SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2013, Issue No. 76
August 26, 2013

Secrecy News Blog: http://blogs.fas.org/secrecy/

IG SAYS HOMELAND SECURITY SECRECY PROGRAM IS IN GOOD SHAPE

The Department of Homeland Security "is streamlining classification guidance and more clearly identifying categories of what can be released and what needs to remain classified," according to a new report from the DHS Inspector General.

The Reducing Over-classification Act of 2010 required the Inspector General at each executive branch agency that classifies information to evaluate the agency's classification practices and to report on the results by the end of September 2013. The new DHS report is the first of the bunch to be published. See "Reducing Over-classification of DHS' National Security Information," DHS Office of Inspector General Report OIG-13-106, August 2013:

The report sheds new light on DHS classification practices and provides some useful criticism, but it has a serious conceptual flaw.

The flaw lies in the report's definition of the problem: "Over-classification is defined as classifying information that does not meet one or more of the standards necessary for classification under Executive Order 13526."

The problem is that this is a definition of misclassification, not over-classification. If information does not meet the standards for classification -- for example, if it is not government information -- then its classification is simply a mistake, not an act of over-classification. By using such a definition, the DHS IG fails to recognize the real dimensions of over-classification and overlooks its most vexing aspect: the classification of information that arguably does meet the standards of the Executive Order but that need not or should not be classified.

Over-classification in this deeper sense is at the center of many current controversies over government secrecy policy. Can the role of the CIA in targeted killing operations be acknowledged? Should the fact of bulk collection of telephone metadata records by NSA have been admitted before it was leaked? Though such information was eligible for classification under the Executive Order, the decision to classify it now appears questionable.

But such issues are unfortunately beyond the scope of the DHS IG report, which does not allow for the possibility that information could both "meet the standards necessary for classification under the Executive Order" and still be over-classified. Not a single instance of such over-classification was identified. Rather, the IG concluded that DHS has "successfully implemented all policies and procedures required" and thus "DHS has a strong [classification] program."

Despite its limited conception of the problem, the IG report found some significant areas for improvement. Notably, DHS classifiers have been using obsolete software to apply classification markings. As a result, "59 of the 372 DHS we reviewed contained declassification, sourcing, and marking errors." A new Classification Marking Tool is currently being acquired by DHS. Still, "eighty interviewees noted that they would like more hands-on training to ensure they could classify information properly."

Curiously, the IG report found that DHS officials had an equivocal attitude towards efforts to challenge classification decisions.

"All persons interviewed knew and were trained on the process of formally or informally challenging a classification, but some stated that they would be reluctant to disagree with the originator's classification. They did not fear retribution from senior management, but they did not believe that they were experts in challenging classification" (p. 16).

However, DHS employees resisted the possibility of offering incentives to challenge classification decisions. "When asked, 90 out of 100 DHS derivative classifier interviewees said that they believed offering incentives may lead to unnecessary challenges, and challenges will be raised not in the spirit of reducing classification but for incentive reasons" (p. 10).

Such skepticism is totally speculative, and ought to be tested in practice. But instead of proposing a pilot program to validate or discredit the use of incentives for classification challenges, the DHS Inspector General unfortunately just dropped the subject.

The IG report found that DHS had successfully performed the Fundamental Classification Guidance Review, leading to a 39 percent reduction in the number of security classification guides.

The report also noted that the classification statistics reported by DHS to the Information Security Oversight Office "may not be accurate," and DHS officials acknowledged that there are "long-standing issues associated with the reliability and accuracy" of the reported numbers.

Despite its limitations, the DHS IG review seems to have been a useful exercise that focused new attention on the Department's classification activities. Additional reports from other agencies that conduct much larger classification programs are expected shortly.


US CYBER OFFENSE IS "THE BEST IN THE WORLD"

The subject of offensive cyber action by the U.S. government was classified for many years and was hardly discussed in public at all. Then several years ago the possibility of U.S. cyber offense was formally acknowledged, though it was mostly discussed in the conditional mood, as a capability that might be developed and employed under certain hypothetical circumstances.

Today, however, U.S. offensive cyber warfare is treated as an established fact. Not only that but, officials say, the U.S. military is pretty good at it.

"We believe our [cyber] offense is the best in the world," said Gen. Keith B. Alexander, director of the National Security Agency and Commander of U.S. Cyber Command. His comments appeared in newly published answers to questions for the record from a March 2013 hearing of the House Armed Services Committee (at p. 87).

