Weaknesses in Classified Information Security Controls at DOE's Nuclear Weapon Laboratories.
Subcommittee on Oversight & Investigations
Committee on Commerce
U.S. House of Representatives
July 11, 2000
Prepared Statement of Mr. Steven Aftergood
Senior Research Analyst
Federation of American Scientists
307 Massachusetts Avenue, N.E.
Washington, DC 20002
Panel 2, Witness 5
Absolute security at the nuclear weapons laboratories has never been achieved in the past, and is not an attainable goal for the future. Security will always be limited by cost considerations and by the need to actually make use of the information that is being protected.
The following statement notes several past attempts by the Department of Energy to balance these competing factors, especially with respect to "accountability" of Secret documents and classification policy, including the DOE's Higher Fences Initiative.
The statement concludes with the observation that security is a means, not an end in itself, and that care should be taken not to further jeopardize the institutional health of the laboratories through reflexive, ill-considered or punitive security measures.
My name is Steven Aftergood and I am a senior research analyst at the Federation of American Scientists (FAS), which was founded in 1945 (as the Federation of Atomic Scientists) by Manhattan Project scientists at Los Alamos. FAS performs policy research and advocacy on a range of national security policy issues, with an emphasis on nuclear arms control. I direct the FAS Project on Government Secrecy, which studies government secrecy and information security policies, and generally advocates a reduction in the scope of the national security classification system. As required by Committee rules, I hereby state that neither I nor FAS has received any federal grants or contracts that are relevant to the subject of this hearing during the current fiscal year or the two preceding fiscal years.
Balancing Competing Interests
The basic conundrum for information security policy is how to balance security with other competing interests such as cost and mission performance. Security is "too good" if it precludes or significantly interferes with achievement of program goals. And since funding resources are finite, there are practical limits to security in any case.
It is necessary to accept the fact that there can be no absolute security. The best one can aim for is to manage the security risks, keeping them to a reasonable minimum, while optimizing mission performance and limiting costs.
The proper balance is not obvious, because it depends on multiple considerations, including threat level, resource availability, and other factors, all of which may change over time. In practice, a different balance has been proposed at different times over the last decade. Some benchmarks of shifting security policy positions, as they apply to document "accountability" and classification, follow.
a. The 1990 Freeze Report: Thousands of Unaccounted-For Secret Documents
In 1990, DOE conducted a major review of security policy, which raised many of the same issues of accountability for classified documents that have recently surfaced. The Report of the Secretary's Safeguards and Security Task Force, chaired by Major General James F. Freeze, USA(ret.), noted that DOE document accountability requirements had come and gone and come again:
Historically, the Department had not required Secret document inventories except for weapons data, and the Task Force was advised that requirement had been dropped "in the early 1970's for cost benefit reasons." However, weaknesses in the accountability for Secret documents were identified by a Classified Document Control Action Team in late 1986. Therefore, the requirement to conduct an "initial inventory" of Secret documents was included [for both Department elements and contractors]....
This new Secret document inventory requirement was not fully implemented. Even so, a partial inventory revealed that thousands of Secret documents were accounted for:
Failure to complete the required complex-wide 100% inventory of Secret documents on a timely basis has resulted in an unsatisfactory condition.... The estimated number of Secret documents throughout the complex was 6,165,969. The number of documents inventories at that time [October 1989] totaled 3,299,936, and there were 5,716 unreconciled or unaccounted for documents.
Interestingly, control of Top Secret documents was found to be satisfactory. No Top Secret documents were unaccounted for. [Endnote 1]
b. National Industrial Security Program Eliminates Secret Accountability
The National Industrial Security Program arose in response to President Bush's National Security Review 25 (4 April 1990). It was an attempt to develop uniform security policies for government contractors in the interests of cost efficiency. As President Bush put it: "The development of a single, coherent and integrated industrial security program should be explored to determine the extent of cost savings for industry and government while improving protection of our national security interests."
In the early post-cold war days, cost savings were given higher priority than improved protection, and requirements for Secret document accountability at contractor facilities were soon dispensed with. (Secret document accountability within most government agencies had been abandoned decades earlier.)
A DOE security official articulated DOE's opposition to document accountability at a 1993 meeting of the NISP steering committee :
Ed McCallum, DOE, advised that DOE does not concur with retention of SECRET accountability, stating that it is very expensive to account for SECRET when such a security requirement can so easily be circumvented. Moreover, Ed stated that in his opinion, such a security requirement dictates that an inspector spends a good portion of their time in an inspection "chasing paper," rather than concentrating on the real security vulnerabilities at the facility.
