Peter Saderholm, Director, Security Policy Board Staff
Dan Jacobson, Deputy Director, Security Policy Board Staff
Terry Thompson, Security Policy Board Staff Officer
Vicki LaBarre, Security Policy Board Staff Officer
Numerous members of the private sector attended and participated. In all, 23 individuals were present.
General Welch discussed Presidential Decision Directive 29 (PDD-29) as it articulates the role of the SPAB. He presented the objectives of the SPAB which are:
Ms. LaBarre then provided background as to why the SPB has not formed a committee on Information Assurance/Security. While a complex issue, the underlying reason the SPB and the SPB Staff have not been able to move forward in this arena has to do with the discomfort on the part of the civil agencies with the SPB's reporting relationship to the President through the National Security Advisor. There also exists some discomfort with the chair and co-chair residing within CIA and DOD.
Ms. Cindy Conlon, Director, Special Security, Rand Corporation, representing the six MOU's [industry associations that are party to a Memorandum of Understanding], expressed the frustration of industry that there does not yet exist a Chapter 8 of the NISPOM. Ms. Conlon stated that the MOU's believe the policy portion of the IAD could be combined with the industry draft of the performance based chapter to create a new NISPOM Chapter 8--as long as it does not increase security costs or security requirements. She encouraged the SPB to establish a formal schedule with benchmarks so that all, and especially industry, have a target completion date. Ms. Conlon stated the SPB should have the lead in replacing Chapter 8, and that all parallel efforts underway elsewhere should be eliminated. She emphasized that ISWG would like to play an active part in the IAD development process. (See Ms. Conlon's prepared comments.)
General Welch asked for some clarification of Ms. Conlon's comment that industry supports the IAD, save the addition of costs or requirements. He asked if industry believes the current information security systems in place are adequate. Ms. Conlon responded in the negative and asked Mr. Rich Grau to articulate their concerns.
Mr. Grau, Security Director, Rincon Research, explained industry's concerns with the existing version of NISPOM Chapter 8. He described it as inflexible and incapable of allowing for expanding technology. Mr. Grau acknowledged that industry is not omniscient with respect to information systems security, but that the current Chapter 8 is so inflexible that it does not enable them to even explore potential solutions. The drafters of the IAD need to learn from this and not make the same mistake. Moreover, industry is concerned about unforeseen security costs that are not threat based and, consequently, have no real value. Flexibility is a critical element in addressing the needs of both large and small organizations. Industry prefers the IAD to address classified information only, and not have annexes. Mr. Grau concluded that data availability and integrity are of great concern to industry, and both could be adversely impacted by a new layer of security. This additional security stratum ought not to be implemented in the absence of a well-defined and articulated threat. "Show us a threat and we'll protect," was the essence of Mr. Grau's position.
General Welch asked Mr. Peter Saderholm, SPB Staff Director, if a process was in place to address these concerns. Mr. Saderholm advised that the IAD is being drafted in the open with both industry and government. However, it is his educated opinion that those within the government who inspect the requirements may not be sufficiently "cerebral" to operate within flexible guidelines. Mr. Grau echoed that sentiment and explained what is needed is an arbitration board to resolve disputes. Industry would welcome a government entity staffed by personnel knowledgeable of the issues which could provide needed guidance and expertise on information security matters.
General Welch asked Mr. Grau for further amplification of his statement that the current NISPOM is non-user friendly. Mr. Grau responded that the current NISPOM is a reasonably good start but that it requires fixing and we (industry and the government) should sustain our efforts to do so.
Admiral Thomas Brooks inquired as to how many other efforts at creating a new Chapter 8 are underway. Mr. Saderholm described two: a DIS effort in Melbourne, Florida being conducted in concert with Harris Corporation, and the National Reconnaissance Office (NRO) continuing its work toward "freshening up" their ASH 300. Admiral Brooks indicated it doesn't make much sense to have multiple efforts. He asked the industry representatives if the current IAD draft would, in their opinion, create extra burden and cost to industry. Mr. Grau responded that in certain areas the answer is no, while for the protection of SECRET, the answer is yes. Admiral Brooks then asked if industry believes it has had an adequate voice in the development of the IAD. Mr. Grau responded that industry has only one voice out of the 34 voices involved in the process. He also expressed the belief that government representatives don't always grasp the cost issue.
