SUBJECT: PROPOSED SECURITY CONTROLS ON DEFENSE RESEARCH
(1) OSD Memorandum, "Research and Technology Protection Within the DoD," 25 March 2002
(2) DEPSECDEF Memorandum, "Technology Protection," 17 February 2000
(3) DoD Directive 5200.39, "Research and Technology Protection within the Department of Defense"
(4) DoD 5200.39-R, "Mandatory Procedures for Research and Technology Protection within the DoD"
(5) ASD(C3I) Memorandum, "Research and Technology Protection within the Defense Department," 30 January 2002
(6) National Security Decision Directive 189, "National Policy on the Transfer of Scientific, Technical and Engineering Information," 21 September 1985
BACKGROUND
Enclosure (1) underscores the strong role that technology plays in the nation's defense and economic competitiveness. The memorandum's three signatories (Hon. E.C. Aldridge, Hon. J.P. Stenbit, and Hon. T.P. Christie) therefore resolve to protect U.S. research and technology from America's military adversaries and industrial rivals, and agree to work together to accomplish that goal.
In short, the memorandum expresses a commitment to protect what is critical to national security. It therefore reinforces long-standing national policy that requires the Department of Defense (DoD) to protect research-- when national security requires it-- through the classification process, and to protect technology through a number of means, one of which is classification. The key point in the memorandum is a request that the Office of the Secretary of Defense (OSD) and the Military Departments complete coordination, within 30 days, on two directives sponsored by the Counter-Intelligence (CI)/Security community. Unlike the memorandum, those documents advocate sharp deviations from existing policies.
As currently written the draft directives contradict national policy on scientific information stipulating the use of the classification process when national security requires it. They contradict existing DoD policy that specifically prohibits gathering counter-intelligence "lists" for Science and Technology (S&T) projects. They propose a CI/Security database that duplicates the functions of the Militarily Critical Technologies List, an existing database used extensively by the Defense Security Service's Counter-Intelligence Office to develop its annual threat assessments. And, they create the possibility for criminal sanctions to be brought against individuals publishing unclassified research.
This paper is intended to: (1) help meet the commitment of OSD's tripartite memorandum, (2) assist the CI/Security community in its legitimate and important role to target, collect, and disseminate relevant threat data to appropriate RDT&E facility personnel, (3) correct two misleading inaccuracies that are being used to justify changes in national policy, and (4) ensure that defense S&T will not be harmed by the very measures designed to protect it.
On 17 February 2000, the former Deputy Secretary of Defense (DEPSECDEF), Dr. John Hamre, issued a series of memoranda addressing security and counterintelligence (CI) in DoD's laboratories and Test & Evaluation centers. These memoranda conveyed a number of proposals for improving security procedures. An Overarching Integrated Process Team (OIPT), composed of executive-level officials1, developed the proposals. Dr. D. Etter, the former DUSD (S&T), chaired the group.
1 Dr. A. Michael Andrews, II (HQ Army (SARD-ZT)), Dr. William O. Berry (ARFL/DC), RADM Paul G. Gaffney, II (Chief of Naval Research), W. John Gehrig (DOT&E(R&R)), Mr. Walter W. Hollis (DUSA Operations Research), Mr. David Crane (DODIG/OIR), Mr. Peter Batten (OUSD(P)PS), Mr. Ronald G. Garant (OUSD(C)), Mr. Peter Lennon (USD(AT&L)ARA), and Mr. Bill Leonard (DASD(S&IO)).
One of the actions directed by Dr. Hamre in enclosure (2) was for the Assistant Secretary of Defense for Command, Control, Communications and Intelligence (ASD C3I) and the Under Secretary of Defense for Acquisition, Technology & Logistics (USD AT&L) to create a directive requiring the services to develop "site-specific lists of critical program information for non-Science and Technology (S&T) programs." Critical program information (CPI) is a designator used to control information in some acquisition category (ACAT) programs; therefore, the effect of Dr. Hamre's memo was to expand its use into other ACAT programs and into non-ACAT RDT&E Programs, excepting S&T (i.e., 6.1, 6.2, and 6.3). In short, Dr. Hamre's memo-- from its title to its text-- pertained only to "technology" protection.
