THREAT ASSESSMENTS - THE BASIS FOR SMART SECURITY DECISIONS
Asleep at the Wheel
While our broad national security agenda helps set the stage for determining what to protect, the actions of other states and individuals define more precisely where security must be focused. The Commission has frequently been reminded that the United States is the single biggest intelligence target in the world. Traditional, long-range intelligence threat predictions are now of reduced value in a world of evolving alliances and volatile political, socioeconomic, cultural, and regional crises. (Footnote 10) Threats must be reassessed frequently. The Commission found many instances, discussed throughout this report, where security countermeasures currently employed appear to be excessive in terms of the threats or are not linked to threats at all.
A critical element necessary to make smart security decisions is reliable, usable intelligence data defining the threat. Currently, there are efforts underway in the Defense and Intelligence Communities to incorporate threat assessments when developing security policies. For example, the DoD's Acquisition Systems Protection Program (ASPP), designed to protect leading-edge technology, calls for incorporating threat assessments in each phase of advanced weapon systems development. Defector information and espionage lessons learned are taken into account in updating personnel security procedures. Physical and technical security policies and countermeasures, traditionally based on vulnerability assessments, are now being developed using threat information. As a result, security policies are being revised and dramatically changed. The Commission applauds these efforts.
However, getting from the Intelligence Community (specifically the counterintelligence organizations) the threat information necessary to support coherent, risk-based security countermeasures policies, military operations, and industry is an ad hoc rather than a systematic process. In the absence of access to threat assessment information, security policies have been based on risk avoidance, constrained primarily by the availability of resources.
The reasons for the failure to incorporate intelligence and counterintelligence information into security policies are numerous. Traditionally, the intelligence and counterintelligence communities have been separate and distinct from their security counterparts. Intelligence and counterintelligence activities are discrete programs where budgets are built and justified in terms of collection and production against specific targets. Security programs, on the other hand, are normally funded from base operating or administrative funds of various agencies and are difficult to link to specific programs. These programs and funds, when accounted for at all, generally have not had to face the scrutiny of cost-risk analysis (with some individual exceptions).
Security officials do not always know how to task the Intelligence Community for threat information. They have neither the necessary clearances and contacts within the Intelligence Community nor an understanding of the contribution that intelligence producers can make. The counterintelligence community, for its part, focuses on its mission of conducting investigations and collecting, analyzing, and exploiting information to identify and neutralize the intelligence activities of foreign powers that adversely affect US national security. Yet the security policy community has not been viewed as a primary customer. Consequently, intelligence and counterintelligence requirements are not defined to support rational security decision making. The Commission believes that the security community must work closely with the National Advisory Group for Counterintelligence and the newly appointed Issue Coordinators to develop collection and production strategies that address security consumers' needs.
When security officials do task for threat information, support is not always timely and frequently is overclassified. Department of Defense customers often wait months while counterintelligence requirements are forwarded through several operational levels for approval, and to service headquarters elements for validation. The requirement is then forwarded to analysis centers for drafting, which requires an additional 120 days. Some DoD personnel reported to the Commission response times longer than a year for critically needed requests. Roadblocks are also encountered if classified information needs to be disseminated in an unclassified form. The counterintelligence community seems unable to provide unclassified analyses.
One senior DoD official requested an unclassified report to use in a contractor security awareness briefing. The report arrived six months later, stamped "Secret, Not Releasable to Contractors."
In the absence of a comprehensive threat assessment process, some security organizations have performed their own. The Air Force's Special Access Program (SAP) has created dedicated analytic cells to provide timely assessments. Air Force SAP intelligence specialists directly contact the scientific community and perform independent assessments on cutting-edge Air Force technologies and developmental weapon systems. Navy and Army SAP programs draw upon cleared service analysts. Not possessing a cadre of analysts, DoD field elements postulate the local threat using worst-case scenarios until finished assessments arrive. This results in employing stringent, expensive countermeasures to prevent the loss of critical technologies information. The field elements note that when the much-awaited reports do show up, they are either too general to be applicable, or they contradict other services' or the Defense Intelligence Agency's assessments, often regarding the same technology.
A DoD program manager requested an assessment of the foreign intelligence threat to a city, with particular emphasis on whether there was targeting of the advanced technology system that was being developed at a facility. Eighteen months later, the program manager received from one DoD element an assessment, stating that the threat to his area was low, with no particular foreign interest in the technology. Another DoD element had already informed him, six months earlier, that there was an established, aggressive foreign intelligence collection program targeting the developing technology.
