Financial Accounts May Be “Modified” to Shield Classified Programs

In an apparent departure from “generally accepted accounting principles,” federal agencies will be permitted to publish financial statements that are altered so as to protect information on classified spending from disclosure.

The new policy was developed by the government’s Federal Accounting Standards Advisory Board (FASAB) in response to concerns raised by the Department of Defense and others that a rigorous audit of agency financial statements could lead to unauthorized disclosure of classified information.

In order to prevent disclosure of classified information in a public financial statement, FASAB said that agencies may amend or obscure certain spending information. “An entity may modify information required by other [accounting] standards if the effect of the modification does not change the net results of operations or net position.”

Agencies may also shift accounts around in a potentially misleading way. “A component reporting entity is allowed to be excluded from one reporting entity and consolidated into another reporting entity. The effect of the modifications may change the net results of operations and/or net position.” See Statement of Federal Financial Accounting Standards 56, FASAB, July 5, 2018 (final draft for sponsor review).

In response to an earlier draft of the new standard that was issued last December, most government agencies endorsed the move to permit modifying public financial statements.

“The protection of classified information and national security takes precedence over financial statements,” declared the Central Intelligence Agency in its comments (submitted discreetly under the guise of an “other government agency”).

“It is in the best interest of national security to allow for modification to the presentation of balances and reporting entity in the GPFFR [the publicly available General Purpose Federal Financial Report],” CIA wrote.

But in a sharply dissenting view, the Pentagon’s Office of Inspector General said the new approach was improper, unwise and unnecessary.

It “jeopardizes the financial statements’ usefulness and provides financial managers with an arbitrary method of reporting accounting information,” the DoD OIG said.

“We do not agree that incorporating summary-level dollar amounts in the overall statements will necessarily result in the release of classified information.”

“This proposed guidance is a major shift in Federal accounting guidance and, in our view, the potential impact is so expansive that it represents another comprehensive basis of accounting.”

“The Board should clarify whether this proposed standard, or subsequent Interpretations, could permit entities to record misstated amounts in the financial statements to mislead readers with the stated purpose of protecting classified information. We believe that no accounting guidance should allow this type of accounting entry.”

“We do not believe that… the Board’s proposed guidance would effectively protect classified information, comply with GAAP [generally accepted accounting principles], or serve the public interest,” the DoD OIG wrote.

The Kearney & Company accounting firm also objected, saying that it would be better to classify certain financial statements or redact classified spending than to misrepresent published information.

“Generally Accepted Accounting Principles (GAAP) should not be modified to limit reporting of classified activities. Rather, GAAP reporting should remain the same as other Federal entities and redacted for public release or remain classified.”

If a published account is modified “so material activity is no longer accurately presented to the reader of financial statements, its usefulness to public users is limited and subject to misinterpretation.”

“This approach limits the value, usefulness, and benefits of financial statements as currently defined by GAAP. Financial statements of classified entities should remain classified or redacted like other classified documents before release to the public.”

“The integrity of current GAAP as it applies to all Federal entities should be retained,” Kearney said in its comments.

But the FASAB ultimately rejected those views.

“The Board determined that options other than those permitted in this Statement may not always adequately resolve national security concerns,” according to the final draft of the policy, which the Board provided to Secrecy News.

“Without this Statement, there is a risk that reporting entities may need to classify their entire financial statements to comply with existing accounting standards, which would likely result in the need to classify a large portion of the government-wide financial statements.”

In practice, the Board suggested, “Modifications may not be needed to prevent the disclosure of certain classified information. Therefore, this Statement permits, rather than requires, modifications on a case-by-case basis.”

The new accounting standard is expected to be approved by the FASAB sponsors — namely the Secretary of Treasury, the Comptroller General, and the Director of the Office of Management and Budget — by the end of a 90-day review period in October.

Last month, the FASAB issued a separate classified “Interpretation” of the new standard that addressed the policy’s implementation in detail. The contents of that document are not publicly known.

