Congress Tells DoD to Report on Leaks, Insider Threats

For the next two years, Congress wants to receive quarterly reports from the Department of Defense on how the Pentagon is responding to leaks of classified information. The reporting requirement was included in the pending National Defense Authorization Act for FY 2015 (Sec. 1052).

“Compromises of classified information cause indiscriminate and long-lasting damage to United States national security and often have a direct impact on the safety of warfighters,” the Act states.

“In 2010, hundreds of thousands of classified documents were illegally copied and disclosed across the Internet,” it says, presumably referring to the WikiLeaks disclosures of that year.

“In 2013, nearly 1,700,000 files were downloaded from United States Government information systems, threatening the national security of the United States and placing the lives of United States personnel at extreme risk,” the Act states, in a presumed reference to the Snowden disclosures. “The majority of the information compromised relates to the capabilities, operations, tactics, techniques, and procedures of the Armed Forces of the United States, and is the single greatest quantitative compromise in the history of the United States.”

The Secretary of Defense will be required to report on changes in policy and resource allocations that are adopted in response to significant compromises of classified information.

The defense authorization act does not address irregularities in the classification system, such as overclassification or failure to timely declassify information.

It does call for additional reporting on the Department of Defense “insider threat” program (Sec. 1628), and on “the adoption of an interim capability to continuously evaluate the security status of the employees and contractors of the Department who have been determined eligible for and granted access to classified information.”

By definition, this continuous evaluation approach does not focus on suspicious individuals or activities, but rather is designed to monitor all security-cleared personnel.