THE OVER-CLASSIFICATION AND
PSEUDO-CLASSIFICATION:
PART I, II, AND III
=======================================================================
HEARING
before the
SUBCOMMITTEE ON INTELLIGENCE, INFORMATION SHARING, AND
TERRORISM RISK ASSESSMENT
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
FIRST SESSION
__________
MARCH 22, 2007, APRIL 26, 2007, and JUNE 28, 2007
__________
Serial No. 110-20
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
__________
U.S. GOVERNMENT PRINTING OFFICE
35-279 PDF WASHINGTON : 2009
----------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512ÿ091800
Fax: (202) 512ÿ092104 Mail: Stop IDCC, Washington, DC 20402ÿ0900012009
COMMITTEE ON HOMELAND SECURITY
BENNIE G. THOMPSON, Mississippi, Chairman
LORETTA SANCHEZ, California, PETER T. KING, New York
EDWARD J. MARKEY, Massachusetts LAMAR SMITH, Texas
NORMAN D. DICKS, Washington CHRISTOPHER SHAYS, Connecticut
JANE HARMAN, California MARK E. SOUDER, Indiana
PETER A. DeFAZIO, Oregon TOM DAVIS, Virginia
NITA M. LOWEY, New York DANIEL E. LUNGREN, California
ELEANOR HOLMES NORTON, District of MIKE ROGERS, Alabama
Columbia BOBBY JINDAL, Louisiana
ZOE LOFGREN, California DAVID G. REICHERT, Washington
SHEILA JACKSON LEE, Texas MICHAEL T. McCAUL, Texas
DONNA M. CHRISTENSEN, U.S. Virgin CHARLES W. DENT, Pennsylvania
Islands GINNY BROWN-WAITE, Florida
BOB ETHERIDGE, North Carolina MARSHA BLACKBURN, Tennessee
JAMES R. LANGEVIN, Rhode Island GUS M. BILIRAKIS, Florida
HENRY CUELLAR, Texas DAVID DAVIS, Tennessee
CHRISTOPHER P. CARNEY, Pennsylvania
YVETTE D. CLARKE, New York
AL GREEN, Texas
ED PERLMUTTER, Colorado
VACANCY
Jessica Herrera-Flanigan, Staff Director & General Counsel
Todd Gee, Chief Counsel
Rosaline Cohen, Chief Counsel,
Michael Twinchek, Chief Clerk
Robert O'Connor, Minority Staff Director
______
SUBCOMMITTEE ON INTELLIGENCE, INFORMATION SHARING, AND TERRORISM RISK
ASSESSMENT
JANE HARMAN, California, Chair
NORMAN D. DICKS, Washington DAVID G. REICHERT, Washington
JAMES R. LANGEVIN, Rhode Island CHRISTOPHER SHAYS, Connecticut
CHRISTOPHER P. CARNEY, Pennsylvania CHARLES W. DENT, Pennsylvania
ED PERLMUTTER, Colorado PETER T. KING, New York (Ex
BENNIE G. THOMPSON, Mississippi (Ex Officio)
Officio)
Thomas M. Finan, Director and Counsel
Brandon Declet, Counsel
Natalie Nixon, Deputy Chief Clerk
Deron McElroy, Minority Senior Professional Staff Member
(II)
C O N T E N T S
----------
Page
Statements
The Honorable Jane Harman, a Representative in Congress from the
State of California, and Chairman, Subcommittee on
Intelligence, Information Sharing, and Terrorism Risk
Assessment..................................................... 1
The Honorable David G. Reichert, a Representative in Congress
from the State of Washington, and Ranking Member, Subcommittee
on Intelligence, Information Sharing, and Terrorism Risk
Assessment..................................................... 3
The Honorable Bennie G. Thompson, a Representative in Congress
from the State of Mississippi, and Chairman, Committee on
Homeland Security.............................................. 4
The Honorable Charles W. Dent, a Representative in Congress from
the State of Pennsylvania...................................... 22
The Honorable Christopher P. Carney, a Representative in Congress
from the State of Pennsylvania................................. 84
The Honorable James R. Langevin, a Representative in Congress
from the State of Rhode Island................................. 21
Witnesses
Thursday, March 22, 2007, Part I
Panel I
Mr. Scott Armstrong, Founder, Information Trust.................. 9
Ms. Meredith Fuchs, General Counsel, The National Security
Archive, George Washington University:
Oral Statement................................................. 11
Prepared Statement............................................. 14
Mr. J. William Leonard, Director, Information Security Oversight
Office, National Archives and Records Administration:
Oral Statement................................................. 5
Prepared Statement............................................. 7
Panel II
Mr. Michael P. Downing, Assistant Commanding Officer, Counter-
Terrorism/Criminal Intelligence Bureau, Los Angeles Police
Department:
Oral Statement................................................. 29
Prepared Statement............................................. 31
Chief Cathy L. Lanier, Metropolitan Police Department,
Washington, DC:
Oral Statement................................................. 24
Prepared Statement............................................. 26
Thursday, April 26, 2007, Part II
Panel I
Ambassador Thomas E. McNamara, Program Manager, Information
Sharing Environment, Office of the Director of National
Intelligence:
Oral Statement................................................. 46
Prepared Statement............................................. 48
Dr. Carter Morris, Director, Informational Sharing and Knowledge
Management, Office of Intelligence and Analysis, U.S.
Department of Homeland Security:
Oral Statement................................................. 52
Prepared Statement............................................. 54
Mr. Wayne M. Murphy, Assistant Director, Directorate of
Intelligence, Federal Bureau of Investigation:
Oral Statement................................................. 57
Prepared Statement............................................. 59
Panel II
Mr. Mark Zadra, Assistant Commissioner, Florida Department of Law
Enforcement:
Oral Statement................................................. 66
Prepared Statement............................................. 68
Thursday, June 28, 2007, Part III
Mr. Mark Agrast, Senior Fellow, Center for American Progress:
Oral Statement................................................. 94
Prepared Statement............................................. 95
Mr. Scott Armstrong, Founder, Information Trust:
Oral Statement................................................. 84
Prepared Statement............................................. 86
Mr. J. William Leonard, Director, Information Security Oversight
Office, National Archives and Record Administration............ 83
Ms. Suzanne E. Spaulding, Principal, Bingham Consulting Group
LLC:
Oral Statement................................................. 90
Prepared Statement............................................. 92
For the Record
March 22, 2009, Part I
Prepared Statements:
Hon. Jane Harman............................................... 111
Hon. Bennie G. Thompson........................................ 113
April 26, 2009, Part II
Prepared Statement:
Colonel Bart R. Johnson, New York State Police................. 40
THE IMPACT ON INFORMATION SHARING
PART I
----------
Thursday, March 22, 2007
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Intelligence, Information Sharing, and
Terrorism Risk Assessment,
Washington, DC.
The subcommittee met, pursuant to call, at 10:09 a.m., in
Room 311, Cannon House Office Building, Hon. Jane Harman
[chairwoman of the subcommittee] presiding.
Present: Representatives Harman, Langevin, Thompson,
Reichert, and Dent.
Ms. Harman. [Presiding.] The subcommittee will come to
order.
The chair apologizes for a late start. Even though my party
is in the majority, I don't run the schedule here, and there
was a conflicting hearing on emergency interoperability, and I
was asking questions of witnesses. And that subject, obviously,
is directly relevant to some of the tasks of this subcommittee,
so I hope you will forgive me.
A recurrent theme throughout the 9/11 Commission's report
was the need to prevent widespread over-classification by the
federal government. The commission found that over-
classification interferes with sharing critical information and
impedes efficient responses to threats.
The numbers tell us we are still not heeding the
commission's warning. Eight million new classification actions
in 2001 jumped to 14 million new actions in 2005, while the
quantity of declassified pages dropped from 100 million in 2001
to 29 million in 2005. In fact, some agencies were recently
discovered to be withdrawing archived records from public
access and reclassifying them.
Expense is also a problem. $4.5 billion spent on
classification in 2001 increased to $7.1 billion in 2004, while
declassification costs fell from $232 million in 2001 to $48.3
million in 2004.
In addition, an increasing number of policies to protect
sensitive but unclassified from a range of federal agencies and
departments has begun to have a dramatic impact. At the federal
level, over 28 distinct policies for the protection of this
information exists--28 distinct policies. That is almost as
many policies as we have watch lists--that was intended to be
humorous.
Unlike classified records, moreover, there is no monitoring
of, or reporting on, the use or impact of protective,
sensitive, unclassified information markings. The proliferation
of these pseudo-classifications is interfering with the
interagency information sharing, increasing the cost of
information security and limiting public access.
Case in point, this document from the Department of
Homeland Security. This document, which I cannot release to you
or the press, is called, ``Special Assessment: Radicalization
in the State of California,'' a survey, and it is dated the
22nd of November, 2006.
In a few weeks, I will be leading a field hearing to
Torrance, California to examine the issues of domestic
radicalization and homegrown terrorism, but this DHS document,
a survey, as I mentioned, is marked, ``unclassified, for
official use only.''
On page one, in a footnote, the survey states that it
cannot be released ``to the public, the media or other
personnel who do not have a valid need to know without prior
approval of an authorized DHS official.''
Our staff requested and was denied an approval. Staff also
asked for a redacted version of the document so we could use at
least some of its contents at the coming California hearing.
DHS was unable to provide one.
Let me be clear, and I say this as someone who served for 8
years on the House Intelligence Committee, I am not denying
that there may be sensitive information included in this survey
and in lots of products prepared by our government, but it
illustrates my point.
What good is unclassified information about threats to the
homeland if we can't even discuss them at a public hearing
where the public is supposed to understand what some of those
threats may be? How can we expect DHS and others to engage the
public on important issues like domestic radicalization if we
hide the ball?
Unfortunately, this is nothing new. In 1997, the Moynihan
Commission stated that the proliferation of these new
designations are often mistaken for a fourth classification
level, causing unclassified information with these markings to
be treated like classified information.
These continuing trends are an obstacle to information
sharing across the federal government and vertically with
state, local and tribal partners, including most especially
with our partners in the law enforcement community.
And in our second panel, we are going to hear from some of
those partners, including Chief Lanier, and I want to welcome
her today and congratulate her again on being one of the
youngest ever police chiefs in the nation and a very well-
qualified person to hold this position.
Until we have a robust intelligence and information-sharing
system in place in this country with a clear and understandable
system of classification, we run the risk of not being able to
prevent a terrorist attack on the scale of 9/11 or greater, and
I would even add on the scale of 9/11 or smaller. We are
hurting ourselves by the way we unnecessarily protect
information.
This is why this subcommittee will focus some of its
efforts in the 110th Congress on improving information sharing
with our first preventers, the men and women of state, local
and tribal law enforcement who are the eyes and ears on our
frontlines. We will do this work in the right way, partnering
with our friends in the privacy and civil liberties community
who want to protect America while serving our cherished rights.
I would like to extend a warm welcome to our witnesses who
will be talking about these issues, first, some organizations,
and then, two, on the frontlines in our law enforcement
organizations.
On our first panel, we have assembled an array of experts
who will be testifying about the extent of these problems and
where are things are trending, and, as I mentioned, our second
panel will give us some real-life experiences where
classification--and I don't want to put words in their mouths,
but I have read their testimony--is an obstacle rather than
some form of benefit to them in their role to prevent, disrupt
and protect the American public.
In addition, I hope witnesses will provide some
constructive suggestions about how we might solve this problem,
with the goal of ensuring the flow of information, the
unfettered flow of necessary information between the federal
government and state, local and tribal governments.
Welcome to all.
I now yield to the ranking member for opening remarks.
Mr. Reichert. Thank you, Madam Chair, and thank you for
organizing this hearing. It is a pleasure to be here this
morning.
And thank all of you for being here in time from your busy
schedule to come and testify before us.
We are all here this morning to discuss one of the
subcommittee's major priorities, this over-classification and
pseudo-classification. Over-classification, as most of you
know, refers to decisions by the federal government to
routinely restrict access to information using the designation,
``confidential,'' ``secret'' or ``top-secret.''
Pseudo-classification is a similar practice applied to
sensitive but unclassified information. This practice involves
federal, state or local entities adding restrictions based on
internal policies. The GAO has found that there are at least 56
different sensitive but unclassified designations at the
federal level--56.
Common examples include, ``for official use only,''
``sensitive but unclassified,'' ``sensitive security
information,'' and ``law enforcement sensitive.'' Some of these
designations make sense; some don't. Some, there is a real need
to protect classified and sensitive information from
disclosure.
In a world where virtually piece of unclassified
information is available on the Internet, we need to ensure
that what needs to be protected remains protected. The lives of
our federal, state and local agents in the field often depend
on it.
But as a classic military strategist once said, ``If you
try to protect everything, you wind up protecting nothing.''
The more secrets you keep, the harder they are to keep. I can't
tell you how many times I have emerged from a secret briefing
only to find out that everything that I have just learned has
already been in the newspaper.
As a former sheriff, I have vivid memories of the federal
government telling me that I could not access information that
I needed to do my job because it was classified or otherwise
restricted. And I have also watched as the federal government
has taken sensitive information from the state and local law
enforcement and treated it without regard for its sensitivity.
I am just going to share a real brief story with you. Years
ago, when we arrested our suspect in the Green River murder
case, a serial murder case nationally known, internationally
known as one of the worst serial murder cases in the world of
50 victims, the FBI was a part of that team. They produced
paperwork connected and associated with that case.
Once the person was arrested and charged, of course, there
was a request by the defense attorney for information. The FBI
would not release the information to substantiate and help our
case because they said it was classified.
The fear there was this: Of course, they had information
that we would have lost our case. Eventually, they came
forward, presented the information for discovery; however, the
fear was that because of the state laws that existed in the
state of Washington, everything they disclosed then would be
subject to public disclosure laws. So anything they released to
us, the sheriff's office is required by state law to give that
to the news media. So that was their concern.
We have a lot of issues here to discuss today. I am not
going to finish the rest of my statement. We are just happy to
have you here, and you know that we understand the problem, and
we are looking to help you find solutions.
Thank you.
Ms. Harman. I thank the ranking member and note that his
experience as a sheriff is extremely useful to this
subcommittee as we pursue issues like this.
The chair now recognizes the chairman of the full
committee, the gentleman from Mississippi, Mr. Thompson, for an
opening statement.
Mr. Thompson. Thank you, Madam Chair. I join you in
welcoming our distinguished witnesses today to this important
hearing on the problem of over-and pseudo-classification of
intelligence.
Information sharing between the federal government and its
state, local and tribal partners is critical to making America
safer, but we won't get there if all we have is more and more
classification and more and more security clearances for people
who need access to that classified information.
The focus should be different. The federal government
instead must do all it can to produce intelligence products
that are unclassified. Unclassified intelligence information is
what our nation's police officers, first responders and private
sector partners need most. They have told me time and time
again that what they don't need is information about
intelligence sources and methods.
And I think all of us have been in enough briefings that
were somehow classified at varying levels only to see it on the
evening news and be shocked that, well, why would you keep it
from members of Congress when all we have to do is delay the
briefing 6 hours and we can see it? That occurred last week.
I am sure Mr. Langevin understands very well. We had a
briefing that we were told that was top-secret, took the
BlackBerrys, took the cell phones, and, lo and behold, it was
on the 5 p.m. news.
So to some degree, the over-classification is a problem.
If we are going to successfully address terrorism, then we
have to share the information in real time and trust our
partners to some degree. If we can't trust law enforcement, if
we can't trust first responders, who can we trust?
So I think it is a hearing that is pertinent to the
challenge that we face. I look forward to the testimony of the
witnesses, and, obviously, this is one of many, Madam Chair. I
am sure we will be participating in over this session.
I yield back.
Ms. Harman. I thank the chairman and would point out that
other members of the subcommittee can submit opening statements
for the record, under our rules.
I now welcome our first panel of witnesses.
Our first witness, Mr. Bill Leonard, is the director of the
Information Security Oversight Office at the National Archives.
Mr. Leonard's office has policy oversight of the entire federal
government-wide security classification system--that is a
mouthful--and he reports directly to the president.
His office receives his policy and program guidance from
the national Security Council. More than 60 executive branch
agencies create or handle classified national security
information, and Mr. Leonard's work in this capacity impacts
all of them.
Welcome, Mr. Leonard.
Our second witness is my Washington, D.C., neighbor and
good friend, Scott Armstrong. Mr. Armstrong is the executive
director of Information Trust, a nonprofit group that works
toward opening access to government information.
He has been inducted into the FOIA Hall of Fame--
congratulations--and was awarded the James Madison Award by the
American Library Association in 1992. Mr. Armstrong has been a
Washington Post reporter and is the founder of the National
Security Archive at George Washington University.
Our third witness, Meredith Fuchs, serves as the general
counsel to the nongovernmental National Security Archives. At
the Archives, she overseas Freedom of Information Act, called
FOIA, and anti-secrecy litigation and frequently lectures on
access to government information.
She has supervised five government-wide audits of federal
agency FOIA performance and one focused on the proliferation of
sensitive but unclassified information labels.
Without objection, the witnesses' full statements will be
inserted in the record, and I would hope you could summarize in
5 minutes or less--we have a little timer for your benefit--
your written testimony, and then hopefully we can have a lively
exchange of views.
Let's start with Mr. Leonard.
STATEMENT OF J. WILLIAM LEONARD, DIRECTOR, INFORMATION SECURITY
OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION
Mr. Leonard. Chairwoman Harman, Mr. Reichert, Chairman
Thompson and members of the subcommittee, I wish to thank you
for holding this hearing this morning on issues relating to the
very real challenge of over-classification.
The classification system and its ability to restrict the
dissemination of information, the unauthorized disclosure of
which would result in harm to our nation and its citizens.
represents a fundamental tool at the government's disposal to
provide for the common defense.
As with any tool, the classification system is subject to
misuse and misapplication. When information is improperly
declassified or not classified in the first place, although
clearly warranted, our citizens, our democratic institutions,
our homeland security and our interactions with foreign nations
can be subject to potential harm.
Conversely, too much classification or the failure to
declassify information as soon as it no longer satisfies the
standards for continued classification unnecessarily obstructs
effective information sharing and impedes an informed
citizenry, the hallmark of our democratic form of government.
In the final analysis, inappropriate classification
activity of any nature undermines the integrity of the entire
process and diminishes the effectiveness of this critical
national security tool.
In this time of constant and unique challenges to our
national security, it is the duty of all of us engaged in
public service to do everything possible to enhance the
effectiveness of this tool. To be effective, the classification
process is a tool that must be wielded with precision. Few, if
any, both within and outside of government, would deny that too
much of the information produced by our agencies is classified.
In an audit of agency classification activity conducted by
my office approximately one year ago, we discovered that even
trained classifiers, with ready access to the latest
classification and declassification guides, and trained in
their use, got it clearly right only 64 percent of the time in
making determinations as to the appropriateness of
classification. This is emblematic of the daily challenges
confronting agencies when ensuring that the 3 million plus
cleared individuals with at least a theoretical ability to
derivatively classify information get it right each and every
time.
In response to the findings of this audit, last year I
wrote to all agency heads and made a number of recommendations
for their consideration. Collectively, these recommendations
help preserve the integrity of the classification system while
at the same time reduce inefficiencies and cost. I have
included a list of these recommendations in my prepared formal
testimony.
Recognizing that a focus of this hearing includes policies
and procedures for handling sensitive, unclassified
information, it is important to articulate recent initiatives
by the president to ensure the robust and effective sharing of
terrorism information vital to protecting Americans and the
homeland from terrorist attacks.
To that end, the president has mandated the standardization
of procedures for designated marking and handling sensitive but
unclassified information across the federal government. Once
implemented, our nation's defenders will be able to share
controlled, unclassified information more rapidly and
confidently.
The existence of such an option should significantly reduce
the incentive to over-classify information. That happens now,
in part, due to the absence of a dependable regime for the
proper protection of sensitive information which should not be
classified.
Again, thank you for inviting me here this morning, Madame
Chair, and I would be happy to answer your questions or those
that the subcommittee might have.
[The statement of Mr. Leonard follows:]
Prepared Statement of J. William, Leonard
March 22, 2007
Chairwoman Harman, Mr. Reichert, and members of the subcommittee, I
wish to thank you for holding this hearing on issues relating to the
very real challenge of overclassification of information within the
Federal Government as well as for inviting me to testify today.
By section 5.2 of Executive Order 12958, as amended, ``Classified
National Security Information'' (the Order), the President established
the organization I direct, the Information Security Oversight Office,
often called ``ISOO.'' We are within the National Archives and Records
Administration and by law and Executive order (44 U.S.C. 2102 and sec.
5.2(b) of E.O. 12958) are directed by the Archivist of the United
States, who appoints the Director of ISOO, subject to the approval of
the President. We also receive policy guidance from the Assistant to
the President for National Security Affairs. Under the Order and
applicable Presidential guidance, ISOO has substantial responsibilities
with respect to the classification, safeguarding, and declassification
of information by agencies within the executive branch. Included is the
responsibility to develop and promulgate directives implementing the
Order. We have done this through ISOO Directive No. 1 (32 CFR Part
2001) (the Directive).
The classification system and its ability to restrict the
dissemination of information the unauthorized disclosure of which would
result in harm to our nation and its citizens represents a fundamental
tool at the Government's disposal to provide for the ``common
defense.'' The ability to surprise and deceive the enemy can spell the
difference between success and failure on the battlefield. Similarly,
it is nearly impossible for our intelligence services to recruit human
sources who often risk their lives aiding our country or to obtain
assistance from other countries' intelligence services, unless such
sources can be assured complete and total confidentiality. Likewise,
certain intelligence methods can work only if the adversary is unaware
of their existence. Finally, the successful discourse between nations
often depends upon confidentiality and plausible deniability as the
only way to balance competing and divergent national interests.
As with any tool, the classification system is subject to misuse
and misapplication. When information is improperly declassified, or is
not classified in the first place although clearly warranted, our
citizens, our democratic institutions, our homeland security, and our
interactions with foreign nations can be subject to potential harm.
Conversely, too much classification, the failure to declassify
information as soon as it no longer satisfies the standards for
continued classification, or inappropriate reclassification,
unnecessarily obstructs effective information sharing and impedes an
informed citizenry, the hallmark of our democratic form of government.
In the final analysis, inappropriate classification activity of any
nature undermines the integrity of the entire process and diminishes
the effectiveness of this critical national security tool.
Consequently, inappropriate classification or declassification puts
today's most sensitive secrets at needless increased risk.
The challenge of overclassification is not new. Over 50 years ago,
Congress established the Commission on Government Security (known as
the ``Wright Commission''). Among its conclusions, which were put forth
in 1955, at the height of the Cold War, was the observation that
overclassification of information in and of itself represented a danger
to national security. This observation was echoed in just about every
serious review of the classification systems since to include: the
Commission to review DoD Security Policies and Practices (known as the
``Stillwell Commission'') created in 1985 in the wake of the Walker
espionage case; the Joint Security Commission established during the
aftermath of the Ames espionage affair; and the Commission on
Protecting and Reducing Government Secrecy (otherwise known as the
``Moynihan Commission''), which was similarly established by Congress
and which issued its report in 1997.
More recently, the National Commission on Terrorist Attacks on the
United States (the ``9-11 Commission''), and the Commission on the
Intelligence Capabilities of the United States Regarding Weapons of
Mass Destruction (the ``WMD Commission'') likewise identified
overclassification of information as a serious challenge
It is Executive Order 12958, as amended, that sets forth the basic
framework and legal authority by which executive branch agencies may
classify national security information. Pursuant to his constitutional
authority, and through the Order, the President has authorized a
limited number of officials to apply classification to certain national
security related information. In delegating classification authority
the President has established clear parameters for its use and certain
burdens that must be satisfied.
Specifically, every act of classifying information must be
traceable back to its origin as an explicit decision by a responsible
official who has been expressly delegated original classification
authority. In addition, the original classification authority must be
able to identify or describe the damage to national security that could
reasonably be expected if the information was subject to unauthorized
disclosure. Furthermore, the information must be owned by, produced by
or for, or under the control of the U. S. Government; and finally, it
must fall into one or more of the categories of information
specifically provided for in the Order.\1\
---------------------------------------------------------------------------
\1\ Pursuant to Sec. 1.4 of the Order, information shall not be
considered for classification unless it concerns: (a) military plans,
weapons systems, or operations; (b) foreign government information; (c)
intelligence activities (including special activities), intelligence
sources or methods, or cryptology; (d) foreign relations or foreign
activities of the United States, including confidential sources; (e)
scientific, technological, or economic matters relating to the national
security, which includes defense against transnational terrorism; (f)
United States Government programs for safeguarding nuclear materials or
facilities; (g) vulnerabilities or capabilities of systems,
installations, infrastructures, projects, plans, or protection services
relating to the national security, which includes defense against
transnational terrorism; or (h) weapons of mass destruction.
---------------------------------------------------------------------------
The President has also spelled out in the Order some very clear
prohibitions and limitations with respect to the use of classification.
Specifically, for example, in no case can information be classified in
order to conceal violations of law, inefficiency, or administrative
error, to restrain competition, to prevent embarrassment to a person,
organization, or agency, or to prevent or delay the release of
information that does not require protection in the interest of
national security.
It is the responsibility of officials delegated original
classification authority to establish at the time of their original
decision the level of classification (Top Secret, Secret, and
Confidential), as well as the duration of classification, which
normally will not exceed ten years but in all cases cannot exceed 25
years unless an agency has received specific authorization to extend
the period of classification.
As I stated earlier, the ability and authority to classify national
security information is a critical tool at the disposal of the
Government and its leaders to protect our nation and its citizens. In
this time of constant and unique challenges to our national security,
it is the duty of all of us engaged in public service to do everything
possible to enhance the effectiveness of this tool. To be effective,
the classification process is a tool that must be wielded with
precision. Few, if any, both within and outside Government, would deny
that too much of the information produced by our agencies is
classified. In an audit of agency classification activity conducted by
my office approximately one year ago, we discovered that even trained
classifiers, with ready access to the latest classification and
declassification guides, and trained in their use, got it clearly right
only 64 percent of the time in making determinations as to the
appropriateness of classification. This is emblematic of the daily
challenges confronting agencies when ensuring that the 3 million plus
cleared individuals with at least theoretical ability to derivatively
classify information get it right each and every time.
In response to the findings of this audit, last year I wrote to all
agency heads and made a number of recommendations for their
consideration. Collectively, these recommendations help preserve the
integrity of the classification system while at the same time reduce
inefficiencies and cost. They included:
Emphasizing to all authorized holders of classified
information the affirmative responsibility they have under the
Order to challenge the classification status of information
that they believe is improperly classified (Sec. 1.8(a) of the
Order).
Requiring the review of agency procedures to ensure
that they facilitate classification challenges (Sec. 1.8(b) of
the Order). In this regard, agencies were encouraged to
consider the appointment of impartial officials whose sole
purpose is to seek out inappropriate instances of
classification and to encourage others to adhere to their
individual responsibility to challenge classification, as
appropriate.
Ensuring that quality classification guides of
adequate specificity and clarity are prepared and updated to
further accurate and consistent derivative classification
decisions (Sec. 2.2 of the Order).
Ensuring the routine sampling of recently classified
information to determine the propriety of classification and
the application of proper and full markings (Sec. 5.4(d)(4) of
the Order). Consideration should be given to reporting the
results of these reviews to agency personnel as well as to the
officials designated above who would be responsible to track
trends and assess the overall effectiveness of the agency's
efforts and make adjustments, as appropriate.
Ensuring that information is declassified as soon as
it no longer meets the standards for classification (?3.1(a) of
the Order).
Ensuring that prior to exercising the national
security exemption as set forth in 5 U.S.C. 552b(1) when
responding to FOIA requests, that agency personnel verify that
the information involved clearly meets the standards for
continued classification irrespective of the markings, to
include declassification instructions, contained on the
document.
Recognizing that a focus of this hearing includes policies and
procedures for handling sensitive unclassified information, it is
important to articulate recent initiatives by the President to ensure
the robust and effective sharing of terrorism information vital to
protecting Americans and the Homeland from terrorist attacks. To that
end, the President has promulgated a set of guidelines and requirements
that represent a significant step in the establishment of the
Information Sharing Environment (ISE) called for by section 1016 of the
Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA).
Specifically, to promote and enhance the effective and efficient
acquisition, access, retention, production, use, management, and
sharing of Sensitive But Unclassified (SBU) information, including
homeland security information, law enforcement information, and
terrorism information, the President has mandated the standardization
of procedures for designating, marking, and handling SBU information
across the Federal Government. A clear mandate for achieving this goal
has been laid out for the entire Executive branch and significant
progress is underway to develop for the President's consideration
standardized procedures for handling controlled unclassified
information. Once implemented, our nation's defenders will be able to
share controlled unclassified information more rapidly and confidently.