The topic of accounting for classified spending has been a challenging one for the Board, said Assistant Director Monica R. Valentine on Monday. “This is the first time we’ve had to deal with this sort of issue.”

Classified Human Subjects Research Continues at DOE

A dozen classified programs that involved research on human subjects were underway last year at the Department of Energy.

Human subjects research refers broadly to the collection of scientific data from human subjects. This could involve physical procedures that are performed on the subjects, or simply interviews and other forms of interaction with them.

Little information is publicly available about the latest DOE programs, most of which have opaque, non-descriptive names such as Tristan, Idaho Bailiff and Moose Drool. But a list of the classified programs was released this week under the Freedom of Information Act.

Human subjects research erupted into national controversy 25 years ago with reporting by Eileen Welsome of the Albuquerque Tribune on human radiation experiments that had been conducted by the Atomic Energy Commission, many of which were performed without the consent of the subjects. A presidential advisory committee was convened to document the record and to recommend appropriate policy responses.

In 2016, the Department of Energy issued updated guidelines on human subjects research, which included a requirement to produce a listing of all classified projects involving human subjects. It is that listing that has now been released.

“Research using human subjects provides important medical and scientific benefits to individuals and to society. The need for this research does not, however, outweigh the need to protect individual rights and interests,” according to the 2016 DOE guidance on protection of human subjects in classified research.

An extravagantly horrific example of fictional human subject research was imagined by Lindsay Anderson in his 1973 film O Lucky Man! which captured the zeitgeist for a moment.

BMD Flight Test Schedule Must Be Unclassified

Earlier this year, the Department of Defense classified the schedule of flight tests of ballistic missile defense systems, even though such information had previously been unclassified and publicly disclosed.

Rejecting that move, Congress has now told the Pentagon’s Missile Defense Agency that the flight test schedule must be unclassified.

A new provision in the FY2019 national defense authorization act (sect. 1681) would “require that MDA make the quarter and fiscal year for execution of planned flight tests unclassified.”

“Together with the release of each integrated master test plan of the Missile Defense Agency, and at the same time as each budget of the President is submitted to Congress…, the Director of the Missile Defense Agency shall make publicly available a version of each such plan that identifies the fiscal year and the fiscal quarter in which events under the plan will occur,” the provision states.

This legislative action will effectively override the classification judgment of the executive branch. That is something that Congress rarely does and that the executive branch regards as an infringement on its authority.

Bid to Rectify the “Black Budget” Fails

The so-called “black” budget — which refers to classified government spending on military procurement, operations, and intelligence — is not merely secret. It is actually deceptive and misleading, since it produces a distortion in the amount and the presentation of the published budget.

The amount of money that is purportedly appropriated for the US Air Force, for example, does not all go to the Air Force, the Senate Armed Services Committee recently observed.

“Each year, a significant portion of the Air Force budget contains funds that are passed on to, and managed by, other organizations within the Department of Defense. This portion of the budget, called ‘pass-through,’ cannot be altered or managed by the Air Force. It resides within the Air Force budget for the purposes of the President’s budget request and apportionment, but is then transferred out of the Service’s control,” according to a Senate report on the 2019 defense bill (S.Rept. 115-262).

Although the report does not say so, the Air Force budget may also include pass-through funding for the Central Intelligence Agency, which of course is not even part of the Department of Defense, as well as for other non-Air Force intelligence functions.

“In fiscal year 2018, the Air Force pass-through budget amounted to approximately $22.0 billion, or just less than half of the total Air Force procurement budget. The committee believes that the current Air Force pass-through budgeting process provides a misleading picture of the Air Force’s actual investment budget.”

The Senate therefore recommended that such “pass-through” funds be removed from the Air Force budget and included in Defense-wide appropriations.

But in the House-Senate conference on the FY2019 defense bill, this move was blocked and so the deceptive status quo will continue to prevail.

