Modernization of Secrecy System is Stalled

Today’s national security classification system “relies on antiquated policies from another era that undercut its effectiveness today,” the Information Security Oversight Office told the President in a report released yesterday.

Modernizing the system is a “government-wide imperative,” the new ISOO annual report said.

But that is a familiar refrain by now. It is much the same message that was delivered with notable urgency by ISOO in last year’s annual report which found that the secrecy system is “hamstrung by old practices and outdated technology.”

The precise nature of the modernization that is needed is a subject of some disagreement. Is it a matter of improving efficiency in order to cope with expanding digital information flows? Or have the role of secrecy and the proper scope of classification changed in a fundamental way?

Whatever the goal, no identifiable progress has been made over the past year in overcoming those obsolete practices, and no new investment has been made in a technology strategy to help modernize national security information policy. In fact, ISOO’s own budget for secrecy oversight has been reduced.

Even agencies that are making use of advanced technologies such as artificial intelligence, machine learning, and predictive analytics in other areas have not considered their application to classification or declassification, ISOO said. “These technologies remain untapped in this area.”

At some point, the failure to update secrecy policy becomes a choice to let the secrecy system fail.

“We’re ringing the alarm bells as loud as we can,” said ISOO director Mark A. Bradley.

Leaks of Classified Info Surge Under Trump

The number of leaks of classified information reported as potential crimes by federal agencies reached record high levels during the first two years of the Trump Administration, according to data released by the Justice Department last week.

Agencies transmitted 120 leak referrals to the Justice Department in 2017, and 88 leak referrals in 2018, for an average of 104 per year. By comparison, the average number of leak referrals during the Obama Administration (20092016) was 39 per year.


There are a “staggering number of leaks,” then-Attorney General Jeff Sessions said at an August 4, 2017 briefing about efforts to prevent the unauthorized disclosures.

“Referrals for investigations of classified leaks to the Department of Justice from our intelligence agencies have exploded,” AG Sessions said at that time. He outlined several steps that the Administration would take to combat leaks of classified information, including tripling the number of active leak investigations by the FBI.

“We had about nine open investigations of classified leaks in the last 3 years,” he told the House Judiciary Committee at a November 2017 hearing. “We have 27 investigations open today.” (Some of those investigations pertain to leaks that occurred before President Trump took office.)

“We intend to get to the bottom of these leaks. I think it reached—has reached epidemic proportions. It cannot be allowed to continue,” Sessions said then, “and we will do our best effort to ensure that it does not continue.”

But it has continued. Despite preventive efforts, the 2018 total of 88 leak referrals was still higher than any reported pre-Trump figure. (The previous high in recent decades had been 55 referrals in 2013 and in 2007. The lowest was 18 in 2015.)

*

Not all leaks of classified information generate such criminal referrals. Disclosures that are inadvertent, insignificant, or officially authorized would not be reported to the Justice Department as suspected crimes.

Meanwhile, only a fraction of the classified leaks that are reported by agencies ever result in an investigation, and only a portion of those lead to identification of a suspect and even fewer to a prosecution.

“While DOJ and the FBI receive numerous media leak referrals each year, the FBI opens only a limited number of investigations based on these referrals,” the FBI told Congress in 2009. “In most cases, the information included in the referral is not adequate to initiate an investigation.”

The newly released aggregate data on classified leak referrals serve as a reminder that leaks of classified information are a “normal,” predictable occurrence. There is not a single year in the past decade and a half for which data are available when there were no such criminal referrals.

But the data as released leave several questions unanswered. They do not reveal how many of the referrals actually triggered an FBI investigation. They do not indicate whether the leaks are evenly distributed across the national security bureaucracy or concentrated in one or more “problem” agencies (or congressional committees). And they do not distinguish between leaks that simply “hurt our country,” as the Attorney General put it, and those that are complicated by a significant public interest in the information that was disclosed.

Classified Anti-Terrorist Ops Raise Oversight Questions

Last February, the Secretary of Defense initiated three new classified anti-terrorist operations intended “to degrade al Qaeda and ISIS-affiliated terrorists in the Middle East and specific regions of Africa.”

A glimpse of the new operations was provided in the latest quarterly report on the U.S. anti-ISIS campaign from the Inspectors General of the Department of Defense, Department of State, and US Agency for International Development.

The three classified programs are known as Operation Yukon Journey, the Northwest Africa Counterterrorism overseas contingency operation, and the East Africa Counterterrorism overseas contingency operation.

Detailed oversight of these programs is effectively led by the DoD Office of Inspector General rather than by Congress.