"Cyber offense requires a deep, persistent and pervasive presence on adversary networks in order to precisely deliver effects," Gen. Alexander explained in response to a question from Rep. Trent Franks (R-AZ). "We maintain that access, gain deep understanding of the adversary, and develop offensive capabilities through the advanced skills and tradecraft of our analysts, operators and developers. When authorized to deliver offensive cyber effects, our technological and operational superiority delivers unparalleled effects against our adversaries' systems."

"Potential adversaries are demonstrating a rapidly increasing level of sophistication in their offensive cyber capabilities and tactics. In order for the Department of Defense to deny these adversaries an asymmetric advantage, it is essential that we continue the rapid development and resourcing of our Cyber Mission Forces."

In response to another question for the record from Rep. James R. Langevin (D-RI), Gen. Alexander said that "Over the next three years we will train the Cyber Mission Forces that will perform world-class offensive and defensive cyber operations as part of our Cyber National Mission Teams, Cyber Combat Mission Teams and Cyber Protection Forces. We do not require additional authorities or resources to train the currently identified cyber professionals" (at page 85).

See "Information Technology and Cyber Operations: Modernization and Policy Issues to Support the Future Force," hearing before the House Armed Services Committee, Subcommittee on Intelligence, Emerging Threats and Capabilities, March 13, 2013 (published July 2013):

At the time of his confirmation hearing before the Senate Armed Services Committee in 2010, Gen. Alexander was asked in a pre-hearing question, "Has the U.S. ever 'demonstrated capabilities' in cyberspace in a way that would lead to deterrence of potential adversaries?" He replied (Question 15p): "Not in any significant way."

This seems to have been an incomplete response. Committee Chairman Sen. Carl Levin noted in questions for the record of Gen. Alexander's confirmation hearing in 2010 that in fact offensive cyber capabilities had already been demonstrated: "Unfortunately, we also learned, after asking a specific question following the appearance of a Washington Post article reporting on an apparent offensive cyber operation, that DOD has undertaken a number of offensive cyber operations in the last several years, none of which was reported to the Armed Services Committees...."

On the vital question of oversight, Senator Levin asked: "Lieutenant General Alexander, do you agree that it is appropriate that the Armed Services Committees be informed of all U.S. offensive cyber operations?"

Gen. Alexander provided an affirmative response, but in a way that altered the terms of the question: "Yes, I agree that in almost all circumstances the Armed Services Committees should be informed in a timely manner of significant offensive cyber operations conducted by CYBERCOM."


FINANCIAL DISCLOSURE BY FEDERAL OFFICIALS, MORE FROM CRS

New and updated reports from the Congressional Research Service that Congress has withheld from broad public distribution include the following.

Financial Disclosure by Federal Officials and Publication of Disclosure Reports, August 22, 2013:

Defense Surplus Equipment Disposal: Background Information, August 22, 2013:

Iraq: Politics, Governance, and Human Rights, August 22, 2013:

The United Arab Emirates (UAE): Issues for U.S. Policy, August 20, 2013:

Changing the Federal Reserve's Mandate: An Economic Analysis, August 12, 2013:

The Affordable Care Act and Small Business: Economic Issues, August 15, 2013:

Financing Natural Catastrophe Exposure: Issues and Options for Improving Risk Transfer Markets, August 15, 2013:

Reauthorizing the Office of National Drug Control Policy: Issues for Consideration, August 13, 2013:

International Drug Control Policy: Background and U.S. Responses, August 13, 2013:

Mexico's Peña Nieto Administration: Priorities and Key Issues in U.S.-Mexican Relations, August 15, 2013:

Latin America and the Caribbean: Key Issues for the 113th Congress, August 9, 2013:

Uzbekistan: Recent Developments and U.S. Interests, August 21, 2013:

******************************

Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists.

The Secrecy News blog is at:
      http://blogs.fas.org/secrecy/

To SUBSCRIBE to Secrecy News, go to:
     http://blogs.fas.org/secrecy/subscribe/

To UNSUBSCRIBE, go to:
      http://blogs.fas.org/secrecy/unsubscribe/

OR email your request to [email protected]

Secrecy News is archived at:
      http://www.fas.org/sgp/news/secrecy/index.html

SUPPORT the FAS Project on Government Secrecy with a donation here:
      https://members.fas.org/donate/