" James J. Bagley

reposted with permission from
NCMS Viewpoints, Vol. 1, 1993
a publication of the National Classification Management Society

The need for controls on the dissemination of unclassified information and technical data is not new. This nation has made efforts to control its unclassified official information for many years. Even George Washington had problems protecting it. The battle over whether to release information, on the one hand, or to withhold it on the other, continues to rage.

I have long contended that the control of unclassified Government information is the most critical problem we now have, or will have in the future. I first expressed this view during my talk in 1967 at the third annual NCMS seminar, an event also marked by a keynote address given by Congressman John E. Moss, father of the Freedom of Information Act signed by President Lyndon B. Johnson on July 4, 1966.

Many readers remember the classic Abbot and Costello baseball comedy routine:

"Who's on First, What's on Second, and I Don't Know is on Third." One biographer called it "Abbot and Costello's immortal confrontation with the laws of logic." And that also characterizes the story of unclassified Government information: a confusing confrontation with logic--or illogic, if you prefer.

In this article I will try, and try is the operative word, to give you a flavor of the logic of chaos, because that describes the situation concerning unclassified official information--pure chaos. Whether deliberate or not, you can make your own judgement, but chaos it is.

I begin with basic definitions of unclassified official and classified information and give origins of the debate over the need to control unclassified information. Next, I present definitions for several other related terms, and propose adopting a pair of descriptive terms by adding modifiers to "unclassified" for the sake of clarity.

Next, I will explore the effects of the definitions on several organizations involved in international trade.

Then, in the context of current world trade and political realities, I discuss what is at stake and the U.S. role in unclassified technology transfer.

Last, I throw it all up in the air and say "I Don't Know." Perhaps this approach offers the possibility of moving our discussion from a state of pure chaos to controlled confusion. Finally, I will offer some suggestions.

Basic Working Definitions

Unclassified is a security classification assigned to official information that does not warrant the assignment of Confidential, Secret, or Top Secret markings but which is not publicly-releasable without authorization.

Classified information is defined in PL 96-456, the Classified Information Procedures Act:

This definition is identical with one proposed in the draft National Industrial Security Program Operating Manual (NISPOM), except that the latter does not include the words "or regulation." By adding those two words, one could argue that PL 96-456 gives us a statutory, as well as an executive, basis for the classification of U.S. information. We could thus resolve the longstanding debate as to whether the classification system has a basis in law.

Prior to 1953 the U.S. employed a Restricted classification that applied to information withheld from public dissemination. It was cancelled with the issuance of Executive Order 10501 on November 5, 1953.

Despite the cancellation, many people inside and outside Government expressed concern about the tremendous effort being made by the Soviet Bloc to collect U.S. industrial and military information. This concern led to the establishment of the Office of Strategic Information (OSI) in the Department of Commerce to provide a central Government office to work with the business community in voluntary efforts to prevent the loss to foreign interests of unclassified strategic data. It was aimed primarily at protecting defense information of the United States. The OSI did not stay in operation very long--it was disestablished in 1957. Note the word "voluntary" in its mission. This was not a sufficient statutory base to limit dissemination of some technical information.

A few years later, in 1960, the House Committee on Government Operations issued a report citing 842 Federal statutes controlling Goverrunent information. The study leading to publication of the report is still pertinent because it led to this finding:

So, what's new?

Still later, on January 10, 1963, the President's Science Advisory Committee concluded that:

In 1966 there was an important event, one that still stimulates debate as to its impact on the national security. That was the passage of the Freedom of Information Act (5 USC, 552 (b)). I will discuss it further later in the context of limitations on public release.

Considerable pressure, much of it political, was brought to bear and the Congress recognized the need to define terms and develop a statutory basis for exempting certain unclassified information from automatic public release. The question at issue was at once both simple and profound:

Many people took the position in 1966 that declassification equals public release. The debate on that point is historic and endless, continuing today even in the face of numerous statutes which limit or control the dissemination of unclassified data and information. A recent example is the article entitled "The Perils of Government Secrecy" published in the Summer 1992 edition of Issues in Science and Technology magazine.

