The Aging Secrecy System Is “At a Crossroads”

Today’s national security classification system is unsustainable, says a new annual report to the President from the government’s Information Security Oversight Office (ISOO). It is “hamstrung by old practices and outdated technology” and a new, government-wide technology strategy will be required “to combat inaccurate classification and promote more timely declassification.”

The secrecy system has expanded to the point that it is effectively unmanageable and often counterproductive, ISOO indicated.

“Too much classification impedes the proper sharing of information necessary to respond to security threats, while too little declassification undermines the trust of the American people in their Government. Reforms will require adopting strategies that increase the precision and decrease the permissiveness of security classification decisions, improve the efficiency and effectiveness of declassification programs, and use modern technology in security classification programs across the Government,” the report said.

“We are at a crossroads” wrote ISOO director Mark Bradley in a May 31 letter to the President transmitting the report, which was made public today.

ISOO’s sense of urgency is reflected in the annual report itself, which strives to be more forward leaning and policy-relevant than many past ISOO reports. It goes beyond the recitation of (often questionable) statistics on classification activity to present a series of findings and recommended actions that it says are needed to restore the integrity of the system.

In addition to a call for development of a comprehensive new technology strategy for classification and declassification, ISOO specifically recommends adding a new budget line item for security classification in agency budget requests to help regulate and justify expenditures, and adding a public member to the Information Security Classification Appeals Panel to represent the broad public interest in that Panel’s work on declassification.

Some of the other recommendations in the report flag problem areas rather than advance solutions, and tend to do so in the passive voice: “Policies must be revised to improve the effectiveness and efficiency of automatic declassification.” How exactly should the policies be revised? Adopt a “drop-dead date” for classification? Eliminate agency referrals for older documents? Grant broad declassification authority to the National Declassification Center? The report doesn’t say.

Much of the data traditionally reported by ISOO regarding classification activity is suggestive but not truly informative. Just as one cannot judge the overall health of the economy from stock market averages, changes in the volume of classification activity say nothing about its quality or legitimacy. In 2017, ISOO found that original classification activity (production of new secrets) increased for the first time in four years. At the same time, derivative classification decreased. The significance of these developments, if any, is unclear.

But other ISOO findings in the new report are more interesting.

ISOO said that last year there were again hundreds of classification challenges presented by government employees who disputed the classification of particular items of information. Most of the challenges were denied, but in 8% of the cases (a small but non-negligible number) they were upheld and the classifications in question were overturned. Such classification challenges “serve a critical role by uncovering information improperly classified in the first instance,” the ISOO report said, providing “an internal check on the system.” Because the challenges are now mostly localized in just a few agencies, this practice has the potential to have far more impact in combating overclassification if it can be adopted and encouraged more widely across the executive branch.

The ISOO report summarized the results of the latest Fundamental Classification Guidance Review, which led to the cancellation of 221 security classification guides (out of 2,865 guides). The cancelled guides will no longer be available for use in classifying information.

ISOO also cast a favorable spotlight on the new approach to classification led by the National Geospatial-Intelligence Agency. NGA now requires written justifications for original classification decisions, along with a description of the damage that would result from unauthorized disclosure, and an unclassified paraphrase of the classified information. The resulting NGA classification guidance currently represents a “best practice” in classification policy, ISOO said. That is to say, it represents a model that could constructively be applied elsewhere in agencies that classify national security information.

The ISOO report also addressed escalating classification costs (which reached a new high in 2017), growing backlogs of mandatory declassification review requests, and the contentious implementation of Controlled Unclassified Information policy, among other topics.

Fixing the classification system is a slow and uncertain process, and some people don’t want to wait.

Sen. Doug Jones (D-Ala.) introduced legislation this week to accelerate the release of records concerning unsolved criminal civil rights cases from half a century ago. Some of those records, in his estimation, “remain classified unnecessarily.” So his bill (S. 3191) would work around that classification obstacle with an alternative approach. Modeled in part on the JFK Assassination Records Act of 1992, the bill would empower a panel of private citizens to review and decide on disclosure of the records.

Meanwhile, the Department of Defense recently issued a “request for information” about technology that could aid in the classification process. The desired technology “must be able to make real-time decisions about the classification level of the information and an individual’s ability to access, change, delete, receive or forward the information.” (FBO, NextGov, ArsTechnica)

Ethics in Intelligence, and More from CRS

What is the role of ethics in intelligence and at the CIA in particular?

