WHITE PAPER

SUBJECT: PROPOSED SECURITY CONTROLS ON DEFENSE RESEARCH

Enclosures:

OVERVIEW

Enclosure (1) underscores the strong role that technology plays in the nation's defense and economic competitiveness. The memorandum's three signatories (Hon. E.C. Aldridge, Hon. J.P. Stenbit, and Hon. T.P. Christie) therefore resolve to protect U.S. research and technology from America's military adversaries and industrial rivals, and agree to work together to accomplish that goal.

In short, the memorandum expresses a commitment to protect what is critical to national security. It therefore reinforces long-standing national policy that requires the Department of Defense (DoD) to protect research-- when national security requires it-- through the classification process, and to protect technology through a number of means, one of which is classification. The key point in the memorandum is a request that the Office of the Secretary of Defense (OSD) and the Military Departments complete coordination, within 30 days, on two directives sponsored by the Counter-Intelligence (CI)/Security community. Unlike the memorandum, those documents advocate sharp deviations from existing policies.

As currently written the draft directives contradict national policy on scientific information stipulating the use of the classification process when national security requires it. They contradict existing DoD policy that specifically prohibits gathering counter-intelligence "lists" for Science and Technology (S&T) projects. They propose a CI/Security database that duplicates the functions of the Militarily Critical Technologies List, an existing database used extensively by the Defense Security Service's Counter-Intelligence Office to develop its annual threat assessments. And, they create the possibility for criminal sanctions to be brought against individuals publishing unclassified research.

This paper is intended to: (1) help meet the commitment of OSD's tripartite memorandum, (2) assist the CI/Security community in its legitimate and important role to target, collect, and disseminate relevant threat data to appropriate RDT&E facility personnel, (3) correct two misleading inaccuracies that are being used to justify changes in national policy, and (4) ensure that defense S&T will not be harmed by the very measures designed to protect it.

BACKGROUND

On 17 February 2000, the former Deputy Secretary of Defense (DEPSECDEF), Dr. John Hamre, issued a series of memoranda addressing security and counterintelligence (CI) in DoD's laboratories and Test & Evaluation centers. These memoranda conveyed a number of proposals for improving security procedures. An Overarching Integrated Process Team (OIPT), composed of executive-level officials1, developed the proposals. Dr. D. Etter, the former DUSD (S&T), chaired the group.

One of the actions directed by Dr. Hamre in enclosure (2) was for the Assistant Secretary of Defense for Command, Control, Communications and Intelligence (ASD C3I) and the Under Secretary of Defense for Acquisition, Technology & Logistics (USD AT&L) to create a directive requiring the services to develop "site-specific lists of critical program information for non-Science and Technology (S&T) programs." Critical program information (CPI) is a designator used to control information in some acquisition category (ACAT) programs, therefore the effect of Dr. Hamre's memo was to expand its use into other ACAT programs and into non-ACAT RDT&E Programs, excepting S&T (i.e., 6.1, 6.2, and 6.3). In short, Dr. Hamre's memo-- from its title to its text-- pertained only to "technology" protection.

ISSUE

The ASD(C3I) has formally submitted two Directives, enclosures (3) and (4), for coordination among the Military Departments and the Office of the Secretary of Defense. Contrary to the stated DEPSECDEF policy, they require that all acquisition programs identify CPI throughout all RDT&E budget categories--including S&T. All non-acquisition activities are required to use a CPI-like designator, called Critical Research Technology (CRT), and likewise apply it to "all seven subcategories of RDT&E" -- including S&T (Encl. 3, p.2). The stated objective is to "protect DoD-funded research and technology." An ASD(C3I) memo, provided as enclosure (5), specifically urges protection "beginning with the idea phase within DoD-funded basic research."