I have always believed that this debate is healthy. It resembles and extends another closely-related debate about whether there is too much classified information. I firmly believe that any original classification authority or releasing official must have a solid justification for classifying, limiting dissemination, or withholding information. Furthermore, any decision to restrict the dissemination of or to withhold information from public release must be made by an official with authority and be time limited.

In the late 1960s Congress charged that the Department of Defense (DoD) was releasing too much unclassified but critical or sensitive information to the Department of Commerce's National Technical Information Service (NTIS) via the Defense Technical Information Center (DTIC). In 1970 the DoD Director of Research and Engineering established a DoD committee to approve or disapprove the transfer of reports from DTIC to NTIS. I was the chairman of the committee as well as the DoD and Navy representative. The committee had the authority to prevent document transfers and to question the military commander or civilian director why his organization had authorized the release of a particular item to NTIS, that is, to the public.

Our procedure was to call the official and ask him why he had released "Report X." Obviously, he often could not justify the action, but he usually went on the offensive, asking who we were to question his judgement. Our response was to ask him whether he was prepared to defend his decision to his agency as well as to the Secretary of Defense. This approach did get the official's attention. Over time there was a considerable reduction of critical information being released via NTIS. I recommended that our committee be disestablished in 1975.

During this time one vaguely-defined question continued to nag us:

The question caused us to focus on the distinction between technical information and technology. There has long been confusion as to what unclassified technical information or technology should be controlled. Resolving this conundrum hinges upon explaining the difference between research and development, test and evaluation, and other efforts that are the precursors to production.

Fred Bucy, then president of Texas Instruments, took the lead in advocating that technology, and not the broader research and development information, must be controlled. His advocacy led to codification of that distinction in law and regulation in what is now called the Militarily Critical Technologies List. Next, Congress passed a law to control unclassified controlled nuclear information (UCNI) originated by the Department of Energy. Later, another law exempted DoD UCNI from release under the FOIA.

Technological information is identified as a separate category of unclassified information. It is generated during exploratory development, advanced development, and test and evaluation.

Note that the term research does not appear in this definition. Research produces knowledge, which, in turn, creates the need for development and technological information. Development also produces knowledge that can be applied to a specific defense problem or other defined need.

Other statutes added to our understanding and confusion about unclassified official information:

As you can see, we are awash in definitions. If you are not already confused, you should be.

Examples of Limitations on Unclassified Information

(Figure 1)

Proposed Descriptive Terms for Unclassified Information

It may surprise some readers to learn that the DoD has no official definition of Unclassified in DoD Regulation 5200.1-R (Information Security Program Regulation), DoD Manual 5220-22-M (industrial Security Manual for Safeguarding Classified Information), or DoD Directive 5220.22 (DoD Industrial Security Program). The initial draft NISPOM sets forth a proposed definition that, to me, is misleading. So, to make discussion clear, I will use several old terms which modify Unclassified. The distinction shown here is currently out of fashion, but I believe that it is still useful.

Unclassified-Unlimited: Approved for public release.

Unclassified-Limited: Information exempt from public release by the Freedom of Information Act or other statutory authority. Figure 1 (above) gives examples.

A DoD directive issued in 1970 established distribution limitations on technical reports which used the term. Unclassified Unlimited applied to information which was approved for public release by competent authority--an individual or organization authorized to release the information to the public, whether foreign or domestic.

Unclassified Limited meant that some official reason supported withholding information in technical reports from public release without approval by appropriate authority. The directive also provided reasons why a report should not be released to the public except upon approval by the contracting agency. The current directive that governs distribution limitation for technical reports is DoD 5230.24, Distribution Statements on Technical Documents.

Many people overlooked a caveat in the 1970 directive warning against applying distribution statements on technical reports resulting from technical work on approved and funded technical intelligence, cryptology, communications security, and logistics documents.

The 1987 edition of the DoD directive broadens the areas of limitation and applies to "newly created technical documents generated by all DoD-funded research, development, test and evaluation programs".

As previously, the recent edition avoids applying distribution statements to documents containing cryptographic and communications security, electronic intelligence, and so on.

