production of an official record of national security history, vetted by professional historians (whether at the State Department or elsewhere), would have the catalytic potential to break the current logjam in production of the FRUS series and in declassification more broadly (with indirect but salutary effects on classification as well). It would generate a newly available series of permanently valuable record collections for the nation as a whole. While it would not constitute a transformation of the classification system all by itself, it would advance the process of modernizing and rationalizing classification policy, and would help to galvanize further changes.
Many other types of catalytic performance goals could be imagined and adopted. What is crucial is that they must trigger meaningful and measurable changes in classification and declassification practice in the near term.
Finally, I would like to reiterate the importance of the pending Fundamental Classification Guidance Review, which was mandated by the President in December 2009, and which must be completed by June 2012. If implemented in good faith, this process should both reduce the current scope of classification and diminish the future declassification burden. Nothing else on the near-term policy horizon has comparable transformative potential. But the Review process needs clearly articulated performance goals of its own, as well as active support, encouragement and leadership in order to succeed.
How We Got Here
In signing Executive Order 13526 – the 10th Executive Order on National Security Classification signed since Roosevelt’s Order in 1940 – President Obama also stated that he looks forward to “…reviewing recommendations from the study that the National Security Advisor will undertake in cooperation with the Public Interest Declassification Board to design a more fundamental transformation of the security classification system.”
Historians regard President Truman’s second Order, EO 10104, and President Clinton’s EO 12958 as sweeping changes to the national security classification system. Most significant of Truman’s changes was the indication that the Chief Executive was relying upon “authority vested in me by the Constitution and statutes, and as President of the United States.” Prior Orders had relied on statutes requiring the protection of military bases in the United States as the basis for classification. Also changed in Truman’s new Order was the first use of the term “national security” as the previous orders had been intended to protect only information related to “national defense.”
President Bill Clinton’s 1995 Order also included sweeping changes to classification. Most significantly it set a specific duration for classification allowing classification to expire, causing automatic declassification, rather than requiring that agencies conduct reviews to declassify information. Also included in this new order was reintroduction of the “balancing test” first introduced in EO 12065 by President Carter in 1978, a provision encouraging employees to challenge classification they believed inaccurate, and creation of the Interagency Security Classification Appeals Panel (ISCAP) as well as the Public Interest Declassification Board (PIDB). The Clinton Order also put tighter controls on the practice of reclassification of information that had been released to the public.
Much has changed in the years since the Roosevelt Order in 1940 issued during WW-II, but despite what has been regarded as “sweeping changes” the national security classification system in the US remains very much the same as it was in the 1950s.
A New Approach to Classified Information
I propose an approach where we start by defining the problem in the context of 2011 and write an entirely new solution without regard for any previous solutions or problems. We can’t continue to regard the world as paper created by typewriters. We also can’t view the world as two opposing sides in a conflict where there are only combatants and outsiders. Rigid conformance to standards based on military protocols and clearly defined roles and responsibilities must be exchanged for a system where essential elements of information are protected and other information is regarded as serving the purpose of our common defense.
No longer is our information structured along government organizational lines or pertaining to only governmental issues. The battles of the 21st Century are asymmetrical; the enemies are amorphous having no uniforms, no political boundaries, or common language. Our “side” of the battle is also not a uniformed army with trained, proven soldiers under the command of a single leader; instead we consist of military, government, private sector, state, local, tribal entities, foreign partners, and sometimes citizens. We simply can’t see classification as a tool to protect military secrets, intelligence and diplomatic affairs from everyone who is not part of the military, diplomatic or intelligence organizations. Our world has changed and we must change classification accordingly.
Terrorism is the result of extreme views manifested in violence with the intent of inflicting the greatest harm possible on every citizen of the United States and allied nations. These views are harbored by foreign citizens of a number of nations, by some American citizens, and by members of extremist factions of certain religions. Terrorists are not restrained behind international borders or organized in a recognizable fashion. They are free to move about the globe striking both our military and our citizens without any warning or notice.