The existence of such an option should significantly reduce the
incentive to overclassify information. This happens now, in part, due
to the absence of a dependable regime for the proper protection of
sensitive information which should not be classified.
Again, I thank you for inviting me here today, Madame Chairwoman,
and I would be happy to answer any questions that you or the
subcommittee might have at this time.
Ms. Harman. I thank the witness.
Now, we will hear from Mr. Armstrong.
STATEMENT OF SCOTT ARMSTRONG, FOUNDER, INFORMATION TRUST
Mr. Armstrong. Thank you, Madam Chair. Thank you. I am
pleased to be able to discuss these issues with this
subcommittee, given the membership of the subcommittee and the
full committee include many of the people that have provided
the leadership, or attempted to provide the leadership, to dig
into these difficult questions on this committee and other
committees of the Congress.
I am here on my own, of course, but I also would like to
note that I participate in a dialogue, which is presently
sponsored by the Aspen Institute, between the senior
journalists, editors, publishers and high-level U.S. government
officials from various national security intelligence agencies.
The purpose of the dialogue has been to address recurring
concerns about the handling of classified information, the fact
that sensitive information can find its way into the major
media and could potential cause damage.
The discussions have included the attorney general, the
director of Central Intelligence, the deputy director of
National Intelligence, ranking members from the National
Security Council, the Department of Defense, the National
Security Agency, the FBI, the CIA, the Department of Homeland
Security and the Department of Justice.
The dialogue is continuing with a variety of initiatives
that I hope will further involve members of this committee and
your colleagues and members of your staff, and we will be in
consultation with you on that issue.
I would like to note three major areas today out of my
testimony. Twenty-two years ago, in 1985, when I left the
Washington Post, to found the National Security Archive, I went
to the man who was then considered the maven of secrecy in the
Reagan administration, General Richard Stillwell, and I
developed an interesting and productive dialogue with General
Stillwell who was chairing a commission to examine systemic
vulnerabilities in the classification system.
At that time, the Reagan administration's concern was not
so much news media leaks but the fact that there were
significant leaks in the form of espionage. General Stillwell
not only quoted, and usually misquoted, a sentence in Supreme
Court Justice Potter Stewart's concurrence in the Pentagon
Papers case, ``When everything is classified, then nothing is
classified,'' but he finished that sentence, ``And the system
becomes one to be disregarded by the cynical or the careless
and to be manipulated by those intent on self-protection or
self-promotion.''
Like Justice Stewart, General Stillwell believed that the
hallmark of a truly effective internally security system would
be the maximum possible disclosure, recognizing that secrecy
can best be preserved only when credibility is maintained.
Regrettably, the system then pertained a systemic use of
special access programs and other compartmented intelligence
controls by those that have now been extended even on
classified information and created a labyrinth of security
measures, often unaccountable and sometimes wholly
unauthorized. That situation has not changed in the ensuing 20
years.
My experience has reinforced the notion that government
needs to spend less energy on calculating how to punish
unauthorized disclosures of politically sensitive information
to the news media and more on distinguishing the truly
sensitive information which must be protected. Once that
information is identified as properly warranting protection,
government officials and the news media have shown a
willingness to honor reasonable requirements.
The second issue is the question that this Congress
addressed--the House addressed in 2002 when it passed the
Homeland Security Information Sharing Act, which became part of
the Homeland Security Act of 2004. It mandated the creation of
a unique category of information, known as sensitive homeland
security information, which was sensibly designed to allow this
necessary sharing of information with state and local officials
while withholding it from the general public.
This designation has proven difficult for the executives to
implement, so difficult that in fact it went in a different
direction and the mandate instead became to disperse
information control authority across of broad range of
executive agencies. This resulted in a disjointed and
uncoordinated proliferation of sensitive but unclassified
designations to protect poorly defined categories of
information.
In one instance, the Department of Homeland Security
drafted a draconian nondisclosure agreement designed to apply
the restrictions on tens of thousands of federal employees and
hundreds of thousands, potentially, of state and local first
responders.
Although it was only enforced briefly, this NDA was more
severe than NDA's effect for sensitive, compartmented
information and for a variety of controls over the most
sensitive intelligence information the government has.
While it has been withdrawn, it is an indicator of the
extent to which there has been little progress.
Lastly, the National Intelligence Reform Act of 2004
provided another challenge which the administration found
wanting. Congress provided a broad, centralized power for the
new director of national intelligence and urged the new DNI to
create a tearline report system by which intelligence gathered
by an agency is prepared with the information relating to
intelligence sources and methods is easily severed but for the
report to protect such sources and methods from disclosure.
The prospect of such a tearline encouraged many observers
to believe the classification system could be improved by
concentrating on the guidelines for protecting well-defined
sources and methods. By making the refined decisions to protect
that which truly requires protection, more of the remaining
information would be available for sharing within the
intelligence community, as well as with state and local
officials charged with homeland security responsibilities. They
were naturally a benefit for the public and the press as this
information, other information, was decontrolled.
Ms. Harman. Mr. Armstrong, if you could summarize now, we
would appreciate it.
Mr. Armstrong. Increasingly, officials in certain
departments must greatly risk their security clearances and
potentially their careers and their family's financial security
in order to correct and guide public-to-public record.
It is my hope that rather than attempt to repair the
present system of over-classification to the public, that the
public, the news media, the Congress and the intelligence
community would benefit more from the specification of rigorous
and tight definitions of sources and methods in accord with the
tear-line processing of intelligence in order to maximize
information sharing while protecting the nation's secrets.
Ms. Harman. Thank you very much.
Ms. Fuchs?
STATEMENT OF MEREDITH FUCHS, GENERAL COUNSEL, THE NATIONAL
SECURITY ARCHIVE, GEORGE WASHINGTON UNIVERSITY
Ms. Fuchs. Thank you.
Chairman Harman, Ranking Member Reichert and members of the
subcommittee, thank you for having me appear today.
After the September 11th attacks on the United States,
there were many signs that official secrecy would increase.
Some of it was legitimate, out of concern about risks posed by
poorly safeguarded government information. In addition, in
March 2002, White House Chief of Staff Andrew Card issued a
directive to federal agencies, requesting a review of all
records and policies concerning the protection of sensitive but
unclassified information, also called SBU.
This memorandum spurred agencies to increase controls on
information.
Mr. Leonard and Ms. Harman have already talked about the
classification system and some of the statistics regarding
that. I am going to focus on the SBU system where while we
identified 28 different information labeling standards and GAO
identified 56, I have heard from the Office of the Program
Manager of the information-sharing environment that they have
identified at least 100 different so-called safeguarding
labels.
There is no way to determine how many records are labeled
with these safeguarding controls, because agencies do not track
their use of these labels.
When we issued our report a year ago, we identified a
number of problems posed by these policies. Since that time,
the Government Accountability Office and the program manager of
the Information Sharing Environment themselves have expressed
the same concerns. I am going to quickly list them, and my
written testimony gives some additional detail.
First, there is no monitoring of the use of safeguard
labels. At many agencies, there are no limits on who can put a
safeguard label on the information, and, indeed, at some
agencies, that means hundreds of thousands of people are able
to put these labels on. There is no time limit for how long the
label lasts. Few agencies provide any procedure for the labels
to be removed. Few agencies include restrictions that prohibit
the use of labels for improper purposes, including to conceal
embarrassing or illegal agency actions. Agencies have
conflicting policies on the intersection of these labels and
the Freedom of Information Act, but evidence certainly suggests
that these labels are used to increase withholding of
information.
These labels likely increase the cost of information
security, and there is no consistency among agencies about how
to use these labels. So it seems likely that they inhibit
information sharing.
Focusing just on the three major concerns that my
organization has, the absence of reporting mechanisms for
sensitive but uncontrolled markings makes any assessment of the
extent to which a policy is being used difficult, if not
impossible.
Because safeguarding sensitive unclassified information
impacts safety, security, budget and information disclosure,
all of which are important national concerns, there ought to be
some sort of overarching monitoring.
Second, in order to protect the important role that public
access has played in government accountability, it is important
that a system for challenging the use of these labels be
established.
Third, this unregulated use of safeguarding labels inhibits
information sharing. Because the systems are sprawling in their
scope and uncoordinated, they set up roadblocks for sharing.
Lack of trust in the system likely leads to more
classification, which also limits dissemination of the
information.
I would like to quickly touch on what progress has been
made within the government. Mr. Leonard referred to this in his
statement. As you know, Congress required the president to
implement and information-sharing environment with the
Intelligence Reform and Terrorist Prevention Act of 2004.
Pursuant to that, the Office of the Program Manager of the
Information Sharing Environment was established to assist in
the development of the environment.
A report and implementation plan for the information-
sharing environment was required within one year of enactment
of the law. President Bush issued a memorandum on December 16,
2005 that set up this office, and specifically directed
departments and agencies to standardized procedures for
handling SBU.
The resulting working group completed an inventory of
designations in March 2006, and there should have been a
recommendation for submission to the president by June 2006 on
standardization of SBU procedures. Well, it is now March 2007,
and, as far as I know, that hasn't happened.
Part of the problem may be that these legislative mandates
are imposed on an executive branch that does not want Congress
to interfere and is not as concerned as I would hope about
government accountability. And while I am reluctant to express
that sort of a sentiment, the lack of willingness by the
executive branch to respond is evidenced by the refusal of the
Office of the Director of National Intelligence to participate
in a March 2006 report by the Government Accountability Office
about this very matter.
In its report, GAO noted that the ODNI, the Office of the
Director of National Intelligence, declined to comment on the
draft, stating that review of intelligence activities is beyond
GAO's purview.
I know that we are running short of time. I am going to
just quickly raise three concerns about the process. I met,
along with several other people, with Ambassador McNamara, who
is now the program manager, and I was very impressed by him and
the work that they have done, and I think that they have done a
great analysis. However, there is nothing in the process that
suggests to me that we are quickly moving to standardization of
SBU labels.
While they have done an analysis, they were supposed to
have submitted a recommendation to the White House in January
2007. That may have occurred. If it did, it hasn't been made
public, and having public review of that is absolutely
critical.
Secondly, the program manager's effort is focused on
information related to homeland security, law enforcement and
terrorism, but this problem of SBU is far broader, and the
category of information that affects our security is even
broader than that.
Placement of the program manager at the Office of the
Director of National Intelligence possibly limits the
likelihood that a governmentwide solution will be considered.
And, finally, there just doesn't seem to be a schedule in
place. They have collected and analyzed scores of information
control policies, they have many ideas about how to fix the
problem, but they have been perpetually behind schedule.
I am hopeful my testimony today has been helpful, and I am
happy to take any questions.
Thank you.
[The statement of Ms. Fuchs follows:]
Prepared Statement of Meredith Fuchs
March 22, 2007
Chairwoman Harman, Ranking Member Reichert and Members of the
Subcommittee on Intelligence, Information Sharing, and Terrorism Risk
Assessment, I am honored to appear before you today to talk about the
growing problem of government secrecy and the danger it poses to our
security.
I am testifying on behalf of the National Security Archive (the
``Archive''), a non-profit research institute and leading user of the
Freedom of Information Act (FOIA). We publish a wide range of document
sets, books, articles, and electronic briefing books, all of which are
based on records obtained under the FOIA. In 1999, we won the
prestigious George Polk journalism award for ``piercing self-serving
veils of government secrecy'' and, in 2005, an Emmy award for
outstanding news research.
In my five years at the Archive, I have overseen five audits of
federal agency FOIA processing. Most relevant to this hearing is the
report we issued in March 2006 entitled: ``Pseudo-Secrets: A Freedom of
Information Audit of the U.S. Government's Policies on Sensitive
Unclassified Information.''
After the September 11, 2001, attacks on the United States, there
were many signs that official secrecy would increase. The attacks
themselves led to a wave of legitimate concern about the risks posed by
poorly safeguarded government information. Additionally, in March 2002
White House Chief of Staff Andrew H. Card issued a directive to federal
agencies requesting a review of all records and policies concerning the
protection of ``sensitive but unclassified'' information. This
memorandum spurred agencies to increase controls on information.
Further, during times of war or national crisis, the government's
tendency to keep secrets always becomes more pronounced and pervasive.
Thus, the U.S. entry into hostilities in Afghanistan and Iraq as part
of the Global War on Terrorism necessarily led to an increase in the
creation of secrets.
The available statistics show that since the September 11 attacks
on the United States, there has been a dramatic upsurge in government
secrecy. Classification has multiplied, reaching 14.2 million
classification decisions in 2005, nearly double the number in 2001.
Officials throughout the military and intelligence sectors have
admitted that much of this classification activity is unnecessary.
Former Secretary of Defense Donald Rumsfeld acknowledged the problem in
a 2005 Wall Street Journal op-ed: ``I have long believed that too much
material is classified across the federal government as a general rule.
. . .'' \1\ The extent of over-classification is significant. Under
repeated questioning from members of Congress at a hearing concerning
over-classification, Deputy Secretary of Defense for
Counterintelligence and Security Carol A. Haave eventually conceded
that approximately 50 percent of classification decisions are over-
classifications.\2\ These opinions echoed that of then-Chair of the
House Permanent Select Committee on Intelligence Porter Goss, who told
the 9/11 Commission, ``we overclassify very badly. There's a lot of
gratuitous classification going on, and there are a variety of reasons
for them.'' \3\
---------------------------------------------------------------------------
\1\ Donald Rumsfeld, War of the Worlds, Wall St. J., July 18, 2005,
at A12.
\2\ Subcommittee on National Security, Emerging Threats and
International Relations of the House Committee on Gov't Reform Hearing,
108th Cong. (2004) (testimony of Carol A. Haave), http://www.fas.org/
sgp/congress/2004/082404transcript.pdf; See id., (Testimony of J.
William Leonard, Director of ISOO) (``It is my view that the government
classifies too much information.'').
\3\ 9/11 Commission Hearing, (Testimony of then Chair of the House
Permanent Select Committee on Intelligence Porter Goss) (2003), http://
www.9-11commission.gov/archive/hearing2/9-11Commission_Hearing_2003-05-
22.htmpanel_two.
---------------------------------------------------------------------------
Alongside traditional classification are a plethora of new non-
statutory labels that are being applied to protect information that is
deemed sensitive but unclassified. Some estimates count over 100
different so-called ``safeguarding'' labels for records. There is no
way to determine how many records are labeled with safeguarding
controls, however, because agencies do not track their use of these
labels.
At the same time that the indicators all started to point to
increasing secrecy, the numerous investigations into the September 11
attacks on the United States each concluded that excessive secrecy
interfered with the detection and prevention of the attacks.\4\ Other
reports, including one by the Government Accountability Office and one
by the successor body to the 9/11 Commission, have decried the delay in
establishing a workable information sharing environment.\5\
---------------------------------------------------------------------------
\4\ As the staff director of the Congressional Joint Inquiry on 9/
11 found, ``[t]he record suggests that, prior to September 11th, the
U.S. intelligence and law enforcement communities were fighting a war
against terrorism largely without the benefit of what some would call
their most potent weapon in that effort: an alert and informed American
public. One need look no further for proof of the latter point than the
heroics of the passengers on Flight 93 or the quick action of the
flight attendant who identified shoe bomber Richard Reid.'' Similarly,
the entire 9/11 Commission report includes only one finding that the
attacks might have been prevented: ``publicity about Moussaoui's arrest
and a possible hijacking threat might have derailed the plot.'' Final
Report of the National Commission on Terrorist Attacks Upon the United
States, at 276 (emphasis added).
\5\ In January 2005, the Government Accountability Office (GAO)
added ``Establishing Appropriate and Effective Information-Sharing
Mechanisms to Improve Homeland Security'' to its High Risk List,
stating that they were ``designating information sharing for homeland
security as a government-wide high-risk area because this area, while
receiving increased attention, still faces significant challenges''
(GAO-05-207). On December 5, 2005, the 9/11 Public Discourse Project,
the successor body of the 9/11 Commission, issued its Final Report on
9/11 Commission Recommendations. Important areas on information
sharing, including ``incentives for information sharing'' and
``government-wide information sharing,'' received a D in the scheme of
letter grade assessments.
---------------------------------------------------------------------------
Against this background, the National Security Archive conducted an
extensive audit of the actual policies used by agencies to
``safeguard'' information.\6\ We filed targeted FOIA requests that
identified information protection policies of 37 major agencies and
components. We obtained and reviewed 28 distinct policies for
protection of sensitive unclassified information, many of which allow
any employee in the agency to designate sensitive unclassified
information for protection, but few that provide any procedure for the
labels to be removed. Only a small number of policies included
restrictions that prohibit the use of the labels for improper purposes,
including to conceal embarrassing or illegal agency actions, or
inefficiency. Further, and perhaps most troubling from a security
perspective, was the remarkable lack of consistency among agencies as
to how to use these labels. Most of the policies were vague, open-
ended, or broadly applicable, thus raising concerns about information
sharing, the impact of such designations on access to information, free
speech, and citizen participation in governance. Given the wide
variation of practices and procedures as well as some of their
features, it is probable that these policies interfere with interagency
information sharing, increase the cost of information security, and
limit public access to vital information.
---------------------------------------------------------------------------
\6\ The complete audit report is available at http://www.gwu.edu/
nsarchiv/NSAEBB/NSAEBB183/press.htm.
---------------------------------------------------------------------------
Further, we concluded that there are almost no incentives to
control the use or misuse of these safeguarding labels. Unlike
classified records or ordinary agency records subject to FOIA, there is
no monitoring of or reporting on the use or impact of protective
sensitive unclassified information markings. In comparison, it is
useful to look to the formal classification system, which is governed
by Executive Order 12958, as amended, and is managed and monitored by
the Information Security Oversight Office (ISOO) at the National
Archives and Records Administration (NARA). ISOO publishes an annual
report to the President in which it quantifies the number of
classification and declassification decisions, the number of
individuals with authority to classify material, and the type of
information that is being classified. Such reports enable the Executive
Branch and Congress to monitor the costs and benefits of the
classification system and to identify trends that may suggest the need
to reform the system.
The absence of reporting mechanisms for sensitive but unclassified
control markings makes any assessment of the extent to which a policy
is being used difficult, if not impossible. Because safeguarding
sensitive unclassified information impacts safety, security, budget and
information disclosure--all important national concerns--some form of
overarching monitoring of all information control would be valuable.
Nor is there a procedure for the public to challenge protective
markings. For classified information, the security classification
system provides precise limits on the extent and duration of
classification as well as a system for declassification, including
public requests for declassification. For non-security sensitive
information, the FOIA provides a relatively clear and user-friendly
process for the public to seek access to information held by the
government. Sensitive unclassified information, however, falls into a
black hole. Based on anecdotal information, we believe that information
previously available under FOIA or on unrestricted Web sites may no
longer be available to the public. Yet, there is virtually no
opportunity for the public or other government personnel to challenge a
decision to mark a document for protection as SBU, FOUO, or SSI.
Accordingly, in order to protect the important role that public access
has played in government accountability, it is important that a system
for challenging the use of sensitive unclassified information markings
be established at each agency or, alternatively, that FOIA procedures
be adjusted to counteract the chilling effect these markings may have
on disclosure under FOIA.
Congress began to respond to these problems from the outset. Both
the Homeland Security Act of 2002 and the Intelligence Reform and
Terrorism Prevention Act of 2004 (IRTPA) directed the development of
policies for sharing classified and sensitive but unclassified
information. IRTPA requires the rapid implementation of an information
sharing environment (ISE) to facilitate the government-wide sharing of
information about terrorist threats. As the subcommittee is aware, the
office of the Program Manager of the ISE was established pursuant to
IRPTA to assist, in consultation the Information Sharing Council (ISC),
in the development of the ISE. A report and implementation plan for the
ISE was required within one year of enactment of IRTPA. President Bush
issued a Memorandum on December 16, 2005, directing federal departments
and agencies to standardize procedures for handling SBU information.
The President's December 2005 Memorandum setting up the office of
the Program Manager contained specific direction related to the
standardization of Sensitive But Unclassified (SBU) information.
Specifically, Guideline 3 required each department and agency to
inventory existing SBU procedures and their underlying authorities
across the Federal government, and to assess the effectiveness of these
procedures and provide this inventory and assessment to the Director of
National Intelligence (DNI) for transmission to the Secretary of
Homeland Security and the Attorney General. The working group completed
an initial inventory of SBU designations in March 2006. The original
schedule would have resulted in recommendations for submission to the
President regarding the standardization of SBU procedures by June 2006.
More than 5 years after the September 11 attacks, however, there still
is no government-wide plan to standardize information controls and
ensure government accountability.
Part of the problem may be that these legislative mandates are
being imposed on an executive branch that does not appreciate
Congressional interference and does not seem concerned about government
accountability. I am reluctant to express such strong sentiments, but
the lack of willingness by the Executive Branch to respond to
Congress's mandates is strongly evidenced by the refusal of the Office
of the Director of National Intelligence to participate in a March 2006
report by the Government Accountability Office about this very matter.
In its report, GAO noted that the ODNI ``declined to comment on [GAO's]
draft report, stating that review of intelligence activities is beyond
GAO's purview.''
Further, the responsibility for overseeing the development of a
comprehensive plan has been shifted from office to office; it was first
lodged at the Office of Management and Budget, then at the Department
of Homeland Security and now in the Office of the Director of National
Intelligence. Thus, despite the urgent need to better coordinate
information sharing, it has taken some time for the program to find a
home. Whether the ODNI is the proper home remains to be seen,
especially in light of that office's unwillingness to be subjected to
congressional scrutiny. Another delay was caused by the quick departure
of the first Program Manager for the Information Sharing Environment
(ISE) in January 2006. He was replaced by Ambassador Thomas McNamara.
I had the opportunity, along with several other open government
advocates, to meet with Ambassador McNamara on November 20, 2006.
Ambassador McNamara described for our group the challenges that the
office of the Program Manager is facing in rationalizing the system for
safeguarding records. They must obtain the cooperation of many
communities of interest, consider multiple users of information, and
consider the concerns of both governmental and non-governmental
entities. To date, they have only analyzed the problem. The November
16, 2006, Report of the Program Manager, Information Sharing
Environment, indicates that the interagency Information Sharing Council
(ISC) created to develop an implementation plan for the ISE, along with
standardizing procedures for sensitive but unclassified information,
has now created a Coordinating Committee which will submit
recommendations for SBU standardization through the White House policy
process. We were told that a recommendation would be transmitted to the
White House in January 2007, but I am not aware whether this has
happened or whether the recommendation will ever be made public.
For my own part, I was impressed with Ambassador McNamara's work to
date, but I was not left with any strong impression that a transparent,
government-wide information-sharing plan will emerge any time soon.
First, there are many steps in the process that do not yet appear to
have taken place. A recommendation has yet to be circulated for review
by interested parties. Any recommendations should be made available to
the public for comment. Even the general outline of a program, which
was previewed to me and others in November 2006, raised several
concerns about transparency, government accountability, and appropriate
procedures. Once a recommendation is accepted, then an implementation
plan will be necessary. It is possible that there will need to be
statutory or regulatory changes to facilitate implementation. There
certainly will be budgetary issues raised by any recommendation and
plan for standardization.
Second, the focus of the Program Manager's effort is solely on
information related to homeland security, law enforcement and
terrorism. The problem of sensitive unclassified information is far
broader, and even the category of information that affects our security
is likely more extensive than is covered by the Program Manager's
mandate. Placement of the Program Manager at the ODNI further limits
the likelihood that a government-wide solution will be considered or
emerge as an outgrowth of the process. Because of the placement within
the ODNI, the program manager is likely to face great challenges in
implementing an information sharing network that includes agencies
outside the intelligence community. Issues of information security,
information sharing, and public access to information should not be
addressed in a piecemeal manner. There are best practices in some
agencies that should be shared, as well as lessons to be learned about
the costs and benefits of secrecy and disclosure. If the problem of
information controls interfering with information sharing is ever to be
solved, it will require a government-wide commitment.
Third, there does not appear to be any schedule in place for moving
the process forward. The fact that the Program Manager has collected
and analyzed scores of information control policies is progress. That
analysis surely offers insight into what works and what does not. Now
the analysis must be translated into a plan with strict deadlines and
funding in order to make implementation a reality. Given that the
project has been perpetually behind schedule, there is cause for
concern about the development of an actionable plan and implementation.
Unnecessary secrecy has been on the rise since September 11, with
the result of threatening our safety and national security while
impeding the process of democracy and the effective functioning of
government. There is no time for turf wars or bureaucratic inertia. We
are long overdue for solving the challenges of information sharing and
overcoming the strain on government accountability brought about by
excessive secrecy. SBU designations have been noted by government
authorities as a major impediment to information sharing, yet no
solution to the problem has been developed. I am hopeful that my
testimony today offers a rationale and a sense of urgency for
instituting stronger measures to encourage needed reforms in
information-control programs across the federal government. I am
grateful for your interest in these issues and am happy to respond to
any questions.
Ms. Harman. I thank the three witnesses. Your testimony is
very helpful.
And, Mr. Leonard, nobody doubts your good faith and hard
work, but I do question whether we are making much progress
rolling a big rock up a steep hill.
Let me start there. As I said, I spent 8 years on the House
Intelligence Committee, and I spent many years on virtually
every security committee in this House since being elected in
1992. I do respect the need to protect sources and methods. I
have never, so far as I know, ever compromised a source or a
method, and I understand that real people die if that happens,
and we close down our ability to get sensitive information in
the future, so we should never do that.
But that is the purpose of our classification system. The
purpose of our classification system is not to deprive the
public of information it should have, and, surely, it is not to
deprive our first preventers on the ground of information they
need to know what to look for and what to do.
Does anyone disagree with what I just said?
Mr. Leonard. Absolutely not, Madam Chair.
Ms. Harman. I am sure you don't.
I also share Ms. Fuchs's opinion of Ambassador Ted
McNamara, with whom I have met. His title is program manager,
Information Sharing Environment, and he reports to the director
of national intelligence, Mike McConnell. He is a good man, and
he is trying to shift a lot of information out of the
classification system into this SBU system.
But, again, I am worried that we are just going to replace
one protection system with another protection system.
Does anyone disagree with that thought?
No. Okay. Well, now I am really getting discouraged.
So where do I come out? I am intrigued by Mr. Armstrong's
suggestion at the conclusion of his testimony--and I know I was
rushing you, but I am trying to be fair all our members and
here and to our second panel. I think what you said is, we need
to start over. We can't take this jerry-rig system and fix it.
It is too complicated, and we aren't going to fix it, we are
just going to move the boxes around. We really ought to think
through what our goals and objectives are and start over.
Is that what you said?
Mr. Armstrong. Precisely. That is the lesson of 50 years of
national security controls, 35 years since the Pentagon Papers,
34 years since Watergate and 22 years, 25 years of these three
commissions that have ensued. All have come back to the same
thing: If we want to protect important information, we must
identify it, isolate it, understand why it needs to be
protected and communicate that to government employees. They
will respect it, the press will respect it, in turn, and you
will not have dangerous leaks of national security information.
You will also have an enormous amount of information that
is not contained in those categories that will freely available
for public policy debate and discussion. That is what we need.
Ms. Harman. Well, let me ask the other two witnesses to
respond to this innovative and, I think, potentially visionary
suggestion. I am not sure we are up to this, but I just want to
ask what you think about it. It is basically to start over, to
identify what we need to protect.
And, as I heard you, Mr. Armstrong, you were saying if we
do this right, then we actually discourage and stop leaks
because information that should be in the public domain gets
there, and we should presume we have patriots in our press
corps who work for government, who serve in Congress and
elsewhere who will protect secrets that they understand clearly
need to be protected.
So my question, let's start with you, Mr. Leonard, is, what
do you think about this idea of starting over to isolate what
truly needs to be protected?
Mr. Leonard. Well, clearly, the challenge of over-
classification, as I included in my prepared testimony. As long
ago as the 1950s, the Wright commission, established by
Congress at the height of the Cold War, found that over-
classification was a threat to national security.
The largest problem, as I see, with the current framework
is that it is tilted toward encouraging people to withhold.
Everyone is very mindful of the fact that they can be
disciplined, fired, maybe even criminally prosecuted for
unauthorized disclosure. Even though the policy makes an
affirmative--at least the classification imposes an affirmative
responsibility on cleared individuals to challenge
inappropriate classifications, quite frankly, I am never aware
of that ever happening.
And, to me, it is the flipside of the coin: Yes, we have to
hold people accountable for inappropriate disclosures, but
unless we similarly have a system to hold people accountable
for inappropriate withholding or hoarding of information, the
system will remain dysfunctional.
Ms. Harman. Thank you very much.