PROPOSED PROCESS FOR PROTECTING RESEARCH

Once a project is designated as CPI, or CRT, specific requirements and procedures become mandatory. For example:

This last requirement is not trivial because universities, industry, federally funded R&D centers, and nonprofits perform 64% of all DoD-funded research (6.1 and 6.2).2 The actual figure is higher because the DoD laboratories outsource a significant amount of their work.

Finally, it should be noted that the CRT designation is applicable to unclassified information. Therefore, these procedures create the possibility for criminal sanctions to be brought against individuals publishing unclassified research, or failing to control it according to the measures prescribed.

ANALYSIS AND FINDINGS

A. THE DIRECTIVES CONTRADICT NATIONAL AND DOD RESEARCH POLICY

Enclosure (6), National Security Decision Directive (NSDD) 189, codifies national policy on the transfer of scientific, technical and engineering information. Research is defined by the 16-year-old policy as basic and applied research (6.1 and 6.2) in science and engineering. It stipulates that,

In other words, when research requires protection, classification is the only tool permitted by national policy. NSDD 189 endorsed this approach because the strength of American science requires "an environment in which the free exchange of ideas is a vital component."

However, the Directives require that research be protected by means in addition to classification, i.e., the CPI and CRT control procedures. The Directives state that they "recognize the normally unrestricted nature of fundamental research, as identified in National Security Decision Directive 189" (Encl. 3, p.2), and have "implemented relevant portions" of it (Encl. 3, p.1). That claim is misleading because the Directives clearly violate national policy.

Another misleading claim is made by enclosure (5), an ASD(C3I) memo being circulated to justify the controls on research. It states that Dr. Hamre's memorandum (i.e., enclosure (2)) "directed the ASD(C3I), with support from the USD(P) and the USD(AT&L), to revise or create a DoD directive and define a new process or discipline of integrating support for protecting research and technology..." (Encl. 5, p. 1).

But the former DEPSECDEF's statements are very different from those offered by the ASD(C3I) memo. Not only is the word "research" never used by Dr. Hamre, but he specifically excluded S&T from any controls. Quoting from the same source cited by the ASD(C3I) memo, Dr. Hamre in fact stated:

B. THE PROPOSED ASD(C3I) DATABASE DUPLICATES FUNCTIONS OF THE MILITARILY CRITICAL TECHNOLOGIES LIST

The MCTL identifies emerging militarily critical technologies. In fact, the MCTL process reviewed over 6,000 technologies and identified 2,060 militarily significant technologies that were then entered into the MCTL database. A total of 656 were selected as Militarily Critical. In short, the MCTL process appears to identify the very technologies that the CI/Security community seeks to protect from compromise.

The general features of the MCTL process are as follows.3

Based on these features, the MCTL process appears to be a cost-effective alternative to the proposed database. In fact, the Defense Security Service (DSS) Counter-Intelligence Office uses the MCTL to compile its annual report, "Technology Collection Trends in the U.S. Defense Industry." Its 2000 report stated that the "DSS documents and reviews foreign interest in U.S. defense technology in categories described by the MCTL."4 Its use by the DSS CI office indicates that the MCTL can likely satisfy the CI/Security community's need to target, collect, and disseminate relevant threat data to appropriate RDT&E facility personnel.

However, if the MCTL has inadequacies that lead to doubts about its efficacy, perhaps DoD's resources would be better spent modifying the MCTL process instead of creating a new and duplicative process. Moreover, the avoidance of unnecessary investment costs would meet an objective of the USD (AT&L) Business Initiative Council (BIC), which is to identify and implement business reforms that allow the reallocation of savings to higher priorities.

C. CRT'S DEFINITION IS BROAD ENOUGH TO INCLUDE ALL DEFENSE RDT&E

CRT5 is defined as "RDT&E information identified and prioritized by site directors and managers that may (emphasis added) be important to maintaining the U.S. warfighters' operational advantage when the resulting capability becomes part of a future DoD acquisition program or system." (Encl. 3, p. 12)

This definition is expansive enough to apply to all DoD-funded work. Hopefully all DoD-funded RDT&E "may be important to maintaining the U.S. warfighters' operational advantage." Logically, the definition is worded in a way that excludes only RDT&E that will not be important. Moreover, in a competitive budget environment, there will be a strong propensity for managers to designate their projects as critical. To manage work that is not critical is to risk having your funding cut for work that is.