There is a schism concerning threat information between security policy officials and the Intelligence Community that widens greatly when it comes to a supportive relationship between counterintelligence organizations and security professionals. At the national level, counterintelligence funding is under the purview of the DCI's National Foreign Intelligence Program. But the counterintelligence community is a loose confederation of separate activities held together by budgetary convenience, not centralized management. The five major counterintelligence organizations (FBI, CIA, Army, Navy, and Air Force) can work together collegially, but frequently strike out on their own. Some of these organizations have difficulty identifying their customers. Indeed, one senior counterintelligence official points with pride to the fact that "we (counterintelligence organizations) are our own best customer." Counterintelligence information is collected, analyzed, produced, and disseminated separately from normal intelligence channels. Critics charge that this process ignores national strategy and policymakers' needs.
This fragmented counterintelligence organizational structure has also created large gaps in knowledge. For example, there is no common counterintelligence data base, either within the Department of Defense itself or among the counterintelligence organizations generally, from which threat assessments might be drawn. This shortfall may contribute to the difficulty counterintelligence organizations have had in supporting clearly defined customers, like the National Industrial Security Program (NISP). Despite two years of work by counterintelligence representatives within the NISP, no mechanism was created to communicate threat data to industry.
For senior policymakers, while there is an interagency coordination process to support them, the products fall short. National counterintelligence assessments, such as the "Winds of Change" and the "Triennial Threat Assessment of the Foreign Intelligence Threat and Effectiveness of US Counterintelligence and Security Countermeasures," need to use more current data, be made more policy-relevant, and provide a clearer picture for the reader. As now written, these assessments do not respond, in a timely manner, directly to national-level requirements, aid resource allocation, or meet the needs of program managers and military commanders. Future editions, if any, require a keen understanding of senior policymakers' requirements and tighter analytic presentation and packaging.
The Commission heard from many individuals within the Department of Defense about the need to streamline the counterintelligence structure, and we understand that the Deputy Secretary of Defense and the Director of Central Intelligence are considering options to do this. The Commission believes such restructuring can bring savings and better service, but we would expand the discussion to include the Attorney General and the Director of the FBI so as to incorporate other major counterintelligence organizations.
A Wake-Up Call
Information about the dangers posed by foreign governments and organizations does not come solely from counterintelligence assets. Much of it comes from human sources or defectors, signals intelligence, imagery assets, our diplomatic corps, and other sources that need to be more actively tasked by security officials. In other areas of intelligence production, consumers have a single place to go for analytic assistance. For example, counterterrorism and nonproliferation consumers have individual points of contact that respond, in a coordinated fashion, to their needs. The DCI's Counterterrorism Center (CTC) and Nonproliferation Center (NPC) personnel reportedly broker timely responses to policymakers' requests. These offices do not compete with established production elements. They serve as facilitators, drawing on information and substantive expertise from within the community.
The Commission recommends that the Secretary of Defense and the Director of Central Intelligence appoint the DCI's Counterintelligence Center as executive agent for "one-stop shopping" for counterintelligence and security countermeasures threat analysis.
The Commission does not intend by this recommendation to create a counterintelligence "czar" or to supplant existing authority for counterintelligence investigations, operations, or the unique, individual analytic efforts in support of specific law enforcement or military operations. Rather, we seek a national-level focal point for threat analysis that is easily accessible by government and industry to support broad security management decisions. This "one-stop shopping" office must operate as a corporate information asset of benefit to all government and industry customers. The Counterterrorism Center customer response office can serve as a model.
While the Counterintelligence Center lacks the expertise in domestic threats that the Federal Bureau of Investigation has, it provides an established, credible intelligence production office with professional analysts able to tap into the full range of intelligence and operational reporting. It also has the most experience in providing analysis for senior policymakers.
However, the Commission notes that the current analytic and community elements of the Counterintelligence Center must expand and change dramatically to include a broader community and industry flavor and to incorporate expertise in the security countermeasures areas that it lacks currently, such as threats to information systems security. The Commission expects that the Counterintelligence Center will draw upon the experience and knowledge of other agencies when preparing responses for risk management decisionmaking and coordinate the products extensively. This includes drawing upon the NSA's and the DISA's ongoing efforts that focus on threats to information systems security. Existing interagency analytic efforts, such as the National Advisory Group for Counterintelligence's Analytic Working Group, will fold into this initiative.
Further, dissemination procedures need to be restructured, allowing customers to pull the information they need from the system, instead of having it pushed to them in restricted formats. Threat information needs to get out to users at all levels in the Defense and Intelligence Communities and in industry.
The Commission is aware of and applauds a recent decision by the counterintelligence agencies to create an interagency data base. However, the data base needs to expand to allow for users with varying classification levels. The Commission also urges the community to take advantage of the counterintelligence data base program now under way within the Department of Defense and ensure that the two data bases are compatible. This interagency data base initiative should be undertaken and a prototype fielded immediately.
The Commission recommends that the DCI's Counterintelligence Center serve as the executive agent to spearhead the rapid creation of a communitywide counterintelligence and security countermeasures data base for government and industry use.