My time is expiring, so, Ms. Fuchs, if you have any
comments, please make them now.
Ms. Fuchs. Right. I mean, I would second what Mr. Leonard
said. I think that the secrecy is a reflexive response by
people within the government, and it is going to be hard to
fight that. There should be better training, and the incentives
have to be changed. And the incentives are changed, I think, by
doing oversight, having audits of secrecy decision making,
making legal remedies available to the public, having
whistleblower protection and having leadership on the issue.
Ms. Harman. Thank you very much.
The chair now recognizes Mr. Reichert for 5 minutes.
Mr. Reichert. Thank you, Madam Chair, and, again, thank you
for being here this morning.
Mr. Leonard, you made a statement, I think it was you, that
said that trained people only get it right 64 percent of the
time. Why is that?
Mr. Leonard. It harkens back to the point I just made, Mr.
Reichert. I was in a similar forum with a very senior official
from the Defense Department once and she indicated, I think, a
very prevalent line of thought, and that is, especially in time
of war, people want to err on the side of caution.
And I am dumfounded by that approach, because, first of
all, I never understand why we want to have error as part of
any implementation strategy. But besides that, if we are ever
going to get it right, to me, in time of war is the time we
have to get it right.
As Ms. Fuchs says, we have to change the incentives and
have people recognize that the inappropriate withholding or
hoarding of information can have just as much as a deleterious
impact on the national security as any unauthorized disclosure
can.
Mr. Reichert. Mr. Armstrong, would you say that that is
true? In your statement, you mentioned sensitive homeland
security information for state and locals don't get to the
state and locals. Is that part of the problem that Mr. Leonard
is talking about?
Mr. Armstrong. I believe it is. I think there are two
reasons. One is the bureaucratic default to caution, that it is
easier to control than it is to release. But, secondly, control
has its own value and purpose. It allows a manipulation of the
debate. It prevents people from having a more open and
participatory discussion about the allocation of resources,
about priorities.
We heard in the dialogue from the Department of Homeland
Security at one point that they were considering the
prosecution or restraint on journalists publishing information
about chlorine plants and their danger in metropolitan areas.
Now, the plant doesn't become more dangerous because there is a
publication of it. It is possible that some terrorist might
learn that there is something there that they could blow up,
but it is unlikely that they haven't already identified it.
What happens is the public learns about it, and as that
information is openly discussed, precautions are taken,
political actors are held accountable, and those political
actors who become decisions makers during crisis begin to take
appropriate action.
Mr. Reichert. Now, for all three of you, there has been--
Mr. Armstrong, you especially mentioned that you have been
involved in discussions with just about every member of the
intelligence community. I didn't hear you say that state and
local agencies were involved in discussions that you were
having. Did I incorrectly--
Mr. Armstrong. No, that is correct. Our primary purpose was
when the equivalent of an Official Secrets Act was passed in
the year 2000 and the vetoed and then came up again the
following year, we wanted to learn, in the press, we wanted to
learn what the concern was in the federal government and how we
might best meet that. But we have not had that discussion at
the local level.
Mr. Reichert. For all three of you, quickly, state or local
public disclosure laws, have you been trying to connect with
state officials and local officials to find out how to work
through that problem?
Ms. Fuchs. If I could respond, I wanted to mention(it is a
big problem what happens at the state and local level, and
there is going to have to be some coordination. I wanted to
draw the subcommittee's attention to a report that was done by
the American Society of Newspaper Editors that was released
last week where they did an audit where they went to state and
local offices to get copies of the Comprehensive Emergency
Response Plan in each of those places.
That is something that is mandated to be made public by the
Emergency Planning and Community Right to Know Act of 1986, and
it is something that, for instance, tells you escape routes
that the public should be aware of if something happens in
their community.
More than a third of the public officials refused to
provide the report. It is sort of the opposite of--a variation
on the story that you told, Mr. Reichert at the outset----
Mr. Reichert. Yes.
Ms. Fuchs. --about not sharing information.
But it is the kind of thing, for instance, I know that in
D.C. that K Street divides which way you get out of the city if
something happens. Well, I work on one side of K Street and my
kid goes to school on the other side of K Street. Knowing that
information is important to me as a member of the public.
Mr. Reichert. Yes. I would make one last point. We can come
up, devise the greatest system in the world, which we don't
have right now, obviously, but if we start over, it could
hopefully end up being better, but the system is made up of
people, and that is going to be our major problem.
I know on a number of occasions in my 33 years in the
sheriff's office we were going to serve a search warrant and I
showed up at an address to serve a search warrant on a suspect
in that major serial case I was talking about earlier only to
find a reporter standing on the front porch waiting for me. So
we can build a great system, but it all boils down to the
people and the responsibility that they take.
Thank you. I yield.
Ms. Harman. I thank the ranking member for yielding.
The chair now recognizes Mr. Langevin for 5 minutes.
Mr. Langevin. Thank you, Madam Chair.
I want to thank our witnesses for testifying here today.
Can you just walk me through the process of how people get
access to this sensitive but unclassified information? Does
this come down to the fact that we needed better information-
sharing environment among people like law enforcement, and one
of the things I know that DHS is struggling through right now
is creating an information-sharing environment for terrorism-
related issues, similar to the type of information sharing that
law enforcement--that type of a system that law enforcement has
right now.
For example, in New England, we have RISNet, Regional
Information Sharing Network, so that information on law
enforcement issues can get out there to those that need it. DHS
is struggling with creating that kind of a system. I think
Charles Allen at DHS is doing a very good job of moving in the
right direction, but we are certainly not there yet.
So is that the model that we have right now? I just want to
get an understanding of when something is sensitive but
unclassified, can anybody in the law enforcement realm--you
know, is that in the need-to-know category?
Mr. Leonard. Although not in my official realm of
responsibilities, I can address that and that is the bottom
line. The challenge is, there is no one model. With over 100
types of systems, I dare say there is no one individual in the
entire federal bureaucracy who knows how to leverage access to
all these types of controlled information.
And the challenge then, of course, is, when agencies want
to leverage technology to help disseminate this information,
and there are all different types of controls and constraints
on it, you are somewhat restricted in terms of what you can put
into a technology system if you don't know the rules for
handling and disseminating and access, because there currently
are no systems. And this is what Ambassador McNamara's office
is in fact trying to address.
Mr. Armstrong. One issue you might consider, congressman,
is the fact that the Department of Homeland Security does not
seem to have a risk assessment matrix that allows them to put
value on particular information and figure out what it is they
are trying to control and from whom.
When they issued, in 2004, a nondisclosure agreement, which
I included a copy of, attached to my statement, they included
the long list of things and then the words, ``and other
identifier used by other government agencies to categorize
information as sensitive but unclassified,'' and gave authority
to any supervisor to create any such category. So people have
millions of different interpretations.
It requires leadership, it requires some identification of
what the dangers are and what the purpose of controlling
information is. If they can't identify that, don't control it.
Mr. Langevin. Let's kind of elaborate on that, if we could,
a little more. How might we go about creating a standardized
system for sharing sensitive but unclassified information? And
would a standard approach be a net positive? And furthermore,
to what extent do you think there will be any resistance to
such an effort and from whom?
Ms. Fuchs. Well, I think that standardizing would be a
benefit. I mean, we see it in the classification system, there
is some regularity, there are reporting requirements, there is
way to challenge classification decisions. It may not happen
that often, but at least there is some transparency to the
system and there is some control.
What is happening in the SBU system is it is all over the
place, and the absence of any type of regulation means that it
is an interference with information sharing.
But I want to also add that part of making information
sharing work means including the public in information sharing,
because the public has just as much concern as the government
in protecting ourselves.
I mean, we all know the story of the sniper in Washington,
D.C. It was only because the license plate on that car got out
and a trucker who stopped at the side of the street saw the car
and reported it. The public has a role to play as well, so any
kind of system should consider the importance of sharing
information with the public.
Mr. Leonard. And being a lifelong bureaucrat, I find rules
can be empowering as well. Because, right now, with the mass
confusion, people on the frontlines and the federal bureaucracy
who have to make decisions, there is such confusion that the
default is, well, I don't know if I am going to default.
If we have clearly articulated rules, that can be
empowering as well, because then it removes the uncertainty in
people's minds. They know exactly what they can disclose, under
what circumstances and who. And also then if people want to
challenge those controls, we know what it is we are
challenging.
Mr. Armstrong. I think the standardization needs to be of
the risk assessment process and of the process of engaging the
partners with whom you want to share information. If you build
it, they will come, but it has to be truly understood, as
Meredith mentioned, those partners include the public. The
chlorine plant situation, people who own chlorine plants do not
want information distributed about them, particularly when
there are risks from them.
Ms. Harman. The time of the gentleman has expired.
The chair now recognizes the very patient Mr. Dent of
Pennsylvania for 5 minutes.
Mr. Dent. Thank you, Madam Chairman.
Mr. Leonard, the president directed that the designation of
sensitive but unclassified information be standardized. In
response, an interagency working group, led by DHS, DOJ and the
program manager for the Information Sharing Environment,
initiated an effort to address these issues. I understand that
your office is part of that effort and that the working group
has submitted recommendations to the president regarding the
standardization of sensitive but unclassified procedures.
When do you expect these recommendations to be approved by
the president? And what outstanding issues are there?
Mr. Leonard. Sure.
Congressman I serve as an advisor to the working group that
Ambassador McNamara heads up. Being an observer and an advisor
to that group, I can attest that significance progress has been
made. Those recommendations actually have not yet been passed
up to the president as of yet, but my understanding is that the
timeline is a matter of months of get it through the process.
Mr. Dent. To get it to the president.
Mr. Leonard. To get it to the president; yes, sir.
Mr. Dent. Okay. Then what can we do to assist you through
this process? I mean, what can Congress do?
Mr. Leonard. Well, one of the challenges that I have always
took note of is that many of the controls that agencies have
placed on unclassified information are actually based in
statute. And one of my observations has been is that each and
every time we create one of these new homegrown controlled
items, that we seem to do it from scratch and we don't pay
homage to what has gone before.
And I believe whenever Congress makes the observation that
certain types of information needs to be controlled from a
statutory point of view, that to whatever extent including in
those mandates is the need to ensure that it is being done in a
consistent manner, I think would be highly effective.
Mr. Dent. More specifically, Mr. Leonard, I know you
testified before that the classification authority is pursuant
to the president's article 2 authorities under the
Constitution, and that certainly complicates these legislative
remedies.
So, I guess, what, in your opinion, would a legislative
remedy to the problem of over-classification and pseudo-
classification look like?
Mr. Leonard. Well, my reference to the president's article
2 authority, of course, is with respect to the classification
for a national security information system, which I oversee.
The pseudo-classification system, as I said, that has its
origins in a number of different areas.
Anything that we can do to change--the observation was made
about ultimately it is people who make the system works, and
anything that we can do to encourage people to recognize the
need that inappropriate withholding of information is similarly
deleterious and change that culture is, I think, ultimately
what is required in this area.
Mr. Dent. Thank you.
And, finally, in August of 2004, you testified,
essentially, that the creation of a director of national
intelligence would be a good thing if the DNI could overcome
all of the nuances in the classification system.
Has this been the case, or does the DNI need more
authorities to iron out the classification system, in your
opinion?
Mr. Leonard. The DNI has taken a leading role, from my
observation, in terms of trying to establish greater
consistency with respect to how the intelligence sources,
methods and activities are handled across the board. That is
obviously a work in progress, but my observation is that the
DNI has taken a much needed leadership role in this area.
Mr. Dent. Thanks, Madam Chairman. I yield back.
Ms. Harman. I thank the gentleman.
As this panel exits, I would just like to note that I was
one of the godmothers for the creation of the Department of
Homeland Security, and I was a coauthor of the legislation
establishing the Office of the Director of National
Intelligence, and our clear intent, on a bipartisan basis, was
to simplify, not complicate, this system.
So I am hopeful that this subcommittee, on a bipartisan
basis, will take up Mr. Armstrong's challenge and see if we can
accomplish that goal, which is a lot later than we intended but
very timely.
The first panel is excused, and as the second panel comes
up, I would note that we are expecting votes between 11:15 and
11:30. Mr. Reichert and I want to hear from both witnesses and
ask our questions very promptly, because we don't want you to
have to stay around for the half hour or more that we will have
to recess.
Thank the witnesses very much.
Okay. Let's have the second panel takes your seats. Even
without nametags, we know who you are.
Our first witness, Cathy Lanier, is the chief of the
Metropolitan Police Department here in Washington, D.C. She was
named police chief by D.C. Mayor Adrian Fenty and assumed her
position on January 2nd of this year. Before her appointment,
she was tapped to be the first commanding officer for the
police department's Office of Homeland Security and
Counterterrorism, which was established in 2006.
A highly respected professional in the areas of homeland
security and community policing, Chief Lanier took the lead
role in developing and implementing coordinated
counterterrorism strategies for all units within the
Metropolitan Police Department and launched Operation TIPP,
which is D.C.'s Terrorist Incident and Prevention Program.
Our second witness, Michael Downing, serves as the
assistant commanding officer, Counterterrorism Criminal
Intelligence Bureau, where he assists two regional operations,
which command the Los Angeles Joint Regional Intelligence
Center, called the JRIC.
And we welcome him from L.A.
I will skip all the rest of his wonderful credentials,
because we want to get right to your testimony.
And, without objection, the witnesses' full statements will
be inserted in the record.
I now ask each witness to summarize as quickly as possible,
starting with Chief Lanier.
STATEMENT OF CHIEF CATHY L. LANIER, METROPOLITAN POLICE
DEPARTMENT, WASHINGTON, D.C.
Chief Lanier. Thank you. Good morning.
Chairman Harman, members of the committee, staff and
guests, thank you for this opportunity to present this
statement on the impact of over-classification on information
sharing.
To begin, I emphasize the important role that local law
enforcement plays in homeland security efforts. We are more
than merely first responders, as you have stated. We are first
preventers who are uniquely positioned to detect and prevent
terrorist incidents right here in our home. There are 800,000
law enforcement members across the nation who know the
communities they serve and are in the best position to detect
the investigative criminal activity that might be connected to
terrorism.
Information provided by local police, if discovered early
and matched with the right intelligence, can help detect,
disrupt and prevent a terrorist plot. However, in order for
local law enforcement to perform its critical role of first
preventer, it is essential that the police officers and support
personnel be provided with timely intelligence information.
This requires an intelligence conduit consisting of an
organized, effective and trusting flow of information between
local law enforcement and our federal partners.
It is important to note that in the national capital
region, the flow of information among our federal partners is
fairly good through the JTTF. Part of that reason for that is
that our agencies have worked together for years sharing
information and coordinating responses to a variety of
situations. Pre-established relationships and a track record of
trust has made smooth and eliminated obstacles experienced by
other jurisdictions. The JTTF understands local law enforcement
and appreciates the value of those relationships.
Nonetheless, several issues remain as it relates to federal
and local information sharing. Law enforcement needs better
access to federal intelligence information as well as an
enhanced ability to translate such information into local law
enforcement activity. This involves classifying information
appropriately as well as creating a more efficient local
access, both classified and non-classified information.
Access to federal intelligence information remains a major
obstacle for local law enforcement. While the security
classification system that mandates security clearances helps
to ensure that sensitive information is protected, it also
hinders the local homeland security efforts.
Information collected by the federal government is
sometimes overly classified and causes valuable information
that should be shared to remain concealed. Law enforcement does
not need to know the details about where information originates
or how it is collected; however, we do need sufficient and
timely information in order to know what to look out for as
well as what scenarios to prepare for.
Information provided by the federal government that is
dated or only shared once the threat becomes imminent does not
offer value to local law enforcement. At this point, it is too
late for us to enhance our capabilities to effectively deal
with a threat. Conversely, local law enforcement analysts
should also ensure that intelligence they collect is assessed
and shared with DHS, FBI and other local and state agencies.
The significant challenges facing local law enforcement is
in translating this intelligence once it is obtained from the
federal government into actions for local jurisdictions. This
challenge is notably exacerbated when the information provided
is either not timely or is restricted so that it cannot be
shared with other stakeholders.
It is critical that the local law enforcement community be
made aware of global trends regarding people and organizations
that have a potential to commit crimes or pose a bona fide
threat to our community. Awareness of these global trends will
identify emerging threats and allow me to properly train my
patrol officers on the individual elements needed to mitigate
these emerging threats.
As a police chief, I need various forms of intelligence
that will come from a variety of different agencies. On the
strategic side, I need a global view of known terrorist
organizations, groups and individuals, both foreign and
domestic, and the potential threat they may post to the
homeland. This type of intelligence provides me with a better
understanding of the history of these groups, their
capabilities and their interest in particular targets or
weapons.
The broad nature of this type of intelligence, in my
opinion, should not be classified beyond law enforcement
sensitive. Even when it involves emerging groups and
capabilities, as long as the information remains in the law
enforcement community and is used for legitimate law
enforcement purposes, it should not cause harm to any ongoing
intelligence operation.
In addition to increased awareness of global trends, I also
need to be familiar with the local threat environment right
here in the national capital region. Being familiar with the
presence of known terrorist organizations in this region allows
me to educate and train my officers on the known tactics used
by these organizations so they can pay particular attention to
the certain subtle activities while on routine patrol.
For example, if it is known that a particular terrorist
organization that has a presence in the NCR is known to engage
in financing terrorist activities by selling unpacked
cigarettes, my patrol officers need to be aware of this so that
particular tactic--so they would know which information needs
to be shared with the JTTF for further analysis.
This intelligence, combined with information such as how
these groups travel, communicate and influence will help me
influence the resource allocation, training, prevention efforts
and response practices.
The bottom line, the frontline officers who see individual
elements of crimes every day need to be knowledgeable of
emerging threats and tactics in order to link these individual
elements so that trends can be identified early and mitigated
quickly.
I will skip to the end of my testimony to stay within the
time, but I do believe that ultimately improvements in the
intelligence-sharing environment will make our nation safer, as
the federal government and local first responders work jointly
as first preventers.
And I thank you for having this opportunity today.
[The statement of Chief Lanier follows:]
Prepared Statement of Cathy L. Lanier
March 22, 2007
Chairwoman Harman, members of the Committee, staff and guests--
thank you for the opportunity to present this statement on the impact
of overclassification on information sharing. Specifically, I will
address federal-level information sharing with local law enforcement.
To begin, I emphasize the important role that local law enforcement
plays in homeland security efforts. We are more than merely first
responders. We are first preventers who are uniquely positioned to
detect and prevent terrorist incidents right here at home. There are
800,000 law enforcement members across the nation who know the
communities they serve and are in the best position to detect and
investigate criminal activity that might be connected to terrorism.
Information provided by local police--if discovered early and matched
with the right intelligence--can help detect, disrupt and prevent a
terrorist plot.
However, in order for local law enforcement to perform its critical
role of first preventer, it is essential that police officers and
support personnel be provided with timely intelligence information.
This requires an intelligence conduit consisting of an organized,
effective and trusting flow of information between local law
enforcement and our federal partners. It is important to note that in
the national capital region, the flow of information among federal,
state and local partners through our Joint Terrorism Task Force (JTTF)
is quite good. Part of the reason for this is that our agencies have
worked together for years sharing information and coordinating
responses to a variety of situations. Pre-established relationships and
a track record of trust have smoothed many of the obstacles experienced
by other jurisdictions. The JTTFs understand local law enforcement, and
appreciates the value of local relationships. I believe other aspects
of the federal homeland security community could learn from the
experiences of the JTTFs.
Nonetheless, several issues remain as it relates to federal-local
intelligence sharing practices. Local law enforcement needs better
access to federal intelligence information, as well as an enhanced
ability to translate such information into local law enforcement
activity. This involves classifying information appropriately, as well
as creating more efficient local access to both non-classified and
classified information. Further, we need to recognize the importance of
smaller law enforcement agencies, as well as the need to expand
homeland security efforts beyond our traditional partners. I will
discuss these issues in greater detail in this testimony.
Access to federal intelligence information remains a major obstacle
for local law enforcement. While the security classification system
that mandates security clearances helps to ensure that sensitive
information is protected, it also hinders local homeland security
efforts. Information collected by the federal government is sometimes
overly classified, causing valuable information that should be shared
to remain concealed.
Local law enforcement does not need to know details about where
information originates or how it was collected. However, we do need
sufficient and timely information in order to know what to look out
for--as well what scenarios to prepare and drill for. Intelligence
analysts should assess intelligence information and synthesize it in a
manner that allows pertinent information to be shared widely among
local law enforcement personnel. This requires that they write the
analysis for release and appreciate the type of actionable information
useful to law enforcement. I want to also emphasize the importance of
quickly sharing information--even if the information is not fully
vetted. Information provided by the federal government that is dated or
only shared once a threat becomes imminent does not offer value to
local law enforcement. At this point it is too late for us to enhance
our capabilities to effectively deal with the threat. Conversely, local
law enforcement analysts should also ensure that intelligence they
collect is assessed and shared with DHS, FBI, and other local and state
agencies.
A significant challenge facing local law enforcement is translating
the intelligence information that is obtained from the federal
government into action for local jurisdictions. This challenge is
notably exacerbated when the information provided either not timely or
is restricted and cannot be shared with other stakeholders. It does a
local police chief little good to receive information--including
classified information--about a threat if she cannot use it to help
prevent an attack. Operationally, local law enforcement needs to be
aware of the presence of possible terrorist organization activity in
their jurisdiction and surrounding region. This intelligence--combined
with information such as how these groups travel and communicate--
influence local law enforcement resource allocation, training,
prevention, and response practices.
It is critical that the local law enforcement community be made
aware of global trends regarding people and organizations that have the
potential to commit crimes or pose a bona fide threat to the community.
Awareness of these global trends will identify emerging threats and
allow me to properly train my patrol officers on the individual
elements needed to mitigate these emerging threats. As a police chief I
need various forms of intelligence that will come from a variety of
different agencies. On the strategic side, I need a global view of
known terrorist organizations, groups and individuals--both foreign and
domestic--and the potential threat they may pose to the homeland. This
type of intelligence provides me with a better understanding of the
history of these groups, their capabilities and their interest in
particular targets or weapons. The broad nature of this type of
intelligence, in my opinion, should not be classified beyond ``law
enforcement sensitive''. Even when it involves emerging groups or
capabilities, as long as the information remains in the law enforcement
community, and is used for legitimate law enforcement purposes, it
should not cause harm to any ongoing intelligence operation.
In addition to increased awareness of global trends, I also need to
be familiar with the local threat environment in the national capitol
region. Being familiar with the presence of known terrorist groups in
the region allows me to educate and train my officers on the known
tactics used by these organizations so they can pay particular
attention to certain subtle activities while on routine patrol. For
example, if it is a known that a particular terrorist group that has a
presence in the NCR is known to engage in financing terrorist
activities by selling untaxed cigarettes, my patrol officers need to be
aware of these and other tactics so that they would know which
information to pass to the JTTF for further analysis.
The bottom line issue is that the frontline officers, who see the
individual elements of crimes, need to be knowledgeable of emerging
threats and tactics in order to link these individual elements so that
trends can be identified early and mitigated quickly.
Importantly, there are also occasions where local law enforcement
officials may need to be apprised of classified information. There is
no question that local law enforcement personnel have added value to
federal task forces--such as the JTTFs--as well as Department of
Homeland Security operation centers. It is for these reasons that
appropriate security clearances must be granted--in a timely manner--to
local police.
While the Metropolitan Police Department (MPD) has obtained a
number of security clearances for its members, that is not true for all
law enforcement organizations. It is imperative that federal, state,
and local law enforcement personnel that are working together to
protect the nation from terrorist threats be on equal footing. While
local law enforcement has seen some improvement in the process of
receiving security clearances, more must be done to expedite the
process.
I am optimistic that the DHS-supported fusion centers that are
becoming operational across the country will help bridge some the
existing intelligence sharing gaps. This will be accomplished by having
analysts from different agencies and perspectives talking to each other
and working together. .
While large-sized police departments have the ability to develop
and implement more sophisticated intelligence functions, small agencies
are sometimes left out of the loop. In the Washington area alone there
are 21 municipal law enforcement agencies that have less than 40 police
officers. It is incumbent upon the federal government and large police
departments to ensure that smaller agencies are kept informed--and
understand the importance of intelligence information. Formal liaisons
should be established, and every agency--no matter how small--should
have an accessible representative that is familiar with handling
intelligence information.
I also believe that federal and local law enforcement should
consider expanding its homeland security efforts beyond traditional
parameters. We need to examine the possibility of establishing
intelligence conduits with other local government components.
Firefighters, paramedics and health workers, are well positioned to
contribute valuable information to help protect our communities. In
order to harness these types of resources, intelligence-sharing
networks must be more inclusive. Further, the intelligence community
will also need to work on developing and sharing intelligence that is
actionable for other professions. We should begin planning for this new
front now.
Finally, local law enforcement recognizes that in addition to
needing timely intelligence from federal agencies, we also must be
willing and able to share timely and useful information gathered at the
local level with our federal state, and local partners. This is what
the fusion center concept is all about. Local law enforcement stands
ready to do its part in contributing to--and receiving and acting
upon--the information that we hope will be shared more extensively in
the future.
Ultimately, such improvements in intelligence sharing will make our
nation safer, as the federal government as local first responders work
jointly as first preventers.
Thank you again for the opportunity to appear before you today.
Ms. Harman. Thank you, Chief. Your testimony is very
important for the hearing record.
Mr. Downing?
STATEMENT OF MICHAEL DOWNING, ASSISTANT COMMANDING OFFICER,
COUNTER-TERRORISM/CRIMINAL INTELLIGENCE BUREAU, LOS ANGELES
POLICE DEPARTMENT
Mr. Downing. Chairman Harman, Ranking Member Reichert,
members of the subcommittee, thank you for the opportunity to
discuss the Los Angeles Police Department's efforts to fight
terrorism and the important issue of the over-classification of
intelligence.
Having recently returned from an 8-week attachment to the
new Scotland Yard's Counterterrorism Command, I have a much
greater appreciation for change and why we need to change.
In Peter Clarke's words, the national coordinator for
counterterrorism, if you looked at the 30-year IRA campaign and
look at the antithesis of that campaign, that is the threat
that they have now. To take a 130-year-old organization's
special branch and amalgamate it into the counterterrorism
command is huge change for a culturally rich institution, and
if they change, we certainly need to change.
Local law enforcement's ability to play a significant role
in stopping terrorism is seriously hampered by the over-
classification of intelligence by the federal government. In
Los Angeles, we enjoy a positive constructive partnership with
various federal agencies, but the classification process has
been a substantial roadblock to our capacity to investigate
terrorism cases.
The terrorist threat to our communities currently involves
continued domestic terrorism and international terrorists
plotting to destroy American cities. Prior to September 11,
local law enforcement agencies primarily investigated domestic
terrorist groups, including white supremacists, hate groups,
special issue groups conducting criminal activities.
Investigations centered on familiar cultures that were socially
motivated by political ideologies to commit terrorism.
The bombing of the Alfred Murrah building in Oklahoma, in
1995, the most notable domestic terrorist attack, had a
catastrophic impact on American soil and brought together local
and federal law enforcement to bring the terrorists to justice.
Local law enforcement, in fact, played a critical role in the
investigation and apprehension of the offenders.
I understand that you are coming to Torrance in a few weeks
for a field hearing. The JIS case was an unclassified case that
dealt in prison radicalization and conversion to gangs and
terrorism. That was an unclassified case because it didn't have
an international connection. Had it had an international
connection, it would have been classified and the outcome
perhaps could have been much different.
Prior to September 11, international terrorism was not in
the national consciousness. Despite the first World Trade
Center bombing, most Americans did not realize the significant
threat of Islamic extremism and the consequences of this
terrorism. September 11 changed the mindset of all Americans,
including local law enforcement.
In addition, in the war on Afghanistan, and later in Iraq,
the face of Islamic terrorism changed. No longer was the only
threat a group of dissident Saudis hijacking a plane to crash
into American symbols of power. Throughout the world, suicide
bombers attacked discos, train stations and buses. Islamic
terrorism has continued to demonstrate its reach and power from
changing the outcome of the 2004 national election in Spain to
paralyzing the transportation system in London in 2005.
The terrorist transformed himself from Middle East
foreigner to second and third generation local citizen.
The sheer number of terrorist threats to our communities
across the country has increased dramatically, and the federal
government's capacity to collect intelligence and investigate
these threats has been overwhelmed. Consequently, local law
enforcement's efforts to counterterrorism has never been more
important and has never been more critical.
Across the country, a new concept of fusion centers arose,
where analysts from police departments, FBI, Immigration and
Customs Enforcement and other agencies worked on the same
information screens to identify possible terrorist threats.
