When government officials consider whether to classify national security information, they should not aim for perfect security, according to new guidance from the Office of the Director of National Intelligence. Instead, classifiers should seek to limit unnecessary vulnerabilities, while keeping broader mission objectives in view.
“A Risk Avoidance strategy — eliminating risk entirely — is not an acceptable basis for agency [classification] guides because it encourages over-classification, restricts information sharing, [and] hinders the optimal use of intelligence information in support of national security and foreign policy goals,” the ODNI document said.
Rather, “All agencies should reflect in their classification decisions a Risk Management strategy — mitigating the likelihood and severity of risk — in protecting classified information over which they have [classification authority], including clear descriptions in their classification policies of how the strategy is used when making classification determinations.” See Principles of Classification Management for the Intelligence Community, ODNI, March 2017.
This risk management / risk avoidance dichotomy in classification policy has been batted around for a while. It was previously discussed at length in in the thoughtful but not very consequential 1994 report of the Joint Security Commission on Redefining Security in the post-cold war era.
“Some inherent vulnerabilities can never be eliminated fully, nor would the cost and benefit warrant this risk avoidance approach,” the Commission wrote. “We can and must provide a rational, cost-effective, and enduring framework using risk management as the underlying basis for security decision making.”
In short, it is only realistic to admit that some degree of risk is unavoidable and must be tolerated, and classification policy should reflect that reality.
But the risk management construct is not as helpful as one would wish. That is because its proponents, including the Joint Security Commission and the authors of the new ODNI document, typically stop short of providing concrete examples of information that risk avoiders would classify but that risk managers would permit to be disclosed. Without such illustrative guidance, risk management is in the eye of the beholder, and we are back where we started.
Meanwhile, there is persistent dissatisfaction with current secrecy policy within the national security bureaucracy itself.
Classifying too much information is “an impediment to our ability to conduct our operations,” said Air Force Gen. John Hyten of U.S. Strategic Command at a symposium last week (as reported by Phillip Swarts in Space News on April 6).
“We have so many capabilities now,” Gen. Hyten said. “There are all these special classifications that I can’t talk about, and if you look at those capabilities you wonder why are they classified so high. So we’re going to push those down.”
Americans are paying too much for almost everything, because the United States has long treated its trucking industry as an artifact to be preserved rather than as an opportunity for innovation.
These ideas aim to advance the detailed policy solutions needed to foster public trust and implement fairness in the adoption of AI across diverse domains, from healthcare and government benefits to rural access, education, and worker protections.
The evidence is clear: algorithmic pay-setting is established in app-based work, and payroll/timekeeping failures show how software can produce systemic wage harm at scale
While a few states have taken steps to implement decision-making mechanisms for certain AI systems, too many leaders are simply accepting narratives about AI’s purported public benefit at face value – jumping to the “how” of AI implementation before thoroughly vetting potential systems and deciding whether they are appropriate to use at all.