Classified information prepared by the government for the government and distributed to only the government will not win the battles or serve the interests of our nation. At the same time our government has capabilities that can be lost in an instant if the information about those capabilities falls into the wrong hands. We are faced with a dilemma; do we hoard information that we painstakingly collected, knowing it will do no real good, or do we share the information knowing it will potentially be of only short term benefit as its eventual compromise means we will no longer obtain the same information without new techniques and means.
In 2011 we face challenges never envisioned in executive Orders since 1940. We’ve become increasingly aware of these challenges since 9/11/2001, but our framework for identifying information that requires protection and employing safeguards for that protection was designed during World War II and not changed fundamentally since then.
Current Classification Principles
A few core principles define the process for classification in the United States:
1) National Security: Although the definition has changed slightly over time, information subject to categorization and protection is limited to information pertaining to national defense, foreign relations, and since 2003 defense against transnational terrorism.
2) Vetting: Since at least the Eisenhower Order access to information that is marked as Confidential, Secret or Top Secret was restricted to individuals who have been vetted or “cleared” to one of those levels. Progressively more stringent investigation methods are used at each level with the intent of identifying any previous criminal behavior or other personality flaws that will potentially make the individual susceptible to coercion by foreign powers or prone to malfeasance or misfeasance leading to the compromise of the information the United States seeks to protect,
3) Levels: Information regarded as “classified” is placed in categories that are based on the sensitivity of that information. We have titled these categories “Confidential,” “Secret,” and “Top Secret” since the 1953 Eisenhower Order. We have never, however, defined clearly what damage, serious damage or exceptionally grave damage actually means. The lack of definition gives us the greatest flexibility in the current system and is also the single greatest flaw.
4) Safeguarding: For each of these levels of sensitivity a regimen of security safeguards is proscribed to help prevent individuals and adversaries who are not vetted from obtaining the categorized information. The required safeguards, like the vetting process, are progressively more stringent as the level of sensitivity increases. Other than provisions allowing waiver in the case of imminent loss of life, these standards must be firmly adhered to regardless of the volume of sensitive information.
Fundamental transformation may not be without significant wringing of hands by those accustomed to the system we’ve had since 1940, but we simply must change the way we protect and share information.
First, consider some core principles that may help define a new classification system:
Orders since 1953 have narrowly focused on information of military or foreign affairs significance as being classified. The current effort to define Controlled Unclassified Information is an attempt to embrace as important to the United States information about our infrastructure, vulnerabilities of our cities and our citizens, information that crosses the boundary between law enforcement and intelligence, and information that can be used to mount, or defend against, an attack in the United States. We are moving toward a standard our foreign allies have embraced many years ago for protection of information that is in the national interest.
With the President’s signing of Executive Order 13549 on CUI, the distinction between CUI and NSI is no longer a legal distinction regarding the power of the Executive, but rather steeped in the way that the classification system has evolved over the past 70 years. The emerging standards for the administration of CUI will likely involve categories of CUI, standards for who can have access, physical and technical security standards for protection of CUI, and standards for duration of control and procedures for decontrol of CUI. We have created a system in almost perfect parallel to the national security classification system, absent only some of the vestiges of the Cold War that are outdated and present weaknesses in the national security system we use today.
We must consider as a fundamental principle of a transformed classification system the need to embrace all information that requires some protection from immediate public disclosure as part of a single system of protections and safeguards.
A fundamental error made in 1940 and not corrected since is the principle that the vetting process used to validate the trustworthiness of individuals who protect sensitive information must be linked to the sensitivity level of each piece of classified information.
People are cleared at the Confidential, Secret or Top Secret level today. In practice there are really only two methods for vetting the people who are trusted with classified information. We should consider moving from three levels of vetting to just two and the ability to list those individuals who do not meet the standard for trust and confidence by the US government:
Trusted: Individuals needing routine access to sensitive information must be determined to be Trusted. To be regarded as trusted, these individuals should be free of criminal convictions or warrants and have had their bona fides verified by a competent authority. The process for hiring all military personnel, all US government civilian personnel, police, fire fighters, first responders, and those in positions requiring the public trust including elected officials must be considered a level of vetting that demonstrates a fundamental level of trust.