General Welch tasked the SPB Staff to provide the SPAB with a paper on the multiple efforts underway to address Chapter 8 with recommendations as to what needs to occur.
Mr. Gianelli then discussed legal issues associated with the proposed financial disclosure requirement. He stated there may be a possible conflict between the California constitution and the federal requirement. He concluded by stating that industry is opposed to the use of a financial disclosure form. In his judgment, the application of a cost benefit analysis to this issue tabulates greater losses as opposed to gains. He said this is particularly pointless in light of the government's authority to review individual financial records.
General Welch asked if Mr. Gianelli believed there is anyone at Hughes who occupied a sensitive enough position to warrant the completion of a financial disclosure form. Mr. Gianelli responded that candidates for such a requirement may exist depending upon the totality of the context. General Welch then asked Mr. Gianelli if he objected to any level of financial disclosure. He stated he does not unilaterally object to all forms of financial disclosure, but believes that the current proposals push the limits of personal privacy.
Ms. Conlon interjected her belief that all changes should be collaborative and conducted within the SPB process. According to Ms. Conlon, industry does not want to see organizations working outside of process.
General Welch observed that the important goal of reciprocity may cost in the short run, but will save money in the long run.
Admiral Brooks inquired about the proliferation of requirements in the SAP world. Mr. Saderholm responded that only now do we have a sense of how multitudes of SAPs cause a proliferation of rules and regulations. Mr. Saderholm stated the problem lies in that the SAP community has not had trust in the clearances and other forms of security at the SECRET and TOP SECRET collateral level. Once a reciprocally accepted baseline is established, then only unique requirements need be applied by the SAP programs. The SPB Staff has maintained a good dialogue with OSD (Policy) personnel regarding this. It is incumbent upon OSD Policy and the services to demonstrate they are managing these programs in an effective manner. The SAP world contends, however, they are hampered because they are not provided a reciprocally acceptable baseline. Despite that handicap, they are working to enhance uniformity among various packages.
In describing the significant progress made to date, Mr. Saderholm explained that the term "accountability" is gone. However, while accounting for documents is no longer a routine tool, supplemental administrative controls can be applied when physical, personnel and technical security controls are insufficient. Ms. Nina Stewart inquired as to whether accountability is still a factor in inspections. Mr. Saderholm responded that some use of receipts will continue but that the contractor will no longer be required to locate individual documents even for inspections. Ms. Stewart then asked if this was also true for the SAP world. Mr. Saderholm responded in the affirmative with regard to the SCI world, but acknowledged that the issue was still evolving within the DoD SAP world. He reiterated, however, that in both areas the trend is away from document control.
Mr. Saderholm further explained that the new safeguards directive will have standards for open storage construction as well as security in depth. Waivers to the requirement can be made by the program manager with notification to ISOO. General Welch then inquired whether program managers have the authority to waive the reciprocal use of SCIFs. Mr. Saderholm responded that, in the event the manager is waiving the requirement for one SCIF, the answer is yes; if for a group of SCIFs, the answer is no.
General Welch expressed his concern about requirements for buildings containing private SCIFs. Admiral Brooks observed that numerous private SCIFs still exist, but that he believes the situation is improving. This sentiment was echoed by industry representatives in attendance. General Welch expressed some skepticism about actual improvement in the joint use of SCIFs. Admiral Brooks observed that establishing a trustworthy baseline is critical in the hope for improvement in this area.
Ms. Stewart inquired about incorporating FGI [Foreign Government Information] concerns into the Directive and asked how we are addressing these concerns. Mr. Saderholm replied that the US standard will be the starting point for negotiating all new treaties, while the old treaties set the standard until then. Ms. Stewart observed that foreign governments have other concerns and inquired how they are being addressed. Mr. Saderholm replied that he wasn't certain as to the specifics but that those concerns are currently being addressed via the process.