In Los Angeles, the LAPD provides personnel to participate
in the JRIC located in Norwalk, California. We have 14 other
participating agencies in that center.
The JRIC provides critical information-sharing
opportunities with the federal government. However, over-
classification of intelligence has become an impediment to full
information sharing with the local law enforcement agencies who
participate in the JRIC. As such, it has provided an impediment
to the JTTFs, which is a great success story in our partnership
with the federal agencies.
After the 9/11 Commission issued its comprehensive report,
America's local law enforcement community, consisting of over
700 law enforcement officers, was reluctantly invited into the
effort of countering the international terrorist threat. One
part of the rationale was that neither the CIA or DOD could
conduct intelligence operations within the U.S. against
American citizens.
Moreover, the total number of FBI special agents assigned
to protect over 18,000 cities, towns and villages throughout
the United States is slightly over 12,000 people. This number
becomes less reassuring when one examines the number of agents
needed to handle the FBI's other responsibilities, including
white collar crime, organized crime, public corruption,
financial crime, fraud against the government, bribery,
copyright infringements, civil rights violations, bank robbery,
extortion, kidnapping, espionage and so on.
At the national level, local law enforcement was not deemed
an important stopgap in the field of counterterrorism,
particularly in the area of Islamic extremists. In addition,
the significant role of----
Ms. Harman. Mr. Downing, could you please summarize at this
point, because we are concerned that a vote will be called.
Mr. Downing. Thank you. I will conclude, Ms. Chairman.
The United States faces a vicious, amorphous and unfamiliar
adversary on our land. Our previous defensive strategy to
protect our cities was ineffective, and our current strategy is
fraught with issues. We cannot support any process that takes
us closer to another failure.
We have mutual interest in working common direction to
prevent acts of terrorism in the United States. The
classification levels are based on fear, the probability of
information being disseminated to those that can cause serious
damage to national security. What this system is not designed
to do is to protect us against the threat itself.
This is achieved by disseminating the information to people
who stand the best chance of stopping violence against American
cities, our first preventers and law enforcement.
[The statement of Mr. Downing follows:]
Prepared Statement of Michael P. Downing
March 22, 2007
I. Introduction
Chairman Thompson, Chairwoman Harman, Ranking Member Reichert, and
Members of the Subcommittee, thank you for the opportunity to discuss
the Los Angeles Police Department's (LAPD) efforts to fight terrorism
and the important issue of the over-classification of intelligence.
Local law enforcement's ability to play a significant role in
stopping terrorism is seriously hampered by the over-classification of
intelligence by the federal government. While in Los Angeles we have
enjoyed a very positive and constructive partnership with various
federal law enforcement agencies, including the Federal Bureau of
Investigation's (FBI) Los Angeles Field Office and the Department of
Homeland Security's Immigration and Customs Enforcement (ICE), the
classification process has been a substantial roadblock to our capacity
to investigate terrorism cases and work hand-in-hand with these federal
agencies.
II. The Terrorist Threat to Our Local Communities
The terrorist threat to our communities currently involves
continued domestic terrorism and international terrorists plotting to
destroy American cities.
A. Domestic Terrorism
Prior to September 11, local law enforcement agencies primarily
investigated domestic terrorist groups, including white supremacists,
hate groups, and special-issues groups conducting criminal activity
(e.g. the Animal Liberation Front). Investigations centered on familiar
cultures that were socially motivated by political ideologies to commit
terrorism. The bombing of the Alfred P. Murrah Federal Building in
Oklahoma in 1995, the most notable domestic terrorist attack, had a
catastrophic impact on American soil and brought together local and
federal law enforcement to bring the terrorists to justice.\1\ Local
law enforcement, in fact, played a critical role in the investigation
and apprehension of the offenders.
---------------------------------------------------------------------------
\1\ The 1993 World Trade Bombing was seen as international
terrorism and investigated by the FBI.
B. International Terrorism
Prior to September 11, 2001, international terrorism was not in the
national consciousness. Despite the first World Trade Center bombing,
most Americans did not realize the significant threat of Islamic
extremism and the consequences of international terrorism. September 11
changed the mindset of all Americans including local law enforcement.
Since September 11, the scope of terrorism and extremism has
increased exponentially. In addition, as the war in Afghanistan and
later in Iraq waged on, the face of Islamic terrorism changed. No
longer was the only threat a group of dissident Saudis hijacking a
plane to crash into American symbols of power. Throughout the world,
suicide bombers attacked discos, train stations, and buses. Islamic
terrorism has continued to demonstrate its reach and power from
changing the outcome of the 2004 national election in Spain to
paralyzing the transportation system in London in 2005. The terrorist
transformed himself from Middle East foreigner to second and third
generation local citizen.
The sheer number of terrorist threats to our communities across the
country has increased dramatically and the federal government's
capacity to collect intelligence and investigate these threats has been
overwhelmed. Consequently, local law enforcement's efforts to counter
terrorism have never been more important or critical.
III. LAPD's Response to Terrorist Threats
A. Counter-Terrorism Bureau
The Los Angeles Police Department has taken the threat of
international terrorism very seriously. The city has a population of
over 4 million and spans over approximately 500 square miles. The
region is home to numerous potential terrorist targets including the
Los Angeles International Airport, the ports of Los Angeles and Long
Beach, and the entertainment industry.In response, the LAPD has
invested numerous hours and millions of dollars toward preparedness and
response to a possible terrorist attack. In addition, the LAPD has
created a Counter-Terrorism/Criminal Intelligence Bureau with nearly
300 officers who are solely dedicated to counter-terrorism and criminal
intelligence gathering. While this bureau has served a critical
function in the war against terror, the LAPD has been required to
dedicate officers to intelligence gathering, a function typically
performed by the federal government.
B. Joint Regional Intelligence Center and Joint Terrorism Task
Force
Across the country, a new concept ``fusion centers'' arose where
analysts from police departments, the FBI, Immigration and Customs
Enforcement, and other agencies worked on the same information streams
to identify possible terrorist threats. In Los Angeles, the LAPD
provides personnel and participates in a Joint Regional Intelligence
Center (JRIC), located in Norwalk, California, which includes fourteen
participating agencies. The JRIC provides a critical information-
sharing opportunity with the federal government. However, the over-
classification of intelligence has become an impediment to full
information sharing with the local law enforcement agencies who
participate in the JRIC.
The LAPD, as well as other Los Angeles-area law enforcement
agencies, is an active participant in the Joint Terrorism Task Force
(JTTF). Like the JRIC, the JTTF also serves as an excellent partnership
with federal law enforcement agencies and provides the opportunity for
extensive information sharing. The same impediments of the JRIC,
however, apply to the local law enforcement agencies participating in
the JTTF. The dissemination of critical intelligence is restricted due
to its over-classification.
IV. The Consequences of Over-Classification of Intelligence
After the 9/11 Commission issued its comprehensive report,
America's local law enforcement community, consisting of over 700,000
law enforcement officers, was reluctantly invited into the effort of
countering the international terrorist threat. One part of the
rationale was that neither the Central Intelligence Agency nor
Department of Defense could conduct intelligence operations within the
United States against American citizens. Moreover, the total number of
FBI Special Agents assigned to protect over 18,000 cities, towns, and
villages throughout the United States is slightly over 12,000. This
number becomes less reassuring in the when one examines the number of
agents needed to handle the FBI's other responsibilities including
white-collar crime, organized crime, public corruption, financial
crime, fraud against the government, bribery, copyright infringement,
civil rights violations, bank robbery, extortion, kidnapping,
espionage, interstate criminal activity, drug trafficking, and other
serious violations of federal law.
At the national level, local law enforcement was not deemed an
important stopgap in the field of counter-terrorism particularly in the
area of Islamic extremists. In addition, the significant role of local
law enforcement in the fight against international terrorism was not
viewed as significant. More than five years after the tragic events of
September 11, local law enforcement involvement has still not been
fully embraced because of the impediment of information sharing and the
over-classification of intelligence.
The result of including local law enforcement is that uniform
police officers, bomb squads, and hazardous material teams now train
together to address terrorist threats with the FBI, Department of
Energy, Federal Emergency Management Agency, and the Department of
Homeland Security, and train to respond to possible terrorist
scenarios.
Local law enforcement has had a long history in investigating
individuals and groups while developing and handling human and
electronic intelligence. No agency knows their landscape better than
local law enforcement; it was designed and built to be the eyes and
ears of communities. Over-classification, however, prevents a true
partnership with federal agencies.
An impediment for both federal and local agencies, for example, is
that local FBI agents, cannot change the originating agency's
classification level, and this problem is amplified when the response
to the threat is time sensitive. Appropriate law enforcement response
to substantial threats can be significantly impaired with minimal lead-
time, creating greater risk to the community, and impacting the ability
for a ``First Preventer'' response. A local field agent, however, has
the discretion to classify a case as ``secret.'' The criteria for this
classification is ``secret shall be applied to information, the
unauthorized disclosure of which reasonably could be expected to cause
serious damage to the national security.'' Additionally, the standard
used for ``secret'' for intelligence information is ``the revelation of
significant intelligence operations.'' Many field agents may over-
classify their cases for fear of compromise. Unfortunately, this is a
double edge sword because it stifles collaboration with local law
enforcement.
The burden to overcome is that the investigations push up against
federal investigations, which in turn become classified. The result is
the old adage of local law enforcement pushing information to federal
agencies without getting anything back. The federal fix has been to
brief the Chief of the executive staff of classified cases, but
restricted the dissemination to their intelligence units (despite
proper clearance levels of personnel). The result is to develop
separate and likely redundant intelligence gathering operations. For
example, New York was first in the country to disengage from relying on
the federal agencies to protect their city, committing almost 1,200
officers to counter-terrorism efforts. Currently, the association of
Major Cities Chiefs of Police is campaigning in Congress to send police
officers overseas to obtain information from their police counterparts
rather than rely on our own federal agencies to share information.
V. Recommendation
The declassification of information currently classified at the
secret level would greatly improve the information-sharing environment
and build upon the counter-terrorism capabilities of local law
enforcement. Federal authorities should consider changing the criteria
classification of terrorism-related intelligence to ``Law Enforcement
Sensitive'' to enable the dissemination of information to critical
personnel in the field. ``Top Secret'' should be an exceptional
classification that requires extraordinary demonstration of need while
``Secret'' should be a classification that requires more stringent
demonstration of need than currently required.
Local law enforcement already works in an environment with a
``right and need to know'' and efforts made to declassify ``secret''
information to ``law enforcement sensitive'' would not only make for
more effective and timely intelligence, but inspire true partnership,
better collaboration, the building of more robust trust networks, and
develop a richer picture with regard to community intelligence.
VI. Conclusion
The United States faces a vicious, amorphous, and unfamiliar
adversary on our land. Our previous defensive strategy to protect our
cities was ineffective and our current strategy is fraught with issues.
In Los Angeles, we cannot support any process that takes us closer to
another failure. We have the mutual interest and are working in common
direction to prevent acts of terrorism in the United States. The
classification levels are based on fear: the probability of information
being disseminated to those that can cause serious damage to national
security. What this system is not designed to do is protect us against
the threat itself. Local law enforcement has a culture and capacity
that no federal agency enjoys; the know how and ability to engage a
community and today it is a vital part of the equation. This is
achieved by disseminating the information to people who stand the best
chance of stopping violence against American cities: our first
preventers in local law enforcement.
Ms. Harman. Thank you very much.
The chair now recognizes the chairman of the full
committee, the gentleman from Mississippi, for 5 minutes of
questions.
Mr. Thompson. Thank you very much, Madam Chairman. I
appreciate the opportunity.
Chief Lanier, nice to see you again. You do us proud.
Chief Lanier. Thank you.
Mr. Thompson. Mr. Downing, New York City saw that they had
a problem with cooperation and communication with respect to
intelligence. So they created their own intelligence division
to kind of address many of the items you shared with us today.
What has the Los Angeles Police Department put together to
address some of the issues that we are talking about today?
Mr. Downing. We have our own intelligence section as well,
probably 30 people dedicated to gathering intelligence within
our major crimes division, which does not include the Joint
Regional Intelligence Center.
The Joint Regional Intelligence Center sits on top of seven
counties that the L.A. FBI office is in charge of. We have
approximately 44 people in that center, growing to 80. It is
going to be a 7-day, 24-hour operation. It is an all crimes,
all hazards approach to intelligence. However, with the minimal
staffing right now, it is primarily terrorism. But that is how
we deal with it.
The FBI has established that as a top-secret level JRIC
center. It is managed by the L.A. sheriffs, LAPD and the FBI,
with the FBI as the functional lead in the center.
Mr. Thompson. Thank you, and I will get back to the other
part.
Chief Lanier, do you believe that you are receiving all the
information, or your department is receiving all the
information necessary from federal government sources at this
point?
Chief Lanier. No, I am sure I am not.
Mr. Thompson. And without pointing fingers, can you tell me
who is good, who is not so good, who is deserving of being
better? Because what we are trying to do with the hearings is
trying to determine where we need to start to focus. For
instance, I will give you a good example, our Capitol Police
happen to use analog radios. Well, they can't talk to anybody
but themselves, because everybody else is digital. And that is
a problem. So if we can't talk to each other from an
interoperability standpoint, I am wondering how much of the
sharing of intelligence and other things.
So if you could kind of give me your analysis of what you
have found so far.
Chief Lanier. I can walk that fine line there, sir.
Mr. Thompson. All right.
Chief Lanier. First of all, I always believe if I am going
to criticize anybody for anything, we have to look at ourselves
first. And I will say that local law enforcement needs to do a
better job of clearly articulating what our intelligence needs
are to the various intelligence agencies so they know what to
give us.
It took some pushing from me--fortunately, I had the
support from Chief Ramsey--to go to the right people and the
right agencies and say, ``This is what I need and why I need
it.'' It is not enough to say, as a police chief, ``You are not
giving me enough information; give me more.''
If the other federal agency doesn't know what it is that I
need, they are going to give me what they think I need. So I
need to lay that out very clearly. So we are guilty as well.
With that said, now I can throw other stones. I do think
that the participation of the JTTF has increased the
information-sharing flow with the FBI because there is a
longstanding history there. The new players in the game,
through the Department of Homeland Security, does not have that
longstanding relationship and well-established conduit for
information to flow clearly.
And, I don't want to oversimplify this, but I think it is
really, really important that in a lot of cases it boils down
to the right people, in the right place, having an opportunity
to sit down and have a dialogue. I would be happy to sit down
with somebody in this classification issue and have them sit
across the table from me, as a police chief in the nation's
capital, and look me in the eyes and listen to what I have to
say about what my needs are and then tell me why I shouldn't
have that.
Mr. Thompson. You do a good job.
Chief Lanier. Thank you.
Mr. Thompson. Thank you very much.
I yield back, Madam Chair. Thank you.
Ms. Harman. Thank you, Mr. Chairman.
The chair now yields 5 minutes for questions to the ranking
member, Mr. Reichert, from Washington.
Mr. Reichert. This brings back memories to me.
Ms. Harman. Nightmares.
Mr. Reichert. Yes. Everything that you have each said I
struggled with as the sheriff in Seattle. And the sharing of
information between the federal agencies and local sheriff's
office and the local Seattle Police Department and the other 38
police departments in King County, every one of those chiefs
would be saying exactly the same thing that both of the
witnesses have said today.
When you talk about information sharing, of course one of
the things that we know is a necessity in these days is
technology.
Are either of you familiar with the LInX System?
Chief Lanier. Yes.
Mr. Reichert. Are you participants in that program or
beginning to become involved in that program or where do you
stand, each of you?
Chief Lanier. We are not yet, but we are in the process of
getting there. As you might have seen in some of my public
testimony lately, technology is still a significant struggle
for the Metropolitan Police Department. We are moving forward
and bringing up our fusion center, so we are on our way, and we
will be full participants in the LInX Program, so we are
getting underway with that now.
Mr. Reichert. Great.
Mr. Downing. Yes. And we, as well, are beginning in that
process. We have cops LInX, which connects the agencies within
the different counties, and some of the counties that can't
afford it are not participating but looking forward to the
installation of LInX, which will also bring in the federal
system.
Mr. Reichert. Yes. Who is the lead on the LInX Systems in
your areas?
Mr. Downing. Chief Baca, Chief Bratton, Chief Corona, from
Orange County.
Mr. Reichert. Who from the federal government, do you know?
Mr. Downing. Well, Steve Tidwell in the L.A. office is
assisting us with that.
Mr. Reichert. I just visited your fusion center a couple
weeks ago.
Chief?
Chief Lanier. In Washington, D.C., it is being coordinated
through the Council of Governments, the COG, which is regional.
Mr. Reichert. How big is your department?
Chief Lanier. We will be at 3,900 by the end of this year
and probably 4,200 by the end of next year.
Mr. Reichert. How many people are assigned to homeland
security?
Chief Lanier. You are going to get me in trouble with my
local constituents, but I will tell you.
[Laughter.]
I have approximately 30 in the Office of Homeland Security
and Counterterrorism, but I do have a Special Operations
Division that is 225, 230 people, and I am about to merge those
two units together so that every member of the Special
Operations Division will now take part in that.
Mr. Reichert. And other than UASI money, are you getting
any federal assistance, grant monies to pay for those bodies?
Chief Lanier. To pay for those bodies?
Mr. Reichert. Yes.
Chief Lanier. Now you are really going to get me in
trouble.
Mr. Reichert. I know the answer to that one, so go ahead.
[Laughter.]
Chief Lanier. There are a variety of grant funds under the
homeland security program, LETPP, as you know, and the state
funds as well, the UASI, but we struggle to get sometimes
reimbursement for federal duties that involve dignitary
protection and things----
Mr. Reichert. You have some unfunded mandates.
Chief Lanier. Yes.
Mr. Reichert. Yes.
Mr. Downing?
Mr. Downing. Yes. Our department is 9,500. We have just
under 300 assigned to the Counterterrorism Bureau, which is
primarily the terrorist-related matters. We are one of the six
tier one cities in UASI. This year's UASI allows us to get 25
percent of the total grant toward personnel costs.
Mr. Reichert. Okay. I have no further questions.
I yield. Thank you.
Ms. Harman. I thank the ranking member, and I have a few
questions.
First, I want to thank both witnesses for excellent
testimony.
Our goal in this session of Congress is to put ourselves in
your shoes to think about what are the opportunities and
frustrations of our local first preventers and how can we make
the sharing of information with them and the tools that they
need more effective? Because if you can't do your jobs well, we
can't protect America. It is that simple.
It is not all in Washington, D.C. I know that may come as a
shock to a few folks, but it is not all here.
And vertical information sharing has to be adequate, and
horizontal information sharing at the local level has to be
adequate too. And that is another issue that neither of you
raised today but it is something that has been raised by prior
witnesses.
Both of you provided some useful information.
I am quite horrified to think, Mr. Downing, that if the
information about that cell in Torrance had had some
international connection, we might have missed the whole thing.
That gets my attention, because in a couple of weeks when
we are in Torrance, California, congratulating the Torrance PD
for excellent local police work, we are going to talk about how
devastating could have been attacks by a homegrown terrorist
cell living next door to some of my constituents had we not
prevented them from doing anything. So I just want to observe
that.
And, Chief Lanier, you make a very good point when you say
it is your obligation to make clear to federal agencies what
you need and why you need it. I mean, that is a job you have,
and you can't just assume they are going to figure it out. In
fact, they are not going to figure it out. You have to be an
advocate for your own needs.
And it is in that connection that I want to ask this
question. The chairman of the full committee has had a long and
friendly conversation with Charles Allen of the Department of
Homeland Security's Office of Intelligence and Analysis--we
call it I&A--about the need for local participation either on
the NCTC or connected to the NCTC. And some of us were dismayed
to learn in a visit we made recently to the NCTC that the new
agency about to be created, called the Interagency Threat
Assessment and Coordination Group, the ITACG, might have on it
one representative of law enforcement.
In questions to Charlie Allen last week, he said, ``Well,
maybe that will change to two or three.'' I clearly don't know
how many members of the ITACG there will be, but I would just
like to ask both of you, as consumers of necessary
intelligence, what do you think about the idea of one person or
maybe two or three participating in the NCTC process?
Chief Lanier. Well, it is at least a start, but I will say
this: Police departments around the country have very different
needs based on the jurisdictions they serve as well as the
capabilities that they have.
So in the Metropolitan Police Department, a large city
police department, I have a lot of capabilities that a small
town police department may not have. But at the same token,
that small town police department, or sheriff's department, may
have some vulnerabilities and some other understandings that I
don't have. So I think the representation needs to be fair and
representative across the board.
State agencies, state patrol, highway patrol officers have
different skills and capabilities than transit police, than
urban police, than university police. So there needs to be an
adequate representation.
Ms. Harman. Mr. Downing?
Mr. Downing. I absolutely agree, and to take it even
further, in coming back from the U.K., they have 17 people in
17 different parts of the world, and they are growing to 21.
And as New York, they have eight people in eight different
parts of the world as well. We are interested in that as well,
because we are not sure that the local perspective is being
placed on foreign intelligence.
Ms. Harman. I thank you for that, and I actually share that
big time. I think that information sharing has to go
horizontally and vertically and that your help in designing the
products that you will use is absolutely indispensable.
Otherwise, they may not be useful to you.
It is your point, Chief Lanier, we have to be advocates for
what we need and why we need it, so I think you should be
sitting inside the room when our National Intelligence Fusion
Center is developing products that you are supposed to use. And
then I think our next problem is to make sure that the
classification system gets revised so that you are in a
position to use them.
My time has expired. I don't want to abuse this
opportunity. And I have spoken more than others.
Let me just ask either of the members, starting with
Chairman Thompson, whether you have any concluding remarks.
The ranking member?
Mr. Reichert. Thank you, Madam Chair.
I just want to, again, thank you for being here and taking
time out of your busy schedule to testify. And as we have
learned today and previous hearings from this information, we
have a lot of work to do, and we look forward to working with
you to help make our country safer.
Thank you all.
Ms. Harman. The hearing is adjourned.
[Whereupon, at 11:34 a.m., the subcommittee was adjourned.]
THE RESPONSE OF THE PROGRAM
MANAGER OF THE INFORMATION
SHARING ENVIRONMENT
PART II
----------
Thursday, April 26, 2007
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Intelligence, Information Sharing, and
Terrorism Risk Assessment,
Washington, DC.
The committee met, pursuant to call, at 10:05 a.m., in Room
1539, Longworth House Office Building, Hon. Jane Harman
[chairwoman of the committee] presiding.
Present: Representatives Harman, Langevin, Thompson,
Reichert, and Dent.
Ms. Harman. [Presiding.] Good morning. The subcommittee
will come to order.
The subcommittee is meeting today to receive testimony on
``The Over-Classification and Pseudo-Classification of
Government Information: The Response of the Program Manager of
the Information Sharing Environment.''
We are here today because our classification system is
broken and because pseudo-classifications are making effective
information sharing nearly impossible.
A few weeks ago, we heard from experts in these areas who
described an expanding problem that is making securing the
homeland harder. Last fall, the president appointed Ambassador
Ted McNamara to take on the pseudo-classification issue, and
the ambassador has worked a solution that the White House is
reviewing.
His proposed controlled unclassified information, CUI,
framework holds a lot of promise, but no matter how good this
solution might be, if federal agencies don't get on board, and
fast, well-planned and well-meaning efforts will fail.
I commend Ambassador McNamara, with whom I have met several
times, for including state and local law enforcement officers
in his process from the outset. The ambassador's working group
welcomed law enforcement as part of the process from day one,
as well they should have.
Police and sheriff's officers are among the people who will
be most affected by this new CUI framework. As all of us on the
subcommittee have stated, we cannot have a successful fix to
the pseudo-classification and other information sharing
challenges unless all affected parties are involved in
structuring the solution.
I hope that DHS is listening. You should know, and I think
you do, that this subcommittee is extremely concerned with the
absence of numbers of state and local participants in the new
ITACG that is being developed as an adjunct to the NCTC. We
think that is a problem, and we are going to stay on that
problem and hopefully change what is happening.
So in this case, in addition to Ambassador McNamara and our
DHS and FBI witnesses, we are joined this morning by Mark
Zadra, the assistant commissioner of the Florida Department of
Law Enforcement. Mr. Zadra will talk to us about the promise
and potential pitfalls of the CUI framework from his state-
level perspective.
I would note with sadness, however, that we are not joined
today by Colonel Bart Johnson of the New York State Police, who
had been invited as a witness and was originally scheduled to
testify. Late yesterday, two of his officers were shot while
attempting to apprehend a criminal suspect on Tuesday, and one,
Trooper David Brinkerhoff, died from his injuries. Our
condolences, and obviously the condolences of the entire
Committee on Homeland Security, go to his family and his
colleagues.
And I ask unanimous consent to enter his prepared remarks
into the record at this point. Hearing no objection, we will do
so.
[The statement of Colonel Johnson follows:]
For the Record
Prepared statement of Colonel Bart R. Johnson
April 26, 2007
Chairman Thompson, Ranking Member King, Chairwoman Harman, and
Members of the Subcommittee, I sincerely appreciate the opportunity to
appear before you today to discuss state and local law enforcement's
involvement with standardizing procedures for sensitive but
unclassified (SBU) information and related issues impacting local,
state, and tribal law enforcement.
I have served with the New York State Police for more than 24
years, and I have over 30 years experience in law enforcement.
Presently, I serve as the Deputy Superintendent in charge of Field
Command. I oversee the Bureau of Criminal Investigation, the Uniform
Force, the Office of Counter Terrorism, Intelligence, and the
associated special details of these units. I also have the privilege to
serve as the vice chair of the U.S. Department of Justice's (DOJ)
Global Justice Information Sharing Initiative (Global) Advisory
Committee, the chair of the Criminal Intelligence Coordinating Council
(CICC) and of the Global Intelligence Working Group (GIWG). In these
capacities, I have been fortunate to actively participate in
discussions relating to intelligence reform, and I have provided
significant input to the federal government regarding information
sharing and intelligence.
I expect that we would all agree that the current number of
sensitive but unclassified (SBU) designations and the lack of
consistent policies and procedures for unclassified information
severely hinder law enforcement's ability to rapidly share information
with the officials that need it to protect our country, its citizens,
and visitors. Much progress has been made recently in addressing the
classification issue by way of Guideline 3, and much of the headway is
due to the leadership and efforts of Ambassador Thomas E. McNamara of
the Office of the Program Manager for the Information Sharing
Environment (ISE) and the other relevant federal agencies. I am
gratified that I have also had the opportunity to contribute to this
effort.
For many years, law enforcement agencies throughout the country
have been involved in the sharing of information with one another
regarding investigations, crime reporting, trend analysis, and other
types of information considered law enforcement sensitive. Oftentimes,
these investigations involve public corruption, organized crime,
narcotics, and weapons smuggling, and they frequently involve the use
of undercover operations, confidential sources, and lawful covert
electronic surveillance. State, local, and tribal law enforcement
agencies do not have the ability to classify their material, and we
must be assured that strict control is used when handling and
distributing this type of data to ensure that the information and
investigation are not compromised and that we do not sustain a loss of
a life. Also, since September 11, 2001, law enforcement agencies
nationwide are more fully involved in the prevention, mitigation, and
deterrence of terrorism, and consequently, they receive more
information and intelligence from their federal counterparts.
Moreover, many law enforcement agencies generate their own
information and intelligence (much of which is collected in a sensitive
manner) that is passed to other law enforcement agencies for their
possible action. Law enforcement agencies have also begun to share
information with new stakeholders in the fight against terrorism. They
now routinely share information with non-law enforcement government
agencies and members of the private sector in order to assist in
prevention efforts. This activity has altered the information sharing
paradigm.
Another issue that exists within the current environment is the
apparent ``over-classification'' of material. Over-classifying data
results in information and intelligence not being sent to the law
enforcement professionals on the front lines of the fight against
terrorism in this country--the officers, troopers, and deputies in the
field. It still appears to be a difficult process for the federal
intelligence community to develop ``tear-line'' reports that can be
passed to law enforcement so that the intelligence can be
operationalized in an effective and proactive manner.Up until a short
time ago, there was a lack of a coherent, standardized process for
marking and handling SBU data. Lack of consistency in markings led to
confusion and frustration among local, state, tribal, and federal
government officials and also a lack of confidence in knowing that the
information that was shared was handled in an appropriate and secure
manner. Recent studies by the Government Accountability Office, the
Congressional Research Service, and other institutions have confirmed
and highlighted the problems created by the various markings and the
lack of common definitions for these designations. These studies
revealed that there are over 120 different designations being used to
mark unclassified information so that agencies can ``protect'' their
information. These pseudo-classifications did not have any procedures
in place outlining issues such as who can mark the material; the
standards used to mark the material; who can receive the information;
how the information should be shared, who it could be shared with, and
how it should be stored; and what impact, if any, these markings have
on the Freedom of Information Act.
