Cyber security is a “nebulous domain… that tends to resist easy measurement and, in some cases, appears to defy any measurement,” according to a report issued in March by Sandia National Laboratories.

In order to establish a common vocabulary for discussing cyber threats, and thereby to enable an appropriate response, the Sandia authors propose a variety of attributes that can be used to characterize cyber threats in a standardized and consistent way.

“Several advantages ensue from the ability to measure threats accurately and consistently,” the authors write. “Good threat measurement, for example, can improve understanding and facilitate analysis. It can also reveal trends and anomalies, underscore the significance of specific vulnerabilities, and help associate threats with potential consequences. In short, good threat measurement supports good risk management.”

See “Cyber Threat Metrics” by Mark Mateski, et al, Sandia National Laboratories, March 2012.

The Obama Administration is urging Congress to renew provisions of the Foreign Intelligence Surveillance Act (FISA) Amendments Act that are set to expire at the end of this year.

“Reauthorizing this authority is the top legislative priority of the Intelligence Community,” wrote Director of National Intelligence James Clapper and Attorney General Eric Holder in a February 8 letter to Congress.

One of the key provisions, they explained, would permit the electronic surveillance of entire categories of non-U.S. persons who are located abroad “without the need for a court order for each individual target.”

Under this provision, “instead of issuing individual court orders, the FISC [Foreign Intelligence Surveillance Court] approves annual certifications submitted by the Attorney General and the DNI that identify categories of foreign intelligence targets.”

“The provision contains a number of important protections for U.S. persons and others in the United States,” according to a background paper attached to the February 8 letter, including limitations on targeting, minimization procedures to exclude information about U.S. persons, and other guidelines on acquisition.

“Failure to reauthorize [this section] would result in a loss of significant intelligence and impede the ability of the Intelligence Community to respond quickly to new threats and intelligence opportunities,” the background paper stated.

Proposed legislative language to enact an extension of Title VII of the FISA Amendments Act was transmitted to Congress by the DNI in a March 26 letter.

The American Civil Liberties Union disputes the adequacy of the FISA Amendment Act’s protections for U.S. persons and is challenging the constitutionality of the Act in a lawsuit that is pending before the U.S. Supreme Court.  The ACLU is also asking Congress to “Fix FISA by prohibiting dragnet surveillance, mandating more transparency about the government’s surveillance activities, and strengthening safeguards for privacy.”

In 2011, the US Government submitted 1,745 applications to the Foreign Intelligence Surveillance Court for authorization to conduct electronic surveillance or physical searches under the Foreign Intelligence Surveillance Act (FISA), according to a new annual report to Congress. Of these, 1,676 included requests for authority for perform electronic surveillance, the report said.

That compares to 1,579 such applications in 2010 (including 1,511 for electronic surveillance).

As is usually the case, the FIS Court did not deny any electronic surveillance applications in whole or in part last year, though it made modifications to 30 of them.

The new report says that the government filed 205 applications for business records (including “tangible things”) for foreign intelligence purposes last year, compared to 96 in the previous year.

But the number of “national security letters” (a type of administrative subpoena) declined last year. In 2011, the FBI requested 16,511 national security letters pertaining to 7,201 U.S. persons, the new report said, compared to the 2010 total of 24,287 letter requests concerning 14,212 U.S. persons.

More than a thousand boxes of classified government records are believed to be missing from the Washington National Records Center (WNRC) of the National Archives and Records Administration (NARA), a three-year Inspector General investigation found.

But there are no indications of theft or espionage, an official said.

An inventory of the holdings at the Records Center determined that 81 boxes containing Top Secret information or Restricted Data (nuclear weapons information) were missing.  As of March 2011, an additional 1,540 boxes of material classified at the Secret or Confidential level also could not be located or accounted for, the Inspector General report on the matter said.  Each box can hold approximately 1.1 cubic feet or 2000 to 2500 sheets of paper.

The missing records “represent an ongoing failure at WNRC to protect some of the most sensitive information produced by the Federal Government,” wrote NARA Inspector General Paul Brachfeld in a 2009 letter to the Acting Archivist.

The IG report on the matter implied that it could constitute a violation of the Espionage Act, citing “alleged violations” of the espionage statues including prohibitions on “gathering, transmitting or losing defense information” (section 793), “disclosure of classified information” (section 798), and “unauthorized removal and retention of classified documents or material” (section 1924).

The results of the Inspector General investigation were first reported today in “Secret files missing at National Archives” by Jim McElhatton, The Washington Times, May 2.

The 2011 Inspector General report of investigation, released under the Freedom of Information Act, may be found here.

The missing records originated in the Office of the Secretary of Defense, the Army, the Navy, the Department of Energy, and other agencies.

The Inspector General report said that “At some point, the originating agency will have to make a determination on the effect the missing materials (from the missing 81 boxes) have on national security.”

In the meantime, “the Federal Bureau of Investigation has been notified of the missing classified materials per Department of Justice requirements.”

