RECOMMENDATIONS:
STRATEGIES AND BEST PRACTICES TO SECURE AND SHARE SENSITIVE INFORMATION
Our research and appraisal of current agency
practice shows a system that is seriously flawed. The diversity
of policies, ambiguous or incomplete guidelines, lack of
monitoring, and decentralized administration of information
controls on unclassified information are troubling from the
perspectives of safety, security, and democracy.
MONITORING OF PROTECTED DOCUMENTS
Arguably the most significant problem with agencies' protection
of unclassified information is the lack of data concerning
how many protected documents exist and the unavailability
of any means to find out. The absence of reporting systems
makes any assessment of the extent to which a policy is
being used difficult, if not impossible. In written questions
from the House Subcommittee on National Security, Emerging
Threats, and International Relations, in conjunction with
its recent hearing on pseudo-classification, Rear Admiral
Christopher McMahon of the Department of Transportation,
Office of Intelligence, Security, and Emergency Response,
was asked how many FOUO, SSI, or similar designation decisions
were made by DOT and its components. Admiral McMahon responded,
"During the period in question, we did not keep records
of restricted information designations other than national
security classifications. Since January 2005, we have kept
records of SSI designations, of which there have been two.
Information has also been designated as 'For Official Use
Only' this year, but we have no record of how many times."
(Note 1)
In comparison, it is useful to look to the
formal classification system, which is governed by Executive
Order 12958, as amended, and is managed and monitored by
the Information Security Oversight Office (ISOO) of the
National Archives and Records Administration (NARA). ISOO
publishes an annual report to the President in which it
quantifies the number of classification and declassification
decisions, the number of individuals with authority to classify
material, and the type of information that is being classified.
(Note 2) Such reports enable the Executive
Branch and Congress to monitor the costs and benefits of
the classification system and to identify trends that may
suggest the need to reform the system.
Because safeguarding sensitive unclassified
information impacts safety, security, budget and information
disclosure (all important national concerns), some form of
overarching monitoring of all information control
would be valuable. Agencies should be required to maintain
a record of who can use sensitive unclassified information
designations and how many documents they designate for protection.
Furthermore, the agencies should be required to maintain
a record of how often FOIA officials release or withhold
documents that have been marked as sensitive. Such data
would make it possible for Congress and the public to
assess agency secrecy.
The Government Accountability Office (GAO) recently conducted
a study of TSA's new Sensitive Security Information (SSI)
policy at the request of members of Congress. GAO's report
concluded that the omission of oversight mechanisms of any
sort was a serious problem: "internal control policies
and procedures for monitoring the compliance with regulations
governing the SSI designation process, including internal
controls for ongoing monitoring, communicated to all staff,
would help ensure accountability and consistency in the
implementation of TSA's SSI regulations." (Note 3)
THE BLACK HOLE OF INFORMATION SAFEGUARDING
For classified information, the security classification
system provides precise limits on the extent and duration
of classification as well as a system for declassification,
including public requests for declassification. For non-security
sensitive information, the FOIA provides a relatively clear
and user-friendly process for the public to seek access
to information held by the government. Sensitive unclassified
information, however, falls into a black hole. As this Study
shows, it is likely that information previously available
under FOIA or on unrestricted Web sites may no longer be
available to the public. Yet, there is virtually no opportunity
for the public or other government personnel to challenge
a decision to mark a document for protection as SBU,
FOUO, or SSI. Accordingly,
in order to protect the important role that public access
has played in government accountability, it is important
that a system for challenging the use of sensitive unclassified
information markings be established at each agency or, alternatively,
that FOIA procedures be adjusted to counteract the chilling
effect that these markings may have on disclosure under
FOIA. Moreover, classified information is subject to limits
on the duration of protection, but few such limits exist
for SUI. Thus, once marked may mean forever marked.
THE HIDDEN COSTS
ISOO reports annually on the estimated costs of classification
and declassification activities throughout the government.
