INTRODUCTION
The first meeting of the Security Policy Advisory Board (SPAB) took place at the Institute for Defense Analysis on l9 August l996 at 0900 hours. General Larry Welch, USAF (Ret.) presided with Advisory Board members Ms. Nina Stewart and Rear Admiral Thomas Brooks, USN (Ret.) present. Also present were:
Peter Saderholm
Joseph Holthaus
Terry Thompson
Vicky LaBarre
Dan Jacobson
Betty Frazier
Gary Harris
Ricardo Cazessus
Peter Nelson
Martin Dougherty
Steven Garfinkel
Numerous members of the private sector attended and participated. In all, 35 individuals attended.
Mr. Thompson opened the meeting with an introduction of SPAB members and a statement describing the birth of the SPAB.
AGENDA ITEMS
A. Description of the Security Policy Advisory Board
General Welch described the purpose, scope, and function of the SPAB. The Board will function as an independent and non-government entity advising the National Security Council {NSC) and the President on security policy initiatives. Its meetings are open to the public and a primary function of the Board is to provide a conduit of communication between the public and the security policy community. Meetings will be held on a regular basis.
B. Review of Joint Security Commission Report (JSC)
General Welch discussed the origin of this new security policy process by reflecting on the JSC Report. He indicated that, at the time of the Commission, it was clear the security apparatus was in need of modernization. A changed world demanded security decisions based on actual threats and vulnerabilities rather than worst case scenarios, realistic costs associated with security regulation and risk management rather than risk avoidance. The basic principles enumerated by the Commission upon which all security management must rest are: "a.) The government's security policies must realistically match the threats faced and be sufficiently flexible to facilitate change as the threats evolve; b.) The government's policies must be consistent and have the ability to allocate resources effectively; c.) The government's practices must result in the fair and equitable treatment of all Americans who guard the nation's security and; d.) The government's security policies must provide the security needed at an affordable price."
The General then discussed some areas examined and reported by the JSC. The Classification Management System, to include Special Access Programs and risk criteria, were thought to be very much in need of fundamental overhaul. Current, relevant threat assessments should be an integral element of any security evaluation and should be given higher priority. Risk management, rather than worst case scenarios, must form the basis for our decisions. The JSC invested a great deal of time in the personnel security arena and performed in-depth evaluations of investigations, adjudications, procedural rights of individuals, and polygraph. Physical, technical, and procedural security; protecting advanced technologies; the cost of security; and security awareness and training were also dealt with by the Commission.
General Welch then reviewed some of the summary findings of the Commission. Personnel security practices were found to vary widely from agency to agency; attention to information systems security was found lacking; the classification system classifies too much for too long; and there were thought to be too many layers of physical and technical security. He then focused on the pivotal recommendations to form the Security Policy Board (SPB), a permanent body to coordinate security policy throughout government, and the SPAB, an entity designed to provide a non-government, independent perspective to the security policy process.
C. Purpose of Organization of SPB
Mr. Thompson then introduced Mr. Saderholm, Director, SPB Staff, who discussed the purpose and organization of the SPB. He began by stating the first meeting of the SPB took place 27 September l994; four additional meetings have occurred since. This Board consists of ten Deputy Secretaries or their equivalent. The next level of the policy mechanism is the Security Policy Forum which is composed of 35 senior members of the government security community who regularly meet to discuss and recommend policy. To date, they have met on 12 occasions. There are five substantive working committees staffed largely by subject matter experts who begin the upward spiral of research for, and articulation of new security policies. They are supported by 21 different working groups.
Mr. Saderholm then reiterated the four basic principles of security policy mentioned by General Welch. He indicated that oversight and evaluation are critical ingredients in the policy process and now, for the first time, a mechanism to resolve the inevitable conflicts present in robust discussions of complex issues, a vote by senior policymakers, has been included. He also indicated that security policies must be rational and based on some form of data driven analysis. Those policies must then be applied uniformly and security officers must provide utility in the overall operation of any working unit.
Mr. Saderholm indicated the JSC report is still a living, breathing document and he reviewed some successes in its implementation. Executive Order (E.O.) 12958, dealing with the handling of classified information was approved by President Clinton on 17 April 1995. E.O. 12968, addressing access to classified information, was approved by the President on 2 August 1995. Implementing Directives pertinent to E.O. 12968 were crafted by the policy community and have been helpful in its initial stages of application. He mentioned reciprocity as a top priority and a concept which demands full participation and trust. Remaining challenges include attaching a greater emphasis to threat and risk management to include a "one stop shopping" concept for users.