The problem of wayward official records, both classifed and unclassified, is not a new one. “In 1998 and 2004, WNRC conducted inventories of its classified holdings,” the Inspector General noted. “Both inventories revealed missing classified records.”

But more precisely, the inventories revealed discrepancies between the agency catalogs and the records on the shelf.  It is not entirely certain that any records have actually left official custody.  Today’s archival catalogs are pre-populated with the contents of a legacy hardcopy card catalog system that dates back many decades and that is inherently prone to error.

While poor records management practices are always problematic, there are several factors that would tend to mitigate the significance of the problem.

Many of the purportedly missing records are more than fifty years old, including one collection of pre-WWII records on “hydraulics.”  Almost all the records are more than 25 years old, and should have been declassified long ago.  The Washington National Records Center is not cleared for compartmented (SCI) intelligence records, and no such records are thought to be missing.

New and updated reports from the Congressional Research Service that have not been made readily available to the public include the following.

United States v. Jones: GPS Monitoring, Property, and Privacy, April 30, 2012

China’s Rare Earth Industry and Export Regime: Economic and Trade Implications for the United States, April 30, 2012

Federal Agency Actions Following the Supreme Court’s Climate Change Decision in Massachusetts v. EPA: A Chronology, May 1, 2012

The U.S.-Colombia Free Trade Agreement: Background and Issues, April 27, 2012

Issues and Challenges for Federal Geospatial Information, April 27, 2012

 

New and updated Congressional Research Service reports that Congress has withheld from direct public access include the following.

Cybersecurity: Authoritative Reports and Resources, April 26, 2012

The Budget Control Act of 2011: The Effects on Spending and the Budget Deficit When the Automatic Spending Cuts Are Implemented, April 23, 2012

Budget “Sequestration” and Selected Program Exemptions and Special Rules, April 27, 2012

U.S. Solar Photovoltaic Manufacturing: Industry Trends, Global Competition, Federal Support, April 27, 2012

Foreign Assistance to North Korea, April 26, 2012

Chile: Political and Economic Conditions and U.S. Relations, April 6, 2012

Canada-U.S. Relations, April 5, 2012

An Army field manual published last week explains the Army’s conduct of information collection activities in military operations.

“In this manual, the term ‘information collection’ is introduced as the Army’s replacement for ‘intelligence, surveillance, and reconnaissance’ (also known as ISR),” the manual says.

“This publication clarifies how the Army plans, prepares, and executes information collection activities within or between echelons.”

“As the Army fields new formations and equipment with inherent and organic information collection capabilities, it needs a doctrinal foundation to ensure their proper integration and use to maximize their capabilities.”

See Information Collection, U.S. Army Field Manual (FM) 3-55, April 23, 2012.

Government attorneys said yesterday that they would appeal an extraordinary judicial ruling that required the release of a classified document in response to a Freedom of Information Act request.

The document in question is a one-page position paper produced by the U.S. Trade Representative (USTR) concerning the U.S. negotiating position in free trade negotiations.  It was classified Confidential and was not supposed to be disclosed before 2013.

But immediate disclosure of the document could not plausibly cause damage to the national security, said DC District Judge Richard W. Roberts in a February 29, 2012 opinion, and so its continued classification, he said, is not “logical.”  He ordered the government to release the document to the Center for International Environmental Law, which had requested it under FOIA.  (Court Says Agency Classification Decision is Not ‘Logical’, Secrecy News, March 2, 2012.)

This kind of independent review of the validity of classification decisions, which is something that judges normally refrain from doing, offers one way to curb galloping overclassification.

While the substance of the USTR document is likely to be of little general interest, the court’s willingness to disregard the document’s ill-founded classification and to require its disclosure seems like a dream come true to critics of classification policy.  If the decision serves as a precedent and a spur to a more broadly skeptical judicial approach to classification matters, so much the better.

But what may be a dream to some is a nightmare to others.  The bare possibility of such an emerging challenge to executive classification authority was evidently intolerable to the Obama Administration, which will now seek to overturn Judge Roberts’ ruling in the DC Circuit Court of Appeals.

In response to congressional direction, the U.S. Patent and Trademark Office is considering whether to expand the scope of patent secrecy orders — which prohibit the publication of affected patent applications — in order to enhance “economic security” and to protect newly developed inventions against exploitation by foreign competitors.

Currently, patent secrecy orders are applied only to patent applications whose disclosure could be “detrimental to national security” as prescribed by the Invention Secrecy Act of 1951.  At the end of Fiscal Year 2011, there were 5,241 such national security secrecy orders in effect.

But now the Patent Office is weighing the possibility of expanding national security patent secrecy into the “economic security” domain.

“The U.S. Patent and Trademark Office is seeking comments as to whether the United States should identify and bar from publication and issuance certain patent applications as detrimental to the nation’s economic security,” according to a notice that was published in the Federal Register on April 20.

That would be a mistake, I wrote in my own comments submitted to the Patent Office yesterday.

