Crisis of Credibility in Secrecy Policy

Obsolete secrecy procedures and growing political abuse have left the national security classification system in a state of disarray and dysfunction.

Most government agencies “still rely on antiquated information security management practices,” according to a new annual report from the Information Security Oversight Office (ISOO). “These practices have not kept pace with the volume of digital data that agencies create.”

“Agencies are not applying or testing advanced technologies that would enable more precise classification and declassification, facilitate information sharing, and improve national security,” the ISOO report to the President said. “Classification and declassification actions are still performed manually, which is neither sustainable nor desirable in the digital age.”

“As the volume of records requiring [declassification] review increases, agencies are making more errors, putting Classified National Security Information at risk and eroding trust in the system,” ISOO said.

As damning as these and other ISOO findings may be, they hardly begin to capture the crisis of credibility that is facing the classification system today.

An effective classification system depends on a presumption of good faith on the part of classifiers, checked by independent oversight, and some consensual understanding of the meaning of national security. All of these factors are in doubt, absent, or undergoing swift transformation. Meanwhile, classification today is openly wielded as an instrument of political power.

“Conversations with me, they’re highly classified,” said President Trump last week. “I told that to the Attorney General before. I will consider every conversation with me, as President, highly classified.”

That remark is a wild departure from previous policy. However broadly it may have been construed in the past, classification was always supposed to apply to information that was plausibly related to national security (a necessary condition, though not a sufficient one). Even the most sensitive conversations with the President about tax policy or health care, for example, could not have been considered classified information.

In this case, President Trump was objecting to the publication of the new book by former national security adviser John Bolton, which he dismissed at the same time as a “compilation of lies and made-up stories.”

But Bolton’s lies, if that’s what they were, would not normally qualify as classified information either.

In principle, it’s possible that “lies and made-up stories” could be classified, though only to the extent that they were generated by the government itself (perhaps in the form of cover stories, or other official statements of misdirection). But any lies that Bolton might tell on his own are beyond the scope of classification, since they are not “owned by, produced by or for, or. . . under the control of” the US Government, as required by the executive order on classification.

President Trump may or may not understand such rudiments of national security classification. But by twisting classification policy into a weapon for political vendettas, the President is discrediting the classification system and accelerating its disintegration.

As for Bolton, the astonishing fact is that he is the second of Trump’s national security advisors (after Gen. Michael Flynn) to be accused of lying and criminal activity.

“If the [Bolton] book gets out, he’s broken the law,” the President said. “And I would think that he would have criminal problems.” Indeed, a court said on Saturday that Bolton might have “expose[d] himself to criminal liability.”

Second only to the President, the national security advisor is really the principal author and executor of classification policy. So when NSAs like Flynn and Bolton are disgraced (or worse), their disrepute reflects upon and attaches to the classification system to some degree.

Ironically, Mr. Bolton was more attentive to and more engaged in classification policy than many of his predecessors. He makes a tacit appearance (unnamed) in the new ISOO annual report, which notes: “In FY 2018, the ISCAP [Interagency Security Classification Appeals Panel] received a request from the National Security Advisor to resolve a declassification dispute between the Departments of Defense and State.” That action, to Bolton’s credit, freed up all or parts of 60 documents for publication in the Foreign Relations of the United States series, over the objections of the Department of Defense.

The way to begin restoring credibility to classification policy is not hard to envision, though it may be difficult or impossible to implement under current circumstances. Like law enforcement, the classification system needs to be insulated from partisan political interference. Classification policy needs to adhere to well-defined national security principles (though the scope and application of these principles will be debatable). A properly functioning classification and declassification system will prove its integrity by sometimes producing outcomes that are politically unwelcome or inconvenient to the Administration. And since errors are inevitable, the classification system also requires a robust oversight and error-correction process.

*    *    *

Last week, the Senate Intelligence Committee blocked an effort by Senator Ron Wyden to restructure and strengthen the declassification system. A Wyden amendment to the FY 2021 intelligence authorization act would have designated the Director of National Intelligence as the Executive Agent for declassification, tasking him to establish and carry out government-wide declassification requirements. The Wyden amendment failed 7-8 with all Republican members opposed.

