Discipline and Punishment at the Department of Defense

The Pentagon has prepared a newly updated compilation of infractions that might be committed and prohibitions that might be violated by Department of Defense employees, together with the recommended punishments.

“Mishandling or failing to safeguard information or documentation that is classified,” for example, can entail punishment ranging from written reprimand to removal. See Disciplinary and Adverse Actions, Administrative Instruction 8, December 16, 2016.

The document’s Table of Offenses and Penalties does not include overclassification, faulty compliance with the Freedom of Information Act, or some other readily imaginable forms of misconduct.

But proscribed (and punishable) activities do include retaliation against whistleblowers (conduct unbecoming a federal employee), discourtesy (abusive language or gestures), and lack of candor or truthfulness.

You Could Look It Up: DoD Dictionary Updated

The newly updated edition of the Department of Defense Dictionary of Military and Associated Terms includes a new entry for “Improvised Nuclear Device.”

It is defined as “A device incorporating fissile materials designed or constructed outside of an official government agency that has, appears to have, or is claimed to be a nuclear weapon that is no longer in the control of a competent authority or custodian or has been modified from its designated firing sequence.”

The 400-page DoD Dictionary, now updated through 15 October 2016, is a useful reference for interpreting specialized military terminology and for decoding current acronyms, which are listed in a 120-page Appendix. But it is also a reflection of current DoD concerns and priorities.

Another new entry in the latest edition is for “resilience,” which here means “The ability of an architecture to support the functions necessary for mission success with higher probability, shorter periods of reduced capability, and across a wider range of scenarios, conditions, and threats, in spite of hostile action or adverse conditions.”

The update replaces prior editions which were designated Joint Publication 1-02. For unknown reasons, the JP 1-02 document format has been abandoned in the new edition, which is simply entitled DOD Dictionary of Military and Associated Terms.

Fixing Pre-Publication Review

As a condition of gaining access to classified information, many government employees agree to submit to official pre-publication review of any public statement they wish to make that is related to their government employment.

This procedure has long been a source of conflict and controversy, but over time the pre-publication review process has become increasingly onerous, internally contradictory, and disruptive.

As part of an ongoing dialog on the subject, I offered some thoughts on “Fixing Pre-Publication Review: What Should Be Done?” on the Just Security blog.

“Controlled Unclassified Information” Is Coming

After years of preparation, the executive branch is poised to adopt a government-wide system for designating and safeguarding unclassified information that is to be withheld from public disclosure.

The new system of “controlled unclassified information” (CUI) will replace the dozens of improvised control markings used by various agencies that have created confusion and impeded information sharing inside and outside of government. A proposed rule on CUI was published for public comment on May 8 in the Federal Register.

While CUI is by definition unclassified, it is nevertheless understood to require protection against public disclosure on the basis of statute, regulation, or agency policy. In many or most cases, the categories of information that qualify as CUI are non-controversial, and include sensitive information related to law enforcement, nuclear security, grand jury proceedings, and so on.

Until lately, “more than 100 different markings for such information existed across the executive branch. This ad hoc, agency-specific approach created inefficiency and confusion, led to a patchwork system that failed to adequately safeguard information requiring protection, and unnecessarily restricted information sharing,” the proposed rule said.

One of the striking features of the new CUI program is that it limits the prevailing autonomy of individual agencies and obliges them to conform to a consistent government-wide standard.

“CUI categories and subcategories are the exclusive means of designating CUI throughout the executive branch,” the proposed rule states. “Agencies may not control any unclassified information outside of the CUI Program.”

Nor do agencies get to decide on their own what qualifies as CUI. That status must be approved by the CUI Executive Agent (who is the director of the Information Security Oversight Office) based on an existing statutory or regulatory requirement, or on a legitimate agency policy. And it must be published in the online CUI Registry. There are to be no “secret” CUI categories.

Importantly, the CUI Program offers a way of validating agency information control practices pertaining to unclassified information. (A comparable procedure for externally validating agency classification practices does not exist.) But CUI status itself is not intended to become an additional barrier to disclosure.

“The mere fact that information is designated as CUI has no bearing on determinations pursuant to any law requiring the disclosure of information or permitting disclosure as a matter of discretion,” the new proposed rule said. The possibility that CUI information could or should be publicly disclosed on an authorized basis is not precluded.

More specifically, a CUI marking in itself does not constitute an exemption to the Freedom of Information Act, the rule said. However, a statutory restriction that justifies designating information as CUI would also likely make it exempt from release under FOIA.

One complication arises from the fact that simply removing CUI controls does not equate to or imply public release.

