The American Israel Public Affairs Committee (AIPAC), the pro-Israel lobby organization, has often received and distributed confidential government information, including classified materials, asserted former AIPAC official Steven J. Rosen in his pending lawsuit against the organization.

“There is evidence that the receipt and distribution of confidential foreign policy information is a common practice for AlPAC,” he argued in a December 14 legal filing (pdf).  The organization disputes that claim.

Mr. Rosen contends that he was wrongfully terminated by AIPAC after he and fellow AIPAC employee Keith Weissman became the subjects of a federal investigation for the unlawful receipt and disclosure of classified information they obtained from former Pentagon official Larry Franklin.  Rosen and Weissman were indicted in 2005 but the federal case against them was withdrawn by prosecutors in 2009.

On previous occasions, Mr. Rosen said in his current lawsuit, “AIPAC condoned the receipt and distribution of classified information.”  In 1984, Rosen recalled, he had received and shared classified information that members of the Libyan UN delegation had provided money to a US presidential candidate’s staff.  His conduct in that matter was supported by the organization, he said.

“There were in fact other situations before the 2004 Larry Franklin matter involving Steven Rosen and Keith Weissman in which AIPAC employees were involved in receiving classified material,” including the 1984 acquisition of a classified US Trade Representative document, some details of which been redacted from the public version of Mr. Rosen’s filing.

The latest developments in the case of Rosen v. AIPAC were reported in “Steve Rosen Fires Back in His Law Suit Against AIPAC” by Nathan Guttman, Forward, December 15. Selected case files are available from the Institute for Research: Middle Eastern Policy here.

An AIPAC spokesman told the Forward that it “strongly disagrees with Mr. Rosen’s portrayal of events and circumstances related to this litigation.” He said that “senior employees at AIPAC testified under oath during this litigation that they had never been involved with seeking or knowingly disclosing classified information as part of their jobs at AIPAC.”

AIPAC has stated that Rosen and Weissman were fired because their behavior “did not comport with standards that AIPAC expects of its employees.”

But Rosen’s December 14 pleading said that there were no AIPAC standards on handling classified information, and therefore he could not have violated them.  “At no time in the 23 years Steven Rosen was employed by AIPAC did the organization provide in writing or orally any guidance or standards that he and other employees were expected to follow regarding the receipt and sharing of secret, sensitive or ‘classified’ information that might be offered by government officials.”

Faced with release of hundreds of thousands of classified records by Wikileaks in recent months, what should the government do?  The best answer might be to release hundreds of millions of such records!  By stripping away the accretions of decades of overclassification, a wholesale reduction in classified records would restore some integrity to the classification system, bolster public confidence in its legitimacy, and strengthen the security of residual classified secrets.

In a recent exchange with a National Security Council official who deals with information policy, we suggested that the optimal response to unauthorized disclosures would be an accelerated program of authorized disclosures, leading to a sharp reduction in the size and scope of the classification system.  He wasn’t buying it.

“Unfortunately, for reasons you can imagine, this is not a good time to promote that bit of common sense,” he replied.  To the contrary, however, we think this is the best time to shrink the classification system, before it sputters into incoherence and ultimate irrelevance.

It is true that the past year has seen significant breakthroughs in reducing nuclear stockpile secrecy and intelligence budget secrecy, among other notable achievements.  But it is also true that systemic secrecy reform is lagging.  There are many illustrative problems that tell the tale:

**  Last December President Obama called for recommendations on ways to achieve a “fundamental transformation” of the security classification system.  A year later, no such recommendations have been formulated or submitted to the President for action.  (The Public Interest Declassification Board will hold a public meeting on the subject on January 20, 2011.)  The process of transformation appears to be stillborn.

**  It so happens that President Obama has already ordered the declassification of hundreds of millions of records.  These are not contemporary records, but a backlog of historical records more than 25 years old.  Some 400 million pages of them are  supposed to be declassified and made public by the end of 2013, the President said in December 2009.  But to meet that goal, it will be necessary to declassify an average of 100 million pages per year.  In the first six months of this year, less than 8 million were declassified, according to a report (pdf) from the National Declassification Center.  This modest beginning will make it difficult if not impossible to fulfill the task assigned by the President.

