The Air Force issued updated guidance (pdf) last week concerning its highly classified special access programs, including new language prohibiting unauthorized communications with Congress.

Special access programs (SAPs) involve access and safeguarding restrictions that are more extensive than those that apply to other classified programs. SAPs are nominally established “to protect the Nation’s most sensitive capabilities, information, technologies and operations.”

The new Air Force guidance emphatically limits contacts with Congress concerning SAPs.

“It is strictly forbidden for any employee of the Air Force or any appropriately accessed organization or company to brief or provide SAP material to any Congressional Member or staff without DoD SAPCO [Special Access Program Central Office] approval.  Additionally, the Director, SAF/AAZ will be kept informed of any interaction with Congress.”  See Air Force Policy Directive 16-7, “Special Access Programs,” December 29, 2010.

One aspect of the current crisis in classification policy is the growing discrepancy between what is secret and what is classified.  All too often, official classification controls are imposed (or retained) on information that is public, thereby generating confusion and loss of confidence in the integrity of the classification system.  The problem was underscored recently by the government’s response to the publication of classified State Department cables by Wikileaks, which was to insist that they remain classified despite their broad availability.  “So, my grandmother would be allowed to access the cables, but not me,” one official complained to us last month.

The increasing divergence between secrecy and classification is exacerbated by new media for disclosure and publication, and it is not at all limited to U.S. government secrecy policy.  A current controversy in Russia over the alleged publication of classified information provides a vivid illustration of the problem.

The Russian news magazine Kommersant-Vlast has twice been rebuked recently by the Russian Federal Service for Communications (Roskomnadzor) for publishing state secrets, placing the future of that publication in legal jeopardy.  But the purported secrets were all derived from open sources, the magazine explained (pdf), including sources such as Russian government websites.

One of the offending news stories, entitled “All About Missile Forces” and published in December 2009, described the deployment, composition and combat strength of Russian strategic missile forces.  The government said this story included Secret and Top Secret information, and therefore violated the Russian Federation Law on Mass Media.

But in its defense, Vlast-Kommersant argued that this Secret information was not, in fact, secret:  “One of the sources of ‘state secrets’ for Vlast was the official website of the RF President and Commander in Chief.”

In a discussion of “Where to Find ‘State Secrets’,” Vlast writer Mikhail Lukin provided a detailed account of how his publication assembled the story on Russian missile forces by using public databases, search engines, previous news stories and scholarly works, and the public statements of government officials.  “It turns out that the President of Russia, the Minister of Defense, the RVSN Commander-in-Chief, the commanders of missile armies [and others] number among the divulgers of [ostensibly secret] information about [missile] deployment….”

Vlast presented all of this information to the Moscow City Court in a legal challenge to the warnings that it had received from the Russian government.  But in October 2010, the Court ruled against the news magazine, and in favor of the government.

In paradoxical terms that would be familiar to U.S. classification officials, the Moscow Court held that “the fact of the information being published in open sources does not in any way impact on its level of secrecy.”

An appeal to the Russian Supreme Court is pending. See “The Obvious Becomes Secret” by Mikhail Lukin, Kommersant-Vlast, October 26, 2010, translated by the National Virtual Translation Center and obtained by Secrecy News. The Russian original is here.

The American Israel Public Affairs Committee (AIPAC), the pro-Israel lobby organization, has often received and distributed confidential government information, including classified materials, asserted former AIPAC official Steven J. Rosen in his pending lawsuit against the organization.

“There is evidence that the receipt and distribution of confidential foreign policy information is a common practice for AlPAC,” he argued in a December 14 legal filing (pdf).  The organization disputes that claim.

Mr. Rosen contends that he was wrongfully terminated by AIPAC after he and fellow AIPAC employee Keith Weissman became the subjects of a federal investigation for the unlawful receipt and disclosure of classified information they obtained from former Pentagon official Larry Franklin.  Rosen and Weissman were indicted in 2005 but the federal case against them was withdrawn by prosecutors in 2009.

On previous occasions, Mr. Rosen said in his current lawsuit, “AIPAC condoned the receipt and distribution of classified information.”  In 1984, Rosen recalled, he had received and shared classified information that members of the Libyan UN delegation had provided money to a US presidential candidate’s staff.  His conduct in that matter was supported by the organization, he said.

“There were in fact other situations before the 2004 Larry Franklin matter involving Steven Rosen and Keith Weissman in which AIPAC employees were involved in receiving classified material,” including the 1984 acquisition of a classified US Trade Representative document, some details of which been redacted from the public version of Mr. Rosen’s filing.

The latest developments in the case of Rosen v. AIPAC were reported in “Steve Rosen Fires Back in His Law Suit Against AIPAC” by Nathan Guttman, Forward, December 15. Selected case files are available from the Institute for Research: Middle Eastern Policy here.

