National Security Reform and Classification Policy

"The [U.S. national security] system fails to know what it knows, to make sense of information and trends in order to understand an increasingly complex global environment, to make effective and informed decisions, and to learn over time what works—and what does not work."

In a blog posted to the FAS Project on Government Secrecy, Stephen Aftergood refers to the Project for National Security Reform (PNSR) - specifically the work conducted by my team, the Knowledge Management Working Group, in the area of classification reform.  Mr. Aftergood raises some important points, and I will try to respond to them here.  

It is important to make clear that I am not speaking on behalf of the Project, but instead clarifying and discussing the analysis my team has already completed. This is my personal blog, and not sponsored or sanctioned by the Project for National Security Reform.

I appreciate the opportunity to discuss our work, as we worked against a compressed timeline and the report would have benefited greatly from additional time and resources.  My team's sections on knowledge management probably need more explanation than most, and I hope to expand on the ideas we put in that paper soon.  I am hopeful that through conversations such as these I can add detail - but also learn from all of you how to improve our thinking on this important topic.

From the Secrecy News blog:

"'Sharing information across organizational boundaries is difficult… [because] agency cultures discourage information sharing,' the report states.  But this is a restatement of the problem, not an explanation of it."

If that were all we stated in our problem statement, Mr. Aftergood would have a more valid case in finding our work shallow.  In addition to his reference regarding impediments to information sharing, however, we also discuss (pp. 331-362):

- Poor interoperability on the classified side

- Overclassification

- The proliferation of the “sensitive but unclassified” designation

- Confusing technical connections with collaboration

- Information systems are missing common data abstraction, protocols, and compatible business logic

- Inability of systems to understand business limitations and context of data

The recommendations we make in the report on this topic are likewise truncated in Mr. Aftergood's treatment.

"And so the real upshot of the report’s argument is that the classification system cannot be fixed at all, at least not in isolation or on its own existing terms. ...

They vaguely advocate a “common [government-wide] approach for information classification [that] will increase transparency, improve accessibility, and reinforce the overall notion that personnel in the national security system are stewards of the nation’s information, not owners thereof.”"

We didn't intend to be vague, and apologize if the reader is left believing that we believed that the "teams" recommendation was sufficient to resolve classification issues.  In fact, we recommend (p. 450) the establishment of an Office for Decision Support within the NSC Executive Secretariat, which would include the functions within ODNI (Special Security Center) that are currently working to establish a common security classification across the national security system.  We believe the work this office is already doing is valuable, and seek to give it budgetary and enforcement mechanisms to ensure they succeed.  From our recommendations:

"[T]he Special Security Center within the Office of the Director of National Intelligence currently works to establish uniformity and reciprocity across the intelligence community, but this approach should be expanded to include the entire national security system."

Mr. Aftergood is correct that we believe a systemic approach to resolving the problems of the national security system is appropriate.  Hence, while we recommend the above for classification issues, we recognize that without the reforms mentioned in the human capital, strategy, and resources sections - the 'knowledge management' problems will not be resolved.

For example, the fact that information security professionals are free to assert controls that hamper information sharing and other business functions remains a problem.

"There is often a tension between information security and operational effectiveness. The latter is enabled by easy access to information and the free flow of information both within and across organizational boundaries. The former often requires tight controls on information access and sharing based on a wide range of parameters (e.g., classification level, organizational affiliation, 'need to know' requirements, etc.) in order to minimize risks such as unauthorized access to data, data theft, and data manipulation. Historically, national security organizations have placed more emphasis on information security requirements than on the imperatives of information access and sharing. The result has been a culture of 'risk avoidance' that has limited the ability of key people and organizations to work collaboratively."

I appreciate the discussion and review of our work, which we view as the beginning of a conversation.  My thanks to Mr. Aftergood for engaging with us.