**  In the Administration’s most direct response to the problem of overclassification, President Obama directed each classifying agency to perform a Fundamental Classification Guidance Review “to identify classified information that no longer requires protection and can be declassified.”  Agencies were given two years to complete the Review, from July 2010 to June 2012. Six months of that period have already elapsed.  But this week the Defense Department, the largest classifying agency, told Secrecy News that thus far it had no records concerning implementation of the Review.  In other words, it seems that no discernible progress has been made.

**  Meanwhile, it turns out that the Pentagon Papers that were famously leaked by Daniel Ellsberg in 1971 are still technically classified, observed historian John Prados of the National Security Archive this week.  The four volumes of diplomatic materials that Ellsberg withheld from release (because he considered them too sensitive) have been formally declassified.  But the forty-three volumes of leaked materials, though widely republished, have never undergone declassification review, Prados said.  This means that every public and private library that has a copy of the Papers is the unofficial (and unauthorized) custodian of Top Secret government records.  This is our classification system as it exists today.

**  And this week it emerged that zealous security officials had blocked Air Force computers from accessing the New York Times and other sites in order to prevent viewing of classified records.  This is the security policy equivalent of the gospel teaching “If thine eye offend thee, pluck it out.”  But presumably that biblical injunction was never meant to be taken literally.  Someone should tell the Air Force.

In short, national security classification policy is in a state of stagnation, confusion and disarray — and not because of leaks.  Bringing it to good order will require a clear statement of vision, some determined leadership, and concrete action.  An intensive declassification campaign that would slash the size of the classification system to manageable proportions would be the right move, now.

Last year, Senator Christopher Bond (R-MO) told reporters that there is “a far Left-wing fringe group that wants to disclose all our vulnerabilities. I don’t know what their motives are but I think they are very dangerous to our security.”

More hating on Wikileaks?  No, Senator Bond was actually talking about the Federation of American Scientists, after we disclosed the inadvertent publication on the Government Printing Office website of a draft declaration on U.S. nuclear facilities.

Needless to say, we did not recognize ourselves in any part of Senator Bond’s confused comment.  But he reminds us that much of what passes for political discourse is little more than pigeonholing of others into friends and enemies, heroes and villains.  It is hard to learn much that way.

Somehow it comes as no surprise to discover that Senator Bond is the last Senator to have been “slugged” on the Senate floor, as Senate Minority Leader Mitch McConnell pointed out on Tuesday. It is maybe a little surprising that the person whom he drove to violence was none other than the late Sen. Daniel Patrick Moynihan.

In his farewell remarks to the Senate, Sen. Bond briefly discussed the “little scuffle I had with Pat Moynihan. I never talked about it. We never said anything publicly until now. Later on, as we became fast friends, he used to  tease me about setting up boxing matches so we could raise money for charity. But when I looked at his height and his reach, I didn’t take him up on that.”

Many thanks to those readers who have already made contributions to help support Secrecy News.  If you are able and willing to join them, tax-deductible contributions can be made here (select “Government Secrecy” from the drop-down menu to direct your donation to Secrecy News).

You can also write a check payable to Federation of American Scientists and mail it here:

Secrecy News
Federation of American Scientists
1725 DeSales Street NW, Suite 600
Washington, DC  20036

Unless inspiration strikes hard, today’s Secrecy News posts will be the last of 2010.  See you next year.

“Cyber security is now critical to our survival but as a field of research [it] does not have a firm scientific basis,” according to the Department of Defense.  “Our current security approaches have had limited success and have become an arms race with our adversaries.  In order to achieve security breakthroughs we need a more fundamental understanding of the science of cyber security.”

To help advance that understanding, the DoD turned to the JASON defense advisory panel, which has just produced a new report (pdf) on the subject.

“There is a science of cyber security,” the JASONs said, but it “seems underdeveloped in reporting experimental results, and consequently in the ability to use them.”

The JASON report began by noting that “A science of cyber security has to deal with a combination of peculiar features that are shared by no other area of study.”