Freedom of Information Act (5 USC 552) (b)

(Figure 2)

(b) This section does not apply to matters that are -
(1) specifically required by Executive Order to be kept secret in the interest of the national defense or foreign policy;
(2) related solely to the internal personnel rules and practices of an agency;
(3) specifically exempted from disclosure by statute;
(4) trade secrets and commercial or financial information obtained from a person and privileged or confidential;
(5) inter-agency or intra-agency memorandums or letters which would not be available by law to a party other than an agency in litigation with the agency;
(6) personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy;
(7) investigatory files compiled for law enforcement purposes except to the extent available by law to a party other than the agency;
(8) contained in or related to examination, operating, or conditional reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions;
(9) geological or geophysical information and data, including maps, concerning wells.
(c) This section does not authorize withholding of information or limit the availability of records to the public except as specifically stated in the section. This section is not authority to withhold information from Congress.

Freedom of Information Act (FOIA) Limitations

Almost everyone in this country knows about the FOIA as one of the most common reasons for limiting access to unclassified official information. Whether or not one agrees with the Act, it is the law of the land. It has been amended over the years as justifications for new exemptions were accepted.

Today, the problems we face in controlling Unclassified-Limited information are enormous. This state of affairs exists because declassification efforts have not kept pace with public pressures to declassify more information, and because the Government has failed to take the next step in reviewing unclassified information for public release.

Many legislative or regulatory authorities exist restricting dissemination of unclassified information. Figure 2 displays a number of the well known exemptions from public release, and the basis for them. While the list is not exhaustive, it does suggest the desire to prevent public access to certain unclassified official information.

Complications Deriving from Global International Business

There are hundreds of international agreements that involve the exchange of unclassified official U.S. information: Government to Government, Government to Government with industry participation, and industry to industry agreements.

Most security specialists are acquainted with the North Atlantic Treaty Organization and agreements among its 16 members to protect classified information. Additionally, the Coordinating Committee for Multi-lateral Export Control (COCOM), Australian Group, and Missile Technology Regime illustrate U.S. Government commitments with foreign governments to control certain unclassified information.

Not all such agreements take the form of treaties. There are also memoranda of understanding (MOU) with other governments, with and without industry participation; MOUs between the U.S. Government and foreign companies; and bilateral and multilateral ventures with foreign governments.

Industry, whether defense or commercial, or both, is global. That is a fact. Furthermore, such interaction with foreign entities has grown rapidly and is expected to continue to grow. The U.S. does not dominate unclassified (or classified) technology. In fact, it is fair to conclude that the U.S. is not capable of dominating the world technologically.

If we look at Operation Desert Shield/Storm as the most recent example, we see a multinational force that worked together, fought together, and operated together. Its national components communicated with each other, conducted a combined command and control system, and operated a common identification friend or foe warning system. They did this on land, on the sea, and in the air. That is the wave of the future.

Future operations will be combined operations, conducted with other nations regardless of whether the U.S. is the lead nation. Let us also remember that in Operation Desert Shield/Storm the U.S. citizen military reserve forces played a critical assistance role, which I will discuss later.

There is also a popular misconception that memoranda of understanding/agreement (MOUs/MOAs) cause the loss of technology. This is simply not true. MOUs contain provisions for the protection of classified and unclassified information, trade secrets, proprietary information, and bid packages. I quote from a recent report by the General Accounting Office:

Because of its concern about the problems of fairness in defense, the NATO partners are considering a NATO code of conduct in defense trade which sets out a moral and political, rather than a legally binding, commitment by members of the alliance to improve the fundamental conditions of defense trade. There is a need for a coherent U.S. policy on exports. A statement by the Director, International Trade and Finance Issues of the General Accounting Office observed that:

Only recently has the U.S. State Department issued a directive to its foreign missions to encourage and assist U.S. businesses.

Here we are, U.S. industry is falling behind in its ability to be competitive in many areas of technology. Foreign involvement is vitally important. Foreign companies are not always the bad guys. They provide many of the items needed to remain productive. Remember that we can no longer dominate technology.

It is fair to say that the U.S. has dominated militaey technology from World War II up to the recent past. But the U.S. has depended on foreign participation in armaments throughout our history, and today that is true more than ever before. So we must accept the fact of foreign participation in armaments.

