SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2011, Issue No. 2
January 4, 2011

Secrecy News Blog: http://www.fas.org/blog/secrecy/

TIGHTENING SECURITY IN THE "POST-WIKILEAKS" ERA

The Obama Administration is moving to increase the security of classified information in response to the massive leaks of classified documents to Wikileaks in recent months. The White House Office of Management and Budget yesterday issued a detailed memorandum elaborating on the requirement to conduct an initial assessment of agency information policies and to initiate remedial steps to tighten security. Agency assessments are to be completed by January 28.

The Wikileaks model for receiving and publishing classified documents exploits gaps in information security and takes advantage of weaknesses in security discipline. It therefore produces greater disclosure in open societies, where security is often lax and penalties for violations are relatively mild, than in closed societies. Within the U.S., the Wikileaks approach yields greater disclosure from those agencies where security is comparatively poor, such as the Army, than from agencies with more rigorous security practices, such as the CIA.

What this means is that Wikileaks is exercising a kind of evolutionary pressure on government agencies, and on the government as a whole, to ratchet up security in order to prevent wholesale compromises of classified information. If the Army becomes more like the CIA in its information security policies, or so the thinking goes, and if the U.S. becomes more like some foreign countries, then it should become less vulnerable to selective security breaches.

The government's response to this pressure from Wikileaks, which was entirely predictable, is evident in the new memorandum circulated by OMB, which calls on agencies to address "any perceived vulnerabilities, weaknesses, or gaps in automated systems in the post-WikiLeaks environment."

See "Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated Systems," Office of Management and Budget, January 3, 2011.

In an attachment to the OMB memo, the National Counterintelligence Executive and the Information Security Oversight Office provided an 11-page list of questions and requirements that agencies are supposed to use in preparing their security self-assessment. "If your agency does not have any of the required programs/processes listed, you should establish them."

Agencies are asked to "deter, detect, and defend against employee unauthorized disclosures" by gathering "early warning indicators of insider threats" and also by considering "behavioral changes in cleared employees."

So, for example, agencies are asked "Do you capture evidence of pre-employment and/or post-employment activities or participation in on-line media data mining sites like WikiLeaks or Open Leaks?" It is unclear how agencies might be expected to gather evidence of "post-employment" activities.

Among other troubling questions, agencies are asked: "Are all employees required to report their contacts with the media?" This question seems out of place since there is no existing government-wide security requirement to report "contacts with the media." Rather, this is a security policy that is unique to some intelligence agencies, and is not to be found in any other military or civilian agencies. Its presence here seems to reflect the new "evolutionary pressure" on the government to adopt the stricter security policies of intelligence.

"I am not aware of any such requirement" to report on media contacts, a senior government security official told Secrecy News. But he noted that the DNI was designated as Security Executive Agent for personnel security matters in the 2008 executive order 13467. As a result, "I suspect that an IC requirement crept in" to the OMB memo.


IG REVIEW OF SECURITY PRACTICES AT DOD FACILITIES

There are security weaknesses at many of the research facilities operated by the Department of Defense, according to a DoD Inspector General survey issued last year.

"All [military] Services identified compliance issues related to information assurance," the IG report found, based on a review of 37 out of 121 research, development, test and evaluations facilities.

"Classification marking requirements remain a problem at Army laboratories. The most common issues are a lack of declassification instructions, as well as failures to mark classified folders, media, and working papers properly.... The use of portable electronic devices in areas where classified information is discussed continues to be a problem for one-third of the Army laboratories inspected."

On the plus side, "the Army clearly has made great strides during the past year by strengthening biological surety policy... especially in the areas of inventory management and accountability." See "Summary Report of FY2009 Inspections on Security, Technology Protection, and Counterintelligence Practices at DoD Research, Development, Test, and Evaluation Facilities" (redacted), DoD Inspector General Report 10-INTEL-06, May 21, 2010.


AIR FORCE SAP POLICY LIMITS CONGRESSIONAL CONTACTS

The Air Force issued updated guidance last week concerning its highly classified special access programs, including new language prohibiting unauthorized communications with Congress.

Special access programs (SAPs) involve access and safeguarding restrictions that are more extensive than those that apply to other classified programs. SAPs are nominally established "to protect the Nation's most sensitive capabilities, information, technologies and operations."

The new Air Force guidance emphatically limits contacts with Congress concerning SAPs.

"It is strictly forbidden for any employee of the Air Force or any appropriately accessed organization or company to brief or provide SAP material to any Congressional Member or staff without DoD SAPCO [Special Access Program Central Office] approval. Additionally, the Director, SAF/AAZ will be kept informed of any interaction with Congress." See Air Force Policy Directive 16-7, "Special Access Programs," December 29, 2010:

******************************

Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists.

The Secrecy News blog is at:
      http://www.fas.org/blog/secrecy/

To SUBSCRIBE to Secrecy News, go to:
     http://www.fas.org/sgp/news/secrecy/subscribe.html

To UNSUBSCRIBE, go to:
      http://www.fas.org/sgp/news/secrecy/unsubscribe.html

OR email your request to [email protected]

Secrecy News is archived at:
      http://www.fas.org/sgp/news/secrecy/index.html

SUPPORT the FAS Project on Government Secrecy with a donation here:
      http://www.fas.org/member/donate_today.html