As a result of several key federal terrorism-related information
sharing authorities, such as the Intelligence Reform and Terrorism
Prevention Act of 2004, Executive Order 13388, and the December 2005
Memorandum from the President regarding Guidelines and Requirements in
Support of the Information Sharing Environment, specifically Guideline
3, much work has been undertaken to bring about intelligence reform in
this country. Local, state, and tribal law enforcement have been and
continue to be active and collaborative participants in this
undertaking.
As a representative of the New York State Intelligence Center
(NYSIC) \1\ and DOJ's Global Initiative, I have participated in a
number of efforts to implement the guidelines and requirements that
will support the ISE. Recognizing the need to develop a process for
standardizing the SBU process, the CICC and GIWG commissioned a task
team in May 2006 to develop recommendations that would aid local,
state, and tribal law enforcement agencies in fully participating in
the nationwide information sharing environment. This work was done with
the Federal Bureau of Investigation, the U.S. Department of Homeland
Security, the Office of the Program Manager for the Information Sharing
Environment, and other law enforcement entities. The recommendations
made by that team were provided to an interagency SBU working group.
Subsequently, I participated on the SBU Coordinating Committee (CC)
that was established to continue the Guideline 3 implementation efforts
begun by the interagency group.
---------------------------------------------------------------------------
\1\Formerly known as the Upstate New York Regional Intelligence
Center (UNYRIC).
---------------------------------------------------------------------------
As you know, the SBU CC recommendations are currently under review
and awaiting ultimate Presidential approval. The CC recommends adoption
of a new Controlled Unclassified Information (CUI) Regime that is
designed to standardize SBU procedures for information in the ISE. The
recommendations include requiring controls on the handling and
dissemination of SBU information. By and large, I believe local, state,
and tribal agencies will support the new CUI Framework because they
want to be active participants in the ISE and are supportive of clear
and easily understandable protocols for sharing sensitive information.
Local, state, and tribal agencies want to be able to receive
terrorism, homeland security, and law enforcement information from the
federal government and clearly understand, based on the markings on the
data, how the data should be handled and stored and to whom the
information can be released. The data should be disseminated as broadly
as possible to those with a need to know, including non-law enforcement
public safety partners, public health officials, and private sector
entities. Conversely, local, state, and tribal entities are frequently
the first to encounter terrorist threats and precursor criminal
information, and the new CUI markings will assist with sharing that
type of information both vertically and horizontally while respecting
originator authority.
A number of critical issues must be addressed at the local, state,
tribal and federal levels in order to facilitate a successful CUI
Regime implementation, including training, policy and procedural
changes, system modifications and enhancements, and funding to
implement these recommendations.
Emphasis must be placed on the development and delivery of training
to local, state, tribal, and federal personnel on the CUI Framework.
Because of the possibility of wide distribution of sensitive
information, it is imperative that training be given a priority so
recipients have a clear understanding of marking and handling
procedures. In order to maximize the effectiveness of the training and
reach the appropriate recipients at the local, state, and tribal
levels, I recommend that it be provided on a regional basis across the
country to personnel in the designated statewide fusion centers.
Focusing on fusion center officials in the initial delivery phase
directly supports the national information sharing framework that calls
for the incorporation into the ISE of a national network of state and
major urban area fusion centers.
In support of the ISE, state and major urban area fusion centers
will be contributing information to ongoing federal and national-level
assessments of terrorist risks; completing statewide, regional, or
site-specific and topical risk assessments; disseminating federally
generated alerts, warnings, and notifications regarding time-sensitive
threats, situational awareness reports, and analytical products; and
supporting efforts to gather, process, analyze, and disseminate locally
generated information such as suspicious incident reports. Over 40
states currently have operational fusion centers, and it is critically
important that center personnel receive timely, relevant training to
enable them to fully function in the national ISE.
Training will provide insight and an understanding of how the CUI
handling and disseminating requirements affect business processes. This
will cause agencies to execute policy and procedural changes and system
modifications. There are potentially over 18,000 local, state, and
tribal law enforcement agencies in our country that could be impacted
by the implementation of the CUI Framework. I believe that the federal
government--working collaboratively with local, state, and tribal
authorities--should develop model policies and standards to aid in the
transition to the Framework. Funding issues will be a major factor for
local agencies, especially in regard to modifying/enhancing information
technologies and applying encryption requirements to ensure proper
transmission, storage, and destruction of controlled information.
It will be through these ongoing collaborative efforts regarding
Guideline 3 that the ISE will take another step towards being the
meaningful and cooperative sharing environment that it was intended to
be. These actions will result in the maturation of information sharing
among state, local, and tribal agencies; private entities; and their
federal counterparts, which will in turn assist in our collective
efforts to prevent another terrorist attack and reduce violent crime.
Our goal should be to share as a rule and withhold by exception,
according to rules and policies that protect the privacy and civil
rights of all.
Being involved in the CUI Framework development process has been a
rewarding and sometimes arduous experience. It is a process that I and
the entire state, local, and tribal law enforcement community take very
seriously. It is very encouraging to me that the Office of the Program
Manager and other relevant partner federal agencies have made great
strides in recognizing the value that local, state, and tribal
officials bring to the table. We want to remain active, ongoing
partners and participants with the federal government as we work
towards a national information sharing environment.
Mr. Chairman, I thank you and your colleagues for giving me the
opportunity to speak to you today, and I hope my comments have been of
some use to you in your deliberations.
Ms. Harman. But I would also note that our police, sheriffs
and firefighters are our front lines. They take all the risks
to keep our country safe, and on behalf of a grateful nation,
we send, again, our condolences and appreciation to the New
York State Police.
Today, we will also focus on how best to support the CUI
framework at the federal level. That is why DHS and FBI are
testifying. Last month, we learned that every agency in the
federal government has invented pseudo-classifications for
their particular brand of information. The increasing number of
these markings has led to tremendous confusion.
Obviously, that proliferation is a problem, and our goal
here is to find out whether Ambassador McNamara's new framework
is one that will be embraced, as it should be, by those federal
agencies that are in the same line of work. If we can't get it
right at the federal level, we can't expect state and local
entities to do any better. We are late in this process, and we
can and should move faster.
I hope this hearing will help us figure out how to move
from a good proposal to a good adopted strategy across the
federal government and with our state and local partners.
I would like to, again, extend a warm welcome to our
witnesses who will be talking about these issues, and I look
forward to your testimony.
I now yield time for opening remarks to the ranking member,
Sheriff Reichert.
Mr. Reichert. Thank you, Madam Chair. I like that
``sheriff'' title. Thank you for using that.
I, first of all, apologize. My voice is a little hoarse
this morning. I am experiencing some effect from the oak
pollen, I think, that is flying around out here. I am not used
to that back in Seattle.
Second, let me also share my condolences with the New York
State Police. I have experienced the loss of heartbreak myself
in my 33-year career, and that is a tough one to take.
Also, Ambassador, I would like to thank you for your
briefing earlier this week. It was very helpful, and thank you
again for being here today to share your thoughts on your new
ideas and plans.
I also want to say that I certainly recognize the
difficulty that all three of you have in bringing the nation's
state and local and federal agencies together to share
information. Just on the local level, in the Seattle region, I
know how tough that can be. So your job is going to be very
tough, as we all recognize, but we certainly want to be a part
of the solution with you.
So today we meet on a topic of pseudo-classification, which
is the use of document controls that protect sensitive but
unclassified information. This is the second hearing in a
series on the problems of over-classification and pseudo-
classification and information sharing.
I believe it is essential that sensitive information be
able to flow to those that need it, and I shared a story the
other day with the ambassador, my own personal experience
within the sheriff's office, people holding and withholding
information and other police departments not wanting to share
the information and therefore resulting in maybe a case not
being resolved or solved or being solved much later than it
could have.
Information needs to flow in a trusted information sharing
environment. The people who share sensitive information need to
be able to trust that different federal agencies, as well as
different states and localities, will treat their information
with respect and protect sensitive information.
Currently, there is no trusted information sharing
environment for sensitive, unclassified information. There are
currently over 107 unique markings for sensitive information
and over 130 different labeling or handling processes, as we
talked about the other day. This disparity creates confusion
and leads to information not being properly protected. If a
federal agency can't trust that sensitive, unclassified
information will be protected, it will simply classify the
document as secret or above, severely restricting access.
If a private-sector entity or state/local agency does not
believe its information will be protected properly, it simply
will not share that, and I have experienced that myself. So
without trust, the information sharing environment breaks down.
Creating a trusted environment is essential to the work of
the program manager. Cleaning up a messy system of sensitive
but unclassified designations is essential to creating that
trust.
We are looking forward to the program manager's testimony
as well as the testimony of our DHS and FBI witnesses who will
be able to discuss how these policies are progressing and how
we can ensure the information sharing is a success.
From the second panel, hopefully, we will hear from state
law enforcement. We have had a role in the process. The state
and local perspective is essential, because without the state
and local buy-in, as I said, collaboration will lead to not
sharing information.
We appreciate your testimony and your time this morning,
and thank you again for being here.
With that, I yield the balance of my time.
Ms. Harman. The gentleman's time has expired.
The chair now recognizes the chairman of the full
committee, the gentleman from Mississippi, Mr. Thompson, for an
opening statement.
Mr. Thompson. Thank you very much, Madam Chair, and I join
you in welcoming our distinguished witnesses today to this
important hearing on the work being done by Ambassador
McNamara.
I also join you and our ranking members and others in
expressing our heartfelt sympathies to the New York State
Police in the loss of their officer. Any front-line person puts
his or her life on the line every day, and, unfortunately,
sometimes these things happen. And that is why what we and is
so important every day and what so many others do.
But from information sharing, I think Representative
Reichert spoke volumes when he said it is important to have
information available in real-time. I was in local government
before coming to Congress and I remember when agencies bragged
about knowing something, and when other folks found out about
it weeks and months later, they would say, ``Well, we knew
about that all the time.''
To me, it is a no-brainer not to share the information if
we are supposedly all looking for the bad guys--or gals, in
some instances.
Ms. Harman. You had it right the first time, Mr. Chairman.
[Laughter.]
Mr. Thompson. But the notion is we absolutely need to do
it, but we are concerned that sometimes government over-
classifies information so that it can't get out into the field.
And, Ambassador, I know you have a tough challenge ahead of
you. We talked a little bit about it before the hearing, and I
am looking for this new framework. I want the commitment to be
there, to carry it forward. I would not like to see it become
another in a long line of acronyms that get put on the shelf
never to be taken off. So I look forward to your testimony, and
I look forward to pushing forward the new ideas.
The comfort zone, as all of us know, is we have always done
it this way, but that doesn't necessarily mean that it is
correct. And these are different times, different challenges
and it calls for broader strategies.
So I look forward to the testimony and the questions to
follow.
And I yield back.
Ms. Harman. The gentleman's time has expired.
And I would just observe, the comfort zone ended on 9/11.
There is no comfort zone anymore. I am looking at a press clip
today in the New York Times, which says, ``British anti-
terrorism chief warns of more severe al-Qa'ida attacks.'' These
are in Britain, but obviously we can imagine this here.
So in that spirit, I would hope that what we are talking
about never hits a shelf. That should not even be an option. We
have to change the way we do business.
I welcome our first panel of witnesses.
Our first witness, Ambassador Ted McNamara, is the program
manager of the Information Sharing Environment, a position
established by the Intelligence Reform and Terrorism Prevention
Act of 2004, a statute I am very familiar with.
Ambassador McNamara is a career diplomat who originally
retired from government service in 1998, after which he spent 3
years as president and CEO of the Americas Society and Council
of the Americas in New York. Following the September 11
attacks, he was asked to return to government service as the
senior advisor for counterterrorism and homeland security at
the Department of State.
Our second witness, Dr. Carter Morris, is currently
director of information sharing and knowledge management for
the Office of Intelligence and Analysis at the Department of
Homeland Security. That is a mouthful. That can't even be one
business card.
He is a detailee to DHS from the Directorate of Science and
Technology at CIA. Most recently, Dr. Morris served as the
deputy assistant director of Central Intelligence for
Collection where he helped coordinate all intelligence
community collection activities.
Thank you for that service.
Our third witness, Wayne Murphy, is currently an assistant
director at the FBI. He joined the bureau with more than 22
years of service at the National Security Agency in a variety
of analytic, staff and leadership positions. The bulk of his
career assignments have involved direct responsibility for
SIGINT analysis--that is signals intelligence analysis and
reporting--encompassing a broad range of targets.
Without objection, the witnesses' full statements will be
inserted in the record, and I would ask each witness to
summarize your statements.
I think this time clock is visible to you, or I think it
can be, or there is a time clock that is visible to you. And we
will get right into questions following your testimony.
Thank you.
We recognize you first, Dr. Morris. Dr. Morris, we are
recognizing you first. I am not sure why we are doing that, but
that is what we are doing.
Mr. Morris. Didn't realize I was going to go first, but I
will be very happy to do that.
Ms. Harman. Dr. Morris, you are relieved of going first.
[Laughter.]
Mr. Morris. Thank you.
Ms. Harman. Because this chair, who must be visually
impaired, skipped the top of the statement.
Ambassador McNamara, you are recognized first. I think that
does make more sense, because you are going to present the
information, and then we will follow on with two people who
will comment on it, which seems obvious. I apologize for the
confusion.
STATEMENT OF AMBASSADOR THOMAS E. McNAMARA, PROGRAM MANAGER,
INFORMATION SHARING ENVIRONMENT, OFFICE OF THE DIRECTOR OF
NATIONAL INTELLIGENCE
Mr. McNamara. Thank you very much, Madam Chair.
Chairman Thompson, Madam Chairman Harman, Ranking Member
Reichert and members of the subcommittee, it is a great
pleasure to be here with my colleagues today. And I want to
thank you for the continued focus and priority for building an
effective information sharing environment that you and the
committee have shown over the course of many months.
I hope to especially discuss with you all work on the
presidential priority to standardized sensitive but
unclassified information.
Our current efforts to provide the president
recommendations for standardizing SBU procedures, sensitive but
unclassified, have been successful because of the strong
interagency commitment that we have found. I want to note that
Wayne Murphy, who is a member of the SBU Coordinating Committee
with me, has been a part of this process since the very
beginning and, with his colleagues in the Department of Justice
and the FBI, have been instrumental in bringing the state,
local and private sector perspectives and concerns to the
table.
I also was hoping to thank Colonel Bart Johnson were he
here today, but I will thank him in his absence. He is the
chair of the Criminal Intelligence Coordinating Council of
Global Justice Information Sharing Initiative. He has been
giving so much of his time and expert advice to our group, and
I join the committee in offering our condolences to the family
of the slain officer and to Colonel Johnson and his colleagues.
I have a personal sense of this loss. My son is a law
enforcement officer and has been in a situation that occurred
in the last 24 hours himself.
Also, I would like to thank assistant commissioner for the
Florida Department of Law Enforcement, Mark Zadra, who is here
today, who was our host at the very first national conference
on fusion centers, which was held earlier this year in Florida.
It was an excellent, very astonishing, in some respects,
conference. Over 600 people came to that conference. They
closed the rolls for the conference about 3 or 4 weeks before
the conference began.
When I showed up in this job a year ago, if someone had
told me in a year that that would happen, I would have said,
``Well, you people are just overly optimistic.'' And I think
that shows how far things have gone over the course of the last
few years.
Finally, I want to note that the Department of Justice and
Department of Homeland Security were leaders in the initial
effort to research this issue on SBU and to collect the
information on which my committee has been working these last 6
months.
The lack of government-wide standards for SBU information
is well known. More difficult has been charting a feasible way
ahead to create such standards as part of a single regime. Over
the years, because SBU is not considered a matter of national
security concern, there has been no single control framework
that enables the rapid and routine flow of this type of
information.
Throughout the Cold War, executive branch agencies and
Congress responded in a piecemeal fashion, an uncoordinated
way, to protecting SBU. It was left to each agency to decide on
its control regime.
For example, there are close to 107 unique markings and
more than 131 different labeling or handling processes and
procedures for SBU information. These markings and handling
processes stem from about 280 statutory provisions and
approximately 150 regulations.
Protecting information and sharing information are critical
and interdependent functions for the information sharing
environment. Simply stated, sensitive information will not be
shared unless participants have confidence in the framework
protecting that information.
Standardizing SBU procedures is a difficult endeavor made
more complicated by the complex information management policies
and practices which the government now has. Correcting these
defects is especially important because some categories of SBU
truly require controls as strong as those for national security
information.
There are sound reasons in law and policy to protect those
categories from public release, both to safeguard the civil
liberties and legal rights of U.S. citizens and to deny the
information advantage to those who would threaten the security
or the public order of the nation.
Appropriately protecting law enforcement and homeland
security related sources and methods, for example, are just as
valuable to our nation as protecting our intelligence sources
and methods. The global nature of the threat our nation faces
today requires that our entire network of defenders be able to
share information more rapidly and confidently so that those
who much act have the information they need to act.
This lack of a single rational standardized and simplified
SBU framework is a major cause of improper handling. It
heightens risk aversion and undermines the confidence in
control mechanisms. These problems are endemic within the
federal government between federal and non-federal agencies and
with the private sector. This is a national concern because the
terrorist threat to the nation requires that many communities
of interest, at different levels of government, share
information.
Ms. Harman. Ambassador McNamara, let me suggest that you
just describe the new system, and we can get into the arguments
for it and so forth in the question period, because your 5
minutes has expired.
Mr. McNamara. Okay. I will then move to saying that I think
this new system will enhance our ability to share vital
information at the state, federal, local, tribal and private
sector entities and also with our foreign partners.
There are three major elements to the standardized SBU
system that I am proposing. First, is the CU designation. The
committee has decided that a clean break with the current SBU
system would begin by calling it, controlled, unclassified
information, CUI, thus eliminating the old term of SBU and any
residual or legacy controls and habits that have grown up.
Secondly, CUI markings, there will be a CUI framework
recommended that also contains mandatory policy and standards
for making safeguarding and dissemination of all CUI originated
at the federal government level and shared in the ISE
regardless of the medium used for its display, storage or
transmittal. This framework includes a very limited marking
schema that addresses both safeguarding and dissemination.
Thirdly, there will be CUI governance recommended. A
central management and oversight authority in the form of an
executive agent and an advisory council would govern the new
CUI framework and oversee its implementation. This CUI
framework is one of the essential elements among many elements
that make up the ISE.
And since my time is short and over, I guess, I will say
that I would like to close by saying how helpful and important
it is to the work that I am doing for the Congress to focus on
this matter, as this committee and subcommittee has done. This
is a high-priority matter creating the ISE and in particular it
is important that the amount and quality of the collaboration
on implementing these reforms be noted and enhanced so that we
can strengthen our counterterrorism mission at all levels of
government.
Thank you.
[The statement of Mr. McNamara follows:]
Prepared Statement of Abassador Thomas E. McNamara
I. Introduction
Chairwoman Harman, Ranking Member Reichert, and Members of the
subcommittee: I am pleased to be here with my colleagues and want to
thank you for your continued focus and priority to building an
effective Information Sharing Environment (ISE).
As you and the Committee address classification of information
issues, I would like to update you on a Presidential priority to
standardize procedures for Sensitive But Unclassified (SBU)
information. This is a priority because if we do not have a manageable
SBU framework, we will not have an effective ISE.
Information vital to success in our protracted conflict with
terrorism does not come marked ``terrorism information''; it can and
does come from many sources, including from unclassified information
sources. Yet we lack a national unclassified control framework that
enables the rapid and routine flow of information across Federal
agencies and to and from our partners in the State, local, tribal and
private sectors. This is especially important because some categories
of unclassified information require controls as strong as those for
national security information. There are sound reasons to protect those
categories from public release, both to safeguard the civil liberties
and legal rights of U.S. citizens, and to deny the information
advantage to those who threaten the security or public order of the
nation.
This lack of a single, rational, standardized, and simplified SBU
framework is a major cause of improper handling. It heightens risk
aversion and undermines confidence in the control mechanisms. This
leads to both improper handling and unwillingness to share information.
These problems are endemic within the Federal government, between
Federal and non-Federal agencies and with the private sector. This is a
national concern because the terrorist threat to the nation requires
that many communities of interest, at different levels of government,
share information. They must share because they have each have
important responsibilities in countering terrorism. The problem exists
at all levels--Federal, State, local, tribal, and the private sector.
All have cultures that are traditionally cautious to sharing their
sensitive information, but this must be addressed if we are to properly
and effectively share sensitive but unclassified information. Only when
the Federal government provides credible assurance that it can protect
sensitive data from unauthorized disclosure through standardized
safeguards and dissemination controls will we instill confidence that
sensitive information will be appropriately shared, handled,
safeguarded, and protected, and thus make sharing part of the culture.
II. The Current SBU Environment
Let me note at the outset that I will focus here on
``unclassified'' information. Classified information is, by law and
regulation, controlled separately in a single system that was
established early in the Cold War years. The classification regime,
currently governed by Executive Order 12958, as amended, applies to
``national security information,'' which includes intelligence,
defense, and foreign policy information. Other information, which
legitimately needs to be controlled, is controlled by agency-specific
regimes. Collectively, these regimes address information referred to as
Sensitive But Unclassified (SBU) information. SBU information has grown
haphazardly over the decades in response to real security requirements,
but this information cannot be encompassed in the subject-specific
classified control regime. The result is a collection of control
mechanisms, in which most participants have confidence only when
information is shared within an agency--and sometimes not even then.
Let me give you some understanding of how complex SBU is: Among the
20 departments and agencies we have surveyed, there are at least 107
unique markings and more than 131 different labeling or handling
processes and procedures for SBU information. Even when SBU information
carries the same label marking (e.g. For Official Use Only), storage
and dissemination are inconsistent across Federal agencies and
departments. Because such markings are agency-specific, recipients of
SBU information in a different agency must understand the processes and
procedures of the originating Federal agency for handling the
information, even if their agency uses the same marking. The result is
an unmanageable collection of policies that leave both the producers
and users of SBU information unable to know how a piece of information
will be controlled as it moves through the Federal government and
therefore reducing information sharing.
I would like to highlight just two examples to convey the confusion
created by the current SBU processes:
The first example is a single marking that is applied to different
types of information. Four agencies (DHS, DOT, USDA and EPA) use
``SSI'' to mean ``Sensitive Security Information.'' However, EPA has
also reported the use of ``SSI'' to mean ``Source Selection
Information'' (i.e. acquisition data). These types of information are
completely different and have vastly different safeguarding and
dissemination requirements, but still carry the same SBU marking
acronym. In the same way, HHS and DOE use ``ECI'' to designate ``Export
Controlled Information,'' while the EPA uses ``ECI'' to mean
``Enforcement Confidential Information.'' ``Export Controlled
Information'' and ``Enforcement Confidential Information'' are clearly
not related, and in each case, very different safeguarding and
dissemination controls are applied to the information The second
example is of a single marking for the same information, but with no
uniformity in control. Ten agencies use the marking ``LES'' or ``Law
Enforcement Sensitive.'' However, the term is not formally defined by
most agencies nor are there any common rules to determine who can have
access to ``law enforcement information.'' Therefore, each agency
decides by itself to whom it will disseminate such information. Thus,
an individual can have access to the information in one agency but be
denied access to the same information in another. Further confusing the
situation, SBU markings do not usually indicate the originating entity.
As a result, even if a recipient had access to all the different
control policies for each agency, he or she could probably not
determine what rules apply because the recipient usually does not know
which agency marked the document.
Protecting the sharing of information is a critical and
interdependent function for the ISE. Simply stated, sensitive
information will not be shared unless participants have confidence in
the framework controlling the information. Standardizing SBU procedures
is a difficult endeavor, made more complicated by the complex
information management policies.
III. Unclassified Information Framework Imperative
Producers and holders of unclassified information which
legitimately needs to be controlled must have a common framework for
protecting the rights of all Americans. In the classified arena, we
deal with information that will, mainly, be withheld from broad
release. In the unclassified arena, we deal with information that is
mainly shareable, except where statute and policy require restrictions.
Agencies must often balance the need to share sensitive information,
including terrorism-related information, with the need to protect it
from widespread access.
A new approach is required. Existing practices and conventions have
resulted in a body of policies that confuse both the producers and
users of information, ultimately impeding the proper flow of
information. Moreover, multiple practices and policies continue to be
developed absent national standards. This lack of standards often
results in information being shared inappropriately or not shared when
it should be. In December 2005, the National Industrial Security
Program Policy Advisory Committee, described the consequences of
continuing these practices without national standards in the following
manner ``. . .the rapid growth, proliferation and inclusion of SBU into
classified contract requirements without set national standards have
resulted in pseudo-security programs that do not produce any meaningful
benefit to the nation as a whole.'' Clearly this situation is
unacceptable.
IV. A Presidential Priority
The lack of government-wide standards for SBU information is well-
known. More difficult has been charting a reasonable way ahead to
create such standards. This is an enormously complex task that requires
a careful balance between upholding the statutory responsibilities and
authorities of individual departments and agencies, and facilitating
the flow of information among them--all the while protecting privacy
and civil rights. We were successful in creating such a regime for
classified national security information by setting national standards
and requiring that they be executed uniformly across the Federal
government. In addition, we established a permanent governance
structure for managing the classified information regime. A similar
approach is necessary to establish an unclassified information regime,
with standards governing controlled unclassified information.
As required by the Intelligence Reform and Terrorism Prevention Act
of 2004, on December 16, 2005, the President issued a Memorandum to the
Heads of Executive Departments and Agencies on the Guidelines and
Requirements in Support of the Information Sharing Environment, which
specified tasks, deadlines, and assignments necessary to further the
ISE's development. Guideline 3, of his Memorandum, specifically
instructed that to promote the sharing of, ``. . .Sensitive But
Unclassified (SBU) information, including homeland security
information, law enforcement information, and terrorism information,\1\
procedures and standards for designating, marking, and handling SBU
information (collectively ``SBU procedures'') must be standardized
across the Federal government. SBU procedures must promote appropriate
and consistent safeguarding of the information and must be
appropriately shared with, and accommodate and reflect the imperative
for timely and accurate dissemination of terrorism information to,
State; local, and tribal governments, law enforcement agencies, and
private sector entities.''
---------------------------------------------------------------------------
\1\ Pursuant to the ISE Implementation Plan, and consistent with
Presidential Guidelines 2 and 3, the ISE will facilitate the sharing of
``terrorism information,'' as defined in IRTPA section 1016(a)(4), as
well as the following categories of information to the extent that they
do not otherwise constitute ``terrorism information'': (1) homeland
security information as defined in Section 892(f)(1) of the Homeland
Security Act of 2002 (6 U.S.C. Sec. 482(f)(1)); and (2) law enforcement
information relating to terrorism or the security of our homeland. Such
additional information includes intelligence information.
---------------------------------------------------------------------------
An interagency SBU Working Group, co-chaired by the Departments of
Homeland Security (DHS) and Justice (DOJ), undertook an intensive study
and developed several draft recommendations for a standardized approach
to the management of SBU. Its work provided a solid foundation for
completing the recommendations. It was determined, however, that
additional work was necessary to fully meet the requirements of
Guideline 3.
Recommendations for Presidential Guideline 3 are coming close to
completion in a SBU Coordination Committee (SBU CC), chaired by the
Program Manager, Information Sharing Environment (PM-ISE), with
Homeland Security Council oversight. The SBU CC began work in October
2006 with the participation of the Departments of State, Defense,
Transportation, Energy, Justice, and Homeland Security; the Federal
Bureau of Investigation; the Office of the Director of National
Intelligence; the National Security Council; and the Office of
Management and Budget. The committee actively consults with
representatives from other departments and agencies, the National
Archives and Records Administration (NARA), the Information Security
Oversight Office, the Controlled Access Program Coordination Office,
the Information Sharing Council, the Global Justice Information Sharing
Initiative, State, local, and tribal partners, and several private
sector groups.
The efforts of the SBU CC have focused on developing an SBU control
framework that is rational, standardized, and simplified, and as such,
facilitates the creation of an ISE that supports the individual
missions of departments and agencies and enhances our ability to share
vital terrorism information among Federal, State, local, tribal, and
private sector entities, and foreign partners.
Rationalization means establishing a framework based on a
set of principles and procedures that are easily understood by all
users. This should help build confidence among users and the American
public that information is being shared and protected in a way that
properly controls information that should be controlled, and protects
the privacy and other legal rights of Americans.
Rationalization means structuring a framework in which all
participants are governed by the same definitions and procedures and
that these are uniformly applied by all users. The objective is to end
uncertainty and confusion about how others using the framework will
handle and disseminate SBU information. Standardization helps achieve
the ISE mandated by Congress: ``a trusted partnership between all
levels of government.''