“First, the background on which events occur is almost completely created by humans and is digital.  That is, people built all the pieces.  One might have thought that computers, their software, and networks were therefore completely understandable.  The truth is that the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well [after the fact],” the report said.

“Second, cyber security has good guys and bad guys.  It is a field that has developed because people have discovered how to do things that other people disapprove of, and that break what is thought to be an agreed-upon social contract in the material world.  That is, in cyber security there are adversaries, and the adversaries are purposeful and intelligent.”

The JASON report went on to discuss the importance of definitions (including the definition of cyber security itself, which is “imprecise”), the need for a standard vocabulary to discuss the subject, and the necessity (and difficulty) of devising experimental protocols that would permit development of a reproducible experimental science of cyber security.

“There are no surprises in this report, nor any particularly deep insights,” the JASON authors stated modestly.  “Most people familiar with the field will find the main points familiar.”  Also, “There may be errors in the report, and substantive disagreements with it.”

In fact, however, the report is full of stimulating observations and is also, like many JASON reports, quite well written.  While cyber security fundamentally requires an understanding of computer science, the report explained that it “also share aspects of sciences such as epidemiology, economics, and clinical medicine;  all these analogies are helpful in providing research directions.”  An analogy between cyber security and the human immune system, with its “innate” and “adaptive” components, was found to be particularly fruitful.

“At the most abstract level, studying the immune system suggests that cyber security solutions will need to be adaptive, incorporating learning algorithms and flexible memory mechanisms…. [However,] adaptive solutions are expensive in terms of needed resources.  Approximately 1% of human cells are lymphocytes, reflecting a rather large commitment to immune defense.  [By analogy,] one should therefore expect that significant amount of computational power would be needed to run cyber security for a typical network or cluster.”

The report recommended DoD support for a network of cyber security research centers in universities and elsewhere.  With barely a hint of irony, the JASONs also endorsed an April 2010 statement by Wang Chen, China’s chief internet officer, that “Leaking of secrets via the Internet is posing serious threats to national security and interests.”

A copy of the new JASON report was obtained by Secrecy News.  See “Science of Cyber-Security,” November 2010.

How many government employees and contractors hold security clearances for access to classified information?  Remarkably, it is not possible to answer that question today with any precision. But it should be possible by next February, officials said at a House Intelligence Subcommittee hearing on December 1.

Currently there is no precise tally of the number of cleared persons, and there is no way to produce one, said John Fitzpatrick, Director of the ODNI Special Security Center.

“We can find definitively if any individual has a clearance at any one point in time,” he told Rep. Anna Eshoo, the subcommittee chair.  But “to take that point in time and define the number of all the people that do takes a manipulation of data in databases that weren’t intended to do that.”

“To give a precise [answer] requires, I think, due diligence in the way we collect that data and the way that data changes.”  And in fact, “we have a special data collection to provide a definitive answer on that in the February 2011 IRTPA report,” referring to an upcoming report required under the 2004 Intelligence Reform and Terrorism Prevention Act.

In the meantime, Mr. Fitzpatrick said, “To give a ballpark number [of total security clearances] is not difficult.”

Well then, Rep. Eshoo asked, “What would a ballpark figure today be?”

“Oh, I’d like to take that one for the record,” Mr. Fitzpatrick replied. “It’s — you know, I’d give you — I’d like to take that one for the record.”

Based on prior reporting by the Government Accountability Office, the ballpark figure that we use is 2.5 million cleared persons.  (“More Than 2.4 Million Hold Security Clearances,” Secrecy News, July 29, 2009).

The U.S. Government insists that the classification markings on many of the leaked documents being published by Wikileaks and other organizations are still in force, even though the documents are effectively in the public domain, and it has directed federal employees and contractors not to access or read the records outside of a classified network.

But by strictly adhering to the letter of security policy and elevating security above mission performance, some say the government may be causing additional damage.

“At DHS we are getting regular messages [warning not to access classified records from Wikileaks],” one Department of Homeland Security official told us in an email message. “It has even been suggested that if it is discovered that we have accessed a classified Wikileaks cable on our personal computers, that will be a security violation. So, my grandmother would be allowed to access the cables, but not me. This seems ludicrous.”