By rejecting his amendment (without offering any alternative), the Committee “failed to reform a broken, costly declassification system,” Sen. Wyden said in a dissenting statement appended to the June 17 report on the intelligence bill.

*    *    *

While dismissing concerns about classification policy, the Senate Intelligence Committee roused itself to address the threat from unidentified flying objects, an issue that it said requires more focused government attention.

The Committee called on the Director of National Intelligence to provide detailed reporting on “unidentified aerial phenomena (also known as ‘anomalous aerial vehicles’), including observed airborne objects that have not been identified.”

“The Committee remains concerned that there is no unified, comprehensive process within the Federal Government for collecting and analyzing intelligence on unidentified aerial phenomena, despite the potential threat,” the new Committee report said.

PIDB Urges Modernization of Classification System

How can the national security classification and declassification system be fixed?

That depends on how one defines the problem that needs fixing. To the authors of a new report from the Public Interest Declassification Board (PIDB), the outstanding problem is the difficulty of managing the expanding volume of classified information and declassifying a growing backlog of records.

“There is widespread, bipartisan recognition that the Government classifies too much information and keeps it classified for too long, all at an exorbitant and unacceptable cost to taxpayers,” said the PIDB, a presidential advisory board. Meanwhile, “Inadequate declassification contributes to an overall lack of transparency and diminished confidence in the entire security classification system.”

The solution to this problem is to employ technology to improve the efficiency of the classification and declassification processes, the PIDB said.

“The time is ripe for envisioning a new approach to classification and declassification, before the accelerating influx of classified electronic information across the Government becomes completely unmanageable,” the report said. “The Government needs a paradigm shift, one centered on the adoption of technologies and policies to support an enterprise-level, system-of-systems approach.”

See A Vision for the Digital Age: Modernization of the U.S. National Security Classification and Declassification System, Public Interest Declassification Board, May 2020.

The report’s diagnosis is not new and neither is its call for employing new technology to improve classification and declassification. The PIDB itself made similar recommendations in a 2007 report.

Recognizing the persistent lack of progress to date, the new report therefore calls for the appointment of an Executive Agent who would have the authority and responsibility for designing and implementing a newly transformed classification system. (The Director of National Intelligence, who is already Security Executive Agent for security clearance policy, would be a likely choice.)

Those who care enough about these issues to read the PIDB report will find lots of interesting commentary along with plenty to doubt or disagree with. For example, in my opinion:

*    The useful idea of appointing an Executive Agent is diminished by making him or her part of an Executive Committee of agency leaders. The whole point of creating a “czar”-like Executive Agent is to reduce the friction of collective decision making and to break through the interagency impasse. An Executive Committee would make that more difficult.

*    The PIDB report would oddly elevate the Archivist of the United States, who is not even an Original Classification Authority, into a central role “in modernizing the systems used across agencies for the management of classified records.” That doesn’t make much sense. (An official said the intended purpose here was merely to advance the mission of the Archives in preserving historical records.)

*    The report equivocates on the pivotal question of whether or not (or for how long) agencies should retain “equity” in, or ownership of, the records they produce.

*    The report does not address resource issues in a concrete way. How much money should be invested today to develop the recommended technologies in order to reap savings five and ten years from now? It doesn’t say. Who should supply the classified connectivity among classifying agencies that the report says is needed? Exactly which agency should request the required funding in next year’s budget request? That is not discussed, and so in all likelihood it is not going to happen.

But the hardest, most stubborn problem in classification policy has nothing to do with efficiency or productivity. What needs updating and correcting, rather, are the criteria for determining what is properly classified and what must be disclosed. And since there is disagreement inside and outside government about many specific classification actions — e.g., should the number of US troops in Afghanistan be revealed or not? — a new mechanism is needed to adjudicate such disputes. This fundamental issue is beyond the scope of the PIDB report.

The Public Interest Declassification Board will hold a virtual public meeting on June 5 at 11 am.

Modernization of Secrecy System is Stalled

Today’s national security classification system “relies on antiquated policies from another era that undercut its effectiveness today,” the Information Security Oversight Office told the President in a report released yesterday.