The ASD(C3I) has formally submitted two Directives, enclosures (3) and (4), for coordination among the Military Departments and the Office of the Secretary of Defense. Contrary to the stated DEPSECDEF policy, they require that all acquisition programs identify CPI throughout all RDT&E budget categories--including S&T. All non-acquisition activities are required to use a CPI-like designator, called Critical Research Technology (CRT), and likewise apply it to "all seven subcategories of RDT&E" -- including S&T (Encl. 3, p.2). The stated objective is to "protect DoD-funded research and technology." An ASD(C3I) memo, provided as enclosure (5), specifically urges protection "beginning with the idea phase within DoD-funded basic research."
PROPOSED PROCESS FOR PROTECTING RESEARCH
Once a project is designated as CPI, or CRT, specific requirements and procedures become mandatory. For example:
- Any incidents of loss, compromise, or theft of identified CPI or CRT must be reported (Encl. 3, p.4).
- All CRT must be appropriately marked with the following warning (Encl. 4, p. 28):
"This material contains critical research technology as defined by DODD 5200.39. Unauthorized disclosure subject to administrative and/or criminal sanctions (emphasis added). Requires specific formal authorization for foreign dissemination."
- Foreign travel of personnel with access to CPI or CRT must be reported to security and CI organizations (Encl. 3, p.4).
- The ASD(C3I) will maintain a "Horizontal Assessment and Protection Database" that identifies all CPI and CRT requiring protection. Horizontal assessment and protection refers to a process ensuring that research in more than one organization is protected to the same degree by all organizations (Encl. 3, p. 13).
- A Defense Research and Technology Protection Council will provide oversight for seamless integration of CPI and CRT protection within DoD (Encl. 3, p.4).
- DoD Components are required to include appropriate requirements to protect research in external contracts and grants (Encl. 3, p.9), and the Defense Security Service must conduct periodic security assessments at contractor facilities (Encl. 3, p.7).
This last requirement is not trivial because universities, industry, federally funded R&D centers, and nonprofits perform 64% of all DoD-funded research (6.1 and 6.2).2 The actual figure is higher because the DoD laboratories outsource a significant amount of their work.
2 AAAS Report XXVI: Research & Development FY2002
Finally, it should be noted that the CRT designation is applicable to unclassified information. Therefore, these procedures create the possibility for criminal sanctions to be brought against individuals publishing unclassified research, or failing to control it according to the measures prescribed.
ANALYSIS AND FINDINGS
A. THE DIRECTIVES CONTRADICT NATIONAL AND DOD RESEARCH POLICY
Enclosure (6), National Security Decision Directive (NSDD) 189, codifies national policy on the transfer of scientific, technical and engineering information. Research is defined by the 16-year-old policy as basic and applied research (6.1 and 6.2) in science and engineering. It stipulates that,
"where the national security requires control, the mechanism for control of information generated during federally-funded fundamental research in science, technology, and engineering at colleges, universities and laboratories is classification."
In other words, when research requires protection, classification is the only tool permitted by national policy. NSDD 189 endorsed this approach because the strength of American science requires "an environment in which the free exchange of ideas is a vital component."
However, the Directives require that research be protected by means in addition to classification, i.e., the CPI and CRT control procedures. The Directives state that they "recognize the normally unrestricted nature of fundamental research, as identified in National Security Decision Directive 189" (Encl. 3, p.2), and have "implemented relevant portions" of it (Encl. 3, p.1). That claim is misleading because the Directives clearly violate national policy.
Another misleading claim is made by enclosure (5), an ASD(C3I) memo being circulated to justify the controls on research. It states that Dr. Hamre's memorandum (i.e., enclosure (2)) "directed the ASD(C3I), with support from the USD(P) and the USD(AT&L), to revise or create a DoD directive and define a new process or discipline of integrating support for protecting research and technology..." (Encl. 5, p. 1).