“To report on these new contingency operations, the DoD OIG submitted a list of questions to the DoD about topics related to the operations, including the objectives of the operations, the metrics used to measure progress, the costs of the operations, the number of U.S. personnel involved, and the reason why the operations were declared overseas contingency operations,” the joint IG report said.

DoD provided classified responses to some of the questions, which were provided to Congress.

But “The DoD did not answer the question as to why it was necessary to designate these existing counterterrorism campaigns as overseas contingency operations or what benefits were conveyed with the overseas contingency operation designation.”

Overseas contingency operations are funded as “emergency” operations that are not subject to normal procedural requirements or budget limitations.

“The DoD informed the DoD OIG that the new contingency operations are classified to safeguard U.S. forces’ freedom of movement, provide a layer of force protection, and protect tactics, techniques, and procedures. However,” the IG report noted, “it is typical to classify such tactical information in any operation even when the overall location of an operation is publicly acknowledged.”

“We will continue to seek answers to these questions,” the IG report said.

Accounting Board Okays Deceptive Budget Practices

Government agencies may remove or omit budget information from their public financial statements and may present expenditures that are associated with one budget line item as if they were associated with another line item in order to protect classified information, the Federal Accounting Standards Advisory Board concluded last week.

Under the newly approved standard, government agencies may “modify information required by other [financial] standards” in their public financial statements, omit otherwise required information, and misrepresent the actual spending amounts associated with specific line items so that classified information will not be disclosed. (Accurate and complete accounts are to be maintained separately so that they may be audited in a classified environment.)

See Classified Activities, Statement of Federal Financial Accounting Standards (SFFAS) 56, Federal Accounting Standards Advisory Board, October 2018.

The new policy was favored by national security agencies as a prudent security measure, but it was opposed by some government overseers and accountants.

Allowing unacknowledged modifications to public financial statements “jeopardizes the financial statements’ usefulness and provides financial managers with an arbitrary method of reporting accounting information,” according to comments provided to the Board by the Department of Defense Office of Inspector General.

Properly classified information should be redacted, not misrepresented, said the accounting firm Kearney & Company. “Generally Accepted Accounting Principles (GAAP) should not be modified to limit reporting of classified activities. Rather, GAAP reporting should remain the same as other Federal entities and redacted for public release or remain classified.”

The new policy, which extends deceptive budgeting practices that have long been employed in intelligence budgets, means that public budget documents must be viewed critically and with a new degree of skepticism.

A classified signals intelligence program dubbed “Vesper Lillet” that recently became the subject of a fraud indictment was ostensibly sponsored by the Department of Health and Human Services, but in reality it involved a joint effort of the National Reconnaissance Office and the National Security Agency.

See “Feds allege contracting fraud within secret Colorado spy warehouse” by Tom Roeder, The Gazette (Colorado Springs), October 5, 2018.

Remembering Steve Garfinkel

We were very sad to learn that Steve Garfinkel, the former director of the Information Security Oversight Office (ISOO), passed away on September 24.

Appointed by President Carter in 1980, Mr. Garfinkel served as the second ISOO director for two decades until his retirement in January 2002. In that position, he played an influential role in the evolution of the national security classification system during its rapid expansion in the Reagan years and through the ambitious declassification initiatives of the Clinton era.

The ISOO director’s job of supervising the operation of the government’s classification system is an all but impossible one, since ISOO’s resources and authorities are not commensurate with its assigned responsibilities.

But Garfinkel made the whole system better than it was with the tools that he had available. He instituted training programs for classifiers, he restrained some of the excesses of agency officials, and he cultivated a rational approach to the diverse challenges that the late cold war classification system produced.

He made “many contributions to the well-being of our nation,” said J. William Leonard, his successor. “While I had the honor to follow in Steve’s footsteps as ISOO Director, from the very beginning I recognized that I would never be able to fill his shoes,” wrote Mr. Leonard, whose own shoes are quite large.

“He was a monumental man, a man of great honor and integrity,” wrote Roger Denk, the former director of the Defense Personnel and Security Research Center. “His sense of humor, combined with his brilliance, made him a joy to be around.”

During his years at ISOO, Mr. Garfinkel welcomed with some surprise the growing attention of public interest groups to classification policy. (“Notwithstanding you, very few people give a tinker’s damn about the security classification system,” he had told me in a 1993 interview.) The mounting volume of public complaints seemed to give him greater leverage in his own internal policy debates.