During FY 2003, agencies spent a total of $6.5 billion on
information security generally, including classification
and declassification management and security for information
systems; an additional $536 million was spent on physical
security for buildings and storage of classified information.
(Note 4) By referring to the chart on page
19, which depicts the range of safeguarding methods that
are applied to unclassified information by some agencies,
it is apparent that many of the measures mirror those applied
to classified information. It is possible, therefore, that
some portion of the spending ISOO reported was in fact used
for unclassified information protection. Convenience, resource
constraints, or established practices may lead to the commingling
of classified and sensitive unclassified materials in order
to ensure both are properly safeguarded. If this occurs,
it could potentially undermine the security of the classification
system. Accordingly, agencies should be required to take
steps to assess the cost of their sensitive unclassified
information systems and ensure that safeguards do not undermine
the security of classified information.
Moreover, the cost of an impaired information sharing system
cannot be quantified. There are two aspects to this problem.
The first, which has been well-documented, is the problem
of inter-agency information sharing. The second is the problem
of public-private sector information sharing; if private
industry is unable to learn information and is required
to adopt restrictions on information from the government,
it may well inhibit the willingness of private industry
to engage in activities that could benefit the public good.
A UNIFIED SYSTEM
This Study suggests that a great deal of non-sensitive information
is being withheld today that should be or previously would
have been released under the FOIA. It is also likely, however,
that the current system of diverse and unregulated safeguard
mechanisms is not actually succeeding in shielding much
of the information that could be useful to terrorists or
others desiring to undermine the security of the United
States. Even Secretary of Defense Rumsfeld has recognized
that FOUO is not working properly at the
Department of Defense (Note 5), and similar
policies are probably not achieving their goals elsewhere
across the federal government.
Although classification is centrally managed, agencies
implement their own classification programs according to
central guidance and criteria, in a way that makes sense
within the function and mission of their particular organization.
ISOO Director J. William Leonard has recommended that a
unified framework be instituted to both simplify and supervise
control of unclassified information as well. In his proposed
structure, Leonard offers several suggestions that seem
appropriate, particularly in light of our findings. He advocates
for: "Strict limitations as to who can designate information
as falling under the system of controls"; "Built-in
criteria that must be satisfied in order to place controls
on dissemination"; "Uniform 'due-diligence' standards
with respect to how to handle and protect controlled information";
and "A process . . . whereby both authorized holders
and outsiders can appeal the application of dissemination
controls." (Note 6)
This Study suggests that issues of information security,
information sharing, and public access to information should
not be addressed in a piecemeal manner. There are best practices
in agencies that should be shared, as well as lessons to
be learned about the costs and benefits of secrecy and disclosure.
Unnecessary secrecy has been on the rise since September
11, with the result of threatening our safety and national
security while impeding the process of democracy and the
effective functioning of the government. In presenting markers
of possible successes and failures of sensitive unclassified
information programs among the federal agencies, this Study
seeks to offer a rationale and a sense of urgency for initiating
reforms, in these and other information-control programs
government-wide.
NOTES
1. McMahon letter to Representative Christopher
Shays, Chairman, Subcommittee on National Security, Emerging
Threats, and International Relations, Committee on Government
Reform, U.S. House of Representatives (May 9, 2005).
2. See, e.g., Information Security Oversight
Office (ISOO), "Report to the President 2004"
(March 31, 2005), http://www.archives.gov/isoo/reports/2004-annual-report.html.
3. GAO, supra note 20, at 7.
4. ISOO, 2003 Report on Cost Estimates
for Security Classification Activities (July 2004),
http://www.archives.gov/isoo/reports/2003-cost-report.html.
5. Sec. of Defense Donald Rumsfeld, Cable:
"Web site OPSEC discrepancies," January 14, 2003,
http://www.fas.org/sgp/news/2003/01/dodweb.html.
6. Leonard remarks, supra note 21.