An AIPAC spokesman told the Forward that it “strongly disagrees with Mr. Rosen’s portrayal of events and circumstances related to this litigation.” He said that “senior employees at AIPAC testified under oath during this litigation that they had never been involved with seeking or knowingly disclosing classified information as part of their jobs at AIPAC.”

AIPAC has stated that Rosen and Weissman were fired because their behavior “did not comport with standards that AIPAC expects of its employees.”

But Rosen’s December 14 pleading said that there were no AIPAC standards on handling classified information, and therefore he could not have violated them.  “At no time in the 23 years Steven Rosen was employed by AIPAC did the organization provide in writing or orally any guidance or standards that he and other employees were expected to follow regarding the receipt and sharing of secret, sensitive or ‘classified’ information that might be offered by government officials.”

Noteworthy new products of the Congressional Research Service include the following reports (all pdf).

“The EU-South Korea Free Trade Agreement and Its Implications for the United States,” December 17, 2010.

“Deepwater Horizon Oil Spill: The Fate of the Oil,” December 16, 2010.

“Keeping America’s Pipelines Safe and Secure: Key Issues for Congress,” December 13, 2010.

“American Jihadist Terrorism: Combating a Complex Threat,” updated December 7, 2010.

Faced with release of hundreds of thousands of classified records by Wikileaks in recent months, what should the government do?  The best answer might be to release hundreds of millions of such records!  By stripping away the accretions of decades of overclassification, a wholesale reduction in classified records would restore some integrity to the classification system, bolster public confidence in its legitimacy, and strengthen the security of residual classified secrets.

In a recent exchange with a National Security Council official who deals with information policy, we suggested that the optimal response to unauthorized disclosures would be an accelerated program of authorized disclosures, leading to a sharp reduction in the size and scope of the classification system.  He wasn’t buying it.

“Unfortunately, for reasons you can imagine, this is not a good time to promote that bit of common sense,” he replied.  To the contrary, however, we think this is the best time to shrink the classification system, before it sputters into incoherence and ultimate irrelevance.

It is true that the past year has seen significant breakthroughs in reducing nuclear stockpile secrecy and intelligence budget secrecy, among other notable achievements.  But it is also true that systemic secrecy reform is lagging.  There are many illustrative problems that tell the tale:

**  Last December President Obama called for recommendations on ways to achieve a “fundamental transformation” of the security classification system.  A year later, no such recommendations have been formulated or submitted to the President for action.  (The Public Interest Declassification Board will hold a public meeting on the subject on January 20, 2011.)  The process of transformation appears to be stillborn.

**  It so happens that President Obama has already ordered the declassification of hundreds of millions of records.  These are not contemporary records, but a backlog of historical records more than 25 years old.  Some 400 million pages of them are  supposed to be declassified and made public by the end of 2013, the President said in December 2009.  But to meet that goal, it will be necessary to declassify an average of 100 million pages per year.  In the first six months of this year, less than 8 million were declassified, according to a report (pdf) from the National Declassification Center.  This modest beginning will make it difficult if not impossible to fulfill the task assigned by the President.

**  In the Administration’s most direct response to the problem of overclassification, President Obama directed each classifying agency to perform a Fundamental Classification Guidance Review “to identify classified information that no longer requires protection and can be declassified.”  Agencies were given two years to complete the Review, from July 2010 to June 2012. Six months of that period have already elapsed.  But this week the Defense Department, the largest classifying agency, told Secrecy News that thus far it had no records concerning implementation of the Review.  In other words, it seems that no discernible progress has been made.

**  Meanwhile, it turns out that the Pentagon Papers that were famously leaked by Daniel Ellsberg in 1971 are still technically classified, observed historian John Prados of the National Security Archive this week.  The four volumes of diplomatic materials that Ellsberg withheld from release (because he considered them too sensitive) have been formally declassified.  But the forty-three volumes of leaked materials, though widely republished, have never undergone declassification review, Prados said.  This means that every public and private library that has a copy of the Papers is the unofficial (and unauthorized) custodian of Top Secret government records.  This is our classification system as it exists today.

**  And this week it emerged that zealous security officials had blocked Air Force computers from accessing the New York Times and other sites in order to prevent viewing of classified records.  This is the security policy equivalent of the gospel teaching “If thine eye offend thee, pluck it out.”  But presumably that biblical injunction was never meant to be taken literally.  Someone should tell the Air Force.

In short, national security classification policy is in a state of stagnation, confusion and disarray — and not because of leaks.  Bringing it to good order will require a clear statement of vision, some determined leadership, and concrete action.  An intensive declassification campaign that would slash the size of the classification system to manageable proportions would be the right move, now.