Modernizing the system is a “government-wide imperative,” the new ISOO annual report said.

But that is a familiar refrain by now. It is much the same message that was delivered with notable urgency by ISOO in last year’s annual report which found that the secrecy system is “hamstrung by old practices and outdated technology.”

The precise nature of the modernization that is needed is a subject of some disagreement. Is it a matter of improving efficiency in order to cope with expanding digital information flows? Or have the role of secrecy and the proper scope of classification changed in a fundamental way?

Whatever the goal, no identifiable progress has been made over the past year in overcoming those obsolete practices, and no new investment has been made in a technology strategy to help modernize national security information policy. In fact, ISOO’s own budget for secrecy oversight has been reduced.

Even agencies that are making use of advanced technologies such as artificial intelligence, machine learning, and predictive analytics in other areas have not considered their application to classification or declassification, ISOO said. “These technologies remain untapped in this area.”

At some point, the failure to update secrecy policy becomes a choice to let the secrecy system fail.

“We’re ringing the alarm bells as loud as we can,” said ISOO director Mark A. Bradley.

Leaks of Classified Info Surge Under Trump

The number of leaks of classified information reported as potential crimes by federal agencies reached record high levels during the first two years of the Trump Administration, according to data released by the Justice Department last week.

Agencies transmitted 120 leak referrals to the Justice Department in 2017, and 88 leak referrals in 2018, for an average of 104 per year. By comparison, the average number of leak referrals during the Obama Administration (20092016) was 39 per year.


There are a “staggering number of leaks,” then-Attorney General Jeff Sessions said at an August 4, 2017 briefing about efforts to prevent the unauthorized disclosures.

“Referrals for investigations of classified leaks to the Department of Justice from our intelligence agencies have exploded,” AG Sessions said at that time. He outlined several steps that the Administration would take to combat leaks of classified information, including tripling the number of active leak investigations by the FBI.

“We had about nine open investigations of classified leaks in the last 3 years,” he told the House Judiciary Committee at a November 2017 hearing. “We have 27 investigations open today.” (Some of those investigations pertain to leaks that occurred before President Trump took office.)

“We intend to get to the bottom of these leaks. I think it reached—has reached epidemic proportions. It cannot be allowed to continue,” Sessions said then, “and we will do our best effort to ensure that it does not continue.”

But it has continued. Despite preventive efforts, the 2018 total of 88 leak referrals was still higher than any reported pre-Trump figure. (The previous high in recent decades had been 55 referrals in 2013 and in 2007. The lowest was 18 in 2015.)

*

Not all leaks of classified information generate such criminal referrals. Disclosures that are inadvertent, insignificant, or officially authorized would not be reported to the Justice Department as suspected crimes.

Meanwhile, only a fraction of the classified leaks that are reported by agencies ever result in an investigation, and only a portion of those lead to identification of a suspect and even fewer to a prosecution.

“While DOJ and the FBI receive numerous media leak referrals each year, the FBI opens only a limited number of investigations based on these referrals,” the FBI told Congress in 2009. “In most cases, the information included in the referral is not adequate to initiate an investigation.”

The newly released aggregate data on classified leak referrals serve as a reminder that leaks of classified information are a “normal,” predictable occurrence. There is not a single year in the past decade and a half for which data are available when there were no such criminal referrals.

But the data as released leave several questions unanswered. They do not reveal how many of the referrals actually triggered an FBI investigation. They do not indicate whether the leaks are evenly distributed across the national security bureaucracy or concentrated in one or more “problem” agencies (or congressional committees). And they do not distinguish between leaks that simply “hurt our country,” as the Attorney General put it, and those that are complicated by a significant public interest in the information that was disclosed.

Classified Anti-Terrorist Ops Raise Oversight Questions

Last February, the Secretary of Defense initiated three new classified anti-terrorist operations intended “to degrade al Qaeda and ISIS-affiliated terrorists in the Middle East and specific regions of Africa.”

A glimpse of the new operations was provided in the latest quarterly report on the U.S. anti-ISIS campaign from the Inspectors General of the Department of Defense, Department of State, and US Agency for International Development.