Earlier this month, the Director of National Intelligence and the Pentagon Comptroller wrote to Congress to present their views on the Senate provision. A copy of their letter, which presumably objected to the proposed move, has been requested but not yet released.

The logic of the Senate proposal was explained by Mackenzie Eaglen of the American Enterprise Institute in “Time to Get the Black Out of the Blue,” Real Clear Defense, June 13.

The Aging Secrecy System Is “At a Crossroads”

Today’s national security classification system is unsustainable, says a new annual report to the President from the government’s Information Security Oversight Office (ISOO). It is “hamstrung by old practices and outdated technology” and a new, government-wide technology strategy will be required “to combat inaccurate classification and promote more timely declassification.”

The secrecy system has expanded to the point that it is effectively unmanageable and often counterproductive, ISOO indicated.

“Too much classification impedes the proper sharing of information necessary to respond to security threats, while too little declassification undermines the trust of the American people in their Government. Reforms will require adopting strategies that increase the precision and decrease the permissiveness of security classification decisions, improve the efficiency and effectiveness of declassification programs, and use modern technology in security classification programs across the Government,” the report said.

“We are at a crossroads,” wrote ISOO director Mark Bradley in a May 31 letter to the President transmitting the report, which was made public today.

ISOO’s sense of urgency is reflected in the annual report itself, which strives to be more forward leaning and policy-relevant than many past ISOO reports. It goes beyond the recitation of (often questionable) statistics on classification activity to present a series of findings and recommended actions that it says are needed to restore the integrity of the system.

In addition to a call for development of a comprehensive new technology strategy for classification and declassification, ISOO specifically recommends adding a new budget line item for security classification in agency budget requests to help regulate and justify expenditures, and adding a public member to the Information Security Classification Appeals Panel to represent the broad public interest in that Panel’s work on declassification.

Some of the other recommendations in the report flag problem areas rather than advance solutions, and tend to do so in the passive voice: “Policies must be revised to improve the effectiveness and efficiency of automatic declassification.” How exactly should the policies be revised? Adopt a “drop-dead date” for classification? Eliminate agency referrals for older documents? Grant broad declassification authority to the National Declassification Center? The report doesn’t say.

Much of the data traditionally reported by ISOO regarding classification activity is suggestive but not truly informative. Just as one cannot judge the overall health of the economy from stock market averages, changes in the volume of classification activity say nothing about its quality or legitimacy. In 2017, ISOO found that original classification activity (production of new secrets) increased for the first time in four years. At the same time, derivative classification decreased. The significance of these developments, if any, is unclear.

But other ISOO findings in the new report are more interesting.

ISOO said that last year there were again hundreds of classification challenges presented by government employees who disputed the classification of particular items of information. Most of the challenges were denied, but in 8% of the cases (a small but non-negligible number) they were upheld and the classifications in question were overturned. Such classification challenges “serve a critical role by uncovering information improperly classified in the first instance,” the ISOO report said, providing “an internal check on the system.” Because the challenges are now mostly localized in just a few agencies, this practice has the potential to have far more impact in combating overclassification if it can be adopted and encouraged more widely across the executive branch.

The ISOO report summarized the results of the latest Fundamental Classification Guidance Review, which led to the cancellation of 221 security classification guides (out of 2,865 guides). The cancelled guides will no longer be available for use in classifying information.

ISOO also cast a favorable spotlight on the new approach to classification led by the National Geospatial-Intelligence Agency. NGA now requires written justifications for original classification decisions, along with a description of the damage that would result from unauthorized disclosure, and an unclassified paraphrase of the classified information. The resulting NGA classification guidance currently represents a “best practice” in classification policy, ISOO said. That is to say, it represents a model that could constructively be applied elsewhere in agencies that classify national security information.

The ISOO report also addressed escalating classification costs (which reached a new high in 2017), growing backlogs of mandatory declassification review requests, and the contentious implementation of Controlled Unclassified Information policy, among other topics.