Yet he typically resisted the specific prescriptions offered by critics. After Tom Blanton and I wrote an op-ed in the New York Times 25 years ago criticizing a Clinton draft executive order on classification and comparing it unfavorably to President Nixon’s policy, Garfinkel lamented that we had been “too effective”: the final Clinton order shortened the duration of classification for most documents, as we had urged, but it also included “a lot more exceptions than I would have wanted,” he said. “Aftergood and Blanton hoisted themselves on their own petard.” Years later, Garfinkel continued to believe that we had made a fateful error.

Garfinkel brought a deep humanity to what was essentially a bureaucratic role. He was warm, kind, funny and not afraid of an argument or an opposing view.

When he “retired” from ISOO in 2002, he took on what might have been an even more challenging task — teaching high school students in suburban Maryland.

“I have no desire whatsoever to return to the government in any capacity, save public high school teacher, which is doing everything necessary to leave me ragged,” he told me. As for secrecy policy, “I hope we never get to the point where we quit trying [to do better], although I have personally quit worrying about it and I think you will inevitably reach that point also.”

Many of the qualities that made him a great public servant also made him a beloved teacher of a generation of students, some of whom remembered him on Twitter last week.

Financial Accounts May Be “Modified” to Shield Classified Programs

In an apparent departure from “generally accepted accounting principles,” federal agencies will be permitted to publish financial statements that are altered so as to protect information on classified spending from disclosure.

The new policy was developed by the government’s Federal Accounting Standards Advisory Board (FASAB) in response to concerns raised by the Department of Defense and others that a rigorous audit of agency financial statements could lead to unauthorized disclosure of classified information.

In order to prevent disclosure of classified information in a public financial statement, FASAB said that agencies may amend or obscure certain spending information. “An entity may modify information required by other [accounting] standards if the effect of the modification does not change the net results of operations or net position.”

Agencies may also shift accounts around in a potentially misleading way. “A component reporting entity is allowed to be excluded from one reporting entity and consolidated into another reporting entity. The effect of the modifications may change the net results of operations and/or net position.” See Statement of Federal Financial Accounting Standards 56, FASAB, July 5, 2018 (final draft for sponsor review).

In response to an earlier draft of the new standard that was issued last December, most government agencies endorsed the move to permit modifying public financial statements.

“The protection of classified information and national security takes precedence over financial statements,” declared the Central Intelligence Agency in its comments (submitted discreetly under the guise of an “other government agency”).

“It is in the best interest of national security to allow for modification to the presentation of balances and reporting entity in the GPFFR [the publicly available General Purpose Federal Financial Report],” CIA wrote.

But in a sharply dissenting view, the Pentagon’s Office of Inspector General said the new approach was improper, unwise and unnecessary.

It “jeopardizes the financial statements’ usefulness and provides financial managers with an arbitrary method of reporting accounting information,” the DoD OIG said.

“We do not agree that incorporating summary-level dollar amounts in the overall statements will necessarily result in the release of classified information.”

“This proposed guidance is a major shift in Federal accounting guidance and, in our view, the potential impact is so expansive that it represents another comprehensive basis of accounting.”

“The Board should clarify whether this proposed standard, or subsequent Interpretations, could permit entities to record misstated amounts in the financial statements to mislead readers with the stated purpose of protecting classified information. We believe that no accounting guidance should allow this type of accounting entry.”

“We do not believe that… the Board’s proposed guidance would effectively protect classified information, comply with GAAP [generally accepted accounting principles], or serve the public interest,” the DoD OIG wrote.

The Kearney & Company accounting firm also objected, saying that it would be better to classify certain financial statements or redact classified spending than to misrepresent published information.

“Generally Accepted Accounting Principles (GAAP) should not be modified to limit reporting of classified activities. Rather, GAAP reporting should remain the same as other Federal entities and redacted for public release or remain classified.”

If a published account is modified “so material activity is no longer accurately presented to the reader of financial statements, its usefulness to public users is limited and subject to misinterpretation.”

“This approach limits the value, usefulness, and benefits of financial statements as currently defined by GAAP. Financial statements of classified entities should remain classified or redacted like other classified documents before release to the public.”

“The integrity of current GAAP as it applies to all Federal entities should be retained,” Kearney said in its comments.

But the FASAB ultimately rejected those views.

“The Board determined that options other than those permitted in this Statement may not always adequately resolve national security concerns,” according to the final draft of the policy, which the Board provided to Secrecy News.

“Without this Statement, there is a risk that reporting entities may need to classify their entire financial statements to comply with existing accounting standards, which would likely result in the need to classify a large portion of the government-wide financial statements.”