The three classified programs are known as Operation Yukon Journey, the Northwest Africa Counterterrorism overseas contingency operation, and the East Africa Counterterrorism overseas contingency operation.

Detailed oversight of these programs is effectively led by the DoD Office of Inspector General rather than by Congress.

“To report on these new contingency operations, the DoD OIG submitted a list of questions to the DoD about topics related to the operations, including the objectives of the operations, the metrics used to measure progress, the costs of the operations, the number of U.S. personnel involved, and the reason why the operations were declared overseas contingency operations,” the joint IG report said.

DoD provided classified responses to some of the questions, which were provided to Congress.

But “The DoD did not answer the question as to why it was necessary to designate these existing counterterrorism campaigns as overseas contingency operations or what benefits were conveyed with the overseas contingency operation designation.”

Overseas contingency operations are funded as “emergency” operations that are not subject to normal procedural requirements or budget limitations.

“The DoD informed the DoD OIG that the new contingency operations are classified to safeguard U.S. forces’ freedom of movement, provide a layer of force protection, and protect tactics, techniques, and procedures. However,” the IG report noted, “it is typical to classify such tactical information in any operation even when the overall location of an operation is publicly acknowledged.”

“We will continue to seek answers to these questions,” the IG report said.

Accounting Board Okays Deceptive Budget Practices

Government agencies may remove or omit budget information from their public financial statements and may present expenditures that are associated with one budget line item as if they were associated with another line item in order to protect classified information, the Federal Accounting Standards Advisory Board concluded last week.

Under the newly approved standard, government agencies may “modify information required by other [financial] standards” in their public financial statements, omit otherwise required information, and misrepresent the actual spending amounts associated with specific line items so that classified information will not be disclosed. (Accurate and complete accounts are to be maintained separately so that they may be audited in a classified environment.)

See Classified Activities, Statement of Federal Financial Accounting Standards (SFFAS) 56, Federal Accounting Standards Advisory Board, October 2018.

The new policy was favored by national security agencies as a prudent security measure, but it was opposed by some government overseers and accountants.

Allowing unacknowledged modifications to public financial statements “jeopardizes the financial statements’ usefulness and provides financial managers with an arbitrary method of reporting accounting information,” according to comments provided to the Board by the Department of Defense Office of Inspector General.

Properly classified information should be redacted, not misrepresented, said the accounting firm Kearney & Company. “Generally Accepted Accounting Principles (GAAP) should not be modified to limit reporting of classified activities. Rather, GAAP reporting should remain the same as other Federal entities and redacted for public release or remain classified.”

The new policy, which extends deceptive budgeting practices that have long been employed in intelligence budgets, means that public budget documents must be viewed critically and with a new degree of skepticism.

A classified signals intelligence program dubbed “Vesper Lillet” that recently became the subject of a fraud indictment was ostensibly sponsored by the Department of Health and Human Services, but in reality it involved a joint effort of the National Reconnaissance Office and the National Security Agency.

See “Feds allege contracting fraud within secret Colorado spy warehouse” by Tom Roeder, The Gazette (Colorado Springs), October 5, 2018.

Remembering Steve Garfinkel

We were very sad to learn that Steve Garfinkel, the former director of the Information Security Oversight Office (ISOO), passed away on September 24.

Appointed by President Carter in 1980, Mr. Garfinkel served as the second ISOO director for two decades until his retirement in January 2002. In that position, he played an influential role in the evolution of the national security classification system during its rapid expansion in the Reagan years and through the ambitious declassification initiatives of the Clinton era.

The ISOO director’s job of supervising the operation of the government’s classification system is an all but impossible one, since ISOO’s resources and authorities are not commensurate with its assigned responsibilities.

But Garfinkel made the whole system better than it was with the tools that he had available. He instituted training programs for classifiers, he restrained some of the excesses of agency officials, and he cultivated a rational approach to the diverse challenges that the late cold war classification system produced.