For these reasons the CRT data gathered for the HAPD would likely be much less discriminating than that derived from the MCTL's systematic, expert-driven process.

D. THE CASE FOR CHANGING CURRENT RESEARCH PROTECTION POLICY LACKS CREDIBILITY

Perhaps the key question is-- what event(s) have occurred that support more rigorous control of scientific information than the security measures used during the Cold War? Enclosure (5), an ASD(C3I) memo, bases the CI/Security community's argument for more stringent research protections on:

But in all five cases the stated concern is technology, not research. The CI/Security community has clearly not made a credible argument to support strict new measures beyond existing national policy codified in NSDD 189-- which is to use the classification process when a need arises for protecting scientific information.

AN OLD DEBATE

The question of how far to go in protecting research was debated throughout the Cold War. In an article published in the Wall Street Journal in 1982, Secretary of Defense C. Weinberger stated that the Soviets had "organized a massive, systematic effort to get advanced technology from the West." ADM B. Inman, then Deputy Director of the CIA, followed that article by suggesting to an American Association for the Advancement of Science (AAAS) conference that the scientific community should be more cooperative by voluntarily submitting research results to prepublication review by appropriate government agencies.

In the wake of those remarks, a study sponsored by the DoD, National Science Foundation, AAAS, and National Academy of Sciences, was conducted to examine the relationship between scientific communication and national security in light of the growing concern that foreign nations were gaining military advantage from such research.6 Two central conclusions of the "Corson Study" were as follows.

Another DoD report voiced similar findings.

The second report's strong advocacy of scientific openness, in particular with Russia, sounds like post-Cold War policy. Instead, the above quote is from a briefing given before the National Security Council (NSC) on 31 May 1956-- less than seven months after the Soviet Union's first successful test of an aircraft-dropped hydrogen bomb.

It is interesting to contrast the tone of those two Cold War reports with that of the ASD(C3I) memorandum, which states:

SUMMARY

Both the 1982 Corson Study and the 1956 NSC briefing were conducted when there was a clear and present danger. Even in an atmosphere of urgency, defense experts found no reason to abandon America's reliance on "security by accomplishment" as a strategy for the S&T environment. Therefore, a strong case can be made that national security is best served by maintaining a balance between security by accomplishment and security by control. The former is the appropriate strategy for the DoD's S&T process, and the latter is effective for the subsequent stages of systems development, acquisition, and commercial production.

With this balance in mind, the three recommendations offered by this paper are intended to:

By incorporating this paper's recommendations, the Directives would meet the above objectives by: protecting research in an appropriate manner by conforming to national policy codified in NSDD 189; implementing former DEPSECDEF Hamre's directive to expand the use of CPI into non-S&T programs; and by considering the MCTL (already used extensively by the CI/Security community) as a cost-effective alternative to the proposed ASD(C3I) database. Moreover, if the ASD(C3I) database is found to be as duplicative as it appears, then the USD(AT&L) BIC might explore it as an area for cost savings.

By contrast-- as currently written-- the ASD(C3I) Directives: contradict national policy stipulating the use of the classification process when there is a need to protect research; contradict existing DEPSECDEF policy that specifically prohibits control "lists"8 for S&T projects; propose a database that appears to duplicate the functions of the existing MCTL, which is used extensively by the CI/Security community; and create the possibility for criminal sanctions to be brought against individuals publishing unclassified research.

If approved in their present form, the Directives can be expected to have a chilling effect on the defense research conducted by the nation's universities, industrial centers, and military laboratories.


Source: Hardcopy original
HTML by FAS