Highly Trusted: Individuals who need routine access to highly sensitive information must be determined to be highly trusted. These individuals must meet the standards for Trusted individuals and in addition must undergo a background investigation similar to today’s SSBI used for TS clearance and SCI access. Although not limited to US Government officials.
Excluded: Individuals who have exhibited behaviors that suggest an unacceptable risk of compromise to sensitive information may be listed as excluded from an ability to receive protected information. Only excluded individuals would be precluded from receiving classified information that they may need to do a job unless the information is judged to protect their life or the lives of others under their responsibility.
A key concept in this new approach is “routine access.” Information should always go to individuals who need the information to do their job. Non-routine access to any level of information may be given to individuals who are not either Trusted or Highly Trusted provided they are not on an Excluded list. A transformed classification system must be predicated on identifying information that requires protection from disclosure to adversaries and providing that information to anyone who can reasonably be trusted to use that information and protect it in an appropriate way.
Levels of Classification
For practical purposes there are only two levels of classification now that are tied to two types of employee vetting used by the US Government. Little if any distinction really exists between Confidential and Secret. These levels can easily be combined to a single level.
Particularly sensitive information is now protected as Top Secret and requires a distinctively greater vetting process. In a new model where routine access requires a higher level of trust, a two classification level system for information that is currently in the National Security Classification system would work.
Including aspects of the current process to codify Controlled Unclassified Information (CUI) should also be a part of the new system, particularly with its redefinition of national security to national interest.
Without paying any attention to what any new categories would be named or called, the concept of simplifying classification and including information currently in the CUI domain would look something like the model below:
We are in an electronic age managed under rules developed for paper documents. Access to electronic systems containing classified information requires that users be cleared and read-in to every level of information stored or processed on the system. This has led to the need for clearances and access to Special Access Programs in some cases to actually do unclassified work on a classified system. As a result the number of people cleared/accessed has risen dramatically actually putting at risk the information the system was designed to protect.
Safeguarding rules must also be changed to allow risk management. Systems containing a few documents at the lower levels of classification should not need to meet the more rigorous standards of systems that routinely store and process classified information. Likewise, systems with reasonable safeguards to keep users from accessing data not intended for them must not require that all users have the highest levels of trust.
Similarly, physical security standards for facilities storing hard copy or electronic classified information should also be flexible depending on the volume of data or information in any facility. Facilities holding only small amounts of low level information should be considered a low risk and meet less stringent safeguarding standards than facilities holding vast quantities of paper or electronic records containing sensitive information.
At the top tier there is still a need to identify very sensitive information that can be disseminated to a large number of people with a specific need to have the information, and provisions for some material to have significantly reduced access and additional safeguards.
The current system for Sensitive Compartmented Information (SCI) and Special Access Programs (SAP) has gotten out of control with little formal guidance for most control systems on what aspects of a program are really SCI and what aspects can be protected appropriately as collateral classified information.
Compartmentation at its core is risk management. When classified information is so fragile that exposure to a large number of trusted individuals would still lead to likely compromise of the information, dissemination is restricted to far fewer individuals who are individually approved for access. Compartmentation can also be used to reduce the risk of exposure by simply taking elements of a sensitive program and only allowing a very few individuals to have the entire scope of information.
Like a jigsaw puzzle, compartmentation is a means of protecting individual pieces. It’s the reverse of mosaic or compilation where individual pieces are carved out and given to some people and other pieces are given to other people and virtually nobody gets the whole picture.
We’ve lost that concept in current implementation when hundreds of thousands of people are briefed into a compartment for access to an IT system or when virtually all information about a program is compartmented exactly the same way.
To transform national security classification we simply must look at compartmentation and produce a single set of standards for its use that make sense and are faithful to the purposes for which compartmentation was designed.