“Some former employees and others with experience at the agency have been critical of CIA’s ethics program as focusing too much on legal compliance in a reactive, ad hoc manner that falls short of a comprehensive approach to ethics education at the CIA,” the Congressional Research Service said in a recent discussion of the topic.

But “Others are skeptical of introducing training on morality into what is often viewed as the inherently amoral environment of covert action or clandestine foreign intelligence.” See CIA Ethics Education: Background and Perspectives, CRS In Focus, June 11, 2018.

Other new and updated reports from the Congressional Research Service include the following.

United States Special Operations Command Acquisition Authorities, July 9, 2018

Defense Acquisitions: How and Where DOD Spends Its Contracting Dollars, updated July 2, 2018

Mexico: Organized Crime and Drug Trafficking Organizations, updated July 3, 2018

China-U.S. Trade Issues, updated July 6, 2018

Navy Force Structure and Shipbuilding Plans: Background and Issues for Congress, July 6, 2018

The Army’s Modular Handgun Procurement, CRS In Focus, June 19, 2018

President Trump Nominates Judge Brett Kavanaugh: Initial Observations, CRS Legal Sidebar, July 10, 2018

Who Interprets Foreign Law in U.S. Federal Courts?, CRS Legal Sidebar, July 9, 2018

The Designation of Election Systems as Critical Infrastructure, CRS In Focus, July 6, 2018

Section 232 Investigations: Overview and Issues for Congress, July 5, 2018

The Congressional Review Act: Determining Which “Rules” Must Be Submitted to Congress, July 5, 2018

Federal Quantum Information Science: An Overview, CRS In Focus, July 2, 2018

Pentagon Audit: “There Will Be Unpleasant Surprises”

For the first time in its history, the Department of Defense is now undergoing a financial audit.

The audit, announced last December, is itself a major undertaking that is expected to cost $367 million and to involve some 1200 auditors. The results are to be reported in November 2018.

“Until this year, DoD was the only large federal agency not under full financial statement audit,” Pentagon chief financial officer David L. Norquist told the Senate Budget Committee in March. Considering the size of the Pentagon, the project is “likely to be the largest audit ever undertaken,” he said.

The purpose of such an audit is to validate the agency’s financial statements, to detect error or fraud, to facilitate oversight, and to identify problem areas. Expectations regarding the outcome are moderate.

“DOD is not generally expected to receive an unqualified opinion [i.e. an opinion that affirms the accuracy of DoD financial statements] on its first-ever, agency-wide audit in FY2018,” the Congressional Research Service said in a new report last week. See Defense Primer: Understanding the Process for Auditing the Department of Defense, CRS In Focus, June 26, 2018.

In fact, “It took the Department of Homeland Security, a relatively new and much smaller enterprise, about ten years to get to its first clean opinion,” Mr. Norquist noted at the March Senate hearing.

In the case of the DoD audit, “I anticipate the audit process will uncover many places where our controls or processes are broken. There will be unpleasant surprises. Some of these problems may also prove frustratingly difficult to fix.”

“But the alternative is to operate in ignorance of the challenge and miss the opportunity to reform.  Fixing these vulnerabilities is essential to avoid costly or destructive problems in the future,” Mr. Norquist said.

Justice Kennedy Retires, and More from CRS

With the announcement of Justice Kennedy’s retirement from the US Supreme Court, the Congressional Research Service issued several new and updated reports on the nomination process and related issues.

Justice Kennedy Retires: Initial Considerations for Congress, CRS Legal Sidebar, January 28, 2018

President’s Selection of a Nominee for a Supreme Court Vacancy: Overview, CRS Insight, June 27, 2018

Supreme Court Nomination: CRS Products, CRS Legal Sidebar, June 29, 2018

Other noteworthy CRS products published last week include the following.

Cyber Supply Chain Risk Management: An Introduction, CRS In Focus, June 29, 2018

Global Research and Development Expenditures: Fact Sheet, updated June 27, 2018

U.S. Research and Development Funding and Performance: Fact Sheet, updated June 29, 2018

Trade Deficits and U.S. Trade Policy, June 28, 2018

Organizing Executive Branch Agencies: Who Makes the Call?, CRS Legal Sidebar, June 27, 2018

Efforts to Preserve Economic Benefits of the Iran Nuclear Deal, CRS In Focus, June 27, 2018

A Leak Prosecution That Didn’t Happen

Government prosecutors have been aggressively pursuing suspected leakers of classified information:

Reality Winner, accused of disclosing a document “information relating to the national defense” to a news outlet, changed her plea this week from “not guilty” to “guilty.”