He made “many contributions to the well-being of our nation,” said J. William Leonard, his successor. “While I had the honor to follow in Steve’s footsteps as ISOO Director, from the very beginning I recognized that I would never be able to fill his shoes,” wrote Mr. Leonard, whose own shoes are quite large.

“He was a monumental man, a man of great honor and integrity,” wrote Roger Denk, the former director of the Defense Personnel and Security Research Center. “His sense of humor, combined with his brilliance, made him a joy to be around.”

During his years at ISOO, Mr. Garfinkel welcomed with some surprise the growing attention of public interest groups to classification policy. (“Notwithstanding you, very few people give a tinker’s damn about the security classification system,” he had told me in a 1993 interview.) The mounting volume of public complaints seemed to give him greater leverage in his own internal policy debates.

Yet he typically resisted the specific prescriptions offered by critics. After Tom Blanton and I wrote an op-ed in the New York Times 25 years ago criticizing a Clinton draft executive order on classification and comparing it unfavorably to President Nixon’s policy, Garfinkel lamented that we had been “too effective”: the final Clinton order shortened the duration of classification for most documents, as we had urged, but it also included “a lot more exceptions than I would have wanted,” he said. “Aftergood and Blanton hoisted themselves on their own petard.” Years later, Garfinkel continued to believe that we had made a fateful error.

Garfinkel brought a deep humanity to what was essentially a bureaucratic role. He was warm, kind, funny and not afraid of an argument or an opposing view.

When he “retired” from ISOO in 2002, he took on what might have been an even more challenging task — teaching high school students in suburban Maryland.

“I have no desire whatsoever to return to the government in any capacity, save public high school teacher, which is doing everything necessary to leave me ragged,” he told me. As for secrecy policy, “I hope we never get to the point where we quit trying [to do better], although I have personally quit worrying about it and I think you will inevitably reach that point also.”

Many of the qualities that made him a great public servant also made him a beloved teacher of a generation of students, some of whom remembered him on Twitter last week.

Financial Accounts May Be “Modified” to Shield Classified Programs

In an apparent departure from “generally accepted accounting principles,” federal agencies will be permitted to publish financial statements that are altered so as to protect information on classified spending from disclosure.

The new policy was developed by the government’s Federal Accounting Standards Advisory Board (FASAB) in response to concerns raised by the Department of Defense and others that a rigorous audit of agency financial statements could lead to unauthorized disclosure of classified information.

In order to prevent disclosure of classified information in a public financial statement, FASAB said that agencies may amend or obscure certain spending information. “An entity may modify information required by other [accounting] standards if the effect of the modification does not change the net results of operations or net position.”

Agencies may also shift accounts around in a potentially misleading way. “A component reporting entity is allowed to be excluded from one reporting entity and consolidated into another reporting entity. The effect of the modifications may change the net results of operations and/or net position.” See Statement of Federal Financial Accounting Standards 56, FASAB, July 5, 2018 (final draft for sponsor review).

In response to an earlier draft of the new standard that was issued last December, most government agencies endorsed the move to permit modifying public financial statements.

“The protection of classified information and national security takes precedence over financial statements,” declared the Central Intelligence Agency in its comments (submitted discreetly under the guise of an “other government agency”).

“It is in the best interest of national security to allow for modification to the presentation of balances and reporting entity in the GPFFR [the publicly available General Purpose Federal Financial Report],” CIA wrote.

But in a sharply dissenting view, the Pentagon’s Office of Inspector General said the new approach was improper, unwise and unnecessary.

It “jeopardizes the financial statements’ usefulness and provides financial managers with an arbitrary method of reporting accounting information,” the DoD OIG said.

“We do not agree that incorporating summary-level dollar amounts in the overall statements will necessarily result in the release of classified information.”

“This proposed guidance is a major shift in Federal accounting guidance and, in our view, the potential impact is so expansive that it represents another comprehensive basis of accounting.”

“The Board should clarify whether this proposed standard, or subsequent Interpretations, could permit entities to record misstated amounts in the financial statements to mislead readers with the stated purpose of protecting classified information. We believe that no accounting guidance should allow this type of accounting entry.”