It is equally fair to say that foreign components exist in practically all our major weapons systems. This is true in much the same way as foreign components exist in U.S. automobiles. Regardless of what politicians or car makers may say, there is no such thing as a purely U.S. automobile. Figure 3 shows other recent examples of U.S.-foreign collaboration.

Examples of Recent U.S. Foreign Collaboration

(Figure 3)

1. U.S. Air Force to Examine Feasibility of F-22 Exports (Defense News, June 22-28, 1992)
2. G.E.-Led Consortium Torpedo Study-U.S.-UK Ship Torpedo Defense Project (DefenseNews, June 8-14)
3. U.S. Cuts Spur Sonobuoy Firms to look Overseas (Defense News, June 8-14)
4. ITT, Harris Join BAe to Bid for Bowman (Battlefield Radios) (Defense News, May 18-24)
5. U.S., Germany want Ex-Soviet Nations in COCOM (W.P. , May 31, 1992)
6. United Technologies, Siemens Reach pact (Defense News, March 30-April 5,1992)
7. LTV Aerospace, Inversa (Spain) Reach Pact (Defense News, March 30-April 5, 1992)
8. Lucas Aerospace (UK) GE, Ink Pact for Huey Gearboxes (Defense News, March 16, 1992)
9. When Corporate Lab goes to Japan (Eastern Kodak to Japan) to Conduct Research in Japan and Transfer Method to U.S. (NY Times, April 28, 1991)
10. Technology Forecast Post 2000 System Concepts, R&D Programmes and Key Technologies for the Security of Europe in the Coming Decades (NIAG - D (92) 1, Feb 1992)
11. Navy Hopes to Sell Europeans on Worldwide ASW Plan (Defense News, June 24, 1991)
12. Fujitsu Takes 44 PCT in Silicon Valley Company (W.P., August 29, 1991)

We Will Need to Exchange Information in the Future

The U.S. economy depends on foreign investment to operate. Much of the U.S. deficit is the result of borrowing from foreign investors. U. S. business depends on foreign banks for working capital, a fact that the DoD and the Defense Investigative Service have only recently become aware of. The U.S. dollar is cheap, and U.S. labor rates are among the lowest in the industrial world.

Why should foreigners steal U. S. technology? True, some countries are making the effort. But the industrialized nations are not the primary culprits. It is primarily third world countries that want and need U.S. technology--Saddam Hussein being a notorious case in point. It must be said, however, that many of the U.S. technology transfers were legal. The industrialized countries compete among themselves, and will go pretty far to get a sale, as "Ill-Wind" demonstrated. Finding out the plans, programs, and cost factors of competitors is merely good business. The U.S. is not without sin. We do, however, draw the line at bribes, as many malefactors have learned the hard way.

Why should foreigners steal from the U.S., when we do not lead in developing technology, especially when one looks at the rating sheets for critical technologies? Obviously, there are areas where the U.S. is ahead, such as software development and basic and applied research. But we do not lead in robotics, even though the principles were developed in this country. We do not lead in quality control, even though quality control principles originally were developed in the U.S. We do not lead in manufacturing technology. Unfortunately, we develop but we fail to fund long term investment in new ideas.

The point is, we are the idea people, the intellectual entrepreneurs, but we do not back risky development. And we even shun the vast amount of Japanese technology that is available. A National Security Council director for Asian affairs said recently that "the U.S. has not been active in pursuing Japanese technologies." Are we seeing an epidemic of the N.I.H. (not invented here) syndrome?

Up to now, our universities have been the best. But how long will that continue when our primary and secondary schools are in their current condition.

Can and Should Technology be Controlled?

Frankly, I take a simplistic approach to control. If research, regardless of the type, is bought and paid for, the payer has the right to control distribution of the results. Therefore, distribution can be controlled by the owner of the information. Note that I am not talking about shared ownership, patents, or licensing here; that is another issue that deserves to be addressed separately.

The issue is whether it is worth the time, money, and effort to control research for a given technology. Thus, the questions to be answered include the following:

What I am proposing is that, at a critical point in a project, we make an assessment to determine project effectiveness.

Obviously, every scientific and technical discipline is different. However, all must be examined critically at pre-determined check points. After all, projects must be funded; research and development is expensive; and money does not yet grow on trees.