At this juncture, General Welch inquired as to the lag that is often present between the policymaker's pronouncement and implementation. Mr. Saderholm replied that the current security policy mechanism is advisory to the NSC. The new security policies will only be fully enforced after they are approved by the White Mouse. At this time, several are awaiting the final step. Because most executive departments and agencies have participated in the policy formulation and approved the version forwarded to the White House, they have begun voluntary internal implementation.
D. Standardized Clearance Procedures
Mr. Thompson then introduced Mr. Peter Nelson, Deputy Director for Personnel Security, DoD/OASD/C3I, who discussed standardized clearance procedures. Mr. Nelson was the first Chairman of the Personnel Security Committee of the Security Policy Forum. Mr. Nelson stated E.O. 12968 directed the SPB to develop a common set of guidelines for determining access to classified information, including special access programs. Additionally the E.O. charged the Board with developing a set of common investigative standards. The adjudicative standards include 13 guidelines and require, as before, the application of the "whole person concept." No negative inference may be drawn based solely on sexual orientation and/or mental health counseling, while the input of credentialed medical professionals is required to evaluate drug, mental health, and alcohol issues. The primary purpose of this effort is to promote reciprocal acceptance of security clearances and access determinations throughout the government without resorting to costly and time-consuming file reviews and readjudications. These standards were approved by the SPB on 25 March 1996 and await Presidential approval.
Appeal standards have been redrawn under the auspices of E.O. 12968. Individuals who have had access eligibility revoked or denied are entitled to: a.) A written statement outlining the basis for the decision; b.) Documents upon which the denial or revocation is based; c.) The advice of counsel; d.) A reasonable opportunity to respond in writing and a review of the decision; e.) written notice and reasons for the result of the review; f.) Opportunity to appeal; and g.) Opportunity for a personal appearance. These procedures for due process now apply in the civilian arena and the contractor world except that a trial type hearing applies to contractor proceedings.
Investigative standards for access to classified information have been revised and updated. The revised Single Scope Background Investigation (SSBI) approved by the SPB is actually a variable scope investigation ranging from three years for neighborhood checks to ten years for local agency checks. Much of the findings were based on research performed by the Defense Personnel Security Research Center.
General Welch asked if this meant that we now have an SSBI acceptable to all government agencies. Mr. Nelson replied in the affirmative with the possible exception of specific Special Access Program requirements which are permitted additional criteria in E.O. 12968.
Admiral Brooks asked if a common data base exists to preclude the necessity of passing clearances. Mr. Nelson answered that is the objective and the DCII is in the process of linking with OPM data bases. At this time, however, a common data base does not exist. Mr. Saderholm stated that we have taken only the first step in that each agency has decided on a uniform process. Next, we will deal with the mechanical implementation of this decision. No funding has been allocated for this purpose at this time. Admiral Brooks asked where the directive authority lies to accomplish this and other tasks. Mr. Saderholm replied that such authority does not exist. A questioner from the audience then stated that, while he applauded this effort, the real problem lies in the area of special accesses. Admiral Brooks indicated a centralized data base could eliminate much of the duplication. Another questioner indicated that program managers seem to always want Program Access Requests and duplicative additional security processing.
E. Classification/Declassification
Mr. Thompson introduced Mr. Steven Garfinkel, Director, Information Security Oversight Office, who addressed the group on the classification/declassification issue. Mr. Garfinkel is also Chairman of the Classification Management Committee of the Security Policy Forum. Mr. Garfinkel stated the number of classified documents is substantially lower than several years ago. This may be due, in part, to the end of the.Cold War and the efforts of the JSC. He indicated a process inversion may also contribute to this decline. Classified information is now deemed to be automatically unclassified after a certain period unless the parent agencies take active measures to retain the information as classified. In effect, agencies must now allocate resources to keep information classified rather than investing effort in declassification.
Admiral Brooks asked after what period is information automatically declassified. Mr. Garfinkel responded, "25 years". He continued that infrastructure now exists in CIA, NSA, and NRO to tackle this problem. He also noted it can be an expensive process. General Welch asked Mr. Garfinkel to discuss the five year period for the initial declassification effort. Mr. Garfinkel indicated that the E.O. will be five years old in the year 2000 and the five year transition period will be completed at that point. At that time, information deemed as having historical significance, and at least 25 years old will be automatically declassified. Admiral Brooks asked about destruction of classified information. Mr. Garfinkel replied that intentional destruction of permanently valuable information is a crime. As a general proposition, it is held that classified information shall not be destroyed unless and until it undergoes an appropriate review. Ms. Stewart asked for the numbers of classified documents which exist today as compared to previous years. Mr. Garfinkel indicated he is presently not at liberty to divulge that information in a public forum because it is part of a special report prepared for the White House. He anticipates White House approval to do so in just a few weeks. Mr. Garfinkel also emphasized that initial classification decisions are now made more carefully and the classification process is being streamlined to accomplish greater efficiency in this area.