Fixing the classification system is a slow and uncertain process, and some people don’t want to wait.

Sen. Doug Jones (D-Ala.) introduced legislation this week to accelerate the release of records concerning unsolved criminal civil rights cases from half a century ago. Some of those records, in his estimation, “remain classified unnecessarily.” So his bill (S. 3191) would work around that classification obstacle with an alternative approach. Modeled in part on the JFK Assassination Records Act of 1992, the bill would empower a panel of private citizens to review and decide on disclosure of the records.

Meanwhile, the Department of Defense recently issued a “request for information” about technology that could aid in the classification process. The desired technology “must be able to make real-time decisions about the classification level of the information and an individual’s ability to access, change, delete, receive or forward the information.” (FBO, NextGov, ArsTechnica)

Hundreds of CIA Email Accounts Deemed Permanent Records

In a significant expansion of intelligence record preservation, email from more than 426 Central Intelligence Agency email accounts will now be captured as permanent historical records. A plan to that effect was approved by the National Archives last week.

In 2014, the CIA had said that it intended to preserve the emails of only 22 senior officials, a startlingly low number considering the size and importance of the Agency. The National Archives initially recommended approval of the CIA proposal.

But as soon as the CIA proposal was made public, it generated a wave of opposition from members of Congress and public interest groups.

“In our experience, email messages are essential to finding CIA records that may not exist in other so-called permanent records at the CIA,” wrote Senators Dianne Feinstein and Saxby Chambliss in November 2014, when they were chair and vice chair of the Senate Intelligence Committee. “Applying the new proposal to all but the 22 most senior CIA officials means the new policy would allow the destruction of important records and messages of a number of top CIA officials.”

In light of such objections, NARA agreed to reassess the CIA plan. It was officially withdrawn by CIA in 2016.

The new plan, submitted by CIA in July 2017 and approved by NARA on April 24, extends email record preservation much deeper into the CIA bureaucracy, requiring retention of the email of many program managers and office directors that were missing from the original plan.

The newly approved plan identifies 426 accounts subject to capture as permanent records. However, a number of other email accounts covered by the new plan are classified “due to the names of some offices noted on the form as well as the number of accounts in certain categories,” said Meg Phillips, external affairs liaison for NARA. The total number is therefore greater than 426.

The CIA’s new plan “resolves the majority of comments or concerns raised during the public comment period” regarding the previous plan, Ms. Phillips said.

Court Rules in Favor of Selective Disclosure

The Central Intelligence Agency can selectively disclose classified information to reporters while withholding that very same information from a requester under the Freedom of Information Act, a federal court ruled last month.

The ruling came in a FOIA lawsuit brought by reporter Adam Johnson who sought a copy of emails sent to reporters Siobhan Gorman of the Wall Street Journal, David Ignatius of the Washington Post, and Scott Shane of the New York Times that the CIA said were classified and exempt from disclosure.

“The Director of Central Intelligence is free to disclose classified information about CIA sources and methods selectively, if he concludes that it is necessary to do so in order to protect those intelligence sources and methods, and no court can second guess his decision,” wrote Chief Judge Colleen J. McMahon of the Southern District of New York in a decision in favor of the CIA that was released last week with minor redactions.

The Freedom of Information Act is a tool that can change as it is used, whether for the better or the worse, especially since FOIA case law rests on precedent. That means that a FOIA lawsuit that is ill-advised or poorly argued or that simply fails for any reason can alter the legal landscape to the disadvantage of future requesters. In particular, as anticipated a few months ago, “a lawsuit that was intended to challenge the practice of selective disclosure could, if unsuccessful, end up ratifying and reinforcing it.” That is what has now happened.

The shift is starkly illustrated by comparing the statements of Judge McMahon early in the case, when she seemed to identify with the plaintiff’s perspective, and her own final ruling that coincided instead with the CIA’s position.

