SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2008, Issue No. 102
October 23, 2008

Secrecy News Blog: http://www.fas.org/blog/secrecy/

Support Secrecy News:
http://www.fas.org/sgp/donate.html

INSPECTOR GENERAL CONFRONTS OVERCLASSIFICATION

Executive branch agencies often classify information inconsistently or unnecessarily. But when challenged, they will sometimes modify their practices.

These elementary but important facts were illustrated recently by Justice Department Inspector General Glenn A. Fine, who described the process by which his office's investigative reports are reviewed by agency officials prior to release.

"We have seen a lot of times where [agency officials] said, well, that is too sensitive, that is classified, and then we will look and in another forum they have publicly released it," Mr. Fine said at a recent congressional hearing.

"I have been in situations where the FBI told me you can't say that, that is classified. I said okay. And then a week later, an FBI employee will come [to Congress] and say the same thing. And I say to myself why can't we say it if they can?"

"A lot of times FBI will give a report to one person and they will say this is classified, and then the FBI will give it to another person and different amounts are classified," Mr. Fine said. "It is not a precise science."

"I have to say, this is not just restricted to the Department of Justice," concurred Rep. William D. Delahunt, "it is throughout the executive branch.... I have seen what you just articulated happen time and time again."

"It is my own belief that the classification process has become a tool, if you will, for the avoidance of embarrassment," the Congressman said.

The good news is that, at least at the Justice Department, the Inspector General does not simply yield to the whims of the classifiers, but insists on a sensible rationale for secrecy.

"We push for explanations to make sure that it [classification] is not being used as a way to avoid embarrassment," Mr. Fine said. "And I think generally, in our case, we have been pretty successful."

The relative success of Mr. Fine's office in limiting classification of Inspector General reports points to an untapped opportunity for curtailing overclassification more broadly. That is, agency inspectors general could be assigned to conduct regular audits of classification activity and to "push for explanations" of dubious secrets.

The inspectors general are already on site throughout most of the executive branch and they have the security clearances they need to get the job done (though in some cases they may lack adequate funding for this and other purposes). They could provide an enormous force multiplier for the small staff of the Information Security Oversight Office, which is nominally responsible for classification oversight government-wide. If the classification system is worth fixing, the Inspectors General could have an important role to play.

Mr. Fine's remarks on classification appeared in a newly published hearing record entitled "City on the Hill or Prison on the Bay? Part III: Guantanamo--The Role of the FBI," House Foreign Affairs Committee, June 4, 2008 (at pp. 28-29):


DOD FAILS TO CONTROL "CONTROLLED UNCLASSIFIED INFO"

Pentagon officials say that the Department of Defense and its contractors are failing to adequately protect "controlled unclassified information" (CUI) that may have significant military or technological value to adversaries or competitors.

"Simply stated, hostile actors can exfiltrate large volumes of unclassified program information in a single attack that can potentially net enough information to enable adversaries to narrow a capability gap," according to a recent Army information paper (marked "for official use only").

Digital information in the hands of Defense Industrial Base (DIB) contractors is said to be particularly vulnerable.

"Exfiltrations of unclassified data from DIB unclassified systems have occurred and continue to occur, potentially undermining and even neutralizing the technological advantage and combat effectiveness of the future force," the paper stated.

See "U.S. Army's Concerns with Protection of Controlled Unclassified Information," August 15, 2008.

The paper was obtained by Inside the Army and first reported in "Army Cyber Task Force To Manage Growing Industrial Espionage Risk" by Daniel Wasserbly, Inside the Army, October 20, 2008.

A similar concern about protection of controlled unclassified information was expressed last month by DoD Chief Information Officer John G. Grimes.

He reiterated "the importance of properly protecting controlled unclassified information placed on information systems connected to the Internet, especially those that use file transfer protocol (FTP), peer-to-peer (P2P), and other protocols that are inherently insecure and pose significant security risks."

"DoD is currently hosting thousands of such sites and, in spite of previous direction, far too much CUI data is still publicly available from these DoD sites," he wrote.

The Grimes memo was first reported by Sebastian Sprenger in Inside Defense on October 22. See "Protection of Controlled Unclassified Information on DoD Information Systems Connected to the Internet," September 22, 2008:

The Department of Defense Inspector General recently reported that defense contractors had failed to properly manage, recover or revoke thousands of Common Access Cards that permit the holder to access controlled defense information on DoD information systems.

This presents "a potential national security risk that may result in unauthorized access to DoD resources, installations, and sensitive information worldwide," the DoD IG said.

See "Controls Over the Contractor Common Access Card Life Cycle" (large pdf), DoD Inspector General, October 10, 2008:

Among other things, a failure to reliably protect restricted information that is unclassified produces an undesirable incentive to classify such information.


IN OTHER NEWS

"Why are Docs From the Bailout Being Redacted?" by Ben Protess, ProPublica, October 22:

"U.S. Army delays, alters medical studies under little-known scientific censorship program" by Bryant Furlow, EPINews, October 21:

"GeoEye's New Satellite Offers Unprecedentedly Sharp Images" by William Matthews, Defense News, October 20:

"IG: Army is lax in overseeing issuance of contractor ID cards" by Bob Brewin, Government Executive NextGov, October 16:

******************************

Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists.


Secrecy News is archived at:
      http://www.fas.org/sgp/news/secrecy/index.html