Former FBI agent Terry J. Albury likewise pleaded guilty last April to unauthorized retention and disclosure of national defense information.

Former Senate Intelligence Committee security officer James A. Wolfe was indicted this month for allegedly lying to the FBI in the course of a leak investigation.

And also this month, Joshua Adam Schulte was indicted for allegedly disclosing national defense information to a certain “organization that purports to publicly disseminate classified, sensitive, and confidential information.”

But not every leak results in an official leak investigation. And not every leak investigation produces a suspect. Nor is every leak suspect prosecuted.

In its latest semi-annual report, the Office of the Intelligence Community Inspector General describes one recent case of an acknowledged leaker of classified information who was allowed to resign without prosecution.

The IC Inspector General “substantiated allegations that an ODNI cadre officer disclosed classified information without authorization, transmitted classified information via unauthorized means, and disclosed classified information to persons not authorized to receive it.”

“During a voluntary interview, the ODNI cadre officer admitted to transmitting classified information over unclassified (internet) email to recipients not authorized to receive classified national security information.”

But the matter was resolved outside of the criminal justice system.

“The U.S. Attorney’s Office for the Eastern District of Virginia declined prosecution. The officer, who was retirement eligible, retired before termination,” the IC IG report said.

No other details about the episode were disclosed. But the case illustrates that a variety of responses to leak incidents are available to the government short of criminal prosecution.

A House bill to authorize intelligence spending for FY 18 and 19 (HR 6237), introduced yesterday, would require expanded reporting to Congress on unauthorized disclosures of classified information.

To Fix FOIA, “Best Practices” Will Not Be Enough

Many executive branch agencies have significant backlogs of Freedom of Information Act requests that could be reduced by adopting procedural improvements. And some agencies have made such improvements, a new report from the Government Accountability Office says. Yet substantial backlogs remain.

See Freedom of Information Act: Agencies Are Implementing Requirements but Additional Actions Are Needed, GAO-18-365, June 25.

All of the agencies reviewed had “implemented request tracking systems, and provided training to FOIA personnel.” Most of the agencies had also “provided online access to government information, such as frequently requested records…, designated chief FOIA officers, and… updated their FOIA regulations on time to inform the public of their operations.”

Nevertheless, FOIA is still not functioning well system-wide.

What the GAO report should have said but did not explicitly say is that even if all agencies adopted all of the recommended “best practices” for FOIA processing, they would still face substantial backlogs of unanswered requests.

The simple reason for that is that there is a mismatch between the growing demand from individual FOIA requesters — with 6 million requests filed in the past 9 years — and the resources that are available to satisfy them.

In order to bring the system into some rough alignment, it would be necessary either to increase the amount of agency funding appropriated and allocated for FOIA, or else to regulate the demand from requesters by imposing or increasing fees, limiting the number of requests from individual users, or some other restrictive measure.

None of these steps is appealing and none may be politically feasible. Other than a cursory reference to “available resources,” the GAO report does not address these core issues.

But in the absence of some such move to reconcile the “supply and demand” for FOIA, overall system performance is being degraded and seems unlikely to recover any time soon.

Meanwhile, government agencies have identified no fewer than 237 statutes that they say can be used to withhold information under the Freedom of Information Act, according to the GAO report, which tabulated the statutes. Since 2010, agencies have actually used 75 of those statutes. GAO did not venture an opinion as to whether the exemption statutes were properly and justifiably employed.

Another new report from Open the Government finds that “FOIA lawsuits grew steadily across the government by 57 percent overall for a ten year period, from 2006-15, and increased sharply by 26 percent in FY 2017.”

Immigration, Trade, and More from CRS

During FY 2016, the Department of Homeland Security detained 352,880 noncitizens, the Congressional Research Service noted in a newly updated report, citing the most recent DHS statistics. See A Primer on U.S. Immigration Policy, June 22, 2018.

Other recently issued CRS reports include the following.