Simplification means operating a framework that has
adequate, but carefully limited, numbers and types of markings,
safeguards, and dissemination of SBU information. Such a simplified
framework should facilitate Federal, State, and local government
sharing across jurisdictions; facilitate training users; and reduce
mistakes and confusion.
V. The Controlled Unclassified Information (CUI) Framework
I must reiterate that interagency discussions of a proposed
detailed framework are still underway. Furthermore, no recommendation
will become final unless and until it is approved by the President. Of
course, the ability to implement any reform will depend upon the
availability of appropriations. With respect to the present proposal,
however there is general agreement that the SBU framework should
include the following 6 main elements:
1. CUI Designation: To ensure a clean break with past
practices, the Framework would change the descriptor for this
information to ``Controlled Unclassified Information'' (CUI)_
thus eliminating the old term ``SBU.'' Participants would use
only approved, published markings and controls, and these would
be mandatory for all CUI information. All other markings and
controls would be phased out.
2. CUI Mmarkings: The CUI Framework also contains mandatory
policies and standards for marking, safeguarding and
dissemination of all CUI originated by the Federal government
and shared within the ISE, regardless of the medium used for
its display, storage, or transmittal. This Framework includes a
very limited marking schema that addresses both safeguarding
and dissemination. It also provides reasonable safeguarding
measures for all CUI, with the purpose of reducing the risk of
unauthorized or inadvertent disclosure and dissemination levels
that with the purpose of facilitating the sharing of CUI for
the execution of a lawful Federal mission or purpose.
3. CUI Executive Agent: A central management and oversight
authority in the form of an Executive Agent would govern the
new CUI Framework and oversee its implementation.
4. CUI Council: Federal departments and agencies would advise
the Executive Agent through a CUI Council composed of senior
agency officials. The Council will also create mechanisms to
solicit State, local, tribal, and private-sector partner input.
5. Role of Departments and Agencies: The head of each
participating Federal department and agency will be responsible
for the implementation of a functional CUI Framework within the
agency.
6. CUI Transition Strategy a Transition Strategy for a phased
transition from the current SBU environment to the new CUI
Framework is needed. During the transition, special attention
would be paid to initial governance, performance measurements,
training, and outreach components.
On a final note, our work has recognized that the substantive
information that will be marked and disseminated in accordance with the
proposed Framework is also subject to a variety of other legal
requirements and statutes. Among some of the most important statutes
and legal authorities that apply to this information are the Privacy
Act of 1974, the Freedom of Information Act, the Federal Information
Security Management Act (FISMA) and various Executive Orders, including
Executive Order 12333, which governs the Intelligence Community and its
use of United States Persons information. I would like to stress that
this proposed Framework for handling SBU has thoroughly considered
these legal authorities and does not alter the requirements and
obligations imposed by these authorities. We will continue to work with
the ISE Privacy Guidelines Committee to ensure that the appropriate
privacy issues fully meet any legal requirements to protect the civil
liberties and privacy of Americans.
VI. Conclusion
For information sharing to succeed, there must be trust--the trust
of government providers and users of information, or policymakers, and
most importantly, of the public. Each of these must trust that
information is being shared appropriately, consistent with law, and in
a manner protective of privacy civil liberties. Building trust requires
strong leadership, clear laws and guidelines, and advanced technologies
to ensure that information sharing serves important purposes and
operates consistently with American values.\2\
---------------------------------------------------------------------------
\2\ Mobilizing Information to Prevent Terrorism: Accelerating
Development of a Trusted Information Sharing Environment, Third Report
of the Markle Foundation Task Force, July 2006
---------------------------------------------------------------------------
The lack of a single, rationalized, standardized, and simplified
SBU framework does contribute to improper handling or over-
classification. To instill confidence and trust that sensitive
information can be appropriately shared, handled, safeguarded, and
protected, we must adopt a standardized CUI Framework. This is
especially critical to our counterterrorism partners outside the
intelligence community. Appropriately protecting law enforcement and
homeland security related sources and methods are just as valuable to
our national security as protecting our intelligence sources and
methods.
The global nature of the threats our Nation faces today requires
that: (1) our Nation's entire network of defenders be able to share
information more rapidly and confidently so that those who must act
have the information they need, and (2) the government can protect
sensitive information and the information privacy rights and other
legal rights of Americans. The lack of a government-wide control
framework for SBU information severely impedes these dual imperatives.
The CUI Framework is essential for the creation of an ISE which has
been mandated by the President and the Congress. Only then can we meet
the dual objectives of enabling our Nation's defenders to share
information effectively, while also protecting the information that
must be protected. A commitment to achieving standardization is
essential--a vital need in the post-9/11 world.
Ms. Harman. Thank you, Ambassador.
We now recognize Dr. Morris for a 5-minute summary.
STATEMENT OF CARTER MORRIS, Ph.D., DIRECTOR, INFORMATION
SHARING AND KNOWLEDGE MANAGEMENT, OFFICE OF INTELLIGENCE AND
ANALYSIS, DHS
Mr. Morris. Thank you, Madam Chairman, Chairman Thompson,
Ranking Member Reichert, other distinguished members of the
subcommittee.
It really is a pleasure for me to be here this morning to
talk about the activities that we are doing in DHS relative to
information sharing and specifically to talk about the
activities that we are doing with Ambassador McNamara, the FBI,
our other federal partners and our state and local partners in
developing a system that will effectively allow us to share
information but also to protect the information that needs to
be protected.
When I go around and give my various talks that I give on
information sharing, I like to quote from the Homeland Security
Act that says one of the responsibilities of DHS is to share
relevant and appropriate homeland security information with
other federal agencies and appropriate state and local
personnel together with assessments of the credibility of such
information. And the act defines state and local to include the
private sector.
I think that is my charge in DHS to make that happen and
that we take that very seriously that that is a major part of
the responsibilities of the Department of Homeland Security.
The challenge that we face, and the one we are talking
about here today, is the issue that being able to share but to
still protect the information that needs to be protected. Now,
I know from the Congress we hear both things coming at us
strongly, and we want to make sure that we do both effectively.
In the national security community, we have had a
classification system in place for a very long time. You can
argue as to what is in it and what is out of it, but let me
assure you, even in that community, we continue to look at need
to know and originator control and third agency rules, all the
things that people believe are an impediment to sharing, all of
which are actively being debated at the moment.
Outside of the national security community, as we have
already talked about, there are also reasons to protect
information. Some of this information is very vital to national
security--privacy, law enforcement case information, witness
protections, security practices, vulnerabilities in our
critical sectors and even lots of others.
These are very legitimate reasons, and what we have to do
is figure out how to share, how to protect and how to build
trust in the system, as Ranking Member Reichert pointed out, so
that people will actually share the information. And that is
the challenge that we have.
Let me add a little bit of my own personal assessment here,
speaking for myself. As I look around the information sharing
business, information that is what I would call important is
rarely not protected in some way. So in almost everything we
talk about in information sharing, we have to couple that with
a discussion of information protection. And so we can't talk
about one without the other.
We believe that DHS has moved forward in the information
sharing business. If you look at my written statement, you will
see that there are a number of references made, the things we
have done. I would like to point out just two, and one of them
is very relevant today.
One is, in the classified domain, we have led a community
effort with all of our partners to look at how we better
produce unclassified tear lines from classified reporting and
to not only produce that tear line with information but produce
an assessment, let me say, of the credibility of that
information. We believe we have a new system that is currently
being implemented, and some of my intelligence community
partners we have already seen a real change in how that is
being implemented.
The second area on the non-classified side is all of the
efforts that we have put into working the controlled,
unclassified information. As Ambassador McNamara said, DHS,
working with the Department of Justice, that really started
that planning into these activities, and we take this as a very
important thing to accomplish. Some of the people who work for
me are very rabid about the issue that we really do need to get
this under control and do it very well.
So that is the area that we really need to work on, this
regime for how we handle and control information.
Let me say that when we do this regime of looking at how
this controlled, unclassified information, we believe there are
three things that we particularly need to pay attention to. One
is that we put in place a governance structure to run this, and
we put it in quickly, effectively and from the beginning.
The second thing is we believe any system is going to have
to be easy to use. It is going to have to be convenient.
And the third thing is that we believe that we are going to
have to make sure that any system that we put in at the federal
level is closely coordinated with the state and locals and how
they handle information. As we know, there is law enforcement
information at the federal level, there is law enforcement
information at the state level. They are controlled
differently, and we need to bring those systems together.
Let me finish up then, since my light is on, and very
quickly. One, we are dedicated to information sharing. We are
dedicated to implementing a new system to run the controlled,
unclassified information. We are very much on board with the
program and the proposal that is currently being proposed.
However, I will say, I do not believe this is easy. It is
not easy at all, and I think that we are going to have to pay
particular attention. We believe the phased approach that is in
the initial proposal and how to get into this, we believe, is
the right proposal.
And I am here now to answer any questions that you might
like to ask.
[The statement of Mr. Morris follows:]
Prepared Statement of Dr. Carter Morris
April 26, 2007
Good morning, Chairwoman Harman, Ranking Member Reichert, and
distinguished members of the subcommittee. My name is Carter Morris,
and I am the Director of Information Sharing and Knowledge Management
for the Office of Intelligence and Analysis at the Department of
Homeland Security (DHS). It is a pleasure to be with you today to
discuss the control of government information and the actions DHS is
taking to address and improve our ability to share information without
unnecessary restrictions and in a manner that protects what needs to be
protected.
The Homeland Security Act of 2002 authorizes DHS to access, from
any agency of the Federal government, state, local, and tribal
governments, and the private sector, all information relating to
threats of terrorism against the United States and other areas;
information relating to the vulnerabilities of the United States to
terrorism; and information concerning the other responsibilities of the
Department as assigned to and by the Secretary. After analyzing,
assessing, and integrating that information with other information
available to DHS, the Secretary must then ensure that this information
is shared with state, local, and tribal governments; and the private
sector, as appropriate. Concomitant with these responsibilities is the
obligation of the Secretary to identify and safeguard all homeland
security information that is sensitive, but unclassified, and to ensure
its security and confidentiality. Information sharing, for
counterterrorism and related purposes, therefore, is key to the mission
of DHS.
Moreover, the Intelligence Reform and Terrorism Prevention Act of
2004 established the Program Manager of the Information Sharing
Environment (PM-ISE) to assist in the development of policies,
procedures, guidelines, rules, and standards, including those which
apply to the designation, marking, and handling of sensitive but
unclassified information, to foster the development and proper
operation of the ISE. DHS, in coordination with the PM-ISE and other
agencies on the Information Sharing Council, is actively participating
in efforts to standardize procedures for sensitive but unclassified
information and create an effective Information Sharing Environment. .
The Challenge
The challenge that we face in handling information is balancing two
important and competing factors: ``sharing the information that needs
to be shared'' and ``protecting information that needs to be
protected.'' Our goal is to share information unless there is a valid
and necessary reason to protect such information and thus limit or
control the dissemination to a discrete community or other set of
users.
The legitimate need to classify some information, for purposes of
national security and to protect our sources and methods and allow
information collection operations to be conducted without advanced
notice to our adversaries, is well established. As sources and methods
for acquiring information change, as well as our adversaries
capabilities, we continue to evaluate and adjust our classification
criteria.
Similarly, there are many indisputably legitimate reasons for
protecting certain unclassified information, which we refer to
generically as Controlled Unclassified Information (CUI)--for example,
privacy concerns relating to personal information, the danger of
compromising ongoing law enforcement investigations or of endangering
witnesses, the need to protect private sector proprietary information
and, most importantly, the need to protect information containing
private sector vulnerabilities and other security-related information
that could be exploited by terrorists. Unauthorized disclosure of this
information could cause injury to a significant number of individual,
business, or government interests.
Through DHS's work with state and local fusion centers, we have
encountered examples of how the proliferation of internal policies for
handling unclassified but sensitive information can create unintended
barriers to information sharing. Existing markings that are meant to
identify necessary safeguards and dissemination restrictions on
information often create as much confusion as help. For example, a
state fusion center received a report that contained actionable threat
information bearing the marking ``LES'', meaning Law Enforcement
Sensitive. The fusion center personnel were unsure to what extent they
could disseminate information with such a marking. When they contacted
the originating Federal agency, they were unable to speak with someone
who knew the data and could explain the disclosure rules. The fusion
center personnel erred on the side of caution and did not share the
information--in this case not the best solution.
Sensitive information (classified or unclassified) is only shared
by people who trust the systems, policies, and procedures that guide
that sharing. Any lack of confidence regarding the operation and
effectiveness of a system reduces the willingness of consumers to share
the information, therefore limiting any benefits it might offer.
With that in mind, we continue working to transition from a
historically risk averse approach to sensitive information sharing, to
one where the risks are considered and managed accordingly, but
consistent with a responsibility to provide information to our partners
and customers who need it.
In order to implement the mandates of the Information Sharing
Environment we must both produce material at the lowest sensitivity
level appropriate to allow it to be easily shared with all who need it
and ensure that processes for protecting information that needs to be
protected are defined and effective.
DHS is leading information sharing
DHS has been a leader in establishing new approaches to information
sharing--including federal sharing at all classification levels;
sharing with our state, local, tribal, and territorial partners; and
sharing with the private sector. In this sharing it is critical to
address both operational needs and the appropriate security in
transferring the information. I would like to talk about five specific
DHS information sharing initiatives where we are addressing the need to
share but still providing an appropriate level of control of this
information.
1. Like other Federal departments and agencies, DHS shares
information with state, local, and tribal partners through state and
local fusion centers. We are providing people and tools to these fusion
centers to create a web of interconnected information nodes across the
country that facilitates the sharing of information to support multiple
homeland security missions. Working with the Federal government and its
partners to establish this sharing environment, DHS is ensuring that
its processes and systems not only achieve the sharing necessary but
also provide the protection and control of the information that gives
all parties confidence and trust that the information is appropriately
used and that information which needs to be protected--such as
personally identifiable information--is appropriately controlled and
protected.
2. DHS, DOJ and other federal entities are also creating a
collaborative, unclassified information sharing community, based on
establishing a trusted partnership between the fusion centers and the
federal government. This environment is requirements driven, and
focused on providing information to support the mission of the
intelligence analysts, allowing both information sharing and
collaboration with the state and local intelligence communities to
encourage the development of mature intelligence fusion capabilities. A
key to the development of such a sharing environment is providing a
system and processes that build confidence that information will not
only be shared but also protected and controlled as needed, which is
what we are doing.
3. As part of the Presidential Guideline effort, DHS led an
interagency working group that developed the ``Recommended Guidelines
for Disseminating Unevaluated Domestic Threat Tearline Reporting at the
Unclassified Level.'' Federal agencies disseminate unclassified
extracts from unevaluated classified threat reports to facilitate
sharing of threat information with those on the domestic front lines.
Federal dissemination of raw threat reporting to State and local
authorities--before the relevant Federal agencies can assess the
specific threat--has, at times, led State and Local authorities to
misinterpret the credibility of the threat. This effort provided
recommendations to support timely sharing of terrorist threat data with
state and local officials with increased clarity on the credibility of
the information while maintaining the appropriate security for sources
and methods. These recommendations are now being implemented in the
intelligence community.
4. DHS is also leading the Federal Coordinating Group, to create
coordinated federal intelligence products at the lowest appropriate
levels of classification, for dissemination to state, local, tribal and
private sector communities. The Group will coordinate three categories
of ``federally coordinated terrorism information products''--time-
sensitive threat/incident reporting, situational awareness reporting,
and strategic or foundational assessments. For each category of
products, the Group will ensure originating agencies validate sourcing,
ensure substantive completeness, and tailor the analysis for state,
local, tribal, and private sector use. The Group will coordinate the
downgrading and/or ``tearlining'' of classified materials where
appropriate levels of classification or control that permit wider
state, local, tribal, and private sector use but do not jeopardize
national security or other sensitivities. Again the key is providing
the necessary information while also providing clear understanding of
the necessary protection and control of this information.
5. And finally, DHS is active in the interagency group working to
minimize the number of different CUI safeguard and dissemination
requirements. We undertake these efforts with an eye toward
facilitating appropriate information sharing--and significant progress
can be made by eliminating internal safeguarding and dissemination
policies that are inconsistent throughout Executive agencies and that
are occasionally overly protective of information. We are committed to
developing a system for Controlled Unclassified Information that
effectively facilitates sharing while at the same time protecting
sensitive information that requires robust protection.
DHS Key CUI elements
There are three issues that we believe are critical to success in
instituting an effective CUI framework.
First, an effective and continuing CUI governance structure must be
established. The lack of a government-wide governance structure is one
of the primary reasons that we have been struggling to overcome
confusion in this area. To advance the government's information sharing
demands with the attendant need to appropriately safeguard sensitive
information requires a permanent governance structure to oversee the
administration, training, and management of a standardized CUI system.
Second, DHS believes that the improved CUI framework must be clear
and easy to implement for all stakeholders. It is important that we can
justify and defend all information that is so controlled. If the
framework is not readily understood it will not be used. Furthermore,
adoption must be swift. Establishing the governance structure will aid
this process by documenting the rules and standardizing the policies,
processes, and procedures for handling CUI across the federal
government.
And third, we must ensure that all potential users of CUI have a
clear understanding of the CUI framework so that we can facilitate a
more effective and interactive information exchange. We understand that
they have their own constraints surrounding systems and sensitive data,
so we must work to identify mechanisms to integrate state and local
systems with the Federal framework.
Addressing these elements will help provide transparency and build
confidence to increase sharing across communities--from intelligence to
law enforcement, from law enforcement to the first responders, etc.
Challenges Facing CUI standardization
Over 100 CUI designators or markings have been identified, and each
of these has arisen to address a valid need to protect information.
Most are codified as internal policies and procedures, some of which
have actually served to enhance information sharing, i.e., clearly
defined control systems create a trusted environment that encourages
information sharing. Less often, such designators or markings are the
result of legislative and/or regulatory requirements to protect certain
information in a particular way. These practices worked well within a
local environment, but the challenge is to leverage the successful
practices and build a trusted environment that bridges communities and
domains. We must exercise caution, however, as we go forward to
consider and, where appropriate, revise operational practices in a
manner that can achieve both sharing and protection in an expanded
community.
This caution is especially true in cases where controls were
created more to facilitate, rather than limit, information sharing.
Within DHS, there are three such information-protection regimes--
``Protected Critical Infrastructure Information (PCII),'' ``Sensitive
Security Information (SSI),'' and the newly established ``Chemical
Vulnerability Information (CVI).'' Congress mandated these categories
of information be protected and DHS promulgated regulations
implementing these regimes. Each was specifically created to foster
private sector confidence to increase their willingness to share with
the federal government crucial homeland security-related information.
To date, PCII and SSI have been successful in this regard and have been
well-received by the private sector. Moreover, these designations are
ready examples of how robust control of information can actually
promote appropriate sharing.
Summary
Because we are changing established cultures and procedures and
moving forward, in coordination with the PM-ISE, with a new framework
for CUI, it is important that we adequately address all elements of its
implementation. Governance, training, strategic communications,
information technology systems planning, and the development of new
standards and procedures are all important to the effective
implementation of these reforms. Phased implementation and continuous
incorporation of the lessons learned in this process are basic tenets
of change management. It is important that the appropriate governance
model is adopted to ensure systematic implementation of the framework
and foster information sharing.
That said, DHS is fully committed to this new framework and is,
moreover, pleased that the framework fully recognizes the difficulties
of implementation by proposing, among other things, a planning phase
and phased implementation. Doing so will allow a smoother
implementation and reduce the risk of losing the confidence that non-
federal partners have now found in current DHS programs.
DHS looks forward to continue working with the PM-ISE, the
Information Sharing Council, and each of our Federal partners, to
address the challenges of what many perceive to be the ``over-
classification'' of information. We believe we made great strides in
identifying the challenges. We also believe the paths forward are paved
for interagency success in improving the sharing of information and
providing an appropriate and streamlined system for controlling
sensitive information. Nevertheless, and notwithstanding the good
progress we have made to date, we should not underestimate the
challenges that exist for implementing a new system for standardizing
and handling Controlled Unclassified Information across the Federal
government.
Thank you for your time. I would be glad to answer any questions.
Ms. Harman. Thank you, Dr. Morris.
The chair now recognizes Mr. Murphy for a 5-minute summary
of his testimony.
STATEMENT OF WAYNE M. MURPHY, ASSISTANT DIRECTOR, DIRECTORATE
OF INTELLIGENCE, FEDERAL BUREAU OF INVESTIGATION
Mr. Murphy. Good morning. Thank you, Madam Chairman Harman,
Chairman Thompson, Ranking Member Reichert and members of the
subcommittee.
I am pleased to be here today to demonstrate the commitment
of the Federal Bureau of Investigation to strengthening our
nation's ability to share terrorism information. We are
diligently working to fulfill the expectations that Congress
set forth in the Intelligence Reform and Terrorism Prevention
Act of 2004.
As the assistant director for intelligence to the FBI and
the FBI's senior executive for information sharing, I am at
once responsible for, accountable to, and have a vested
interest in a successful information sharing environment.
I am particularly pleased to be testifying today with
Ambassador Ted McNamara and Dr. Carter Morris. It has been my
privilege over the past many months to work with these
professionals and many others as we seek to craft an outcome
that matches both the letter and spirit of the task before us.
I join them today to discuss our collective efforts to
develop a standardized framework for marking, safeguarding and
sharing controlled, unclassified information. My nearly 24
years in the intelligence community have largely been served in
an environment where I dealt almost exclusively with classified
national security information.
While those regimes could be complicated and require great
discipline and attention to detail, by comparison, they are far
less challenging than my experience has been in working to
organize a functional CUI framework. This is not because of a
lack of commitment, focus and creativity and trying to address
that framework but because of the myriad of issues and
interests that one encounters in the transitional world of
information between what is controlled and what is not.
From an FBI perspective, getting it right is especially
important. Our information sharing environment spans the range
from classified national security information to fully open
source. We must have the capacity to interpose information from
all of these regimes and to do so in a dynamic manner. We must
have the agility to rapidly move information across security
barriers and into environments that make it more readily
available and therefore of greater value to the broadest set of
players.
And across all of our partners, we must have a framework
that allows for an immediate and common understanding of
information's providence and the implications that that
imparts. We must make the sharing of CUI a benefit, not a
burden, especially on state, local and tribal police
departments who would be disproportionately affected if asked
to sustain a complex and expensive control framework. We must
manage information in way that sustains the confidence of
people and organizations who share information that puts them
and their activities at risk.
Most important of all, we must respect the power of that
information and the impact it holds for the rights and civil
liberties of American people who have trusted us to be its
stewards. That means we must also never use control as a way to
deny the public access to information to which they are
properly entitled.
With the FBI, achieving a streamlined CUI framework is much
more than establishing a process; it is about shaping mindsets
so that we can shift fully from a need to know to a duty to
provide. The CUI framework, as proposed, creates opportunities
and solves problems for me that I could not have solved on my
own. The FBI is fully and completely committed to this process.
All of us who have been part of this process wish we could
move more quickly in reaching a point where we are today, but I
believe the investment of time, the level of effort and the
openness and commitment that has marked our dialogue has done
justice to the expectations of the American people.
Thank you for this hearing. I look forward to answering
your questions.
[The statement of Mr. Murphy follows:]
Prepared Statement of Wayne M. Murphy
april 26, 2007
Good morning, Chairman Harman, Ranking Member Reichert, and members
of the Subcommittee. I am pleased to be here today to demonstrate the
commitment of the Federal Bureau of Investigation (FBI) to
strengthening our nation's ability to share terrorism information. We
are diligently working to fulfill the expectations Congress set forth
in the Intelligence Reform and Terrorism Prevention Act of 2004. As the
Assistant Director for Intelligence and the FBI Senior Executive for
Information Sharing, I am at once responsible for, accountable to and
have a vested interest in a successful Information Sharing Environment.
I am particularly pleased to be testifying today with Ambassador
Ted McNamara, the Information Sharing Environment Program Manager, and
Dr. Carter Morris, Director for Information Sharing and Knowledge
Management, Intelligence and Analysis from the Department of Homeland
Security. It has been my privilege over the past many months to work
with these professionals and others as we seek to craft an outcome that
matches both the letter and spirit of the task before us.
I join them today to discuss our collective efforts to develop a
standardized framework for marking, safeguarding, and sharing
``Controlled Unclassified Information'' (CUI), or as it is more
commonly known, ``sensitive but unclassified'' information.
On December 16, 2005, the President issued the ``Guidelines for the
Information Sharing Environment'' as mandated by the Intelligence
Reform and Terrorism Prevention Act of 2004. These Guidelines, among
other things, set in motion a process for standardizing the handling of
controlled unclassified information.
My nearly 24 years in the intelligence community have largely been
served in an environment where I dealt almost exclusively with
classified national security information. While those regimes could be
complicated and required great discipline and attention to detail, by
comparison they are far less challenging than my experience has been in
working to organize a functional CUI framework. This is not because of
a lack of commitment, focus and creativity in trying to address that
framework, but because of the myriad of issues and interests that one
encounters in the transitional world of information between what is
controlled and what is not.
It is essential that we get it right, because it is information in
this environment that can be of greatest utility when we need to share
across a broad range of interests and constituencies. This framework
provides a measure of protection for sensitive information to reassure
those who might seek to hold such information in a classified or overly
restrictive regime, which would deny others access and cause us to fail
on our ``duty to provide.''
From an FBI perspective--getting it right is essential. The
Information Sharing Environment, which is the lifeblood of our mission,
spans the range from classified national security information to fully
open source. We must have the capacity to interpose information from
all of these regimes and do so in a dynamic manner. We must have the
agility to rapidly move information across security boundaries and into
environments that make it more readily available and therefore of
greater value to the broadest set of players. And across all of our
partners, we must have a framework that allows for an immediate and
common understanding of information's provenance and the implications
that imparts. We must make the sharing of CUI a benefit, not a burden--
especially on State, Local and Tribal police departments who would be
disproportionately affected if asked to sustain a complex and expensive
control framework. We must manage information in a way that sustains
the confidence of people and organizations who share information that
puts them at risk. Most important of all, we must respect the power of
that information and the impact it holds for the rights and civil
liberties of the American people who have entrusted us as its stewards.
That also means that we must never use ``control'' as a way to deny the
public access to information to which they are entitled.
For the FBI, achieving a streamlined CUI framework is much more
than establishing a process, it's about shaping mindsets so we can
fully shift from ``need to know' to ``duty to provide.'' This shift
does not diminish our responsibility to properly protect the privacy
rights and civil liberties of all Americans. It does not set up a
framework that puts at greater risk our sources and methods and it does
not compromise our capacity to conduct both an intelligence and law
enforcement mission with full vigor and impact. Rather, this framework
seeks to level the information sharing playing field through a common
lexicon and a shared understanding of goals.
Unfortunately, the present set of policies and practices make it
extremely difficult for well meaning individuals to act responsibly,
appropriately and completely in this regime. There are well over 100
separate markings for CUI and there is no easy way for the recipient of
information bearing an unfamiliar marking to find out what that marking
means. Moreover, the same marking means different things in different
parts of the Federal Government.
The FBI, working in close coordination with the Department of
Justice, have jointly drawn upon the experience and the wisdom of state
and local law enforcement personnel to help us understand better what
kinds of CUI policies would be most helpful to them as we strive to
share information without compromising either privacy or operational
effectiveness. The Criminal Intelligence Coordinating Council (CICC) of
the Global Justice Information Sharing Initiative has played an active
role in advising us on this matter, including the convening on December
6, 2006 for an all-day meeting to discuss the practicability at the
state and local level of various proposed ``safeguards'' for CUI. I
would like to acknowledge here the particularly constructive role
played by the CICC Chair, Col. Bart Johnson of the New York State
Police. Col Johnson is forthright in explaining what Federal policies
would be most helpful in enabling state and local law enforcement to
play their part in preventing terrorism, but he is also sophisticated
in his understanding of the many other factors that must be taken into
account.
In our view there are three aspects of the current draft framework
that are particularly important:
1. Every marking that appears on any CUI document in the future
must have a clear and unambiguous meaning. There should be a
website--accessible over the Internet to everybody--on which
the approved markings are defined, and no markings should ever
be used that are not defined on this website. This will mean
that recipients of shared information who want to do the right
thing will easily be able to find out what protective measures
are expected of them. I believe that this change will both
increase sharing and decrease the risks of sharing.
2. All CUI information must be marked with a standardized level
of safeguarding. For most CUI this safeguarding will be no more
than ordinary prudence and common sense--don't discuss CUI when
you can be overheard by people you don't intend to share it
with, store it in an access controlled environment, as needed
protect it with a password.
