Weaknesses in Industrial Cyber Security Described

The vulnerabilities of critical energy infrastructure installations to potential cyber attack are normally treated as restricted information and are exempt from public disclosure.  But a recent Department of Energy report was able to openly catalog and describe the typical vulnerabilities of energy infrastructure facilities because it did not reveal the particular locations where they were discovered.

“Although information found in individual… vulnerability assessment reports is protected from disclosure, the security of the nation’s energy infrastructure as a whole can be improved by sharing information on common security problems,” the DOE report (pdf) said. “For this reason, vulnerability information was collected, analyzed, and organized to allow the most prevalent issues to be identified and mitigated by those responsible for individual systems without disclosing the identity of the associated… product.”

The specific vulnerabilities that were found are no big surprise — open ports, insecure coding practices, and poor patch management.  But by describing the issues in some detail, the new report may help to demystify the cyber security problem and to provide a common vocabulary for publicly addressing it.  See “NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses,” Idaho National Laboratory, May 2010.
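
As an added illustration, not code from the NSTB report or from any vendor product, the block below shows the kind of insecure coding practice the report's category covers in control-system software: a protocol parser that trusts a length field arriving from the network. The frame layout (unit id, function code, byte count, data) is a simplified assumption made for this example and is not a real protocol specification; the sample frames are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumed, simplified request layout (illustration only, not a real spec):
 *   byte 0: unit id   byte 1: function code   byte 2: byte count   bytes 3..: data
 */
#define MAX_DATA 32

struct frame {
    uint8_t unit;
    uint8_t func;
    uint8_t count;
    uint8_t data[MAX_DATA];
};

/* Weak parser: copies as many bytes as the wire-supplied count field says.
 * count is attacker-controlled and may exceed both MAX_DATA (overflow of
 * out->data) and len (read past the end of the received buffer). */
int parse_frame_unchecked(const uint8_t *buf, size_t len, struct frame *out)
{
    if (len < 3)
        return -1;
    out->unit  = buf[0];
    out->func  = buf[1];
    out->count = buf[2];
    memcpy(out->data, buf + 3, out->count);   /* no bound on count */
    return 0;
}

/* Hardened parser: the count field must fit the destination and must match
 * the number of bytes actually received; otherwise the frame is rejected
 * before any data byte is copied. */
int parse_frame_checked(const uint8_t *buf, size_t len, struct frame *out)
{
    if (buf == NULL || out == NULL || len < 3)
        return -1;                       /* truncated header */
    uint8_t count = buf[2];
    if (count > MAX_DATA)
        return -2;                       /* would overflow out->data */
    if ((size_t)count != len - 3)
        return -3;                       /* length field disagrees with frame */
    out->unit  = buf[0];
    out->func  = buf[1];
    out->count = count;
    memcpy(out->data, buf + 3, count);
    return 0;
}

/* Constructed sample frames. */
/* Valid: count field = 4, four data bytes follow. */
static const uint8_t good_frame[] = { 0x01, 0x10, 0x04, 0xAA, 0xBB, 0xCC, 0xDD };
/* Malicious: count field claims 200 bytes, only four are present. */
static const uint8_t bad_frame[]  = { 0x01, 0x10, 0xC8, 0xAA, 0xBB, 0xCC, 0xDD };

/* Return code of the hardened parser for a frame (0 = accepted). */
int check_frame(const uint8_t *buf, size_t len)
{
    struct frame f;
    return parse_frame_checked(buf, len, &f);
}

/* Count field as seen by the weak parser on a benign frame (-1 on error).
 * Only ever called with well-formed input: on bad_frame the weak parser
 * would copy 200 bytes into a 32-byte field, which is undefined behaviour. */
int unchecked_count(const uint8_t *buf, size_t len)
{
    struct frame f;
    if (parse_frame_unchecked(buf, len, &f) != 0)
        return -1;
    return f.count;
}

int main(void)
{
    printf("hardened parser, good frame: %d\n", check_frame(good_frame, sizeof good_frame)); /* 0 */
    printf("hardened parser, bad frame:  %d\n", check_frame(bad_frame, sizeof bad_frame));   /* -2 */
    printf("weak parser, good frame count: %d\n", unchecked_count(good_frame, sizeof good_frame)); /* 4 */
    return 0;
}
```

Both checks in the hardened parser are needed: capping the count at MAX_DATA alone still lets a short frame with an inflated count read beyond the bytes received, and comparing the count to the received length alone still lets a long frame overflow the fixed-size field.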

Too Many Secrets, the Greatest Math Discovery, and More

The Wikileaks publication of tens of thousands of classified U.S. military records last week is inevitably prompting a review of information security practices to identify remedial steps.  I have been arguing that one of those steps ought to be a rethinking of classification policy.  “The reform that may be needed more urgently than any other is a careful reduction in the size of the secrecy system.”  See “Afghan Leaks: Is the U.S. Keeping Too Many Secrets?” by Alex Altman, Time, July 30.

The Department of Defense has updated its doctrine on “foreign internal defense,” which refers to actions taken to support a foreign government’s efforts to combat domestic subversion, insurgency or terrorism.  See Joint Publication 3-22, “Foreign Internal Defense,” July 12, 2010.

“The Army in Multinational Operations” is the subject of a newly updated U.S. Army Field Manual, FM 3-16, May 2010.

Michel de Montaigne (1533-1592), whose essays transformed Western consciousness and literature, was not capable of solving basic arithmetic problems.  And most other people would not be able to do so either, if not for the invention of decimal notation by an unknown mathematician in India 1500 years ago.  That is the contention of a neat little essay recently published by the Department of Energy (based in part on a book by Georges Ifrah).  See “The Greatest Mathematical Discovery?” by David H. Bailey and Jonathan M. Borwein, May 12, 2010.

Rethinking “Formerly Restricted Data”

Congress should eliminate the classification category known as “Formerly Restricted Data” in order to simplify and streamline classification policy, the Public Interest Declassification Board was told last week.

While most national security information (NSI) is classified by executive order, information related to nuclear weapons is classified under the Atomic Energy Act.  And such classified nuclear weapons information in turn falls into two categories:  Restricted Data (RD), which deals mainly with weapons design and production of nuclear material, and Formerly Restricted Data (FRD), which typically concerns the storage, maintenance and utilization of nuclear weapons.  (Despite its somewhat misleading name, FRD is still classified information and cannot be shared with uncleared persons.)

Incredibly, each component of this three-part classification system — NSI, RD, and FRD — has different criteria for classifying, handling, and declassifying information within its scope.  So, for example, RD can be declassified by the Secretary of Energy only when it poses no “undue risk.”  But FRD can be declassified only when doing so presents no “unreasonable risk,” and only by joint action of the Secretary of Energy and the Department of Defense. And so on.  When items from different classification categories are intermingled within the same document or records group, the processing of records for declassification all but grinds to a halt.

“The entire FRD classification category should be eliminated,” I told the Board (pdf), “because it adds needless complexity to an already baroque classification system, and it poses an unnecessary obstacle to the efficient functioning of the declassification process.”

In the past, policymakers have considered transferring FRD to the regular classification system, or partitioning FRD partly into RD and partly into NSI, but they decided against it. “The cost and effort to manage such a partition, the judgment that it was unlikely for Congress [to make the needed legislative changes], and the problems discovered at NARA [where some unmarked RD and FRD were found in declassified files] resulted in no changes in the FRD category,” said Andrew Weston-Dawkes, the Director of the Office of Classification at the Department of Energy, in a statement (pdf) to the Board.

But the “no change” approach has significant long-term costs of its own, because the current three-tiered classification system is a massive impediment to the efficient production, handling and ultimate declassification of classified government records.

“A workable classification system of the future will be simple in design, easy to implement and to correct, and modest in scale,” I suggested to the PIDB.  “The Formerly Restricted Data category is not consistent with that goal, and so it needs to go.”

Dr. William Burr of the National Security Archive and Dr. Robert S. Norris of the Natural Resources Defense Council described to the PIDB the historical importance of information currently withheld as FRD, the often irrational barriers to its disclosure, and the benefits of careful declassification of historically significant FRD.  Steve Henry of the Department of Defense said that the Pentagon is currently reviewing the possible declassification of historical nuclear weapons storage locations.

Senate Assists DoJ with Leak Investigation

In response to a request from the Department of Justice, the Senate yesterday authorized the Senate Intelligence Committee to cooperate with a pending investigation of an unauthorized disclosure of classified information.

“The Chairman and Vice Chairman of the Senate Select Committee on Intelligence, acting jointly, are authorized to provide to the United States Department of Justice, under appropriate security procedures, copies of Committee documents sought in connection with a pending investigation into the unauthorized disclosure of classified national security information, and former and current employees of the Committee are authorized to testify in proceedings arising out of that investigation,” according to Senate Resolution 600 that was passed yesterday.

The target of the leak investigation was not specified, but Senate Majority Leader Harry Reid said it involved “someone not connected with the committee.”

The Office of the Director of National Intelligence recently released a copy of Intelligence Community Directive (ICD) Number 700 on “Protection of National Intelligence” (pdf), which was issued on September 21, 2007.  Among other things, the Directive mandated the establishment of “fora for the identification and solution of issues affecting the protection of national intelligence and intelligence sources and methods.”

Senator: Secrecy Obscures Cyber Threats

“I believe we are suffering what is probably the biggest transfer of wealth through theft and piracy in the history of mankind,” said Sen. Sheldon Whitehouse (D-RI), referring to the penetration and compromise of U.S. information systems by foreign nations and criminal entities.

In a statement on the Senate floor on Tuesday, Sen. Whitehouse described some of the findings of a classified Task Force that he chaired and that recently reported to the Senate Intelligence Committee.

The defense of U.S. information networks “is the greatest unmet national security need facing the United States,” he said. “The intelligence community is keenly aware of the threat and is doing all it can within existing laws and authorities to counter it.  The bad news is the rest of our country–including the rest of the Federal Government–is not keeping pace with the threat.”

Part of the problem, he said, is that “threat information affecting the dot.gov and the dot.mil domains is largely classified–often very highly classified” and so “the public knows very little about the size and scope of the threat their Nation faces…. If they knew how vulnerable America’s critical infrastructure is and the national security risk that has resulted, they would demand action.  It is hard to legislate in a democracy when the public has been denied so much of the relevant information.”

Among several proposed responses that he described, he said “we must more clearly define the rules of engagement for covert action by our country against cyber-threats.  This is an especially sensitive subject and highly classified.  But for here, let me just say that the intelligence community and the Department of Defense must be in a position to provide the President with as many lawful options as possible to counter cyber-threats, and the executive branch must have the appropriate authorities, policies, and procedures for covert cyber-activities, including how to react in real time when the attack comes at the speed of light.  This all, of course, must be subject to very vigilant congressional oversight.”

More than 40 bills on cyber security are currently pending in Congress, Sen. Whitehouse noted.

Can the Secrecy System Be Fixed?

The release of some 90,000 classified records on the Afghanistan War by Wikileaks is the largest single unauthorized disclosure of currently classified records that has ever taken place, and it naturally raises many questions about information security, the politics of disclosure, and the possible impact on the future conduct of the war in Afghanistan.

But among those questions is this:  Can the national security classification system be fixed before it breaks down altogether in a frenzy of uncontrolled leaks, renewed barriers against information dissemination, and a growing loss of confidence in the integrity of the system?

That the classification system needs fixing is beyond any doubt.

“I agree with you, sir,” Gen. James R. Clapper, Jr., told Sen. Ron Wyden at his DNI confirmation hearing last week, “we do overclassify.”

That makes it more or less unanimous.  What has always been less clear is just what to do about the problem.

In what may be the last opportunity to systematically correct classification policy and to place it on a sound footing, the Obama Administration has ordered all classifying agencies to perform a Fundamental Classification Guidance Review.  The purpose of the Review is to evaluate current classification policies based on “the broadest possible range of perspectives” and to eliminate obsolete or unnecessary classification requirements.  Executive Order 13526, section 1.9 directed that such reviews must be completed within the next two years.

“There is an executive order that we, the [intelligence] community, are in the process of gearing up on how to respond to this, because this is going to be a more systematized process, and a lot more discipline to it,” Gen. Clapper said.

“Having been involved in this, I will tell you my general philosophy is that we can be a lot more liberal, I think, about declassifying, and we should be,” Gen. Clapper said.

It is unclear at this point whether the Fundamental Review will be faithfully implemented by executive branch agencies, whether it will have the intended effect of sharply reducing the scope of the national security classification system, or whether the system itself is already beyond repair.

Can Whistleblowers Be Protected?

There are probably many reasons why people may become motivated to break ranks, to violate their non-disclosure agreements, and to disclose classified information to unauthorized persons.  One of the most compelling reasons for doing so is to expose perceived wrongdoing, i.e. to “blow the whistle.”

It obviously follows that the government has an interest in providing safe, secure and meaningful channels for government employees (and contractors) to report misconduct without feeling that they need to go outside the system to get a fair hearing for their concerns.  Unfortunately, would-be whistleblowers today cannot have much confidence in those official channels.

To the contrary, “most employees who reported disclosing wrongdoing or filing a grievance believe that they experienced negative repercussions for doing so,” according to a recent report to the President from the Merit Systems Protection Board.  See “Prohibited Personnel Practices—A Study Retrospective,” June 2010 (at page 16).

“Morale, organizational performance, and (ultimately) the public suffer unnecessarily when employees are reluctant to disclose wrongdoing or to seek redress for inequities in the workplace,” said the MSPB report, which did not specifically address whistleblowing involving classified information.

“Work remains to be done in creating a workplace where employees can raise concerns about organizational priorities, work processes, and personnel policies and decisions without fear of retaliation, and where managers can respond to such concerns openly and constructively,” the Board report said.

See, relatedly, “Whistleblowers have nowhere to turn to challenge retaliatory suspensions” by Mike McGraw, the Kansas City Star, July 24.

Clapper: Military Intel Budget to be Disclosed

The size of the annual budget for the Military Intelligence Program (MIP), which has been classified up to now, will be publicly disclosed, said Gen. James R. Clapper, Jr., the nominee to be the next Director of National Intelligence.  He said that he had personally advocated and won approval for release of the budget figure.

“I pushed through and got Secretary [of Defense Robert M.] Gates to approve revelation of the Military Intelligence Program budget,” Gen. Clapper told Senator Russ Feingold at his confirmation hearing before the Senate Intelligence Committee yesterday.

Since 2007, the DNI has declassified and disclosed the size of the National Intelligence Program (NIP) at the end of each fiscal year, in response to a legislative requirement.  But despite its name, the NIP is not literally the whole “national intelligence program.”  Rather, it is one of the two budget constructs, along with the MIP, that make up the total U.S. intelligence budget.

Thus, when former DNI Dennis Blair said last September that the total intelligence budget was around $75 billion, he was referring to the sum of the NIP (which was $49.8 billion at that time) plus the MIP.

“I thought, frankly, we were being a bit disingenuous by only releasing or revealing the National Intelligence Program, which is only part of the story,” said Gen. Clapper.  “And so Secretary Gates has agreed that we could also publicize that [i.e., the MIP budget]. I think the American people are entitled to know the totality of the investment we make each year in intelligence.”

The MIP budget figure has not yet been formally disclosed.  A Freedom of Information Act request for the number that was filed in October 2009 by the Federation of American Scientists remains open and pending.

Seeking Structural Reform of the Intel Budget

Open government advocates believe that intelligence budget disclosure is good public policy and may even be required by the Constitution’s statement and account clause.  But what makes it potentially interesting to policymakers is that it would permit the intelligence budget to be directly appropriated, rather than being secretly funneled through the Pentagon budget as it is now.

“I would support and I’ve also been working [on] actually taking the National Intelligence Program out of the DoD budget,” said DNI-nominee Gen. James R. Clapper at his confirmation hearing yesterday, “since the original reason for having it embedded in the Department’s budget was for classification purposes.  Well, if it’s going to be publicly revealed, that purpose goes away.”

Removing classified NIP funding from the DoD budget would be appealing to the Pentagon since it would make the DoD’s total budget appear smaller.  “It serves the added advantage of reducing the topline of the DoD budget, which is quite large, as you know, and that’s a large amount of money that the Department really has no real jurisdiction over,” Gen. Clapper said.

The primary obstacle to such a change in the structure of the intelligence budget may now lie in Congress, not in the intelligence community.

The Senate Intelligence Committee has just weakened an amendment to require annual disclosure of the NIP budget request at the start of the budget process — which is a prerequisite to an open intelligence budget appropriation — by making disclosure subject to a presidential waiver.

The original amendment, offered by Senators Feingold, Bond and Wyden, “was intended to make possible a recommendation of the 9/11 Commission to improve congressional oversight by passing a separate intelligence appropriations bill,” explained Senator Feingold.  But the effort to implement that recommendation “would be seriously complicated by the year-to-year uncertainty of a presidential waiver,” he said in the revised markup (pdf) of the FY2010 intelligence authorization act, released yesterday (at p. 76).

Clapper Embraces GAO Intel Oversight, SSCI Doesn’t

The Government Accountability Office (GAO), the investigative arm of Congress, won plaudits for its contributions to intelligence oversight from Gen. James R. Clapper at his July 20 confirmation hearing to be the next Director of National Intelligence.  But in the latest version of the intelligence authorization bill, the Senate Select Committee on Intelligence yielded to White House opposition and abandoned a provision that would have enhanced GAO’s role in intelligence oversight.

“The GAO has produced very useful studies,” Gen. Clapper said. “I would cite as a specific recent case in point the ISR [intelligence, surveillance, and reconnaissance] road map that we’re required to maintain and the GAO has critiqued us on that.”

“I’ve been very deeply involved in personnel security clearance reform,” he said. “The GAO has held our feet to the fire on ensuring compliance with IRTPA [intelligence reform legislation] guidelines on timeliness of clearances and of late has also insisted on the quality metrics for ensuring appropriate clearances.”

“So I think the GAO serves a useful purpose for us,” Gen. Clapper told Sen. Feingold.

But under pressure from the Obama White House, the Senate Committee stripped out a provision that would have ensured authorized GAO access to the intelligence community.

Paradoxically, executive branch opposition to GAO involvement in intelligence oversight may be a positive sign.  It implies that GAO oversight would represent a meaningful change in the status quo and that it could usefully destabilize entrenched bad habits.

On the other hand, congressional reluctance to embrace GAO oversight is somewhat scandalous.  If there is a single policy issue raised by the Washington Post’s sprawling account of the sprawling intelligence industrial complex this week, it is the questionable adequacy of intelligence oversight.

Simply put, the size of the intelligence bureaucracy has more than doubled since 2001, but intelligence oversight capacity has not increased accordingly.  A focused use of GAO assets offers one immediate way to correct that oversight deficit.

But in its new report (pdf) on the intelligence authorization act, the Senate Intelligence Committee said further study was needed before it could endorse GAO oversight.

“The Committee believes it is important to explore further the scope of current GAO arrangements with the Intelligence Community, the history of GAO’s work on classified matters outside of the Intelligence Community, existing GAO procedures for working with classified information, and the extent to which future GAO investigations and audits of the Intelligence Community can be conducted by mutual agreement,” the Committee said (at p. 71).

But the case in favor of GAO oversight is already quite strong and clear.  General Clapper’s personal testimony aside, there is a solid record on the subject thanks especially to Senator Daniel Akaka, who held a hearing on it in 2008.  And a new DoD Directive specifies a role for GAO in oversight of DoD intelligence programs.

Legislation endorsing GAO oversight of intelligence sponsored by Rep. Anna Eshoo and colleagues remains pending in the House, and is strongly supported by Speaker Pelosi.  I discussed the subject in a July 12 interview with Federal News Radio.

The new Senate markup of the intelligence authorization bill has some features that would improve accountability, said Sen. Feingold in a statement appended to the Committee report, but it “removes many other important provisions … that were aimed at improving oversight and transparency, as well as accountability.”

Costs of Major U.S. Wars Compared

More than a trillion dollars has been appropriated since September 11, 2001 for U.S. military operations in Iraq, Afghanistan and elsewhere.  This makes the “war on terrorism” the most costly of any military engagement in U.S. history in absolute terms or, if correcting for inflation, the second most expensive U.S. military action after World War II.

A newly updated report from the Congressional Research Service estimated the financial costs of major U.S. wars from the American Revolution ($2.4 billion in FY 2011 dollars) to World War I ($334 billion) to World War II ($4.1 trillion) to the second Iraq war ($784 billion) and the war in Afghanistan ($321 billion).  CRS provided its estimates in current year dollars (i.e. the year they were spent) and in constant year dollars (adjusted for inflation), and as a percentage of gross domestic product.  Many caveats apply to these figures, which are spelled out in the CRS report.

In constant dollars, World War II is still the most expensive of all U.S. wars, having consumed a massive 35.8% of GDP at its height and having cost $4.1 trillion in FY2011 dollars.  See “Costs of Major U.S. Wars,” June 29, 2010.

Military Contractors in Iraq and Afghanistan

The Department of Defense has more contractors in Iraq and Afghanistan than it has uniformed military personnel, another newly updated report from the Congressional Research Service reminds us.

“The Department of Defense increasingly relies upon contractors to support operations in Iraq and Afghanistan, which has resulted in a DOD workforce that has 19% more contractor personnel (207,600) than uniformed personnel (175,000),” said the CRS report — which forms a timely counterpoint to this week’s Washington Post “Top Secret America” series on the tremendous expansion of the intelligence bureaucracy, including the increased and often unchecked reliance on contractors.

The explosive growth in reliance on contractors naturally entails new difficulties in management and oversight.  “Some analysts believe that poor contract management has also played a role in abuses and crimes committed by certain contractors against local nationals, which may have undermined U.S. counterinsurgency efforts in Iraq and Afghanistan,” the CRS said.  See “Department of Defense Contractors in Iraq and Afghanistan: Background and Analysis,” July 2, 2010.

And see, relatedly, “U.S. Special Operations Forces (SOF): Background and Issues for Congress,” July 16, 2010.