The issue of lockbar containers engendered a great deal of discussion. Ms. Stewart inquired as to why a sunset clause of 1 October 2012 had been established. Mr. Saderholm responded that lockbar safes are not reliable and the government representatives want them culled out. Ms. Stewart then asked if cost had been factored into this decision. Mr. Saderholm responded that any cost data was unreliable in the absence of real threat information. General Welch inquired as to why the DoD sunset clause is for 2002 vice 2012. Mr. Saderholm indicated DoD has been working this issue five years longer than the community. Admiral Brooks questioned whether two standards are advisable. General Welch agreed and observed that DoD needs to work with the community. This question of a sunset clause in 2002 or 2012 must be reconciled and the SPAB feels 2012 is the better option.
Ms. Conlon observed that no cost benefit analysis has been accomplished regarding the elimination of lockbar safes. She termed the new requirement as being "ludicrous" as it is not based upon threat. She advised that security officials stretch credibility when trying to explain to upper management that a lockbar container cannot be replaced with another lockbar container, especially when a lockbar container is $200 and a new safe is $3,000. The SPAB then queried the audience as to the number of lockbar containers currently being used in industry and the results were rather high. One company representative indicated his company still had 6,000 lockbar containers. General Welch then asked who is responsible for this requirement. Mr. Saderholm responded that Congress and government security officials have levied this requirement.
Mr. Thompson then discussed the weaknesses relative to a financial disclosure form. Intrusiveness is the most commonly heard objection and it is perceived by most as self-evidently true that the completion of such a form infringes on privacy. There are absolutely no guarantees that a financial disclosure program will work and catch spies. There is no precedent that can be studied and, consequently, projections of success are only inference. A financial disclosure form is not a lie detector; the filer can merely falsify or omit data and, thereby, defeat the purpose of disclosure. Affluence, whether attained by espionage or other misdeeds, can be concealed; a safe deposit box is but one example of a concealment methodology. A program of financial disclosure would be quite costly and the information collected must be carefully protected with the potential for misuse always present. Lastly, the completion and collection of financial disclosure forms promises to be a tedious process.
Mr. Thompson then discussed the arguments in support of a form. A financial disclosure form may provide a starting point for investigators, much like a Personnel History Statement now functions. Because investigators will have more information, false positive investigations may actually be reduced. For example, should a filer inherit a large sum, his statement to that effect might save enormous investigative efforts that would otherwise be necessary to verify the source of the newfound affluence. This might make the process less invasive. The completion of a form might serve as something of a deterrent to potential wrongdoers. While it is true that cash can be concealed, it is also true that most spies spent the proceeds of their espionage and the purchase of assets is traceable. Finally, the filer's statement might serve as the beginnings of an evidentiary trail should the case go to court.
Ms. Conlon inquired as to who will pay for the program and whether there are sufficient resources within government to analyze the forms once collected. Mr. Thompson responded that it will require the retraining of investigators and adjudicators to appropriately manage the information. Beyond that, the US Government must pay for it.
Admiral Brooks inquired about the use of the current CIA form. Carl Darby, CMS, advised that the CIA forms are being used selectively during the reinvestigation process.
Admiral Brooks then characterized the requirement as "a bureaucratic response that is dumb." He further stated that the government does not appear to have a clear picture of the overall issue. He allowed that the values of assets and accounts change daily. He urged that a financial disclosure program become part of an overall process, not just the composition of a form. Mr. Saderholm responded that the form has not been the sole emphasis; rather, we have been looking at the issue from a holistic view. General Welch observed that monetary values are not required by the President or the Congress. It is the Deputy Attorney General who supports values and those values would not have helped in the Ames case. Admiral Brooks also expressed the opinion that the financial disclosure requirement will upset a great number of honest people who have independent wealth, particularly among senior people in industry. He also indicated a large number of false positives would seem inevitable. Mr. Saderholm interjected that there is little support in the security community for a form; Congress and the White House have mandated it. General Welch countered with the impression that the SPB Staff is proceeding "pell-mell" to develop a form. Mr. Saderholm responded that that is simply not the case. He opined that the CIA form leads many to conclude that a form and a program are already in place for the whole community. Instead, the SPB Staff is exploring all possibilities and the favored option is the expansion and enhancement of the financial aspects of the background investigation.