3. All CUI information must be marked with appropriate
dissemination guidance so that recipients can easily understand
what further dissemination is permitted.
All of us who have been part of this process wish we could have
moved more quickly in reaching the point where we are today, but I
believe the investment of time, the level of effort and the openness
and commitment that has marked our dialog has done justice to the
expectations of the American people.
Thank you for time, I look forward to answering your questions.
Ms. Harman. Thank you very much. We are impressed that
there is a minute and a half left over. You win the prize, Mr.
Murphy.
[Laughter.]
Well, I do apologize for rushing Ambassador McNamara. He
has important things to tell us. But unless we adhere to this
format, we don't give adequate time to ask questions and to
respect the fact that we have a second panel of witnesses and
also probably that we are going to have to recess for votes at
some point during this hearing.
Well, I thank you all for your testimony.
And I will now recognize myself for 5 minutes of questions,
and I will strictly adhere to the time.
Dr. Morris, I was sending DHS a message through you about
frustration with the lack of progress on the ITACG and the
inclusion of state, local and tribal representatives in the
preparing of analytic products that is hopefully going to give
those state, local and tribal authorities information they need
in a timely way to know what to look for and what to do.
Every terror plot is not going to be hatched in Washington,
D.C. where we might have adequate FBI and federal resources at
the ready. I don't believe that for a minute, and I know no one
on this panel does.
So I am sending this message that it is absolutely critical
for DHS to spend more time supporting the inclusion of numerous
state, local and tribal representatives in the ITACG and to
stand up the ITACG promptly. We don't understand any reason for
delay. I am speaking for myself. I have a feeling that the
chairman is going to speak for himself shortly on this same
issue.
And the way to do it right is the way Ambassador McNamara,
working with you and state and local and tribal authorities,
has come up with this proposal. So there is a positive example
to learn from, and I hope that DHS, through you, is going to
learn.
Are you going to learn?
Mr. Morris. I think that we are all committed to bringing
state and locals into this activity. I can tell you personally
it has always been my objective to do that. I have a meeting
with my staff this afternoon on how we do this.
I think the challenge has been, the delay is that, in a
sense, establishing the infrastructure for doing this kind of
thing is more challenging than we would all like to have, but
there is no lack of commitment, and we will move forward
aggressively. And that is what we are doing.
Ms. Harman. Well, I hope that is true. Some of us thought
that these folks could just be included in the NCTC itself, and
then we were told we need a separate entity. Now you are saying
setting up a separate entity has problems. I think the
principle is the critical piece, and so let's not create
problems with the second entity if it is a problem. Let's just
move forward on the principle.
Mr. Morris. We agree. No, absolutely.
Ms. Harman. Sure. Okay.
Ambassador McNamara, I did rush you and you really didn't
get a chance to lay out how this is going to happen. We all get
it that the White House hasn't approved your proposal. We are
hopeful that it will be approved. Surely, the other two
witnesses were saying positive things about it, and we have
been briefed, the members of this committee, by you on it, and
we are positive.
Could you put on the record how this is going to happen,
what the governance structure will look like, and could you
address the issue of whether you need legislation to accomplish
this?
Obviously, it makes no sense to have a brilliant proposal
that no one follows, so I am sure you have already--I know you
have already thought about this, and I don't think we have
testimony yet on the record about how this will get adopted
across the federal government.
Mr. McNamara. Yes, Madam Chairman. First of all, how: Right
now the committee that I am chairing is putting in what I hope
is final form a series of recommendations that will be a report
to the president. He has asked for that report. It is known as
guideline three, and we will be responding to that in, I
expect, within a month or two, say, by the end of this quarter.
We will send forward for review by the interagency
process--that means deputies, principals and then sent to the
president--a series of recommendations. It is not a study, it
is not an investigation. What it is, is a series of policy
recommendations for changing the current system and instituting
a new regime called, CUI, as I mentioned.
Second, you asked about the----
Ms. Harman. The need for legislation.
Mr. McNamara. For legislation.
Ms. Harman. To make certain there is compliance.
Mr. McNamara. Correct. There is in fact a group, a subgroup
of this committee that has been looking at the legislative
history of SBU and what might be necessary in the way of
legislation for the implementation of a new regime.
It is headed by the Department of Justice, and we expect,
once we have given them the final version of this, that they
will come back to us with recommendations, and we will include
those recommendations with the other recommendations. But those
recommendations can't be made until they look at the product
that we are telling them that we want implemented. And then
they will give us their opinion as to whether or not
legislation is needed.
On whether legislation is needed to get acceptance of this,
the answer, I think, is, no. The president has asked for this,
he wants it, and he will review it, I think, with dispatch.
Ms. Harman. I thank you for your answers. My time has
expired.
I would just alert you and the public listening in that we
are considering legislation here on the issue of over-
classification, which Dr. Morris spoke to briefly, as well as
this issue. We think it is absolutely critical that we have
understandable and clear rules for what information is
protected and what information is shared. Otherwise, we think,
we are not going to be able to get where we need to get, which
is to block Al Qaida plots coming our way in real-time.
I now recognize the ranking member of the subcommittee, the
gentleman from Washington, for 5 minutes for questions.
Mr. Reichert. Thank you, Madam Chair.
Just to follow up on the chairwoman's last question,
governance and legislation, I was taking notes during your
testimony and didn't find it in your written testimony, but you
mentioned 280 pieces of legislation or ordinances and then
another 150--
Mr. McNamara. Regulations.
Mr. Reichert. --regulations.
Is the group in DOJ, are part of their tasks to take a look
at those 280 and 150 to see----
Mr. McNamara. Yes, indeed. In fact, they were the ones who
came up with those numbers.
Mr. Reichert. Oh, okay.
Mr. McNamara. They did a research project to find out what
legislation created the current SBU system and what regulations
were adopted subsequently after the legislation was passed to
implement the requirements of the legislation. That is where
that comes from, from that group.
Mr. Reichert. Because I can see that maybe some of what we
could do, Madam Chair, is pass a law eliminating some of these
rules and regulations that might be inhibiting you in
accomplishing that task.
Mr. McNamara. Let me note that the vast majority, I
believe, not having looked at all of them, but I have been told
that the great majority of those simply require controls
without going into detail as to what control mechanism should
be put on specific kinds of information. The details of what
controls were put on were determined by the regulations. And,
therefore, it is the opinion of this group at this point that
many of those legislative mandates require just a change of the
implementing regulations rather than go back and change the
legislation.
But the definitive answer will only come when we have a
final set of recommendations that we can hand to the lawyers.
Mr. Reichert. Great. Good. The subcommittee would be happy
to be working with you on those changes.
I wanted to ask Dr. Morris, you mentioned as a part of the
DHS mandate that you have, in that statement that you read, it
talks about appropriate state and local personnel, which
includes the private sector.
How do you define ``appropriate''? Who does that include?
Mr. Morris. That is an interesting question. As part of my
talks, I have talked about that word exactly, because it was
written in there. I think that is something we have to work
with the state and locals. The program that we currently have
is certainly focusing on the fusion centers that operate at the
state level and at the local ones that have that.
We believe that in the DHS program right now, that is where
we are focusing our efforts and then working with the people in
those fusion centers to understand where it needs to go beyond
that.
One of the things that I have actually talked to some
people who worked for me for awhile is, how do we define, in
working with the fusion centers, what are the other
distribution methods that need to be there? Who else has to get
the information in order to act?
Mr. Reichert. Yes.
Mr. Morris. I think that is the key thing. But right now
our focus is through the fusion centers and working with the
FBI and the activities that they do in the JTTF.
Mr. Reichert. Good. Well, I think we all know from our
experience that there are a lot of people who think they are
appropriate, and that is the tough part is letting some people
that they are not.
Also, we talked a few days ago, Ambassador, about cultural
change as it relates to gaining trust and training, and it is
also something that Mr. Murphy mentioned.
I kind of know where you are at on that, Ambassador, but I
was hoping maybe Mr. Murphy might comment since you mentioned
it in here, in your opening statement. The cultural change, in
your opinion, is the need to know versus the need to share. So
I think you nailed it when you said that. How would you say we
are going to reach that goal?
Mr. Murphy. I wish I could take credit for that.
What really brought it home for me was when I was
supporting a military operation as part of my responsibility at
NSA, and afterwards we were doing a hot wash, and a Marine
infantryman who was working as part of the front end
operational activity told me, ``What makes you think that you
have my perspective? What makes you think you can make
judgments about what I need to know and don't need to know? You
need to understand my environment better and work within my
environment.''
That has resonated with me, particularly after 9/11, and
the decisions I had made that made good sense at the time but,
frankly, were parochial and limiting. I think this moves toward
exposing our customers to the information that we have and
letting them help us shape the message and shape the way it is
delivered so the people that they represent is absolutely
critical.
And so changing the mindset, at the end of the day, is more
important than any process thing that we do, because if the
mindsets change, the processes will really take care of
themselves.
Mr. Reichert. I appreciate that answer very much, and we
are all three on the same page.
Ms. Harman. The gentleman's time has expired. I appreciate
that answer very much too.
I now yield 5 minutes to the chairman of the full
committee, Mr. Thompson of Mississippi.
Mr. Thompson. Thank you very much, Madam Chairman.
Good answer, Mr. Murphy.
Dr. Morris, if we implement CUI framework, do you think we
can get DHS to come along?
Mr. Morris. Well, I don't think there is any problem with
us coming along. I think that the only issue that I believe
that we need to address in the end is going to be, how do we
make sure with any new system we come up with that we build the
trust in that system and the trust in the markings, the
controls, the disseminations that are specified by that?
One of the big challenges for us in DHS has been working
with the private sector, particularly, in the sharing of threat
information on our critical infrastructure. And what we are
dedicated to do under the new system is to make sure that
whatever it says on the top of the piece of paper along an
electronic message that people trust that system. And we think
that is so critical in working with the private sector.
Mr. Thompson. And so do you think we can get our ICE, CBP,
TSA to buy into it also?
Mr. Morris. I didn't say it was going to be easy. Yes, I
do. Actually, I do. I think that we have socialized the
proposal within the department. We haven't gotten back major
pushbacks on it. I think people are still wondering how they
are going to implement it, but in principle, yes, we have
gotten acceptance.
Mr. Thompson. Ambassador, what participation have we gotten
in the development of this new framework from the private
sector? Did you have any discussions with any private sector
stakeholders or anything?
Mr. McNamara. Yes, we have. We have been in consultation
with them. There is a committee that the Department of Homeland
Security has formed with private sector partners to examine
many issues related to homeland security, not just this issue
of the SBU and CUI. And we have gone over with them in some
detail various aspects of this proposed and this recommendation
for CUI that would affect the private sector in particular.
We have had telephone conferences, we have had meetings
with them here in Washington. They are about, I think, within a
few days or a week to send in some final comments on the CUI
proposal as well as some other proposals that they have been
looking at to, I think, the chair of that committee or that
group, the assistant secretary for infrastructure protection at
the Homeland Security Department, Bob Stephan.
And my understanding, from phone conversations, et cetera,
is that they will be favorably disposed. They believe that
their needs will be met by this new proposal for CUI.
Mr. Thompson. I yield back, Madam Chair.
Ms. Harman. Thank you, Mr. Chairman. We have been so
efficient that I would ask Sheriff Reichert if he has an
additional question, maybe one, and then we will move to our
second panel.
Unless you do, Mr. Chairman.
Mr. Thompson. I have no further questions.
Mr. Reichert. I would like to just give Dr. Morris a chance
to address the cultural change. I noticed you had your hand up
and you might have a comment there.
Thank you, Madam Chair.
Mr. Morris. I was just going to make a comment. I was on
another panel recently and we were talking about information
sharing, and there was a representative from private industry
who came to the panel and basically said that approaching
information sharing the way we are doing it now is going to
fail, because it doesn't address the issue of discovery. And
that gets back to the key point that you were making is that we
have to put in place a system that promotes discovery of
information, find the people out there who need it.
And then that is an area that we really need to start and
continue. It struck a note with me, and I certainly agreed with
what I heard.
Mr. Reichert. Madam Chair, if I could just quickly follow
up. The public disclosure issue, as you mentioned discovery, is
also one that I think the FBI might have to handle and deal
with, isn't that true, all three, nod your head?
Thank you.
Ms. Harman. Well, I thank the witnesses and do agree with
the ranking member that building trust is the key to making all
of this work. Without that, discovery won't happen, changing
cultures won't happen and getting information, accurate and
actionable information in real-time won't happen.
This is, as far as I am concerned, the critical mission for
this subcommittee to drive home.
Ambassador McNamara, I hope when you leave this room you
will call the White House and ask them what minute they are
going to approve your guidelines so we can get on with this.
Right? Good. I know the phone number.
[Laughter.]
All right. This panel is excused. Thank you very much.
Thank you very much, all.
Are we now set up? Yes, we are. Counsel can take a seat
next to me.
I welcome our second panel.
Our witness, Mark Zadra, serves as assistant commissioner,
Florida Department of Law Enforcement, and is a 29-year veteran
who has served in many leadership positions. Among them was
overseeing the development and implementation of various
intelligence and information technology systems.
He served as special agent supervisor of the Domestic
Security Task Force prior to his appointment to chief of office
of statewide intelligence in 2002 and subsequently to special
agent in charge of domestic security and intelligence. And as
we heard, he welcomed 600 people to Florida recently to have a
conference on the critical subject of fusion centers.
Without objection, Mr. Zadra's full statement will be
inserted in the record.
And I would now ask you to summarize in 5 minutes.
STATEMENT OF MARK ZADRA, ASSISTANT COMMISSIONER, FLORIDA
DEPARTMENT OF LAW ENFORCEMENT
Mr. Zadra. Thank you, Madam Chair and distinguished members
of the committee. I am pleased to speak to you today about the
importance of common federal information sharing protocols and
the impact that they have on the state, local and tribal
governments.
Prior to 9/11, law enforcement agencies at all levels had
little need to share sensitive information with non-law
enforcement agencies. We had a generally accepted practice for
sharing with one another, but because local and state law
enforcement had minor involvement in the counterterrorism
arena, we had limited experience with classified information.
Little consideration was also given to sharing information
outside of law enforcement, and particularly with respect to
the private sector, it was generally not done.
The paradigm shifted after 9/11 when it became known that
14 or more of the hijackers had lived, had traveled and trained
in the state of Florida while planning their atrocities. One
month later, Florida experienced the first of several
nationwide deaths from anthrax, which once again terrorized our
nation.
In light of these grim realities, we recognized that local,
state and tribal resources, together with a whole new set of
non-law enforcement partners, including the private sector,
represent the frontline of defense against terror and our best
hope for prevention.
Over the years, since 9/11, collectively, we have made
great strides in overcoming the cultural barriers to
information sharing. Despite many successes and a new cultural
that encourages information sharing, barriers that impede the
establishment of the desired national information sharing
environment remain.
Perhaps the single largest impediment is the lack of
nationally accepted common definitions for document markings
and standard policy procedures for handling, storing and
disseminating non-classified information.
Some states like Florida have open record laws, while other
states impose very restrictive requirements and afford broad
protections from release. Florida's reputation is that of an
open record state, and it is widely known.
Exemptions provided by Florida's public record law are
insufficient to protect against public disclosure of all types
of sensitive information. The fear that sensitive information
may not be protected under state law has a chilling effect on
the free flow of information from out-of-state agencies and
non-governmental to and from Florida.
We also believe that a lack of a standard definition
results in federal agencies over-classifying information in an
effort to protect it.
Developing and implementing a nationally accepted
designation will provide Florida and other states with the
justification that they need to encourage modification of state
laws so that sensitive information can be protected.
Florida supports the implementation of the controls,
unclassified information framework to replace the existing,
sensitive but unclassified designation. Implementation of the
new standard will involve varying degrees of physical and
legislative impacts. However, it is my opinion that acceptance
will be facilitated if the guidelines are straightforward and
delivered in clear and concise language that there is a single,
nationally accepted, encrypted communication standard and
system, which can also be used by non-law enforcement homeland
security partners and that that be designated.
The fiscal impacts are mitigated through the use of grants
for the training and awareness programs and reprogramming of
systems to allow this new framework.
And then implementation timelines need to consider the need
to change policies and laws, purchase new equipment, do
programmatic changes and to do the training that I referenced.
Federal agencies are now providing state and local agencies
with significant amounts of threat information. Much of the
information that is still needed, however, is classified at the
national level in order to protect methods, means and
collection and national security interests. Under most
circumstances, however, we do not need to know the identity of
the federal sources, nor the means, nor the methods of
intelligence collection, only whether the information is deemed
to be credible and specifically what actions that they want
state, local and tribal authorities to take.
Florida believes the implementation of state regional
fusion centers is the key to the establishment of the desired
information sharing environment. These centers bring properly
trained and equipped intelligence professionals with
appropriate clearances to connect the puzzle pieces and
disseminate actionable intelligence.
The problem remains that, unfortunately, most of the
operational components at the state and local level that may
benefit from the information and would otherwise be available
to report on indicators and warnings we observed in the field
will never have access to this information because of the
classification.
Tear line reports forwarded to fusion centers can help
address this particular concern. So state, local and tribal law
enforcement, in addition to other discipline partners and the
private sector, can receive information that they can act upon.
Madam Chair and members of the subcommittee, thank you for
the opportunity to appear and testify before you. I can assure
you that the state of Florida is encouraged by your interest in
facilitating an enhanced information sharing environment across
the nation. It is my hope that the testimony and the
understanding of Florida's desire to be a strong participant in
the flow of critical, sensitive information and intelligence
nationally will be help on your endeavor.
And, ma'am, if I may take 15 more seconds. I want to, from
a state perspective and probably on behalf of Colonel Johnson,
to thank you for the recognition and the gratefulness on behalf
of the nation for the agency's loss of their trooper, the New
York state trooper, the New York state police and lost his
family and agency. And thank you for recognizing the sacrifice
of the state and local and tribal multidisciplinary partners
that are also part of this fight on terror.
Thank you.
[The statement of Mr. Zadra follows:]
Prepared Statement of Assistant Commissioner Mark Zadra
Good morning Madam Chair and distinguished members of the
Subcommittee.
My name is Mark Zadra and I am a 29-year member of the Florida
Department of Law Enforcement (FDLE). FDLE is a statewide law
enforcement agency that offers a wide range of investigative, technical
and informational services to criminal justice agencies through its
seven Regional Operations Centers, fifteen Field Offices, and six full
service Crime Laboratories. Our primary mission is to promote public
safety and strengthen domestic security by providing services in
partnership with local, state and federal criminal justice agencies to
prevent, investigate, and solve crimes while protecting Florida's
citizens and visitors. FDLE utilizes an investigative strategy that
comprises five primary focus areas including Violent Crime, Major
Drugs, Economic Crimes, Public Integrity and Domestic Security.
I was recently appointed as FDLE's Assistant Commissioner of Public
Safety Services however, prior to that appointment I served as the
Special Agent in Charge of Domestic Security and Intelligence and the
state's Homeland Security Advisor. In those roles I have overseen the
development and implementation of various intelligence and information
sharing programs and systems for FDLE and subsequently for the State of
Florida. I have also overseen the development and implementation of the
prevention component of Florida's Domestic Security Strategy and
Florida's implementation of national information-sharing initiatives
such as the Homeland Security Information Network (HSIN) and Florida's
fusion center. I have further been an active participant on the Global
Justice Information Sharing Initiative--Global Intelligence Working
Group (GIWG). The goals of the GIWG include seamless sharing of
intelligence information between systems, allowing for access to
information throughout the law enforcement and public safety
communities, creating an intelligence sharing plan, determining
standards for intelligence sharing, developing model policies,
determining training needs, and creating an outreach effort to inform
law enforcement of the result of this effort. Over the last ten months
I have been afforded an opportunity to provide input to the GIWG
regarding the development of the recommended common protocols for
sharing and protecting sensitive information and intelligence among
multiple agencies with a role and responsibility in homeland security.
I am pleased to speak to the Committee today about the importance
of common federal information-sharing protocols and the impact they
have on state, local and tribal governments.
Prior to 9/11, law enforcement agencies at all levels had little
need to share sensitive information with non law enforcement agencies.
We had generally accepted practices for sharing information with one
another but, because local and state law enforcement had minor
involvement in the counterterrorism arena, we had limited experience
with federally classified information. Little consideration was given
to sharing sensitive information outside the law enforcement community,
and sharing information with the private sector was generally not done.
The paradigm shifted after 9/11 when it became known that fourteen
or more of the hijackers had lived, worked, traveled and trained across
Florida while planning the atrocities they would ultimately commit. In
their daily activities they left many clues that, if viewed together,
may have predicted the plan and given authorities an opportunity to
avert the catastrophic consequences. One month after the horror of 9/
11, Florida experienced the first of several nationwide deaths from
Anthrax which once again terrorized our nation. In light of these grim
realities, we recognized that local, state and tribal resources--
together with a whole new set of non-law enforcement partners including
the private sector- represent the front line defense against terror and
our best hope for terror prevention. Appropriately shared information
is the key weapon in moving from the role of first responder to that of
first preventer.
Sharing information with agencies such as health, fire, emergency
managers, and even non-governmental entities with a role in the fight
against terror presented new challenges, not just the inherent cultural
ones, but those relating to law, policy/procedure, technology and
logistics. Over the years since 9/11, collectively, we have made great
strides in overcoming the cultural barriers to sharing information. In
Florida, through our Domestic Security Strategy and governance
structure, we routinely work with and share information across all
entities that have a role in protecting the safety and security of our
citizens.
Despite these successes and a new culture that encourages
information sharing, barriers that impede the establishment of the
desired national Information Sharing Environment (ISE) remain.
Common Document Markings and Dissemination Protocols
Perhaps the single largest impediment to an effective national ISE
is the lack of nationally accepted common definitions for document
markings and standard policy/procedure for handling, storing, and
disseminating non-classified information. Sensitive but unclassified
information, which is routinely received from federal and other state
agencies, is needed by state, local, tribal and private sector partners
that have a duty and responsibility to utilize it to provide for our
safety and security. Consistency in definition and protocol is
paramount to both fully sharing useful and actionable information, and
protecting information that should not be shared.
Some states, like Florida have open record laws that mandate
revealing information compiled by governmental agencies unless a
specific ``chapter and verse'' exemption or confidentiality provision
applies. Other states impose very restrictive dissemination
requirements and afford broad protections from release to those without
a need to know. Florida's reputation as an open records state is widely
known. While Florida law exempts certain information from public
disclosure, the most likely exemptions applicable to the type of
information that I am discussing are limited to criminal intelligence/
investigative information and information that pertains to a facility's
physical security system plan or threat assessment. Exemptions provided
by Florida's Public Records Law are insufficient to protect against
public disclosure of all types of sensitive information needed by
Florida's domestic security partners. For example, there is no specific
exemption in Florida's public records law for information provided to
Florida by a non-Florida agency unless it is intelligence or
investigative information--both of which have fairly narrow definitions
under Florida law. The fear that sensitive information may not be
protected under state law has a ``chilling effect'' on the free flow of
important information from out-of-state agencies and non governmental
entities to and from Florida. We also believe that the lack of a
standard designation results in federal agencies over-classifying their
information in an effort to protect it. Information and intelligence
sharing partners need to know, with certainty, that the information
they share will be appropriately protected. At the same time, we
understand there must be appropriate limits on what is removed from
public scrutiny and review, and a balance achieved between properly
informing the public and ensuring the safety and security of our state
and nation.
Developing and implementing a nationally accepted designation, with
clear and appropriate handling and dissemination standards for
sensitive information, will provide Florida and other states with the
justification they need to encourage modification of state laws so that
sensitive information can be protected in compliance with an accepted
national standard.
Fortunately, there appears to be a workable solution to the
concerns I have identified. Florida supports the implementation of the
Controlled Unclassified Information (CUI) framework to replace the
existing Sensitive But Unclassifed (SBU) designation. The SBU
designation contains numerous confusing designations used to mark
unclassified information. The recommended CUI framework streamlines
existing designations and provides handling requirements that
facilitate wide distribution among law enforcement, homeland security,
other government sectors and the private sector. We strongly believe
that the information sharing environment mandated by Presidential
Guideline 3 cannot be fully achieved without the implementation of a
model such as the CUI framework. In the absence of common protocols,
existing classification schemes will continue to be over utilized and/
or improperly utilized, resulting in the inability of persons who
receive information to adequately distribute it to those with a duty
and responsibility to take action to protect our citizens.
We believe that the recommendations made by the Sensitive But
Unclassified Working Group reflect workable solutions that could be
accepted and replicated by most states. As a state representative I
have been afforded an opportunity to review and comment on these
recommendations during their formulation. I have also had the pleasure
of personally meeting with Ambassador Thomas E. McNamara, Office of the
Program Manager for the Information Sharing Environment and espousing
Florida's views with respect to this and other information sharing
topics.
Implementing CUI
In the absence of federal guidance and standards, many states,
including Florida, have already expended resources in building systems
and programs to fill the information needs of their consumers.
Implementation of the new standard will involve varying degrees of
fiscal and legislative impacts, however it is my opinion that
acceptance will be facilitated if:
1. Guidelines are straight-forward and delivered in a clear,
concise language;
2. A single, nationally accepted, encrypted communications
system and federal information sharing encryption standard that
can be used by non-law enforcement homeland security partners
is designated;
3. Fiscal impacts are mitigated through grants for training and
awareness programs, as well as for new equipment and system re-
programming; and
4. Implementation timeline considers the potential need for
state, local, and tribal governments to:
a. Change policy and/or rules to comply with new
information dissemination requirements;
b. Purchase new equipment and/or system programming
changes; and
c. Train appropriate personnel in markings, handling,
storage and dissemination requirements.
For Official Use Only Tear Line Reporting
In response to post 9/11 criticism regarding failure to share
information vertically and horizontally across the spectrum of homeland
security partners, federal agencies are now providing state and local
agencies with significant amounts of threat information. Much of the
information that is still needed, however, is classified at the
national level in order to protect sources, methods and means of
collection and national security interests. State and local law
enforcement fully understand and appreciate the need to protect certain
information and restrict dissemination to only those with a need or
right to know. Under most circumstances, however, we do not need to
know the identity of federal sources or means and methods of
intelligence collection--only whether or not the information has been
deemed credible and specifically what actions that the state, local and
tribal entities should take.
Florida believes the implementation of state and regional fusion
centers is key to the establishment of the desired Information Sharing
Environment. These centers bring properly trained and equipped
intelligence professionals with appropriate clearances to connect the
pieces of the puzzle and disseminate actionable intelligence. The
problem remains that once the classified material is fused with the
non-classified information from which analysis is performed, the
information takes on the restrictions with the classified information
which significantly narrows to whom and how it can be shared.
Unfortunately, most of the operational components at the state and
local level that may be benefit from the information, and would be
otherwise available to report on the indicators and warnings being
observed within the field, will not ever have access to this
information. Tear line reports forwarded to fusion centers can help
address this particular concern so that state, local and tribal law
enforcement in additional to other discipline partners and the private
sector receive information that they can act upon.
In conclusion, I would like to compliment our federal partners for
recognizing the value of state, local and tribal representative's
expertise and allowing input on such a critical initiative prior to its
implementation. This has not always been the case, but is a testament
to the positive change in the information sharing culture and
established and improved partnerships. I have been honored to be a
member of the Global Intelligence Working Group and would like to
acknowledge the work done by those professionals under the guidance of
their Chairman, New York State Police Deputy Superintendent, Bart
Johnson.
Lastly, Madam Chair and Members of the Sub Committee, thank you for
the opportunity to have appeared and testified before you today. I can
assure you the State of Florida is encouraged by your interest in
facilitating an enhanced information sharing environment across the
nation. It is my hope that this testimony and the understanding of
Florida's desire to be a strong participant in the flow of critical
sensitive information and intelligence nationally will be helpful in
your endeavor.
Ms. Harman. I thank the witness for your testimony and now
yield myself 5 minutes for questions.
Let me say, first, Mr. Zadra, that I think we need to
bottle you. I am not sure what that process could involve, but
I would like to a bottle of you to sit on Charlie Allen's desk
and I would like a bottle of you to sit on the desk of the
appropriate people at the CIA who have a great role to play in
our present classification system.
And I definitely want a big bottle of you to be sitting on
Fran Townsend's desk in the White House, as we move forward.
Because it is absolutely critical, as you said, that you have
timely information. And we have both classification and pseudo-
classification systems that are making that more difficult than
it should be.
No one is arguing about the need to protect sensitive
sources and methods. I served for 8 years in the House
Intelligence Committee, and I think I get it, but I haven't
found a defender, and I would disagree with such a person if I
found one, who says that our present system works well. It
doesn't, it is broken, and this is hearing is about how to fix
at least a portion of it, and this subcommittee will focus on
trying to fix as much of it as we can get our arms around.