We need a bold new approach that starts with a clean piece of paper. Our world has changed and the way we need to protect and share information has also changed. We can no longer look at the protection of information to safeguard our nation as only related to diplomatic negotiation and military strategy and operations.
Similarly the rigid rules for access to information that work well in a military environment, no longer apply. We must separate the elements of trust, sensitivity of information and safeguarding. Each has a purpose, but when these separate sets of rules are tied inextricably to one another the system is bound in a way that makes use of the information ineffective.
I propose we convene a new kind of Continental Congress where those individuals most familiar with the needs to protect and share information can work together to chart a new course for information protection that will work well in the 21st century.
In July 2009, The Constitution Project’s (TCP) bipartisan Liberty and Security Committee published a report entitled Reining in Excessive Secrecy: Recommendations for Reform of the Classification and Controlled Unclassified Information Systems. This report included fifteen specific recommendations to the Executive Branch and three specific recommendations for Congress, all designed to reform the classification regime. In December 2009, President Obama issued Executive Order 13526, and while this Executive Order incorporated some of TCP’s recommendations, the majority were not adopted at all or were not implemented fully. Further, to date, none of TCP’s legislative proposals have been implemented. Therefore, in response to the Public Interest Declassification Board’s (PIDB) request for proposals for transforming the classification system, TCP is submitting its original recommendations, updated to reflect what progress has been made to date and what more remains to be done.
A. RECOMMENDATIONS TO THE EXECUTIVE BRANCH
Endorse Presumption of Openness
1. As TCP noted in Reining in Excessive Secrecy, the executive orders governing classification have been amended over time to increase secrecy, often counter to the goals of openness and accountability. Executive Order 13526 represents a departure from this trend, but did not go far enough. As such, the President should amend the executive order, pledging accountability in the classification process. The order should establish a new framework for designating information with a presumption in favor of openness that limits classification only to information that must be protected to avoid harm to national security, with clear standards and procedures for proper classification.
2. TCP applauds the insertion of Section 1.1(b) in Executive Order 13526, which states that if “significant doubt” exists as to whether information needs to be classified, it should not be classified. However, this provision alone does not ensure adequate safe guards against over-classification. The order should include an affirmative presumption in favor of lower level classifications, or declassification, such that decisionmakers resolve any doubts (not just “significant” doubts) by applying the lower classification level or no classification.
3. TCP previously recommended that then Section 1.1(c), which creates a presumption that foreign government information is classified, should be eliminated. This provision (now contained in Section 1.1(d)) is still unnecessary because such information is already subject to classification as one of the categories noted in Section 1.4.
4. TCP continues to urge adoption of its previous recommendation that the order should clarify that information “may” be classified if standards are met, but that the classifier has discretion. Although Section 1.1(a) clearly states that for original classifications, information “may be originally classified under the terms of this order only if all of the following conditions are met,” this is undermined by the descriptions of available classification levels which include the term “shall.” Specifically, in Section 1.2(a), which sets forth the available classification levels, each category (i.e. Top Secret, Secret, and Confidential) should state that it “applies to” the described information, rather than that it “shall be applied to” such information.
5. TCP previously recommended there be an explicit prohibition on classifying material that does not meet the definitions of Top Secret, Secret, and Confidential outlined in Section 1.2. To date, no such prohibition exists and TCP urges its creation.
Weigh Public Interest in Classification/Declassification Decisions
6. TCP urges that its prior recommendation to require consideration of the public interest before information is classified should be implemented.
7. TCP continues to recommend that the government should be required to weigh the public value of the information in declassification decisions. Specifically, Section 3.1(d) of EO 13526 should be amended to delete the current first sentence and alter the next sentence so that it reads: “Information may continue to be classified only if the need to protect such information outweighs the public interest in disclosure of the information.” Also, Section 3.5(c) should be revised so that the first sentence is expanded as follows: “Agencies conducting a mandatory review for declassification shall declassify information that no longer meets the standards for classification under this order, or where the public interest in disclosure outweighs the need to protect the information.” In the second sentence of this section, “authorized and warranted” should be changed to “required,” so that the sentence would read “They shall release this information unless withholding is otherwise required under applicable law.”