Economic security — which could conceivably implicate all new inventions — is not analogous to the more limited domain of national security-related inventions, “so the use of secrecy orders is inappropriate to protect economic security,” I suggested.

Instead, the existing option for an applicant to request nonpublication of his or her patent application up to the point that the patent is issued is a superior alternative to a mandatory secrecy order, I wrote.  “The inventor is likely to be better qualified than any third party to assess the economic significance of the invention, and is also likely to be best motivated to protect his or her own financial interests.”

“The USPTO has not taken a position” on these questions, the Patent Office said in its April 20 notice, “nor is it predisposed to any particular views.”

Noteworthy new and updated reports from the Congressional Research Service that Congress has not made readily available to the public include the following.

Carbon Capture and Sequestration: Research, Development, and Demonstration at the U.S. Department of Energy, April 23, 2012

Members of Congress Who Die in Office: Historic and Current Practices, April 25, 2012

Hydraulic Fracturing and the National Environmental Policy Act (NEPA): Selected Issues, April 25, 2012

Domestic Content Legislation: The Buy American Act and Complementary Little Buy American Provisions, April 25, 2012

The STOCK Act, Insider Trading, and Public Financial Reporting by Federal Officials, April 19, 2012

Data Security Breach Notification Laws, April 10, 2012

Requiring Individuals to Obtain Health Insurance: A Constitutional Analysis, April 6, 2012

The Senate Intelligence Committee has been reviewing the post-9/11 detention and interrogation practices of the Central Intelligence Agency for four years and is still not finished.  But the end appears to be in sight.

“The review itself is nearing completion — before the end of summer — but is not over yet,” a spokesperson for the Committee said.  “The release date should be not too far thereafter, but is not set.”

“This review is the only comprehensive in-depth look at the facts and documents pertaining to the creation, management, and effectiveness of the CIA detention and interrogation program,” according to Sen. Jay Rockefeller, who was chairman of the Intelligence Committee when the review began in 2008.

Committee staff are said to have reviewed millions of pages of classified documents pertaining to the CIA program.

In newly published questions for the record following his confirmation hearing last year to be Director of the CIA, Gen. David Petraeus was asked by Senator Rockefeller if he would cooperate with the Committee review.

“I believe that a holistic and comprehensive review of the United States Government’s detention and interrogation programs can lead to valuable lessons that might inform future policies,” Petraeus replied.

“The best way to gain a common set of facts would be to reach out to the intelligence and military communities responsible for detentions and interrogations and for implementing future policies,” he added.  “[T]o gain the proper insights from a series of actions or decisions, we cannot separate the review process from the public servants undertaking the actions,” he said.

Gen. Petraeus also responded to questions concerning interrogation in the “ticking time bomb” scenario (he says “research is required now”), and the applicability of official U.S. government statements on the use of drones to CIA operations (which he declined to confirm), among other topics.

His responses to these questions were published earlier this month in the record of his June 23, 2011 confirmation hearing.

Sen. Dianne Feinstein, the current chair of the Senate Intelligence Committee, provided a preview of the Committee’s findings on CIA interrogation practices in a November 29, 2011 floor statement during the debate on the FY2012 defense authorization act (also noted by Jeffrey Kaye in The Public Record).

“As chairman of the Select Committee on Intelligence, I can say that we are nearing the completion a comprehensive review of the CIA’s former interrogation and detention program, and I can assure the Senate and the Nation that coercive and abusive treatment of detainees in U.S. custody was far more systematic and widespread than we thought,” Sen. Feinstein said.

“Moreover, the abuse stemmed not from the isolated acts of a few bad apples but from fact that the line was blurred between what is permissible and impermissible conduct, putting U.S. personnel in an untenable position with their superiors and the law.”

Government attorneys yesterday asked a court for an extension of time to respond to two Freedom of Information Act lawsuits seeking disclosure of records pertaining to “alleged targeted lethal operations” conducted by the Central Intelligence Agency, including the killing of Anwar al-Awlaki.

The attorneys’ request seems to portend a possible change in the government’s persistent refusal to acknowledge the widely reported fact of the CIA’s use of drones in targeted killing operations.

“Attorney General Eric H. Holder, Jr. has personally directed us to seek this additional time to allow the Government to finalize its position with regard to the sensitive national security matters presented in this case,” the Justice Department attorneys told the judge.

“Given the significance of the matters presented in this case, the Government’s position is being deliberated at the highest level of the Executive Branch.”

At issue are two FOIA lawsuits brought by the New York Times and the American Civil Liberties Union.  The request for an extension until May 21, 2012 was granted by Judge Colleen McMahon.

Meanwhile, the Justice Department has just released its 2011 report on FOIA litigation and compliance.  Among other things, the report notes that the so-called “Glomar” response — by which an agency refuses to confirm or deny the existence of responsive records — was invoked by the government in three cases that were decided in 2011.  In each of those cases, the court ruled in favor of the government.