But the former DEPSECDEF's statements are very different from those offered by the ASD(C3I) memo. Not only is the word "research" never used by Dr. Hamre, but he specifically excluded S&T from any controls. Quoting from the same source cited by the ASD(C3I) memo, Dr. Hamre in fact stated:
"I direct action on the following initiatives designed to improve technology (emphasis added) protection of acquisition programs...implement a new program of integrated support to tailor technology (emphasis added) protection for individual RDT&E sites, including development of site-specific lists of critical program information for non-S&T (emphasis added) programs."
Recommendation #1. Delete the requirement to protect research outside of the classification process (e.g., eliminate CRT), and reorient the Directives' focus toward protecting critical technologies (as required by enclosure (2)). This would ensure that the Directives are in conformance with national and DoD policy, as well as avoid the possibility of criminal sanctions being brought against individuals publishing unclassified research. This reorientation also raises the option of using the Militarily Critical Technologies List (MCTL) as a vehicle to accomplish the goals of the CI/Security community (see following section).
B. THE PROPOSED ASD(C3I) DATABASE DUPLICATES FUNCTIONS OF THE MILITARILY CRITICAL TECHNOLOGIES LIST
The MCTL identifies emerging militarily critical technologies. In fact, the MCTL process reviewed over 6,000 technologies and identified 2,060 militarily significant technologies that were then entered into the MCTL database. A total of 656 were selected as Militarily Critical. In short, the MCTL process appears to identify the very technologies that the CI/Security community seeks to protect from compromise.
Example. The MCTL identifies "Automatic Target Recognition (ATR) Algorithms" as an emerging militarily critical technology. Two pages in the manual are devoted to explaining the technology, its applications, and why it is important. A worldwide technology assessment is included, which shows the U.S., United Kingdom, Sweden, and France to be leaders, with China and Russia engaging in limited R&D. Finally, a list of countries and their respective organizations conducting this work are identified. The U.S. sites engaged in ATR algorithms include the Massachusetts Institute of Technology, Boeing, Air Force Research Laboratory, Washington University, Naval Research Laboratory, Raytheon, University of Missouri, SRI, Carnegie Mellon University, Lockheed Martin, etc.
The general features of the MCTL process are as follows.3
- The process is a systematic and ongoing assessment of technologies to determine which technologies are militarily critical.
- Technologies are selected by working groups of technical experts from government, industry and academia.
- Domestic performers of the work are identified, including government laboratories, industrial firms, and universities.
- Other countries performing work in the same area are identified and the extent of their work is assessed.
Based on these features, the MCTL process appears to be a cost-effective alternative to the proposed database. In fact, the Defense Security Service (DSS) Counter-Intelligence Office uses the MCTL to compile its annual report, "Technology Collection Trends in the U.S. Defense Industry." Its 2000 report stated that the "DSS documents and reviews foreign interest in U.S. defense technology in categories described by the MCTL."4 Its use by the DSS CI office indicates that the MCTL can likely satisfy the CI/Security community's need to target, collect, and disseminate relevant threat data to appropriate RDT&E facility personnel.
4 Defense Security Service, "2000 Technology Collection Trends in the U.S. Defense Industry," p.4.
However, if the MCTL has inadequacies that lead to doubts about its efficacy, perhaps DoD's resources would be better spent modifying the MCTL process instead of creating a new and duplicative process. Moreover, the avoidance of unnecessary investment costs would meet an objective of the USD (AT&L) Business Initiative Council (BIC), which is to identify and implement business reforms that allow the reallocation of savings to higher priorities.
Recommendation #2. Consider the MCTL as a cost-effective alternative to the proposed ASD(C3I) Horizontal Assessment and Protection Database (HAPD). If the HAPD is already in existence, then evaluate the merits of pursuing its elimination as a cost-reduction initiative under the auspices of the USD(AT&L) BIC.