Aid Sharing of National Security Information
8. To ensure national security information may be shared among the necessary parties, TCP again urges the government to create clear and effective processes for sharing classified information.
Provide Accountability and Limits on Classification
9. The Executive Order should explicitly prohibit abuse of classification markings. To date, no such prohibition has been put into place.
10. TCP also previously recommended that the timeframes for automatic declassification be decreased. Like its predecessor order, Section 1.5(b) of EO 13526 presently states that “[i]f the original classification authority cannot determine an earlier specific date or event for declassification,” information shall be automatically declassified after 10 years, unless the sensitivity of the information requires longer classification, in which case it shall be automatically declassified after a period up to 25 years. The lower time limit of this automatic declassification range should be decreased from 10 years to 5 years, and the upper limit should be decreased from 25 years to 20 years.
11. The order should be amended to include more robust methods of systematization and improvement of the process for declassification of historical records and institute stricter standards for reclassification.
12. Contrary to TCP’s recommendation, EO 13526 did not decrease the time period for automatic declassification under Section 3.3 from 25 years down to 20 years, and TCP urges that this change should still be made. However, the order did strengthen the requirements for seeking an extension of this time period. TCP had recommended that Section 3.3(b) be amended so that an extension of the classification time period beyond 25 years should not be available if release of the information simply “could be expected to” result in one of various listed harmful results. TCP welcomes the revised standard, which permits an extension only when release of the information “should clearly and demonstrably be expected to” lead to the listed harmful results.
13. The existing classification order provides for “derivative classification” by personnel who are not required to possess original classification authority to “carry forward” the original classifications into summaries, discussions, and other documents that are created from or rely upon such classified material. While TCP is gratified that EO 13526 added Section 2.1(d), which imposes training requirements on personnel with derivative classification authority, since derivative classifications may be made by personnel who have less training and authority than original classifiers, the order should require greater oversight of the derivative classification process. Specifically, the order should require that derivative classifications must be reviewed and approved by a person with original classification authority within 5 years of the derivative classification marking in order to retain their classification.
14. TCP applauds EO 13526’s establishment of a Fundamental Classification Guidance Review. Nonetheless, despite this first step, TCP urges that the order should be amended to establish new mechanisms for oversight of the classification system to guarantee accountability and transparency. The order should be revised to strengthen the role of the Director of the Information Security Oversight Office (ISOO) by replacing “have the authority to” with “regularly” in the first sentence of Section 5.2(b)(4), so that that provision would read “regularly conduct on-site reviews of each agency’s program established under this order, and require of each agency those reports, information, and other cooperation that may be necessary to fulfill its responsibilities.” The order also should require regular audits and reporting by the Inspectors General (IGs) of each federal agency that maintains classified materials, or by some other external oversight authority.
Create Agency-Level Review of Classification
15. As noted above, TCP is gratified that EO 13526 established a Fundamental Classification Guidance Review. However, the current EO does not include sufficient public oversight. The review should be public and should include a public notice and comment period and publication in the Federal Register. The review should also have the explicit objective of reducing national security secrecy to the essential minimum and declassifying all information that has been classified without a valid national security justification, consistent with the declassification standards laid out above.
B. RECOMMENDATIONS TO CONGRESS
1. Provide Accountability and Limits on Classification by Passing Legislation to Limit Classification
It is vital that all branches of government come together to address the problems of over-classification and secrecy. The President should work with Congress to ensure passage of legislation designed to reduce over-classification.
2. Strengthen Congressional Oversight of the Classification Process
Congress should be rigorous in its oversight of the classification processes at each agency and at all levels of government. It should pass legislation designed to reduce over-classification.
3. Pass an Omnibus Historical Records Act
To increase government openness, Congress should pass an omnibus Historical Records Act that would accelerate declassification of historical records. This would ensure that historically significant information is declassified in a timely manner. The HRA would provide government transparency by decreasing unnecessary secrecy as well as increase public access to historical records.