“There is absolutely no statutory provision that authorizes limited disclosure of otherwise classified information to anyone, including ‘trusted reporters,’ for any purpose, including the protection of CIA sources and methods that might otherwise be outed,” she had previously stated in a January 30 order.

“In the real world, disclosure to some who are unauthorized operates as a waiver of the right to keep information private as to anyone else,” which was exactly the plaintiff’s point.

“I suppose it is possible,” she added in a cautionary footnote, “that the Government does not consider members of the press to be part of ‘the public.’ I do.”

But this congenial (to the plaintiff) point of view would soon be abandoned by the court. By the end of the case, the mere act of disclosure to one or more members of the press would no longer be deemed equivalent to “public disclosure” for purposes of waiving an exemption from disclosure under FOIA.

Instead, Judge McMahon would come to accept, as the CIA argued in a February 14 brief, that “a limited disclosure of information to three journalists does not constitute a disclosure to the public. Where, as here, the record shows that the classified and statutorily protected information at issue has not entered the public domain, there is no waiver of FOIA’s exemptions.”

Plaintiff Johnson objected that “the Government cannot define ‘public’ to mean members of the public it is not disclosing information to.”

“The Government’s position that it may selectively disclose without waiver, if it has the best of intentions, knows no logical limits and would render the FOIA waiver doctrine a nullity,” he wrote. “The CIA’s motive in releasing the information is irrelevant under FOIA. Whether good reason, bad reason, or no reason at all, what matters is that an authorized disclosure took place. If the CIA does not wish to waive its secrecy prerogative, it cannot authorize a disclosure to a member of the public.”

In an amicus brief, several FOIA advocacy groups presented a subtle technical argument in support of the plaintiff. Under the circumstances, they concluded, the court had no choice but to order disclosure. “It does not matter… how much alleged damage the release of the information could cause.”

But these counterarguments proved unpersuasive to the court, and Judge McMahon ended up with a new conception of what constitutes the kind of prior “public disclosure” that would compel release of information under FOIA. Selective disclosure to individual reporters would not qualify.

“For something to be ‘public,’ it has to, in some sense, be accessible to members of the general public,” she now held in her final opinion.

“Selective disclosure of protectable information to an organ of the press… does not create a ‘truly public’ record of that information.” So CIA cannot be forced to disclose it to others. This was exactly the opposite of the view expressed by Judge McMahon earlier in the case.

The ruling was a defeat for the FOIA in the sense that it affirmed and strengthened a barrier to disclosure.

But it might also be considered a victory for the press, to the extent that it enables exchange of classified information with reporters off the record. Had the court compelled disclosure of the classified CIA emails to reporters Gorman, Ignatius and Shane, that would likely have reduced or eliminated the willingness of agencies to share classified information with reporters, as they occasionally do.

But the practice of selective disclosure has risks of its own, wrote plaintiff’s attorney Dan Novack last year. It “allow[s] the government to hypocritically release sensitive national security information when it suits its public relations interests without fear of being held to its own standard later.”

Missile Defense Flight Test Secrecy May Be Reversed

Some members of the House Armed Services Committee want the Pentagon’s Missile Defense Agency to return to its previous practice of publicly disclosing information about planned flight tests of ballistic missile defense (BMD) systems and components.

Earlier this year, the Department of Defense said that information about BMD flight tests, objectives and schedules was now classified, even though such information had routinely been made public in the past. (DOD Classifies Missile Defense Flight Test Plans, Secrecy News, March 5, 2018).

But in their initial markup of the FY2019 National Defense Authorization Act, members of the House Armed Services Strategic Forces Subcommittee said that the new secrecy was unacceptable, at least with respect to the test schedule.

They directed that “Together with the release of each integrated master test plan of the Missile Defense Agency, the Director of the Missile Defense Agency shall make publicly available a version of each such plan that identifies the fiscal year and the fiscal quarter in which events under the plan will occur.”