“As someone who has spent many years with the USG dealing with senior officials of foreign governments, it seems to me that the problem faced by CRS researchers (and raised by you) is going to be widespread across our government if we follow this policy.”

“Part of making informed judgments about what a foreign government or leader will do or think about something is based on an understanding and analysis of what information has gone into their own deliberative processes. If foreign government workers know about something in the Wikileaks documents, which clearly originated with the U.S., then they will certainly (and reasonably) assume that their US counterparts will know about it too, including the staffers. If we don’t, they will assume that we simply do not care, are too arrogant, stupid or negligent to find and read the material, or are so unimportant that we’ve been intentionally left out of the information loop. In any such instance, senior staff will be handicapped in their preparation and in their inter-governmental relationships,” the DHS official said.

“I think more damage will be done by keeping the federal workforce largely in the dark about what other interested parties worldwide are going to be reading and analyzing. It does not solve the problem to let only a small coterie of analysts review documents that may be deemed relevant to their own particular ‘stovepiped’ subject area. Good analysis requires finding and putting together all the puzzle pieces.”

So far, however, this kind of thinking is not finding a receptive audience in government. There has been no sign of leadership from any Administration official who would stand up and say:  “National security classification is a means, and not an end in itself.  What any reader in the world can discover is no longer a national security secret. We should not pretend otherwise.”

The Department of the Treasury has recently produced a consolidated classification guide, detailing exactly what kinds of Treasury information may be classified at what level and for how long.  It is in such agency classification guides, not in high-level government-wide policy statements, that the nuts and bolts of government secrecy policy are to be found, and perhaps to be changed.  See “Security Classification Guide” (pdf), Department of the Treasury, December 2010.

The Congressional Research Service yesterday offered its assessment of the Stuxnet worm, which was evidently designed to damage industrial control systems such as those used in Iran’s nuclear program.  See “The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability” (pdf), December 9, 2010.

Intelligence historian Jeffrey Richelson has written what must be the definitive account of the rise and fall of the National Applications Office, the aborted Department of Homeland Security entity that was supposed to harness intelligence capabilities for domestic security and law enforcement applications. The article, which is not freely available online, is entitled “The Office That Never Was: The Failed Creation of the National Applications Office.”  It appears in the International Journal of Intelligence and Counter Intelligence, vol. 24, no. 1, pp. 65-118 (2011).

The latest issue of the Journal of National Security Law & Policy (vol. 4, no. 2) is now available online.  Entitled “Liberty, terrorism and the laws of war,” it includes several noteworthy and informative papers on intelligence and security policy.

“There appears to be no statute that generally proscribes the acquisition or publication of diplomatic cables,” according to a newly updated report (pdf) from the Congressional Research Service, “although government employees who disclose such information without proper authority may be subject to prosecution.”

But there is a thicket of statutes, most notably including the Espionage Act, that could conceivably be used to punish unauthorized publication of classified information, such as the massive releases made available by Wikileaks.  See “Criminal Prohibitions on the Publication of Classified Defense Information”, December 6, 2010.

The updated CRS report sorts through those statutes, provides an account of recent events, presents a new discussion of extradition of foreign nationals who are implicated by U.S. law, and summarizes new legislation introduced in the Senate (S. 4004).

A previous version (pdf) of the CRS report, issued in October, was cited by Sen. Dianne Feinstein in a Wall Street Journal op-ed yesterday in support of prosecuting Wikileaks, though the report did not specifically advise such a course of action.  Sen. Feinstein also seemed to endorse the view that the State Department cables being released by Wikileaks are categorically protected by the Espionage Act and should give rise to a prosecution under the Act.

But the Espionage Act only pertains to information “relating to the national defense,” and only a minority of the diplomatic cables could possibly fit that description.

The new CRS report put it somewhat differently: “It seems likely that most of the information disclosed by WikiLeaks that was obtained from Department of Defense databases [and released earlier in the year] falls under the general rubric of information related to the national defense. The diplomatic cables obtained from State Department channels may also contain information relating to the national defense and thus be covered under the Espionage Act, but otherwise its disclosure by persons who are not government employees does not appear to be directly proscribed. It is possible that some of the government information disclosed in any of the three releases does not fall under the express protection of any statute, despite its classified status.”