“Decontrolling CUI relieves authorized holders from requirements to handle the information under the CUI Program, but does not constitute authorization for public release,” the rule said. Instead, disclosure is only permitted “in accordance with existing agency policies on the public release of information.”

The upshot is that while there can be “controlled unclassified information” that is publicly releasable, there can also be non-CUI (or former CUI) information that is not releasable. The latter category might include unclassified deliberative materials, for example, that are not controlled as CUI but are still exempt from disclosure under the Freedom of Information Act.

More subtly, noted John P. Fitzpatrick, the director of the Information Security Oversight Office, there is a large mass of material that is neither CUI nor non-CUI– until someone looks at it and makes an assessment. In all such cases (other than voluntary disclosure by an agency), public access would be governed by the provisions and exemptions of the FOIA.

The genealogy of the CUI Program dates back at least to a December 16, 2005 memorandum in which President George W. Bush directed that procedures for handling what was called “sensitive but unclassified” information “must be standardized across the Federal Government.”

At that time, the impetus for standardization (which never came to fruition) was based on the need for improved sharing of homeland security and terrorism-related information. The initiative was broadened and developed in the 2010 Obama executive order 13556, which eventually led to the current proposed rule. Public comments are due by July 7.

New DNI Guidance on Polygraph Testing Against Leaks

Updated below

Director of National Intelligence James R. Clapper issued guidance this month on polygraph testing for screening of intelligence community personnel. His instructions give particular emphasis to the use of the polygraph for combating unauthorized disclosures of classified information.

Counterintelligence scope polygraph examinations “shall cover the topics of espionage, sabotage, terrorism, unauthorized disclosure or removal of classified information (including to the media), unauthorized or unreported foreign contacts, and deliberate damage to or misuse of U.S. Government information systems or defense systems,” the guidance states.

Such examinations “shall specifically include the issue of unauthorized disclosures of classified information during pre-examination explanations by incorporating a definition that explicitly states that an unauthorized disclosure means unauthorized communication or physical transfer of classified information to an unauthorized recipient.”

The polygraph administrator is further instructed to explain that an unauthorized recipient is any person without an appropriate clearance or need to know, “including any member of the media.”

See Conduct of Polygraph Examinations for Personnel Security Vetting, Intelligence Community Policy Guidance 704.6, February 4, 2015.

The use of polygraph testing to combat leaks has been a recurring theme in security policy for decades. Yet somehow neither leaks nor polygraph tests have gone away.

President Reagan once issued a directive (NSDD 84) to require all government employees to submit polygraph testing as an anti-leak measure.

In response, Secretary of State George P. Shultz famously declared in 1985 that he would quit his job rather than take the test. “The minute in this government I am told that I’m not trusted is the day that I leave,” Shultz told reporters.

Having forthrightly declared his position, Secretary Shultz was never compelled to undergo the polygraph test or to resign. “Management through fear and intimidation,” he said in 1989, “is not the way to promote honesty and protect security.”

From another perspective, the problem with polygraph testing has nothing to do with intimidation but with accuracy and reliability. There is at least a small subset of people who seem unable to “pass” a polygraph exam for reasons that neither they nor their examiners can discern. And there are others, such as the CIA officer and Soviet spy Aldrich Ames, who have been able to pass the polygraph test while in the espionage service of a foreign government.

Update: The polygraph provisions of NSDD 84 were quietly modified in 1984 and were never implemented.

DNI Issues Directive on “Critical Information”

The Director of National Intelligence last week issued a new directive on “critical information,” also denominated “CRITIC,” which refers to national security information of the utmost urgency.

“Critical information is information concerning possible threats to U.S. national security that are so significant that they require the immediate attention of the President and the National Security Council,” the directive explains.

“Critical information includes the decisions, intentions, or actions of foreign governments, organizations, or individuals that could imminently and materially jeopardize vital U.S. policy, economic, information system, critical infrastructure, cyberspace, or military interests.”

See “Critical Information (CRITIC),” Intelligence Community Directive 190, February 3, 2015.

Interestingly, any intelligence community official can designate information as “critical,” thereby hotlining it for Presidential attention. “Critical information may originate with any U.S. government official in the IC,” the DNI directive says.

Moreover, “CRITIC reporting may be based on either classified or unclassified information.” However, “CRITIC reporting should be based solely on unclassified information only if that information is unlikely to be readily available to the President and the National Security Council.”

The threshold for critical information is fairly high. It includes such things as a terrorist act against vital U.S. interests, the assassination or kidnapping of officials, a cyberspace attack that produces effects of national security significance, and so on.