“We do not believe that… the Board’s proposed guidance would effectively protect classified information, comply with GAAP [generally accepted accounting principles], or serve the public interest,” the DoD OIG wrote.

The Kearney & Company accounting firm also objected, saying that it would be better to classify certain financial statements or redact classified spending than to misrepresent published information.

“Generally Accepted Accounting Principles (GAAP) should not be modified to limit reporting of classified activities. Rather, GAAP reporting should remain the same as other Federal entities and redacted for public release or remain classified.”

If a published account is modified “so material activity is no longer accurately presented to the reader of financial statements, its usefulness to public users is limited and subject to misinterpretation.”

“This approach limits the value, usefulness, and benefits of financial statements as currently defined by GAAP. Financial statements of classified entities should remain classified or redacted like other classified documents before release to the public.”

“The integrity of current GAAP as it applies to all Federal entities should be retained,” Kearney said in its comments.

But the FASAB ultimately rejected those views.

“The Board determined that options other than those permitted in this Statement may not always adequately resolve national security concerns,” according to the final draft of the policy, which the Board provided to Secrecy News.

“Without this Statement, there is a risk that reporting entities may need to classify their entire financial statements to comply with existing accounting standards, which would likely result in the need to classify a large portion of the government-wide financial statements.”

In practice, the Board suggested, “Modifications may not be needed to prevent the disclosure of certain classified information. Therefore, this Statement permits, rather than requires, modifications on a case-by-case basis.”

The new accounting standard is expected to be approved by the FASAB sponsors — namely the Secretary of Treasury, the Comptroller General, and the Director of the Office of Management and Budget — by the end of a 90 day review period in October.

Last month, the FASAB issued a separate classified “Interpretation” of the new standard that addressed the policy’s implementation in detail. The contents of that document are not publicly known.

The topic of accounting for classified spending has been a challenging one for the Board, said Assistant Director Monica R. Valentine on Monday. “This is the first time we’ve had to deal with this sort of issue.”

Classified Human Subjects Research Continues at DOE

dozen classified programs that involved research on human subjects were underway last year at the Department of Energy.

Human subjects research refers broadly to the collection of scientific data from human subjects. This could involve physical procedures that are performed on the subjects, or simply interviews and other forms of interaction with them.

Little information is publicly available about the latest DOE programs, most of which have opaque, non-descriptive names such as TristanIdaho Bailiff and Moose Drool. But a list of the classified programs was released this week under the Freedom of Information Act.

Human subjects research erupted into national controversy 25 years ago with reporting by Eileen Welsome of the Albuquerque Tribune on human radiation experiments that had been conducted by the Atomic Energy Commission, many of which were performed without the consent of the subjects. A presidential advisory committee was convened to document the record and to recommend appropriate policy responses.

In 2016, the Department of Energy issued updated guidelines on human subjects research, which included a requirement to produce a listing of all classified projects involving human subjects. It is that listing that has now been released.

“Research using human subjects provides important medical and scientific benefits to individuals and to society. The need for this research does not, however, outweigh the need to protect individual rights and interests,” according to the 2016 DOE guidance on protection of human subjects in classified research.

An extravagantly horrific example of fictional human subject research was imagined by Lindsay Anderson in his 1973 film O Lucky Man! which captured the zeitgeist for a moment.

BMD Flight Test Schedule Must Be Unclassified

Earlier this year, the Department of Defense classified the schedule of flight tests of ballistic missile defense systems, even though such information had previously been unclassified and publicly disclosed.

Rejecting that move, Congress has now told the Pentagon’s Missile Defense Agency that the flight test schedule must be unclassified.

A new provision in the FY2019 national defense authorization act (sect. 1681) would “require that MDA make the quarter and fiscal year for execution of planned flight tests unclassified.”

“Together with the release of each integrated master test plan of the Missile Defense Agency, and at the same time as each budget of the President is submitted to Congress…, the Director of the Missile Defense Agency shall make publicly available a version of each such plan that identifies the fiscal year and the fiscal quarter in which events under the plan will occur,” the provision states.

This legislative action will effectively override the classification judgment of the executive branch. That is something that Congress rarely does and that the executive branch regards as an infringement on its authority.