C. CRT'S DEFINITION IS BROAD ENOUGH TO INCLUDE ALL DEFENSE RDT&E
CRT5 is defined as "RDT&E information identified and prioritized by site directors and managers that may (emphasis added) be important to maintaining the U.S. warfighters' operational advantage when the resulting capability becomes part of a future DoD acquisition program or system." (Encl. 3, p. 12)
5 Before the CI/Security community decided to call it Critical Research Technology, the designator went through many evolutions: Critical Research Information (12 July 00), RDT&E Information (26 July 00), Critical Technology (6 September 00), and Critical Research Information and Technology (23 October 00). The almost interchangeable manner in which the terms research and technology are used here, in the Directives, and in the ASD(C3I) memo, suggests the possibility that the CI/Security community does not fully understand what it seeks to control.
This definition is expansive enough to apply to all DoD-funded work. Hopefully all DoD-funded RDT&E "may be important to maintaining the U.S. warfighters' operational advantage." Logically, the definition is worded in a way that excludes only RDT&E that will not be important. Moreover, in a competitive budget environment, there will be a strong propensity for managers to designate their projects as critical. To manage work that is not critical is to risk having your funding cut for work that is.
For these reasons the CRT data gathered for the HAPD would likely be much less discriminating than that derived from the MCTL's systematic, expert-driven process.
Recommendation #3. Use the MCTL to identify candidate CPI and expand use of CPI only to non-S&T projects at 6.4 and above (per DEPSECDEF guidance in enclosure (2)).
D. THE CASE FOR CHANGING CURRENT RESEARCH PROTECTION POLICY LACKS CREDIBILITY
Perhaps the key question is-- what event(s) have occurred that support more rigorous control of scientific information than the security measures used during the Cold War? Enclosure (5), an ASD(C3I) memo, bases the CI/Security community's argument for more stringent research protections on:
- Three classified reports in 1994 detailing the loss of technologies (emphasis added) in the RDT&E community (Encl. 5, p.2).
- A November 2001 GAO letter to the SECDEF citing a Congressional tasking to evaluate, "U.S. efforts to restrict foreign national access to sensitive technologies (emphasis added)..." (Encl. 5, p.3)
- Executive Order 13222 that stated, "the unrestricted access of foreign parties to U.S. goods and technology (emphasis added)... constitute an unusual and extraordinary threat to national security, foreign policy, and the economy of the U.S." (Encl. 5, p.3)
- The Defense Production Act of 1950, as amended, Section 310, states "the Secretary of Defense shall identify critical components and critical technology items (emphasis added) for each item on the Critical Items list of the Commanders-in-Chief..." (Encl. 5, p.3)
- CI inspections that identified practices at RDT&E sites that would improve DoD's ability to protect dual-use and leading edge military technologies (emphasis added)..." (Encl. 5, p.2)
But in all five cases the stated concern is technology, not research. The CI/Security community has clearly not made a credible argument to support strict new measures beyond existing national policy codified in NSDD 189-- which is to use the classification process when a need arises for protecting scientific information.
AN OLD DEBATE
The question of how far to go in protecting research was debated throughout the Cold War. In an article published in the Wall Street Journal in 1982, Secretary of Defense C. Weinberger stated that the Soviets had "organized a massive, systematic effort to get advanced technology from the West." ADM B. Inman, then Deputy Director of the CIA, followed that article by suggesting to an American Association for the Advancement of Science (AAAS) conference that the scientific community should be more cooperative by voluntarily submitting research results to prepublication review by appropriate government agencies.
In the wake of those remarks, a study sponsored by the DoD, National Science Foundation, AAAS, and National Academy of Sciences, was conducted to examine the relationship between scientific communication and national security in light of the growing concern that foreign nations were gaining military advantage from such research.6 Two central conclusions of the "Corson Study" were as follows.
"The technological leadership of the U.S. is based in no small part on a scientific foundation whose vitality in turn depends on effective communication among scientists and between scientists and engineers. Thus, the short-term security achieved by restricting the flow of information is purchased at a price."