Noteworthy new reports from the Congressional Research Service that have not been made readily available to the public include the following (all pdf).

“Classified Information Policy and Executive Order 13526,” December 10, 2010.

“Screening and Securing Air Cargo: Background and Issues for Congress,” December 2, 2010.

“Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress,” November 15, 2010.

“Reorganization of the Minerals Management Service in the Aftermath of the Deepwater Horizon Oil Spill,” November 10, 2010.

Last year, Senator Christopher Bond (R-MO) told reporters that there is “a far Left-wing fringe group that wants to disclose all our vulnerabilities. I don’t know what their motives are but I think they are very dangerous to our security.”

More hating on Wikileaks?  No, Senator Bond was actually talking about the Federation of American Scientists, after we disclosed the inadvertent publication on the Government Printing Office website of a draft declaration on U.S. nuclear facilities.

Needless to say, we did not recognize ourselves in any part of Senator Bond’s confused comment.  But he reminds us that much of what passes for political discourse is little more than pigeonholing of others into friends and enemies, heroes and villains.  It is hard to learn much that way.

Somehow it comes as no surprise to discover that Senator Bond is the last Senator to have been “slugged” on the Senate floor, as Senate Minority Leader Mitch McConnell pointed out on Tuesday. It is maybe a little surprising that the person whom he drove to violence was none other than the late Sen. Daniel Patrick Moynihan.

In his farewell remarks to the Senate, Sen. Bond briefly discussed the “little scuffle I had with Pat Moynihan. I never talked about it. We never said anything publicly until now. Later on, as we became fast friends, he used to  tease me about setting up boxing matches so we could raise money for charity. But when I looked at his height and his reach, I didn’t take him up on that.”

Many thanks to those readers who have already made contributions to help support Secrecy News.  If you are able and willing to join them, tax-deductible contributions can be made here (select “Government Secrecy” from the drop-down menu to direct your donation to Secrecy News).

You can also write a check payable to Federation of American Scientists and mail it here:

Secrecy News
Federation of American Scientists
1725 DeSales Street NW, Suite 600
Washington, DC  20036

Unless inspiration strikes hard, today’s Secrecy News posts will be the last of 2010.  See you next year.

“Cyber security is now critical to our survival but as a field of research [it] does not have a firm scientific basis,” according to the Department of Defense.  “Our current security approaches have had limited success and have become an arms race with our adversaries.  In order to achieve security breakthroughs we need a more fundamental understanding of the science of cyber security.”

To help advance that understanding, the DoD turned to the JASON defense advisory panel, which has just produced a new report (pdf) on the subject.

“There is a science of cyber security,” the JASONs said, but it “seems underdeveloped in reporting experimental results, and consequently in the ability to use them.”

The JASON report began by noting that “A science of cyber security has to deal with a combination of peculiar features that are shared by no other area of study.”

“First, the background on which events occur is almost completely created by humans and is digital.  That is, people built all the pieces.  One might have thought that computers, their software, and networks were therefore completely understandable.  The truth is that the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well [after the fact],” the report said.

“Second, cyber security has good guys and bad guys.  It is a field that has developed because people have discovered how to do things that other people disapprove of, and that break what is thought to be an agreed-upon social contract in the material world.  That is, in cyber security there are adversaries, and the adversaries are purposeful and intelligent.”

The JASON report went on to discuss the importance of definitions (including the definition of cyber security itself, which is “imprecise”), the need for a standard vocabulary to discuss the subject, and the necessity (and difficulty) of devising experimental protocols that would permit development of a reproducible experimental science of cyber security.

“There are no surprises in this report, nor any particularly deep insights,” the JASON authors stated modestly.  “Most people familiar with the field will find the main points familiar.”  Also, “There may be errors in the report, and substantive disagreements with it.”

In fact, however, the report is full of stimulating observations and is also, like many JASON reports, quite well written.  While cyber security fundamentally requires an understanding of computer science, the report explained that it “also share aspects of sciences such as epidemiology, economics, and clinical medicine;  all these analogies are helpful in providing research directions.”  An analogy between cyber security and the human immune system, with its “innate” and “adaptive” components, was found to be particularly fruitful.

“At the most abstract level, studying the immune system suggests that cyber security solutions will need to be adaptive, incorporating learning algorithms and flexible memory mechanisms…. [However,] adaptive solutions are expensive in terms of needed resources.  Approximately 1% of human cells are lymphocytes, reflecting a rather large commitment to immune defense.  [By analogy,] one should therefore expect that significant amount of computational power would be needed to run cyber security for a typical network or cluster.”

The report recommended DoD support for a network of cyber security research centers in universities and elsewhere.  With barely a hint of irony, the JASONs also endorsed an April 2010 statement by Wang Chen, China’s chief internet officer, that “Leaking of secrets via the Internet is posing serious threats to national security and interests.”