The Central Intelligence Agency representative at the meeting also expressed opposition to accountability for Secret documents. The Defense Department favored accountability, but "with a more liberalized approach to the administrative methodology employed by the contractor." Ultimately, a requirement for Secret accountability was eliminated government-wide by the National Industrial Security Program Operating Manual, published in 1995.
c. The Higher Fences Initiative: Increased Classification for the Most Sensitive Information
In 1993, then-Energy Secretary Hazel O'Leary established a "Fundamental Classification Policy Review" (FCPR), a comprehensive review of all DOE classification policies that was intended "to determine which information must continue to be protected and which no longer requires protection and should be made available to the public." It was endorsed by Congress in the conference report on the FY 1994 Energy and Water Appropriations Act. This was the first comprehensive review of DOE classification in fifty years, and was conducted by government scientists from DOE and DoD. To my knowledge, no other government agency has undertaken a comparable review of its own classification policies.
Along with numerous recommendations for declassification, the Review also include a call for increased classification of 137 categories of certain highly sensitive nuclear weapons information.  This recommendation became known as the Higher Fences Initiative, since it envisioned higher, Top Secret security "fences" around a small, select subset of very sensitive information.
Contrary to some erroneous news reports, the recommendations of the FCPR were accepted by Secretary O'Leary and formed the basis for ongoing negotiations with the Department of Defense beginning in 1997. However, the proposal to upgrade certain Secret information to Top Secret was rebuffed by DoD for cost reasons, even after DOE had significantly shortened the recommended list of 137 topics. DoD explained its opposition to Higher Fences in a 1999 letter :
Even working with this significantly shortened list, we anticipate that the costs of implementing such a program would be substantial. They would extend to such requirements as the upgrade of clearances with Single-Scope Background Investigations, the establishment or addition of TOP SECRET storage facilities at government and contractor facilities, the sanitization of SECRET-level computers and computer networks where this information currently resides and institution of new TS-level capabilities, etc....
In addition to purely financial considerations, the DoD is concerned that there may also be operational costs. For example, the ability to respond to urgent stockpile problems may be inhibited if it should happen that the necessary responders are not cleared at the appropriate level....
This DoD assessment provides a vivid illustration of how security professionals may balance the competing interests of security, cost, and ease of operational use in different ways. Neither DOE nor DoD is obviously wrong, nor is either agency clearly derelict or oblivious to security. They have simply reached different, and conflicting, professional judgments.
(It should be noted in passing that DOE's Secret-Restricted Data [SRD] category is comparable in some respects to "ordinary" [i.e. non-Restricted Data] Top Secret elsewhere in the government. So, for example, the "Q" clearance required for access to SRD is approximately as rigorous as the Top Secret clearance. For that reason, DOE relies heavily on SRD and has rarely used the classification category "Top Secret Restricted Data," which entails security measures beyond those required for ordinary Top Secret elsewhere in the government. The 1990 Freeze Report found that there were no more than 3,451 Top Secret documents throughout the entire DOE complex, a comparatively minuscule number.)
Declassification as a Security Measure
Neither the declassification measures nor the classification upgrades recommended by the Fundamental Classification Policy Review have been fully implemented by the Department of Energy. Both aspects of the Higher Fences Initiative deserve continued consideration.
Since the need for increased protection may seem obvious at the moment, I would like to stress the equal importance of relaxing protection in areas of lower sensitivity, i.e. declassification.
There is a tendency among some to believe that greater secrecy translates directly into greater security, and that declassification means increased vulnerability. This is not so.
Declassification is an indispensable component of a rational information security program. Removing information that is obsolete or no longer sensitive from security controls through declassification keeps security focused where it is most needed. It also preserves the credibility of classification, which can otherwise become simply a bureaucratic habit, instead of a vital instrument of national security. Any information security reform program that does not provide for appropriate declassification is incomplete.
Nuclear Secrecy in Perspective
The Department of Energy should make every reasonable effort to ensure the protection of sensitive nuclear weapons information. But no more than a reasonable effort. The limits of what information security can achieve should be understood by everyone concerned so that responsible security policies can be formulated and implemented.
In the first place, it should be obvious that information is only one ingredient in nuclear proliferation, and it is not the most important one. No nation or sub-national group can use classified information to build a bomb unless it also has access to sufficient quantities of suitable nuclear material, and an engineering and manufacturing infrastructure to produce the bomb. But if it has the latter two items -- the nuclear material and the engineering capacity -- then it can dispense with classified information.
Thus, "Access to classified information is not necessary for a potential proliferator to construct a nuclear weapon," according to a 1995 report of the National Academy of Sciences.  This is partly due to the fact that much information about nuclear weapons design has been declassified since 1945, and partly due to the fact that such information, classified or not, can be independently replicated.