Incredibly, CRS was unable to meaningfully analyze for Congress the significance of the newest releases because of a self-defeating security policy that prohibits CRS access to the leaked documents.

The CRS report concludes that any prosecution of Wikileaks would be unprecedented and challenging, both legally and politically.  “We are aware of no case in which a publisher of information obtained through unauthorized disclosure by a government employee has been prosecuted for publishing it. There may be First Amendment implications that would make such a prosecution difficult, not to mention political ramifications based on concerns about government censorship.”

For our part, we would oppose a criminal prosecution of Wikileaks under the Espionage Act.

After its access to the Wikileaks web site was blocked by the Library of Congress, the Congressional Research Service this week asked Congress for guidance on whether and how it should make use of the leaked records that are being published by Wikileaks, noting that they could “shed important light” on topics of CRS interest.

CRS “has informed our House and Senate oversight committees, and solicited their guidance, regarding the complexities that the recent leaks of classified information present for CRS,” wrote CRS Director Daniel Mulhollan in a December 6 email message (pdf) to all CRS staff.  “I have also contacted the majority and minority counsels of select committees in the House and Senate requesting guidance on the appropriate boundaries that CRS should recognize and adhere to in summarizing, restating or characterizing open source materials of uncertain classification status in unclassified CRS reports and memoranda for Congress.”

“Our challenge is how to balance the need to provide the best analysis possible to the Congress on current legislative issues against the legal imperative to protect classified national security information. This is especially a problem in light of the massive volume of recently released documents, which may shed important light on research and analysis done by the Service,” Mr. Mulhollan wrote.

“As guidance becomes available from Congress, I will follow-up with additional information.  At present, it seems clear that the republication of known classified information by CRS in an unclassified format (e.g., CRS reports or congressional distribution memoranda) is prohibited. We believe this prohibition against the further dissemination of classified information in an unclassified setting applies even if a secondary source (e,g., a newspaper, journal, or website) has reprinted the classified document. The laws and applicable regulations are decidedly less clear, however, when it comes to referencing and citing secondary sources that refer to, summarize, or restate classified information.”

A copy of Mr. Mulhollan’s email message was obtained by Secrecy News.

The Library of Congress confirmed on Friday that it had blocked access from all Library computers to the Wikileaks web site in order to prevent unauthorized downloading of classified records such as those in the large cache of diplomatic cables that Wikileaks began to publish on November 28.

Since the Congressional Research Service is a component of the Library, this means that CRS researchers will be unable to access or to cite the leaked materials in their research reports to Congress.  Several current and former CRS analysts expressed perplexity and dismay about the move, and they said it could undermine the institution’s research activities.

“It’s a difficult situation,” said one CRS analyst. “The information was released illegally, and it’s not right for government agencies to be aiding and abetting this illegal dissemination.  But the information is out there.  Presumably, any Library of Congress researcher who wants to access the information that Wikileaks illegally released will simply use their home computers or cellphones to do so.  Will they be able to refer directly to the information in their writings for the Library?  Apparently not, unless a secondary source, like a newspaper, happens to have already cited it.”

“I can understand LOC blocking the public’s access to Wikileaks,” a former CRS analyst said.  “It would have no control over someone from the public using classified information for impermissible or improper purposes.  [But] the connection between LOC and CRS has always been somewhat fuzzy because Congress intended CRS to have a certain amount of autonomy.  There should be room for CRS to adopt a different policy, particularly for specialists who have security clearances, know how to protect classified information, and can be entrusted to use Wikileaks appropriately.  To me, it is a wrong course to simply close the door tightly without searching for a compromise needed to continue providing Congress with high-level professional analysis.”

In fact, if CRS is “Congress’s brain,” then the new access restrictions could mean a partial lobotomy.

“I don’t know that you can make a credible argument that CRS reports are the gold standard of analytical reporting, as is often claimed, when its analysts are denied access to information that historians and public policy types call a treasure trove of data,” another former CRS employee said.