Ms. Conlon, speaking for industry, expressed the view that there is no support for this requirement and she queried why there has not been a dialogue with Congress on this issue. Mr. Saderholm suggested that there is no will on anyone's part to do so. Admiral Brooks then inquired if there was a way to more carefully divide this issue, i.e., what is the goal and what are the operational means of accomplishing the goal. He then opined that the government simply needs to determine the financial lifestyle of cleared individuals and incorporate that datum into the adjudication. General Welch agreed. He then observed that many people knew Ames had unexplained wealth; they just didn't know how to act upon it. Mr. Saderholm reminded them that government investigative resources have been substantially reduced.
Mr. Grau advised that financial disclosure will cause recruitment problems and this issue needs to be factored into the overall picture. Mr. Darby offered that the credibility of the security professional is also at issue. Progress has been made post-Ames in improving the image of the security officer; however, the financial disclosure process holds the prospect of tainting that now improved image.
General Welch expressed reservation about the flexibility afforded individual agencies in selecting and using an oversight mechanism. The SPAB prefers the IG style oversight or an entirely external mechanism be implemented. Mr. Saderholm will ensure that this sentiment is carried forward in the policymaking process.
The Board also had reservations about lifestyle polygraphs for contractors, particularly as the requirements relate to contractors at the CIA and NSA with staff-like access. The Polygraph Working Group indicated such people should get expanded scope coverage. The Board has questions about the definition of "staff-like access." Are only those with actual access to classified information and computer systems granted staff-like access? The Board would like the term clearly defined. Admiral Brooks related that many contractors working at facilities in the intelligence community have little to no access to classified information yet they are nevertheless required to undergo lifestyle polygraphs. He characterized this as an "absurd utilization of government resources." He further advised that many employees have been waiting a year for their examinations. The Board wants a sharper definition of "staff-like access" and believes that definition should not be just access to a building. Several industry reps indicated CIA still requires an expanded scope polygraph simply for building access.
Ms. Conlon also observed that at no time has industry been involved in deliberations on polygraph matters. She observed that industry is impacted heavily by the requirement and, therefore, needs a mechanism to address grievances. Mr. Saderholm stated the industry representative on the Personnel Security Committee can express their views. He also advised that the polygraph issues are next scheduled for the Policy Integration Committee which also has industry representation.
Admiral Brooks asked that the record reflect that he supports some sort of an appeal mechanism.
General Welch observed that the polygraph is an investigative tool and, therefore, it would be imprudent to train people on how to take a polygraph.
An industry representative inquired as to whether the number of polygraphs conducted by Defense will be increasing. The response was in the negative.
Ms. Stewart inquired as to the number of complaints filed annually with ISOO. Mr. Grau advised that Mr. Steve Garfinkel, Director, ISOO, suggested all complaints go through the parent agency first. Ms. Conlon observed that complaints eventually come through the NISPPAC. Many departments, however, prefer their own implementation, which undermines the effectiveness of the NISPOM. Ms. Conlon again emphasized that, due to resource constraints, the fulfillment of the ISOO mission in this respect is difficult. She cited, for example, the recent ISOO inspection of the Air Force in which ISOO visited the Air Force with three people for two days. According to Ms. Conlon, ISOO resource limitations mandate such abbreviated endeavors and result in minimal productivity.
Ms. Stewart charged the SPB Staff to ascertain the number of complaints that have been filed with ISOO. General Welch directed the Staff to provide a paper on the history and mission of ISOO as it relates to the NISPOM.