"In the view of the Panel, security by accomplishment may have more to offer as a general national strategy. The long-term security of the U.S. depends in large part on its economic, technical, scientific and intellectual vitality, which in turn depends on the vigorous research and development effort that openness helps to nurture."
6 National Academy of Sciences, "Scientific Communication and National Security" (1982), p. ix. Study members included Dale Corson, Chairman, (at that time President Emeritus, Cornell), James Killian (former Presidential Science Advisor), Wolfgang Panofsky (former member President's Science Advisory Committee), William Perry (former SECDEF), and Samuel Phillips (former Director, NSA).
Another DoD report voiced similar findings.
"A vast and growing amount of important work is being done by scientists in all countries. This is grist for our technological mill, and we can substantially benefit by making possible the free interchange of ideas, by publication and in person... Nor can we ignore the fact that maintenance of communications of research findings with other countries, including Russia, can be highly beneficial to advancement of scientific knowledge (emphasis added)."7
The second report's strong advocacy of scientific openness, in particular with Russia, sounds like post-Cold War policy. Instead, the above quote is from a briefing given before the National Security Council (NSC) on 31 May 1956-- less than seven months after the Soviet Union's first successful test of an aircraft-dropped hydrogen bomb.
7 Office of the Assistant Secretary of Defense (Research and Development), "Maintenance of Technological Superiority: Presentation Before the National Security Council," (31 May 1956).
It is interesting to contrast the tone of those two Cold War reports with that of the ASD(C3I) memorandum, which states:
"based on their ongoing open exchange relationships and shared methodologies with foreign scientists, the RDT&E community may be reluctant to be accountable for actions / inactions to protect leading edge military research... (Encl. 5, p.3)"
SUMMARY
Both the 1982 Corson Study and the 1956 NSC briefing were conducted when there was a clear and present danger. Even in an atmosphere of urgency, defense experts found no reason to abandon America's reliance on "security by accomplishment" as a strategy for the S&T environment. Therefore, a strong case can be made that national security is best served by maintaining a balance between security by accomplishment and security by control. The former is the appropriate strategy for the DoD's S&T process, and the latter is effective for the subsequent stages of systems development, acquisition, and commercial production.
With this balance in mind, the three recommendations offered by this paper are intended to:
- Support the commitment of the USD(AT&L), ASD(C3I), and DOT&E, to protect research and technology critical to national security, and achieve coordination of the Directives within 30 days,
- Help meet the CI/Security community's legitimate and important need to target, collect, and disseminate relevant threat data to appropriate RDT&E facility personnel,
- Explore existing means of meeting the CI/Security community's needs, and
- Ensure that defense S&T will not be harmed by measures designed to protect it.
By incorporating this paper's recommendations, the Directives would meet the above objectives by: protecting research in an appropriate manner by conforming to national policy codified in NSDD 189; implementing former DEPSECDEF Hamre's directive to expand the use of CPI into non-S&T programs; and by considering the MCTL (already used extensively by the CI/Security community) as a cost-effective alternative to the proposed ASD(C3I) database. Moreover, if the ASD(C3I) database is found to be as duplicative as it appears, then the USD(AT&L) BIC might explore it as an area for cost savings.
By contrast-- as currently written-- the ASD(C3I) Directives: contradict national policy stipulating the use of the classification process when there is a need to protect research; contradict existing DEPSECDEF policy that specifically prohibits control "lists"8 for S&T projects; propose a database that appears to duplicate the functions of the existing MCTL, which is used extensively by the CI/Security community; and create the possibility for criminal sanctions to be brought against individuals publishing unclassified research.
8 Discussions with the OIPT's membership and staff confirmed that the DEPSECDEF's prohibition extended to any lists. At the time of the DEPSECDEF memo, CPI was a designator in use for ACAT programs; CRT was developed by the CI/Security community well after the DEPSECDEF policy was established on 17 February 2000.
If approved in their present form, the Directives can be expected to have a chilling effect on the defense research conducted by the nation's universities, industrial centers, and military laboratories.
Don J. DeYoung
U.S. Naval Research Laboratory
2 April 2002