“I understand the rationale behind the policy decision to preclude government agencies from making the information available via their sites as a matter of pure principle.  On the other hand (as CRS is famous for saying), in some cases it would clearly diminish the weight of some of the analysis CRS does on policy issues, particularly on foreign affairs and military strategy where it is widely known that key information that would help inform thoughtful and comprehensive analysis was released on Wikileaks.”

“As an example, when [CRS Middle East analyst] Ken Katzman writes on U.S. policy towards Iran I don’t know how he could meet the high professional standards for completeness and accuracy he routinely meets if he can’t refer to the information in the [leaked] diplomatic notes that express the thoughts of key leaders in the region on the need to strike Iran’s nuclear program.  The same with North Korea; how do you provide Congress complete and accurate analysis to inform their decision making that ignores the [leaked] information on China’s increasing frustration with Pyongyang?  The examples could go on and on.”

“I’m sure public policy analysts from other organizations are going to use the [Wikileaks] information and their reports may prove more valuable to decision makers than CRS reports,” the former CRS employee said.

Another former analyst questioned the legal basis for the Library of Congress’s action.

“In its press release, LOC seems to be saying that it is following OMB advice regarding the obligation of federal agencies and federal employees to protect classified information and to otherwise protect the integrity of government information technology systems.  But LOC is statutorily chartered as the library of the House and the Senate.  It is a legislative branch agency.  I don’t recall either chamber directing the blocking of access to Wikileaks for/or by its committees, offices, agencies, or Members.”

Interestingly, the OMB guidance did not require federal agencies to block access to Wikileaks, only to warn employees against downloading classified information.  So by imposing such blocks, the Library of Congress has actually exceeded the instructions of OMB.

The Library did not reply to an inquiry from Secrecy News over the weekend concerning the impact of its restricted access policy on CRS.  If a reply is forthcoming, it will be posted here.

On December 3, I participated in an interesting, somewhat testy discussion about Wikileaks on the show Democracy Now along with Glenn Greenwald of Salon.com, who is a passionate defender of the project.  The ultimate victory of Wikileaks (or something like it) is guaranteed, Mr. Greenwald suggested, so any criticism of it is basically irrelevant.

“We can debate WikiLeaks all we want,” he said, “but at the end of the day, it doesn’t really matter, because the technology that exists is inevitably going to subvert these institutions’ secrecy regimes. It’s too easy to take massive amounts of secret [material] and dump it on the internet….  And I think that what we’re talking about is inevitable, whether people like Steven Aftergood or Joe Lieberman or others like it or not.”

This seems like wishful thinking.  It is true that Wikileaks offers the most direct public access to the diplomatic cables and other records that it has published, most of which could not be obtained any time soon through normal channels.  But instead of subverting secrecy regimes, Wikileaks appears to be strengthening them, as new restrictions on information sharing are added and security measures are tightened.  (Technology can be used to bolster secrecy as well as subvert it.)

In fact, Wikileaks may deliberately be attempting, in a quasi-Marxist way, to subvert secrecy by provoking governments to strengthen it.  But please try this in your own country first.

It was ordinary political advocacy, not leaks, that produced reversals of longstanding U.S. government secrecy policies this year on nuclear stockpile secrecy and intelligence budget secrecy.  It was also political advocacy, not leaks, that led to the declassification of more than a billion pages of classified records since 1995.  Obviously, much more remains to be done, and the tools available to transparency advocates are not as powerful as one would wish.  Leaks that serve the public interest have their honored place;  more would be welcome.  Advocacy may fail, and often does.  Nothing is inevitable, as far as I know.  But so far it is still politics, not the subversion or repudiation of politics, that has produced the greater impact on U.S. secrecy policy.  (The calculation may well be different in other countries.)

The susceptibility of secrecy policy to political action was discussed in a paper I wrote on “National Security Secrecy: How the Limits Change” (pdf). It will appear in the forthcoming Fall 2010 issue of the journal Social Research that is devoted to the topic of “Limiting Knowledge in a Democracy.”