Fundamentally, it is not within the power of any classification system or any information security policy to prevent the proliferation of nuclear weapons. The most that classification of scientific or technological information can generally accomplish is to delay the independent achievement of any particular scientific discovery or technological feat. But discovery or duplication cannot be prevented.
Thus, according to a DOE report, "The considerable progress of Iraq toward becoming a nuclear power was largely independent of U.S. classification policy." 
Finally, everyone should understand that the number of nuclear weapons secrets is diminishing and will, in time, approach zero. The "economics" of nuclear secrecy favor disclosure, not continued secrecy: Secrets that took hundreds of person-years and billions of dollars to invent can be disclosed by a single individual and disseminated around the world in an instant at no cost -- whether through official declassification, independent discovery, foreign disclosure, espionage, malice, dissent, or error. In short, it is far easier to disclose nuclear secrets than to create them. And unlike the secrets of diplomacy or intelligence, nuclear secrets are not replenished on a daily basis. There aren't many fundamentally new ones being created. As a result, we must anticipate that, whether in five years or twenty-five years, there will be no appreciable nuclear secrets left to protect. Some would say we are there already.
Conclusion: Ends and Means
Information security is a means to a larger end, and is not an end in itself. The frustration generated by recurring security failures at the weapons labs tends to obscure this distinction. So, for example, a proposal recently offered in the Senate would "short-circuit" the necessary balancing of security, costs, and mission performance discussed above by simply declaring that "the protection of sensitive and classified information" should be "the highest priority of the National Nuclear Security Administration."  But in the real world, the NNSA must have higher priorities than protecting information. Sometimes, one or more of its mission priorities -- including the promotion of international nuclear reactor safety and nonproliferation, for example -- will require the sharing or disclosure of classified information, not its protection.
The biggest risk of all concerns the institutional health of the DOE national laboratories. Whether one is committed to stockpile stewardship, to deep cuts in the U.S. nuclear arsenal, or to dismantlement and eventual abolition of nuclear weapons, the availability of a cadre of skilled nuclear weapons professionals is a prerequisite for the foreseeable future. These professionals are becoming an endangered species, and the laboratories are becoming a deeply unattractive place to work.
Whatever the defects of current security policy, and whatever reforms are ultimately determined to be necessary, the viability of the national laboratories is an even larger and more important issue. The labs should not be sacrificed in the name of an unachievable absolute security.
1. Report of the Secretary's Safeguards and Security Task Force (the "Freeze Report"), December 1990, pp. 17, 70-71, emphasis added.
2. Minutes of the NISP Steering Committee Meeting of 20 July 1993 (unpublished).
3. Report of the Fundamental Classification Policy Review Group, Dr. Albert Narath, Chair, unclassified version, December 1997, page 26. An initial draft report was published for public comment on February 1, 1996.
4. Letter to General Eugene E. Habiger, Director, Office of Security and Emergency Operations, U.S. Department of Energy, from Hans Mark, DDRE and Arthur Money, ASD(C3I), Office of the Secretary of Defense, December 17, 1999.
5. "A Review of the Department of Energy Classification Policy and Practice," National Academy Press, 1995, p. 19.
6. "Classification Policy Study," prepared for the Department of Energy by Meridian Corporation, July 4, 1992, p. 35.
7. "Implementation of Security Reforms at the Department of Energy," a sense of the Senate resolution introduced by Senators Kyl and Domenici, June 21, 2000, Congressional Record, pp. S5573-4.
Steven Aftergood is a senior research analyst at the Federation of American Scientists. He directs the FAS Project on Government Secrecy, which works to reduce the scope of government secrecy, to accelerate the declassification of cold war documents, and to promote reform of official secrecy practices.
In 1997, Mr. Aftergood was the plaintiff in a Freedom of Information Act lawsuit against the Central Intelligence Agency which successfully led to the declassification and publication of the total intelligence budget ($26.6 billion in 1997) for the first time in fifty years.
Mr. Aftergood is an electrical engineer by training (B.Sc., 1977) and has published research in solid state physics. He joined the FAS staff in 1989.
He has authored or co-authored papers in Scientific American, Journal of Geophysical Research, Journal of the Electrochemical Society, New Scientist, and Issues in Science and Technology, on topics including space nuclear power, atmospheric effects of launch vehicles, intelligence oversight, and government information policy. From 1992-1998, he served on the Aeronautics and Space Engineering Board of the National Research Council.
The Federation of American Scientists, founded in 1945 by Manhattan Project scientists, is a non-profit national organization of scientists and engineers concerned with issues of science and national security policy.
FAS | Government Secrecy | Congress ||| Index | Search | Join FAS