A copy of the new JASON report was obtained by Secrecy News.  See “Science of Cyber-Security,” November 2010.

How many government employees and contractors hold security clearances for access to classified information?  Remarkably, it is not possible to answer that question today with any precision. But it should be possible by next February, officials said at a House Intelligence Subcommittee hearing on December 1.

Currently there is no precise tally of the number of cleared persons, and there is no way to produce one, said John Fitzpatrick, Director of the ODNI Special Security Center.

“We can find definitively if any individual has a clearance at any one point in time,” he told Rep. Anna Eshoo, the subcommittee chair.  But “to take that point in time and define the number of all the people that do takes a manipulation of data in databases that weren’t intended to do that.”

“To give a precise [answer] requires, I think, due diligence in the way we collect that data and the way that data changes.”  And in fact, “we have a special data collection to provide a definitive answer on that in the February 2011 IRTPA report,” referring to an upcoming report required under the 2004 Intelligence Reform and Terrorism Prevention Act.

In the meantime, Mr. Fitzpatrick said, “To give a ballpark number [of total security clearances] is not difficult.”

Well then, Rep. Eshoo asked, “What would a ballpark figure today be?”

“Oh, I’d like to take that one for the record,” Mr. Fitzpatrick replied. “It’s — you know, I’d give you — I’d like to take that one for the record.”

Based on prior reporting by the Government Accountability Office, the ballpark figure that we use is 2.5 million cleared persons.  (“More Than 2.4 Million Hold Security Clearances,” Secrecy News, July 29, 2009).

The U.S. Government insists that the classification markings on many of the leaked documents being published by Wikileaks and other organizations are still in force, even though the documents are effectively in the public domain, and it has directed federal employees and contractors not to access or read the records outside of a classified network.

But by strictly adhering to the letter of security policy and elevating security above mission performance, some say the government may be causing additional damage.

“At DHS we are getting regular messages [warning not to access classified records from Wikileaks],” one Department of Homeland Security official told us in an email message. “It has even been suggested that if it is discovered that we have accessed a classified Wikileaks cable on our personal computers, that will be a security violation. So, my grandmother would be allowed to access the cables, but not me. This seems ludicrous.”

“As someone who has spent many years with the USG dealing with senior officials of foreign governments, it seems to me that the problem faced by CRS researchers (and raised by you) is going to be widespread across our government if we follow this policy.”

“Part of making informed judgments about what a foreign government or leader will do or think about something is based on an understanding and analysis of what information has gone into their own deliberative processes. If foreign government workers know about something in the Wikileaks documents, which clearly originated with the U.S., then they will certainly (and reasonably) assume that their US counterparts will know about it too, including the staffers. If we don’t, they will assume that we simply do not care, are too arrogant, stupid or negligent to find and read the material, or are so unimportant that we’ve been intentionally left out of the information loop. In any such instance, senior staff will be handicapped in their preparation and in their inter-governmental relationships,” the DHS official said.

“I think more damage will be done by keeping the federal workforce largely in the dark about what other interested parties worldwide are going to be reading and analyzing. It does not solve the problem to let only a small coterie of analysts review documents that may be deemed relevant to their own particular ‘stovepiped’ subject area. Good analysis requires finding and putting together all the puzzle pieces.”

So far, however, this kind of thinking is not finding a receptive audience in government. There has been no sign of leadership from any Administration official who would stand up and say:  “National security classification is a means, and not an end in itself.  What any reader in the world can discover is no longer a national security secret. We should not pretend otherwise.”

The Department of the Treasury has recently produced a consolidated classification guide, detailing exactly what kinds of Treasury information may be classified at what level and for how long.  It is in such agency classification guides, not in high-level government-wide policy statements, that the nuts and bolts of government secrecy policy are to be found, and perhaps to be changed.  See “Security Classification Guide” (pdf), Department of the Treasury, December 2010.

The Congressional Research Service yesterday offered its assessment of the Stuxnet worm, which was evidently designed to damage industrial control systems such as those used in Iran’s nuclear program.  See “The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability” (pdf), December 9, 2010.

Intelligence historian Jeffrey Richelson has written what must be the definitive account of the rise and fall of the National Applications Office, the aborted Department of Homeland Security entity that was supposed to harness intelligence capabilities for domestic security and law enforcement applications. The article, which is not freely available online, is entitled “The Office That Never Was: The Failed Creation of the National Applications Office.”  It appears in the International Journal of Intelligence and Counter Intelligence, vol. 24, no. 1, pp. 65-118 (2011).

The latest issue of the Journal of National Security Law & Policy (vol. 4, no. 2) is now available online.  Entitled “Liberty, terrorism and the laws of war,” it includes several noteworthy and informative papers on intelligence and security policy.