Enforcing U.S. Trade Laws: Section 301 and China, CRS In Focus, June 25, 2018

Debates over Exchange Rates: Overview and Issues for Congress, updated June 22, 2018

U.S. Global Health Assistance: FY2001-FY2019 Request, updated June 22, 2018

The G-7 Summit in Charlevoix, Canada: Changing U.S. Leadership in Global Forums, CRS Insight, June 25, 2018

The United Arab Emirates (UAE): Issues for U.S. Policy, updated June 22, 2018

Hemp as an Agricultural Commodity, updated June 22, 2018

CRS Previews Public Release of its Reports

The Congressional Research Service said this week that it will begin publishing some of its non-confidential reports on a publicly accessible congressional website by September 18, as required by the Consolidated Appropriations Act that was signed into law last March 23.

“For the initial public release, the Library will make available in PDF format all of CRS’s R-series of ‘active’ reports that were published since the enactment date, as well as the Appropriations Status Table,” CRS said in a new memorandum for congressional staff.

The “R-series” refers to the primary CRS reports that have a report number beginning with R. It does not include CRS Insights, Legal Sidebars, or In Focus reports.

Over time, older R-series reports as well as some other product lines will be added to the public collection, CRS said.

“The Library and CRS are additionally committed to presenting the full inventory of reports appearing on CRS.gov on the public website as soon as is practicable (with a full migration targeted for completion by spring 2019). After the R-series reports are published, the Library will work to make other written products, such as In Focus products, available.”

The public website, which is not yet live, will be at www.congress.gov/crsreports. Update 09/18/18: The CRS public portal is now here: https://crsreports.congress.gov/.

The official public versions of the CRS reports will be lightly redacted to exclude contact information for the CRS authors.

See Public Release of CRS Reports: FAQ for Congressional Staff, June 2018.

The pending policy change applies only to non-confidential CRS reports. Research projects that are performed for individual offices or on a confidential basis will not be posted on the public website.

In recent report language, the Senate Appropriations Committee directed CRS to perform outreach “to ensure that the Congressional community is aware that… longstanding confidentiality assurances will continue unchanged.”

The new FAQ fulfills that directive with a statement that “The law does not change the mission or focus of CRS. The law does not affect the confidentiality of congressional requests or responses (such as confidential memoranda). It does not allow congressional requests or confidential responses to be made available to the public.”

Since with few exceptions most non-confidential CRS reports are already in the public domain, the new policy is somewhat anti-climactic at this point. But it is fitting and proper that CRS reports should also be available on a congressional website.

Meanwhile, new and updated reports from the Congressional Research Service that have not yet been officially disclosed include the following.

Recent Violent Crime Trends in the United States, June 20, 2018

Indexing Capital Gains Taxes for Inflation, June 18, 2018

Renewable Energy R&D Funding History: A Comparison with Funding for Nuclear Energy, Fossil Energy, Energy Efficiency, and Electric Systems R&D, updated June 18, 2018

Lebanon, updated June 19, 2018

Economic and Fiscal Conditions in the U.S. Virgin Islands, June 20, 2018

The Purple Heart: Background and Issues for Congress, updated June 21, 2018

Military Enjoined from Transferring American ISIS Suspect to Foreign Country–at Least for NowCRS Legal Sidebar, June 20, 2018

Superiority in Cyberspace Will Remain Elusive

Military planners should not anticipate that the United States will ever dominate cyberspace, the Joint Chiefs of Staff said in a new doctrinal publication. The kind of supremacy that might be achievable in other domains is not a realistic option in cyber operations.

“Permanent global cyberspace superiority is not possible due to the complexity of cyberspace,” the DoD publication said.

In fact, “Even local superiority may be impractical due to the way IT [information technology] is implemented; the fact US and other national governments do not directly control large, privately owned portions of cyberspace; the broad array of state and non-state actors; the low cost of entry; and the rapid and unpredictable proliferation of technology.”

Nevertheless, the military has to make do under all circumstances. “Commanders should be prepared to conduct operations under degraded conditions in cyberspace.”

This sober assessment appeared in a new edition of Joint Publication 3-12, Cyberspace Operations, dated June 8, 2018. (The 100-page document updates and replaces a 70-page version from 2013.)

The updated DoD doctrine presents a cyber concept of operations, describes the organization of cyber forces, outlines areas of responsibility, and defines limits on military action in cyberspace, including legal limits.

“DOD conducts CO [cyberspace operations] consistent with US domestic law, applicable international law, and relevant USG and DOD policies.” So though it may be cumbersome, “It is essential commanders, planners, and operators consult with legal counsel during planning and execution of CO.”