The pending provision would “require that MDA make the quarter and fiscal year for execution of planned flight tests unclassified.” (h/t Kingston Reif)

Aside from the merits of the House language, it represents a noteworthy legislative intervention in national security classification policy.

Under other circumstances, the executive branch might consider it an intolerable infringement on its authority for Congress to require information to be unclassified over and against an agency’s own judgment or preference.

But in the context of the ambitious and contentious defense authorization act — which among other things would establish a new U.S. Space Command under U.S. Strategic Command — this particular dispute over classification authority recedes into comparative insignificance.

Somewhat relatedly, the Joint Chiefs of Staff have updated DoD doctrine on space operations, with an expanded discussion of natural and man-made threats.

“Our adversaries’ progress in space technology not only threatens the space environment and our space assets but could potentially deny us an advantage if we lose space superiority.”

The doctrine describes general approaches to defending against threats to space-based assets, including defensive operations, reconstitution, and enhanced resilience through distribution, proliferation and deception. See Joint Publication (JP) 3-14, Space Operations, 10 April 2018.

A Forum for Classified Research on Cybersecurity

By definition, scientists who perform classified research cannot take full advantage of the standard practice of peer review and publication to assure the quality of their work and to disseminate their findings. Instead, military and intelligence agencies tend to provide limited disclosure of classified research to a select, security-cleared audience.

In 2013, the US intelligence community created a new classified journal on cybersecurity called the Journal of Sensitive Cyber Research and Engineering (JSCoRE).

The National Security Agency has just released a redacted version of the tables of contents of the first three volumes of JSCoRE in response to a request under the Freedom of Information Act.

JSCoRE “provides a forum to balance exchange of scientific information while protecting sensitive information detail,” according to the ODNI budget justification book for FY2014 (at p. 233). “Until now, authors conducting non-public cybersecurity research had no widely-recognized high-quality secure venue in which to publish their results. JSCoRE is the first of its kind peer-reviewed journal advancing such engineering results and case studies.”

The titles listed in the newly disclosed JSCoRE tables of contents are not very informative — e.g. “Flexible Adaptive Policy Enforcement for Cross Domain Solutions” — and many of them have been redacted.

However, one title that NSA withheld from release under FOIA was publicly cited in a Government Accountability Office report last year: “The Darkness of Things: Anticipating Obstacles to Intelligence Community Realization of the Internet of Things Opportunity,” JSCoRE, vol. 3, no. 1 (2015) (TS//SI//NF).

“JSCoRE may reside where few can lay eyes on it, but it has plenty of company,” wrote David Malakoff in Science Magazine in 2013. “Worldwide, intelligence services and military forces have long published secret journals” — such as DARPA’s old Journal of Defense Research — “that often touch on technical topics. The demand for restricted outlets is bound to grow as governments classify more information.”

DOD Classifies Missile Defense Flight Test Plans

The Department of Defense has decided to classify previously public information regarding future flight tests of ballistic missile defense systems and components.

Information about pending missile defense flight tests, their objectives, and their timing had previously been included in each year’s budget request documents. But that is no longer the case, and such information was withheld from the FY 2019 Missile Defense Agency RDT&E budget book that was published last month.

“Due to the need to safeguard critical defense information, the DOD will not provide timing or test details in advance beyond the required safety notifications for any planned flight tests,” Lt. Gen. Sam Greaves told Jason Sherman of InsideDefense, who noticed the newly restrictive disclosure practice. See “DOD now treating missile defense flight test plans — once public — as classified” by Jason Sherman, Inside the Pentagon, March 1 (subscription req’d).

Classification of flight test information makes it harder for outside observers and overseers — not just foreign intelligence services — to monitor the progress of US ballistic missile defense programs. The Missile Defense Agency’s specific justification for classifying previously unclassified categories of flight test information has not been publicly explained.