In practice, the Board suggested, “Modifications may not be needed to prevent the disclosure of certain classified information. Therefore, this Statement permits, rather than requires, modifications on a case-by-case basis.”

The new accounting standard is expected to be approved by the FASAB sponsors — namely the Secretary of Treasury, the Comptroller General, and the Director of the Office of Management and Budget — by the end of a 90 day review period in October.

Last month, the FASAB issued a separate classified “Interpretation” of the new standard that addressed the policy’s implementation in detail. The contents of that document are not publicly known.

The topic of accounting for classified spending has been a challenging one for the Board, said Assistant Director Monica R. Valentine on Monday. “This is the first time we’ve had to deal with this sort of issue.”

Classified Human Subjects Research Continues at DOE

dozen classified programs that involved research on human subjects were underway last year at the Department of Energy.

Human subjects research refers broadly to the collection of scientific data from human subjects. This could involve physical procedures that are performed on the subjects, or simply interviews and other forms of interaction with them.

Little information is publicly available about the latest DOE programs, most of which have opaque, non-descriptive names such as TristanIdaho Bailiff and Moose Drool. But a list of the classified programs was released this week under the Freedom of Information Act.

Human subjects research erupted into national controversy 25 years ago with reporting by Eileen Welsome of the Albuquerque Tribune on human radiation experiments that had been conducted by the Atomic Energy Commission, many of which were performed without the consent of the subjects. A presidential advisory committee was convened to document the record and to recommend appropriate policy responses.

In 2016, the Department of Energy issued updated guidelines on human subjects research, which included a requirement to produce a listing of all classified projects involving human subjects. It is that listing that has now been released.

“Research using human subjects provides important medical and scientific benefits to individuals and to society. The need for this research does not, however, outweigh the need to protect individual rights and interests,” according to the 2016 DOE guidance on protection of human subjects in classified research.

An extravagantly horrific example of fictional human subject research was imagined by Lindsay Anderson in his 1973 film O Lucky Man! which captured the zeitgeist for a moment.

BMD Flight Test Schedule Must Be Unclassified

Earlier this year, the Department of Defense classified the schedule of flight tests of ballistic missile defense systems, even though such information had previously been unclassified and publicly disclosed.

Rejecting that move, Congress has now told the Pentagon’s Missile Defense Agency that the flight test schedule must be unclassified.

A new provision in the FY2019 national defense authorization act (sect. 1681) would “require that MDA make the quarter and fiscal year for execution of planned flight tests unclassified.”

“Together with the release of each integrated master test plan of the Missile Defense Agency, and at the same time as each budget of the President is submitted to Congress…, the Director of the Missile Defense Agency shall make publicly available a version of each such plan that identifies the fiscal year and the fiscal quarter in which events under the plan will occur,” the provision states.

This legislative action will effectively override the classification judgment of the executive branch. That is something that Congress rarely does and that the executive branch regards as an infringement on its authority.

Bid to Rectify the “Black Budget” Fails

The so-called “black” budget — which refers to classified government spending on military procurement, operations, and intelligence — is not merely secret. It is actually deceptive and misleading, since it produces a distortion in the amount and the presentation of the published budget.

The amount of money that is purportedly appropriated for the US Air Force, for example, does not all go to the Air Force, the Senate Armed Services Committee recently observed.

“Each year, a significant portion of the Air Force budget contains funds that are passed on to, and managed by, other organizations within the Department of Defense. This portion of the budget, called ‘pass-through,’ cannot be altered or managed by the Air Force. It resides within the Air Force budget for the purposes of the President’s budget request and apportionment, but is then transferred out of the Service’s control,” according to a Senate report on the 2019 defense bill (S.Rept. 115-262).

Although the report does not say so, the Air Force budget may also include pass-through funding for the Central Intelligence Agency, which of course is not even part of the Department of Defense, as well as for other non-Air Force intelligence functions.

“In fiscal year 2018, the Air Force pass-through budget amounted to approximately $22.0 billion, or just less than half of the total Air Force procurement budget. The committee believes that the current Air Force pass-through budgeting process provides a misleading picture of the Air Force’s actual investment budget.”

The Senate therefore recommended that such “pass-through” funds be removed from the Air Force budget and included in Defense-wide appropriations.

But in the House-Senate conference on the FY2019 defense bill, this move was blocked and so the deceptive status quo will continue to prevail.

Earlier this month, the Director of National Intelligence and the Pentagon Comptroller wrote to Congress to present their views on the Senate provision. A copy of their letter, which presumably objected to the proposed move, has been requested but not yet released.