Confusingly, the term critical information (CRITIC) is used differently in the Department of Defense.

According to the latest DoD Dictionary of Military Terms, “critical information” means “Specific facts about friendly intentions, capabilities, and activities needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment. Also called CRITIC.”

Military Terms and Symbols

The U.S. Army has updated and doubled the size of its lexicon of military terminology. This is a fluid and rapidly evolving field. In fact, “changes to terminology occur more frequently than traditional publication media can be updated.”

The new Army publication extends beyond words to the use of symbols, including “hand drawn and computer-generated military symbols for situation maps, overlays, and annotated aerial photographs for all types of military operations.”

Though intended primarily for military personnel, this work is also useful for others who are seeking to understand and interpret Army records and military culture.

A “clandestine operation,” the Army document explains, is “an operation sponsored or conducted by governmental departments or agencies in such a way as to assure secrecy or concealment. A clandestine operation differs from a covert operation in that emphasis is placed on concealment of the operation rather than on concealment of the identity of the sponsor.”

However, “In special operations, an activity may be both covert and clandestine and may focus equally on operational considerations and intelligence-related activities.”

An “unauthorized commitment,” which surprisingly merits its own entry, is defined as “An agreement that is not binding solely because the United States Government representative who made it lacked the authority to enter into that agreement on behalf of the United States Government.”

See Army Doctrine Reference Publication (ADRP) 1-02, Terms and Military Symbols, February 2, 2015.

Sen. Markey to DoE: What About the James Doyle Case?

Senator Edward J. Markey asked the Secretary of Energy this week to expedite the investigation of the firing of James Doyle from Los Alamos National Laboratory, which occurred after Doyle published an analysis critical of U.S. nuclear weapons policy.

“I write to urge you in the strongest possible terms to quickly conclude your investigation into the recent termination of Dr. James E. Doyle, a nuclear security and non-proliferation specialist who had been employed at the Los Alamos National Laboratory (LANL) for 17 years,” Sen. Markey wrote.

“Dr. Doyle was terminated after an article he published crticizing the deterrence value of nuclear weapons was retroactively classified. At best, the Department of Energy’s (DOE) classification procedures are too vague to be uniformly applied. At worst, it appears that these classification procedures were used to silence and retaliate against those who express dissenting opinions,” he wrote.

The Doyle case generated significant controversy among his colleagues and others concerned with nuclear security policy.

In response to public concerns, the Department of Energy said it had initiated an Inspector General review of the case. But there has been no known follow-up to date.

Insider Threat Program Advances, Slowly

Nearly two years after President Obama issued a National Insider Threat Policy “to strengthen the protection and safeguarding of classified information” against espionage or unauthorized disclosure, the effort is still at an early stage of development.

Only last week, the U.S. Air Force finally issued a directive to implement the 2012 Obama policy. (AF Instruction 16-1402, Insider Threat Program Management). And even now it speaks prospectively of what the program “will” do rather than what it has done or is doing.

The new Air Force Instruction follows similar guidance issued last year by the Army and the Navy.

The Air Force Insider Threat Program includes several intended focus areas, including continuous evaluation of personnel, auditing of government computer networks, and procedures for reporting anomalous behavior.

“Procedures must be in place that support continuous evaluation of personnel to assess their reliability and trustworthiness,” the AF Instruction says.

Such continuous evaluation procedures may eventually sweep broadly over many domains of public and private information, but they are not yet in place.

“There are a number of ongoing pilot studies to assess the feasibility of select automated records checks and the utility of publicly available electronic information, to include social media sites, in the personnel security process,” said Brian Prioletti of the Office of the Director of National Intelligence in testimony before the House Homeland Security Committee last November.

The Air Force directive also encourages reporting of unusual behavior by potential insider threats.

“Insider threat actors typically exhibit concerning behavior,” the directive says. But this is not self-evidently true in all cases, and the directive does not provide examples of “concerning behavior.”

A Department of Defense training module recently identified expressions of “unhappiness with U.S. foreign policy” as a potential threat indicator, the Huffington Post reported last week. (“Pentagon Training Still Says Dissent Is A Threat ‘Indicator'” by Matt Sledge, August 4.) If so, that criterion would not narrow the field very much.

The “CORRECT Act” (HR5240) that was introduced last month by Rep. Bennie Thompson and Sen. Ron Wyden would require any insider threat program to meet certain standards of fairness and employee protection, and “to preserve the rights and confidentiality of whistleblowers.”

That message may have been partially internalized already. The terms “civil liberties” and “whistleblowers” are each mentioned four times in the eight-page Air Force Instruction.