The new cyber doctrine reiterates the importance and the difficulty of properly attributing cyber attacks against the US to their source.

“The ability to hide the sponsor and/or the threat behind a particular malicious effect in cyberspace makes it difficult to determine how, when, and where to respond,” the document said. “The design of the Internet lends itself to anonymity and, combined with applications intended to hide the identity of users, attribution will continue to be a challenge for the foreseeable future.”

The changing role of “information” in warfare was addressed in a predecisional draft Joint Concept for Operating in the Information Environment (Joint Chiefs of Staff, December 2017).

“Integrating physical and informational power across geographic boundaries and in multiple domains could lead to campaigns and operations with enormous complexity,” the document warns. “The fog and friction of war punishes unnecessary complexity.”

Another concern is that a “focus on informational power could be misread by Congress and other resource allocators to suggest there is little need for a well-equipped and technologically-advanced Joint Force capable of traditional power projection and decisive action.”

Secrecy About Secrecy: The State Secrets Privilege

The Justice Department has not reported to Congress on the government’s use of the state secrets privilege since 2011, the Department acknowledged this week, contrary to a policy promising regular reporting on the subject.

In a 2009 statement of policy and procedures concerning the state secrets privilege, then-Attorney General Eric Holder said that “The Department will provide periodic reports to appropriate oversight committees of Congress with respect to all cases in which the Department invokes the privilege on behalf of departments or agencies in litigation, explaining the basis for invoking the privilege.”

In April 2011, the first such report was produced. It was one of several steps that were “intended to ensure greater accountability and reliability in the invocation of the privilege. They were developed in the wake of public criticism concerning the propriety of the Government’s use of the state secrets privilege.”

But the first periodic report on the state secrets privilege has turned out to be the last.

In 2014, John Carlin of the Department’s National Security Division affirmed the policy during his confirmation. “I understand that the Department’s policy remains to provide periodic reports to appropriate oversight committees of Congress regarding invocations of the State Secrets Privilege in litigation, and the Department provided its initial report to Congress on April 29, 2011,” he told the Senate Intelligence Committee. “I believe that the Department plans to submit another report in the near future.”

But no such report was ever submitted.

“No records responsive to your request were located,” the Justice Department stated this week in response to a FOIA request for any subsequent reports.

While Congress could request and require such a report at any time, it has not done so. And because the 2009 Holder policy on state secrets was “voluntarily” adopted by the Justice Department in response to public controversy, there was nothing to stop the policy from being unilaterally abandoned.

Laws on Aliens at the Border, and More from CRS

“The situation at the border and U.S. immigration authorities’ response to it has prompted significant attention and, in some cases, confusion regarding the governing laws and policies,” the Congressional Research Service said with some understatement in a new brief.

The CRS document reviews the laws on admission and exclusion of aliens at the U.S. border, including detention, asylum, and treatment of unaccompanied children. See An Overview of U.S. Immigration Laws Regulating the Admission and Exclusion of Aliens at the Border, CRS Legal Sidebar, June 15, 2018.

Other new and updated publications from the Congressional Research Service include the following.

North Korea: Legislative Basis for U.S. Economic Sanctions, updated June 11, 2018

Ebola: Democratic Republic of Congo, CRS Insight, June 12, 2018

The Committee on Foreign Investment in the United States (CFIUS), updated June 19, 2018

Intelligence Community Spending: Trends and Issues, updated June 18, 2018

DHS Moves to Protect US Against Threats from Canada

With exquisitely strange timing, the Department of Homeland Security today unveiled a “Northern Border Strategy” to protect the United States against threats originating in Canada.

The new Trump Administration strategy acknowledges that “the Northern Border remains an area of limited threat in comparison to the U.S. Southern Border.”

“However,” it goes on to say, “the Northern Border is not without safety, security, and resiliency challenges.  The most common threat to U.S. public safety along the Northern Border continues to be the bi-directional flow of illicit drugs.”

The strategy also warns of “homegrown violent extremists in Canada who are not included in the U.S. Government’s consolidated terrorist watch list and could therefore enter the United States legally.” (h/t Infodocket.com)

See Northern Border Strategy, Department of Homeland Security, June 12, 2018.

See also Canada-U.S. Relations, Congressional Research Service, updated June 6, 2018.