The logic of the Senate proposal was explained by Mackenzie Eaglen of the American Enterprise Institute in “Time to Get the Black Out of the Blue,” Real Clear Defense, June 13.

The Aging Secrecy System Is “At a Crossroads”

Today’s national security classification system is unsustainable, says a new annual report to the President from the government’s Information Security Oversight Office (ISOO). It is “hamstrung by old practices and outdated technology” and a new, government-wide technology strategy will be required “to combat inaccurate classification and promote more timely declassification.”

The secrecy system has expanded to the point that it is effectively unmanageable and often counterproductive, ISOO indicated.

“Too much classification impedes the proper sharing of information necessary to respond to security threats, while too little declassification undermines the trust of the American people in their Government. Reforms will require adopting strategies that increase the precision and decrease the permissiveness of security classification decisions, improve the efficiency and effectiveness of declassification programs, and use modern technology in security classification programs across the Government,” the report said.

“We are at a crossroads” wrote ISOO director Mark Bradley in a May 31 letter to the President transmitting the report, which was made public today.

ISOO’s sense of urgency is reflected in the annual report itself, which strives to be more forward leaning and policy-relevant than many past ISOO reports. It goes beyond the recitation of (often questionable) statistics on classification activity to present a series of findings and recommended actions that it says are needed to restore the integrity of the system.

In addition to a call for development of a comprehensive new technology strategy for classification and declassification, ISOO specifically recommends adding a new budget line item for security classification in agency budget requests to help regulate and justify expenditures, and adding a public member to the Information Security Classification Appeals Panel to represent the broad public interest in that Panel’s work on declassification.

Some of the other recommendations in the report flag problem areas rather than advance solutions, and tend to do so in the passive voice: “Policies must be revised to improve the effectiveness and efficiency of automatic declassification.” How exactly should the policies be revised? Adopt a “drop-dead date” for classification? Eliminate agency referrals for older documents? Grant broad declassification authority to the National Declassification Center? The report doesn’t say.

Much of the data traditionally reported by ISOO regarding classification activity is suggestive but not truly informative. Just as one cannot judge the overall health of the economy from stock market averages, changes in the volume of classification activity say nothing about its quality or legitimacy. In 2017, ISOO found that original classification activity (production of new secrets) increased for the first time in four years. At the same time, derivative classification decreased. The significance of these developments, if any, is unclear.

But other ISOO findings in the new report are more interesting.

ISOO said that last year there were again hundreds of classification challenges presented by government employees who disputed the classification of particular items of information. Most of the challenges were denied, but in 8% of the cases (a small but non-negligible number) they were upheld and the classifications in question were overturned. Such classification challenges “serve a critical role by uncovering information improperly classified in the first instance,” the ISOO report said, providing “an internal check on the system.” Because the challenges are now mostly localized in just a few agencies, this practice has the potential to have far more impact in combating overclassification if it can be adopted and encouraged more widely across the executive branch.

The ISOO report summarized the results of the latest Fundamental Classification Guidance Review, which led to the cancellation of 221 security classification guides (out of 2,865 guides). The cancelled guides will no longer be available for use in classifying information.

ISOO also cast a favorable spotlight on the new approach to classification led by the National Geospatial-Intelligence Agency. NGA now requires written justifications for original classification decisions, along with a description of the damage that would result from unauthorized disclosure, and an unclassified paraphrase of the classified information. The resulting NGA classification guidance currently represents a “best practice” in classification policy, ISOO said. That is to say, it represents a model that could constructively be applied elsewhere in agencies that classify national security information.

The ISOO report also addressed escalating classification costs (which reached a new high in 2017), growing backlogs of mandatory declassification review requests, and the contentious implementation of Controlled Unclassified Information policy, among other topics.

Fixing the classification system is a slow and uncertain process, and some people don’t want to wait.

Sen. Doug Jones (D-Ala.) introduced legislation this week to accelerate the release of records concerning unsolved criminal civil rights cases from half a century ago. Some of those records, in his estimation, “remain classified unnecessarily.” So his bill (S. 3191) would work around that classification obstacle with an alternative approach. Modeled in part on the JFK Assassination Records Act of 1992, the bill would empower a panel of private citizens to review and decide on disclosure of the records.

Meanwhile, the Department of Defense recently issued a “request for information” about technology that could aid in the classification process. The desired technology “must be able to make real-time decisions about the classification level of the information and an individual’s ability to access, change, delete, receive or forward the information.” (FBO, NextGov, ArsTechnica)