The Threat -- A Personal View

Having been involved in the technical assessment on a world-wide basis for many years, and having been an active participant in the development of many of the control programs that are now in effect, I feel qualified to pontificate:


Yes, you. You are developers and implementers of policy, such as it is. But what have you done? Do you know the effects of your orders? Do you know what is going on at the next desk, the next office, or the other offices in your organization involved in the technical information process? Do you assume that if it is unclassified it is unimportant?

Do you know the laws on the books and the relation of those laws to your work? Can you make a judgement whether there is a justification to approve or deny a license application? Or whether to classify or not classify information? And do you know or are you aware of which company is doing what? Whether the end-user of the information is a good guy or a bad guy?

Here is an example from the public domain: The developer of the Iraqi long range rifle, parts of which were made in the U.K., was one Dr. Bull, an artillery specialist, a U.S. Government employee, who in the 1960s was working in a program with Canada to use a 16 inch rifle as a satellite launch vehicle. And this was long before he proposed a long range rifle to the Iraqis.

Unclassified information is your most important product. If it is worthwhile to fund a program, the results should be protected for as long as it is economically practical and feasible.

There are many impractical and unrealistic regulations and laws in effect to control information. And there is little real oversight. Unclassified technical information is the most critical. However, there is so much confusion on the issue that there have been few efforts to bring the subject under control. And there is still too much information that is classified, and the costs of protecting it are horrendous.

If you will examine carefully the list of existing directives, you will note that there is little effort to control basic research and applied research, whether in universities or in Government laboratories. Apparently, little effort has been made to establish a review mechanism, even though the research has been funded for a military purpose. After all, prior review is a "grievous sin." On the other hand, there is the example of total control, which generally does not work, either.

You will note that I have not discussed the differences between "secrecy" and "privacy" because they are difficult and contentious subjects unto themselves. Nor have I discussed "patents" and "patent secrecy," other subjects covered under Title 37, Code of Federal Regulations which need attention.

For you, the days ahead will not be easy. You will be faced with enormous demands from industry and the public to downgrade, declassify, and release to the public the mountains of classified information originated by the Government and contractors which has been ignored for many years.

I offer these points as guidelines for your deliberations:

In the final analysis, however, international cooperation is a fact of life, a fact that will continue to grow as far as we can see in the future. Donald Atwood, Deputy Secretary of Defense, made this clear in a speech in January 1992:

Note also that joint programs will not be limited to NATO partners, but will be extended to U.S. allies in East Asia, and perhaps elsewhere.

Figure 4 summarizes international cooperative activities that have expanded greatly in the past, and will continue to grow.

Summary of International Cooperation Activities

(Figure 4)

You must face the security challenge that international cooperation presents. You have the means, but need the will. There are enough laws and regulations now in effect. Enforce them, or cancel them. You must be able to make clear, rational decisions based on fact, not myth. Base your decisions on a knowledge of what is important and why, of where the U.S. fits in each technical and manufacturing discipline. Remember also that companies must know in detail why an export is denied. Pious statements such as "Trust us, because we cannot tell you" will not suffice. They simply will not fly. There must be valid, provable reasons why dissemination is denied. And you must know what should be protected, why it should be protected, the level of protection, how to protect it, and for how long.

My greatest gripe is that the Government does not comply with its own rules. There is no information security program that works. Government personnel are the principal violators of security regulations, and have done the most damage to the national security. Government personnel have committed most of the crimes. Government operates a two-track regulatory system:

"Do as I Say, Not What I Do"

There must be greater cooperation between Government and industry for the national good. No longer can it remain "Us" versus "Them." Unlike the old days, Government can no longer by itself build a ship, tank, airplane, or other platform. It must and does depend on industry. And Government must wake up to the face that this partnership, so called, is more like 51-49 and not 80-20.

On the other hand, industry must accept the fact that Government is the classifier. The intelligence producer must, under our laws, be number one. Like the old adage about the "Golden Rule," he who controls the purse controls the action.

I want to end on an optimistic note:

So, this is the end of my sermon. I would be delighted to hear contrary views, and to be proven wrong on any point.

James J. Bagley is one of the NCMS founders. He retired ftom the Navy and now is President of R. B. Associates.