F. Financial Disclosure
Mr. Thompson then introduced Lieutenant Colonel Gary Harris, USAF, SPB Staff, who discussed the financial disclosure issue. Colonel Harris stated the Counterintelligence and Security Enhancement Act of 1994 mandated financial disclosure of those individuals with particularly sensitive classified accesses. The Act was further refined by E.O. 12968 which required the completion of a financial disclosure form by cleared persons having access to certain categories of information. Who is actually subject to the requirements of the E.O. is determined by the cognizant agency heads within a well defined framework of access. Estimates vary, but our initial projection calls for 50,000 to 70,000 filers. The fundamental purpose of financial disclosure and the filing of a form is to identify unexplained affluence. However, there are two fundamental approaches to the problem. The first is to provide investigators basic information about the existence and location of assets; the values of those assets need not be listed. The second is to provide some methodology to identify possible cases of unexplained affluence. In this context, the values of assets are important for they would be compared with other information, acquired either through investigation, review of public records, or both. To that end, the SPB met in March 1996 to approve a form originally crafted by the Personnel Security Committee. A lengthy discussion was held as to whether dollar amounts ought to be assigned by the filer; with one proposal being the use of ranges rather than specific amounts. A final format for this form has not yet been approved by the Board.
PUBLIC DISCUSSION
The floor was then opened up for discussion and public comment.
Mr. Don Fuqua, President of Aerospace Industries Association, asked to make a statement for the record. Speaking for the presidents of the Professional Services Council and the American Defense Preparedness Association, Mr. Fuqua indicated his Association expressed some reticence regarding the financial disclosure issue in a CODSIA letter to Anthony Lake, dated 29 June 1995. He summarized his Association's concerns in four points: a.) Completing financial disclosure forms entails a substantial burden on the filer; b.) The effort will be resource intensive; c.) Safeguarding the information promises to be problematic; and d.) There exists an intrinsic intrusiveness associated with this effort. Mr. Fuqua indicated he subsequently wrote another letter to the Chairman of the SPB. His organization remains concerned about safeguarding the information, the targeted populations and how and to whom the information will be submitted. He recommended a test run of any such form be conducted before full implementation.
Ms. Stewart asked if Mr. Fuqua's organization is opposed to the use of any form or would a simplified version suffice. Mr. Fuqua answered that it depended on the level of access i.e., particularly sensitive accesses might need to be handled somewhat differently as compared to less sensitive accesses. General Welch asked how the Association members might feel about providing access to their financial accounts in lieu of completing a form. Mr. Fuqua stated there would likely be less resistance to that idea. General Welch advised that, in the past, agencies have had great difficulty obtaining access to financial records. Mr. Fuqua stated the membership might be more forthcoming on that issue if they understood the information was tightly controlled. Colonel Harris added that. the E.O. also requires filers to complete a consent form to facilitate investigative access, but it can be used only in limited cases where espionage is suspected.
Mr. Thompson then introduced Dr. John Pustay, Executive Vice President of TASC, who wished to comment on financial disclosure. He indicated the policy may be less than rational and may have an adverse impact on recruiting. He is particularly concerned about the necessity for reporting financial assets of spouses and children and requested a thorough cost benefit analysis be conducted before moving forward "full throttle". General Welch added there exists a wide range of intrusiveness levels. He asked if there was a break line in terms of the contents of a form which would then provide a definition of an acceptable form. He also asked if Mr. Pustay would be more comfortable if no form were used. Mr. Pustay replied in the negative. Colonel Harris volunteered that the form provides an avenue for quick and easy explanation, as in the case of inheritance. Mr. Pustay indicated assets and liabilities are fluid and, consequently, difficult to track on a timely basis. An attendee volunteered that a major portion of the security community does not believe a form is necessary. General Welch indicated that in past instances, even if we uncovered indications of inappropriate wealth, this still did not guarantee access to follow up investigative data. Ms. Stewart indicated a discussion and revisiting of the issue at the most basic level, to include a cost benefit analysis, is a good idea.
Mr. Bernard Lamoureux, Lockheed-Martin, then endorsed the remarks of Messrs. Fuqua and Pustay. He indicated he is concerned about the numbers of employees who will be subject to the financial disclosure form, who in government will evaluate the information, and by what standards. He termed the emphasis on financial disclosure as an over reaction to the Ames case.
Admiral Brooks expressed a concern that a normal bureaucratic tendency to be on the "safe" side could require more and more individuals to complete a form.
ADJOURNMENT/NEXT MEETING
There were no further comments and Mr. Thompson closed the meeting by thanking the participants for their time and indicated the date and time of the next SPAB meeting will be announced in the Federal Register.