I want to ask you about a specific situation. I don't think
anyone in the country and most people around the world missed
the tragic events at Virginia Tech last week where 32 students
and faculty lost their lives. Initially, it was not known who
the shooter was. It turned out to be, we think, a mentally ill
student acting alone.
But I want to ask you, from your perspective, what were you
thinking about when that information came over the wire? For
example, were you thinking, is this a terrorist plot, is this
the first phase, is this going to roll out in some of my
universities in Florida?
And what information were you able to get in real-time as
you had those thoughts, and from whom?
Mr. Zadra. Madam Chair, I can assure you that the state of
Florida, there is not an incident that happens within our
state, whether it is an accident of hazardous materials on a
roadway or anything across the country, our mindset initially
is first to determine whether or not it has a potential nexus
to terrorism. I think we all learned a lesson after 9/11.
Certainly, when this happened our immediate thought, the
Florida Department of Law Enforcement has protective operations
detail for our governor and also for our legislature and
cabinet. And we, of course, when we first heard the news, were
concerned, did we have a nexus to anything within our state and
our particular universities and colleges that we needed to also
be concerned with.
Fortunately, because of the fusion center concept now, we
have an embedded Department of Homeland Security analyst within
our state fusion center. Very immediately two things happened.
We reached out immediately, through our DH analyst, to the
national operations center, and we were advised very quickly
that there was no known nexus to terrorism. Of course, it was
still unfolding at that time, but there were no initial
indicators.
The second thing that happened, which I think is proof
positive about the fusion center concept is that the Virginia
fusion center began putting out information that was made
available to the other state fusion centers. And that was
extremely critical and beneficial to us.
I know the last thing that we would want to do as a state
is to call and begin impacting the local law enforcement
agencies that were responding to that tragic incident. They had
their hands full. To have a state, a thousand or more miles
away, calling and wanting to check to know the status of
everything, it would be understandable that that could be an
impediment to them.
But because of the fusion center there and to be able to
reach out to them directly and with them providing updates to
us, and I know the last I saw was update number six, I know at
least six updates were provided from that fusion center to all
fusion centers across the nation.
Ms. Harman. Well, that is a good news report. That is not a
report you could have given a year or two ago, am I right?
Mr. Zadra. Yes, ma'am, that is correct.
Ms. Harman. Fusion centers, which have been the subject of
other hearings, are beginning to work. DHS does have personnel
embedded in 12 of them. You are obviously one of 12. We are
trying to help move more DHS people there, and I am just
assuming that the products you saw also reflected, for example,
FBI input, since they are typically a part of the fusion
center. Is that correct?
Mr. Zadra. Yes, ma'am, that was my understanding, that
there was a cooperative effort. And let me add, too, that we
are awaiting our FBI analyst. We will have an FBI analyst also
embedded in our state fusion center. The member has just not
arrived yet, but we are expecting that soon.
Ms. Harman. Well, I hope that does happen. I mean, the
goal, again, is to get the right people and right information
to the right places in real-time. Do you agree?
Mr. Zadra. Absolutely.
Ms. Harman. I thank you very much, Mr. Zadra, and now yield
5 minutes to the ranking member for questions.
Mr. Reichert. Good morning.
Thank you, Madam Chair.
First of all, you mentioned open record laws. I am from
Washington state, was the sheriff there for a while. In 33
years of law enforcement, one of the frustrating things in
working with the federal government, and you touched on, was
sharing that information and as they shared it with the local
sheriff's office in Seattle, it became subject to the public
disclosure laws of the state of Washington.
Can you talk a little bit about that, how that discussion
occurred within the framework of your involvement in discussing
where one had the future of sharing information?
Mr. Zadra. Yes, sir. In the state of Florida, we have some
exemptions from public disclosure, and from our perspective
there are usually three that we point to. One is active
criminal investigation, the other is active criminal
intelligence, and then the other deals with security plans,
which include photographs, floor plans and things like that, of
critical infrastructure.
While those are good, there is a hole, so to speak, with
sensitive information, because now, after 9/11, we have a lot
of different partners that we need to share with--health, fire,
emergency managers. So a lot of the information that we get is
not active criminal investigation, it is not active criminal
intelligence, and it is not a floor plan, it is not a
photograph.
For example, if we have mass prophylaxis from dealing with
health issues and where that is stored and how it is
transported, as we have hazardous materials come through our
state, we want to alert our Florida highway patrol, we want to
alert our motor carrier compliance, our Department of
Agriculture, their weigh and inspection stations, of the flow
of this.
Under our current public records exemptions, that
information is not criminal investigative, it is not criminal
intelligence, and it is not a security plan. We attempt to
protect it under those type things, and we have been pretty
much successful.
But to have a national framework that we--and I have talked
to both our house and our senate in our state, and if we had a
national framework that we could point to, to say, this is a
nationally accepted, controlled, unclassified information that
we could amend our state laws to provide those protections so
that when we need to share with other states, they have
confidence that the state of Florida, despite being an open
records law state, that we can protect the information they
share with us.
Mr. Reichert. Very good. The last part of my question was
going to address the last part of your answer.
I was also wondering what your opinion might be in this
whole area of governance, because local law enforcement has
difficulty at the state level, the sheriff's level and the
police chief. Who is going to be in control of the information?
The governance issue is a big one, as you know. It is always a
huge issue.
How did that discussion play out in your discussion of SBU
and all the players around the table? That governance issue is
always touchy.
Mr. Zadra. The state of Florida is a participant in the
Global Intelligence Working Group under the global justice
initiative, and so the state of Florida has been able to
provide input. I personally have been able to review the
recommendations and provide input to those.
I also served as homeland security advisor until most
recently, and we have seven regional domestic security task
forces that all have intelligence operations and components. So
we have had discussions with those, and everyone agrees that
this is a difficult, and we need a national standard.
We have awaited, of course, understanding the formal
adoption of these before we have done a lot of pushing out to
our state, because one thing that happens, while you want to
have the input from your local state, one thing that has
happened to us that encouraged our federal partners, it really
needs to be done and it needs to be done right, so when we take
it and share it, we can share it once, and it doesn't move, and
it doesn't change.
One of the most detrimental things that has happened to us
in the past is the rollout of new programs, and I have heard
them described as, well, we were building this airplane on the
fly.
To be honest with you, sir, I don't want to fly on an
airplane that is being built while I am on it, as we are
flying.
And so what happens is you push these things out to the
states, the locals. The federal government begins to lose
credibility because it continues to change and morph.
So, truthfully, from the state's perspective, what we have
done is we would like to know that there are recommendations,
we have provided input, and once we believe that they are close
to being finalized, to be able then to really push that through
our state framework.
Mr. Reichert. Great. Thank you so much.
I yield. Thank you, Madam Chair.
Ms. Harman. Thank you, Mr. Reichert.
We have votes coming up shortly, but I do have another
question or two, and so I hope you will join me in a second
round of questions until we can adjourn the hearing for voting.
First of all, it is Mr. ``Zadra''? Is that correct?
Mr. Zadra. Yes, ma'am, but anything is fine.
[Laughter.]
Ms. Harman. Well, you are very flexible, but this is my
second goof of the morning here, besides recognizing another
witness out of order. I apologize to you, and we will now
produce Zadra pills, which we are going to put in every federal
office.
I surely agree with you, in answer to your last question,
that it needs to be done right. But it also needs to be done
now. Do you agree with that?
Mr. Zadra. Yes, ma'am.
Ms. Harman. Okay.
Mr. Zadra. If not, the state and locals, like we have done
on many things in the past, we have implemented our own
methodologies and that continues to lead to the confusion and
interoperability between states. So you are correct. It needs
to be right, and it needs to be done as soon as possible.
Ms. Harman. So we have the ambassador calling the White
House today, and we will have approval later today. That would
be nice, obviously. Then we need a forcing mechanism across the
federal government.
My question to you is, would some funds for training help
push this concept into the states? I know there are some other
issues that you were just discussing with Mr. Reichert, but
would training money be of use to you?
Mr. Zadra. Madam Chair, absolutely, and the recommendation
for Florida that we have made, particularly through the
Department of Homeland Security, deals with the federal grant
funding programs, and I know that you are highly aware of those
different ones.
We would ask, because currently we fund our fusion center
efforts through the Law Enforcement Terrorism Prevention
Program, we would ask, because the fusion centers are so
critical to this entire effort, that there be thoughts, just as
there are designated port grants or transit grants, that we
designate fusion center grants. And I believe that the money in
a fusion center grant is so tied to what we are talking about
that we would use those funds in conjunction with the fusion
centers to deal with how we would train how to use CUI.
Ms. Harman. Well, we are working right now on several
proposals to push more money into fusion centers to help with
local training, local involvement, also to get DHS people in
every fusion center. I was confused about your answer before,
probably my fault, about the Virginia Tech information. Your
fusion center does or does not presently have a DHS person in
it?
Mr. Zadra. It does.
Ms. Harman. It does.
Mr. Zadra. It has since January.
Ms. Harman. And that fusion center was what you contacted,
and it got in touch with the Virginia fusion center; is that
what happened?
Mr. Zadra. Our state Florida fusion center made contact
with the Virginia fusion center. Our Department of Homeland
Security analyst made direct contact to the national operations
center, which is the Department of Homeland Security. We went
both ways.
Ms. Harman. So we had a real live example of information
sharing, horizontally at the local level and vertically with
the federal intelligence community; is that correct?
Mr. Zadra. Yes, ma'am. That is not the first time. I think
we continually see progress and movement. And, again, the
creation of state and the regional fusion centers and then
having our federal components embedded in those, I think, are
the best things that we could be doing.
Ms. Harman. Well, we totally agree. We think that is one of
the best things. We think another of the best things is to
change the way we protect information so that we only protect
what we need to protect and we share the rest of it, both on
the classified side and the pseudo-classified or non-classified
side. And that is why we are having this hearing. And I think
you are on the same page; am I right?
Mr. Zadra. Absolutely. I couldn't agree more.
Ms. Harman. I thank you again for your very valuable
testimony, Mr. Zadra, and now yield for additional questions to
the ranking member.
Mr. Reichert. I just have two or three follow-ups. Thank
you, Madam Chair.
How much of your budget is dedicated to homeland security
efforts? Would you know the answer to that?
Mr. Zadra. How much of our state budget or federal grant?
Mr. Reichert. Your agency's budget.
Mr. Zadra. Our agency budget? Not a tremendous amount, and
the reason why is because our state legislature, and I can
forward it to you later, if you would like, sir, our state
statute that designates our domestic security efforts in
Florida indicate that we are to maximize federal funding.
I believe that Florida has placed approximately $25 million
of state revenue into this. Florida, fortunately, because of
the critical infrastructure landscape that we have, we have
been treated very well from the national level. I mean, we
would always want more, but Florida has been a recipient and
last year was the third largest amount of federal funding from
the Department of Homeland Security.
Mr. Reichert. What is your agency's training budget? What
percentage of your budget goes to training?
Mr. Zadra. Sir, I don't know the answer to that. I don't
have that with me today. I can certainly provide that as a
follow-up to you. I do note that we also maximize our federal
homeland security funds to deal with our training.
Mr. Reichert. And to further follow up on the chair's
question regarding funding, would it be helpful to you to have
additional funds that would pay for backfill as you send people
to training?
Mr. Zadra. Yes, sir. To be honest with you, I am sure it
would be greatly appreciated. I think I can say on behalf of
the state of Florida, particularly from the law enforcement
component, is that this is our mission. It is clear to us. This
is just as important as responding to any burglary, rape,
robbery, and we would do it if you didn't give us backfill.
I will say this from the fire side: The fire, we do provide
backfill and overtime for them. Because when you take a
hazardous material truck and you send them all to training,
that is loss. So if you take one member and they don't have
enough to have that team, so they have to backfill that. Law
enforcement, we are a little bit different.
So I guess the best way to answer that, we would be happy
to receive it and it would be a benefit, but I will assure you
the state of Florida is going to do what is necessary, even if
we did not have it.
Mr. Reichert. Well, one of the things we talked about--this
is the last question I have--is creating an environment of
trust. And I just have to smile, still being probably new here
in my second term, beginning my third year at the federal
acronyms, so just today SBU, CUI, ISE, PCI, ICC. So when you
talk about building trust and user friendly, the local cops
really would like language they can understand, don't you
agree?
Mr. Zadra. Sir, interesting that you bring that up, as
Governor Crist, our newly elected governor, his very first
executive order was a plain language initiative in the state of
Florida.
Mr. Reichert. Yes. I think it is a great idea.
Mr. Zadra. We concur wholeheartedly. It needs to be very
plain, it needs to be simple. And no disrespect to our law
enforcement officers who are obviously very confident, but it
makes sense that whatever we do has to be simple so that we can
assure it is done properly and that it will be utilized. If it
is too complicated, it is not going to be utilized and we won't
effect what we are after.
Mr. Reichert. Well, certainly appreciate your time, and
thank you for your service to your community.
And I yield back.
Ms. Harman. I thank the gentleman for yielding back.
The time for questions has expired.
I would just note to Mr. Zadra that I often say the
dirtiest four-letter word in government is not an acronym; it
is spelled T-U-R-F, and it has a lot to do with the subject we
are discussing today.
The hearing is adjourned.
[Whereupon, at 11:22 a.m., the subcommittee was adjourned.]
MAKING DHS THE GOLD STANDARD FOR DESIGNATING CLASSIFIED AND SENSITIVE
HOMELAND SECURITY INFORMATION
PART III
----------
Thursday, June 28, 2007
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Intelligence, Information Sharing, and
Terrorism Risk Assessment,
Washington, DC.
The subcommittee met, pursuant to call, at 10:08 a.m., in
Room 311, Cannon House Office Building, Hon. Jane Harman
[chairwoman of the subcommittee] presiding.
Present: Representatives Harman, Langevin, Carney, Reichert
and Dent.
Ms. Harman. The hearing will come to order.
I apologize to my colleagues and our witnesses for needing
to be in two places at the same time, but the Energy and
Commerce Committee is marking up the energy bill, and that
includes things like plug-in hybrids, which are a huge issue
for California. So I will, as soon as my BlackBerry goes off,
have to go out; and Mr. Langevin will chair the hearing for a
period.
But I would like to welcome our witnesses and welcome our
panel and take a deep breath and launch. Good morning.
According to last Sunday's Washington Post, the Vice
President is inventing his own classified and unclassified
designations to keep his work products secret. My personal
favorite--and I have never heard of this designation in my 8
years on the House Intelligence Committee--is, quote, treated
as Top Secret SCI, unquote.
According to the Post, experts in and out of Government
said Cheney's office appears to have invented that designation,
which alludes to Sensitive Compartmented Information, the most
closely guarded category of Government secrets. By adding the
words ``treated as'', the Post noted, the Vice President seems
to be seeking to protect his unclassified work as though its
disclosure would cause exceptionally grave damage to national
security.
The problem is that the Vice President and some other law
enforcement and security agencies believe that they should
decide which information they can keep secret, regardless of
the law, rules or what the needs are of our local law
enforcement community.
In my view, this is bad policy. But, not only that, it
poses huge obstacles to our need to connect the dots in time to
protect, to prevent or to disrupt the next terrorist attack
against us.
I ask the question, what hope is there for the controlled
unclassified information regime being developed by the program
manager of the Information Sharing Environment at the DNI's
office if we have agencies and parts of our White House that
are going to continue to make their own decisions on what
information they keep secret?
One of our witnesses today is a player, a participant, in
the controversy involving the Vice President's office. Bill
Leonard of the Information Security Oversight Office testified
before this subcommittee this past March, and we welcome him
back. At the prior hearing, he and other witnesses helped paint
a picture of the consequences of abusing the classification
regime and its outrageous costs to both taxpayers and our
information-sharing efforts.
I am aware, Mr. Leonard, that the Justice Department is
currently trying to resolve the issue between your office and
the Vice President, and I anticipate that you may not be able
to comment on the issue, but surely I personally admire your
courage, and I think you are on the right side.
Mr. Leonard appears today to testify about what he believes
the Department of Homeland Security should do to reduce the
problems from overclassification and pseudo-classification.
And our other witnesses, each of our other witnesses,
brings enormous expertise to this. Several of you have been
witnesses before us before. All of you are people whom I talk
to on a regular basis about what this committee should be doing
to get the problem right.
Let me just state a few other tentative conclusions that we
have reached after exploring this issue for some time.
Number one, the only way to insure that relevant homeland
security information is shared between the Federal Government
and its State, local, tribal and private sector partners is to
create a classification and pseudo-classification system that
is enforceable, understandable and applicable to everyone.
Number two, almost 6 years after 9/11, we should be
treating far less information as classified.
Number three, fixing this should be a top priority.
Number four, classified markings are not--repeat not--to be
used to protect political turf or hide embarrassing facts from
public view. They should only be used to properly hide--if that
is a good word--or protect sources and methods from public view
because if those sources and methods are disclosed, people die
and information dries up.
Indeed, a recurrent theme throughout the 9/11 Commission's
report was the need to address the problems of over--and
pseudo--classification to clear up a major stumbling block to
dealing with terrorist threats.
While I hope that Congress will fashion a Government-wide
solution, this committee, the Homeland Security Department and
this subcommittee is a good place to start. We can try to
figure out what Homeland Security should be doing, and we can
hope that what we propose for the Homeland Security Department
can become the best practices Government-wide.
As I mentioned, we have phenomenally good witnesses before
us today; and I look forward to working with them, continuing
to work with them, and to working on a bipartisan basis with
Sheriff Reichert getting this right.
I would like to extend a warm welcome to everyone and would
now yield to the ranking member for his opening comments.
Mr. Reichert. Thank you, Madam Chair; and welcome to all of
you.
I have a couple of pages of prepared comments, but I am
just going to read one paragraph, and then I am going to
comment from more of a local perspective.
This subcommittee is to focus on the Department of Homeland
Security and actions that they can do better in terms of
overclassification, pseudo-classification. However, in crafting
legislation, we must not lose sight of the fact that
overclassification is a Government-wide problem, and that
requires Government-wide solutions. I think really that kind of
boils the whole thing down.
I just want to again comment from a local perspective. It
has only been a little over 2 years since I came from the
Sheriff's Office in Seattle. I had 33 years experience there,
some working with the Federal officials, the FBI, Secret
Service and DEA and ATF and you name it, from a detective's
perspective in sharing information and working as partners in
investigating crimes.
One of those crimes, as I mentioned in earlier hearings, is
a well-known case called the Green River Murder Investigations,
where we had nearly 50 to 60 Federal agents assigned to the
task force. I operated there as the lead investigator from the
middle 1980s into the early 1990s. We had difficulty obtaining
information from the Federal agencies and agents that worked
there with us, right alongside, side by side.
My partner, FBI agent Special Agent Bob Agnew, shared
information with me because we built a relationship. We had a
friendship where we trusted each other. But the agency itself
classified the documents that were associated with our case at
a level where I had no access to the documents in our own case.
So this is back in the 1980s.
So when we finally come to make an arrest years later, 19
years later, while I then served as the first elected sheriff
in 30 years in Seattle, I had the opportunity once again to
oversee for 2 years the investigation of this serial murder
case that solved 50 murders. Part of that investigation then
required that we go back to the Federal agency, the FBI, and
acquire the documents that they had produced during that
investigation for discovery so that we could pursue charges
against the suspect. They refused to give them to us. That is
ridiculous, and it touches on the level that the Chair
mentioned at a local level.
Really, it boils down to, look, cops on the street, the
local cops, the local sheriff's deputies, the State Patrol, you
know, the State agencies, and all the other Federal agencies,
the guys and gals on the street do not care one iota about the
Vice President and the politics of this stuff. What they want
is a system in place where we can share information, where we
can build that trust, that sort of friendship that Bob Agnew
and Dave Reichert had back in the mid-1980s, where we could
share the information vital to investigating a local crime.
Now, in today's world, after September 11th, vital to the
security of this Nation, because, as we have all said over and
over again in this subcommittee and in our full committee, the
involvement of local law enforcement is critical in the
protection of our country. And if we don't share information
with our local agencies and we can't trust each other and build
trust between local agencies and Federal agencies, this
country's safety is at great risk.
So I know all of you are working hard to overcome this
problem, but I wanted to share with you just one of my
experiences in my 33-year career working with one Federal
agency. I have other stories I could share with you that would
illustrate this point, but I won't take the time this morning.
So I appreciate you being here this morning and look
forward to your testimony.
Madam Chair, I yield.
Ms. Harman. I thank the gentleman for his comments and
would note that other members of the subcommittee are reminded
that, under committee rules, opening statements may be
submitted for the record.
Ms. Harman. As mentioned, I welcome our four witnesses.
Our first witness, Mr. William Leonard, is the Director of
the Information Security Oversight Office. The ISOO reports to
the President and is responsible for policy and oversight of
the Federal Government-wide security classification system and
the National Industrial Security Program.
Mr. Leonard has testified several times before Congress
about the need to break down the classification impediments to
information sharing. Some of them were just graphically
mentioned by Mr. Reichert.
Our second witness, and a very long-standing friend of
mine, is Scott Armstrong, who is the Executive Director of the
Information Trust, a nonprofit group that works toward opening
access to Government information. He has been inducted into the
Freedom of Information Act, FOIA, Hall of Fame--that is
impressive; I hope you are wearing the medal--and was awarded
the James Madison Award by the American Library Association.
Mr. Armstrong has been a Washington Post reporter, a member
of the board of several nonprofits, is the founder of the
National Security Archive of the George Washington University
and co-author of a major book on the Supreme Court.
Our third witness, Suzanne Spaulding, is an authority on
national security issues, including terrorism, homeland
security, critical infrastructure protection, cybersecurity,
intelligence, law enforcement, crisis management and issues
relating to the threats of chemical, biological, nuclear and
radiological weapons. She just knows everything.
She started working on national security issues on Capitol
Hill over 20 years ago. More recently, she was the Executive
Director of two congressionally mandated commissions, the
National Commission on Terrorism, on which I was a member and
where I met her, and the Commission to Assess the Organization
of the Federal Government to Combat Proliferation of Weapons of
Mass Destruction, which was chaired by former CIA Director John
Deutch; and she also was the chief of staff to the then
minority on the House Intelligence Committee when I was the
ranking member.
Welcome back, Suzanne.
Ms. Spaulding. Thank you.
Ms. Harman. Our fourth witness, Mark Agrast, is a Senior
Fellow at the Center for American Progress, where he focuses on
the Constitution, separation of powers, terrorism, civil
liberties, and the rule of law.
Prior to joining the Center for American Progress, Mr.
Agrast was counsel and legislative director to Congressman
Delahunt of Massachusetts. He serves on the 37-member Board of
Governors at the American Bar Association, past Chair of ABA's
section on Individual Rights and Responsibilities, and a former
colleague of mine in law practice. Very, very knowledgeable
about this subject.
Without objection, all the witnesses' full statements will
be inserted in the record; and I would now urge you each to
summarize, in 5 minutes or less, your principal points.
We do have a timer. You will see it. It will start blinking
at you. But it will be much more productive if we can have a
conversation here, not just having you read from a prepared
text. And all of us are very eager to learn from you today.
STATEMENT OF J. WILLIAM LEONARD, DIRECTOR, INFORMATION SECURITY
OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORD ADMINISTRATION
Ms. Harman. Please start, Mr. Leonard.
Mr. Leonard. Thank you, Madam Chair, Mr. Reichert, members
of the subcommittee. I want to thank you for holding this
hearing today and giving me the opportunity to appear.
Obviously, the ability and the authority to classify
national security information is a critical tool at the
disposal of the Government and its leaders to protect our
Nation and its citizens.
As with any tool, the classification system is subject to
misuse and misapplication. When information is improperly
declassified or not classified in the first place, although
clearly warranted, our citizens, our democratic institutions,
our homeland security, and our interactions with foreign
nations can be subject to potential harm.
Conversely, too much classification, the failure to
declassify information as long as it no longer satisfies the
standards for continued classification, or inappropriate
reclassification unnecessarily obstructs effective information
sharing and impedes an informed citizenry, the hallmark of our
democratic form of Government.
In this time of constant and unique challenges to our
national security, it is the duty of all of us engaged in
public service to do everything possible to enhance the
effectiveness of this tool. To be effective, the classification
tool is a process that must be wielded with precision.
Last year, I wrote to all agency heads and made a number of
recommendations for their consideration. Collectively, these
recommendations help preserve the integrity of the
classification system, while at the same time reduce
inefficiencies and cost. They included things such as
emphasizing to all authorized holders of classified information
the affirmative responsibility they have under the order to
challenge the classification status of information they believe
is improperly classified.
I also suggested requiring the review of agency procedures
to ensure that they facilitate classification challenges. In
this regard, agencies were encouraged to consider the
appointment of impartial officials ombudsmen, if you will,
whose sole purpose is to seek out inappropriate instances of
classification and to encourage others to adhere to their
individual responsibility to challenge classification as
appropriate.
Also, I suggested ensuring that quality classification
guides of adequate specificity and clarity are absolutely
necessary in order to insure accurate and consistent derivative
classification decisions.
In this letter, I also suggested ensuring the routine
sampling of recently classified products to determine the
propriety of classification and the application of proper and
full markings. Agency inspector generals, for example, could be
involved in this process.
Consideration should also be given to reporting the results
of these reviews to agency personnel as well as to officials
designated who would be responsible to track trends and assess
the overall effectiveness of the agencies' efforts and make
adjustments as appropriate.
Finally, I suggested that agencies need to ensure that
information is declassified as soon as it no longer meets the
standards for continued classification.
Again, thank you for inviting me here today, Madam Chair;
and I would be happy to answer any questions you or the
subcommittee may have.
Ms. Harman. Thank you, Mr. Leonard.
[The statement of Mr. Leonard follows:]
Ms. Harman. I just want to announce to all that I have to
leave to return to this markup. I will try to get back. Mr.
Carney will assume the Chair, because Mr. Langevin has to
depart shortly. But we will hear testimony from all four of
you, and then we will ask questions of all four of you.
Again, I would like to thank you all, but I would like to
say to you particularly, Mr. Leonard, that you are in a tough
fight, and your courage and integrity are very impressive.
Thank you very much.
Mr. Leonard. Thank you.
Ms. Harman. Without objection, I will now turn the Chair
over to Mr. Carney.
Mr. Carney. [Presiding.] Thank you, Mr. Leonard, for your
testimony.
Mr. Armstrong. Thank you.
Mr. Armstrong. I was intending to wish our chairwoman, Mrs.
Harman, a happy birthday, as today is her birthday, but we can
sing to her when she returns.
Mr. Carney. Not me. I want to get re-elected.
STATEMENT OF SCOTT ARMSTRONG, FOUNDER, INFORMATION TRUST
Mr. Armstrong. I appreciate the opportunity to address
these issues of classification and pseudo-classification at the
Department of Homeland Security.
My views are my own, but I should note I have been working
closely within the Aspen Institute to sustain a 6-year dialogue
between senior journalists, editors and publishers and high-
level Government officials from various national security
agencies, including senior members of Congress and their
staffs. We met from time to time with the Director of Central
Intelligence and the Attorney General and ranking members of
the various intelligence bureaucracies. The product of those
meetings I think is an agreement that the goal is to have a
well-informed citizenry that is assured of its safety, without
sacrificing its liberty.
The lessons of 9/11 were focused on sharing more
information within Government agencies, laterally across
Government agency barriers, and among Federal, State, and local
governments and with critical private industries, community
first responders and the public at large.
The challenge for the Department of Homeland Security is
not so much how to withhold information or secrets from the
public but how to share information so as to promote our
security. For once, the Government's first mission is not to
silence leaks but to effectively share official information
outside of its usual constraints.
The discipline of controlling information needs to give way
to the creative task of selectively selecting previously
withheld information and pushing it rapidly and articulately
out to the extraordinarily varied organizations that protect
us, from local law enforcement, first responders, medical and
emergency response teams, community leaders, utility industry
managers with nuclear facilities, or farms of chemical and
electrical storage tanks, mass transportation, and on and on.
Homeland security requires the vigilance of the many,
rather than the control of the few. Awareness, prevention,
protection, response and recovery are not hierarchical tasks
delegated or dictated from the top.
The National Intelligence Reform Act of 2004 allowed--in
that Congress took a major step to address these needs. It
authorized broad central power for the new Director of National
Intelligence and urged the DNI to create a tear-line report
system, in which intelligence gathering by agencies is prepared
so that information relating to intelligence sources and
methods is easily severable within multi-layered products to
allow wide sharing, while still protecting truly sensitive
sources and methods from unauthorized disclosure.
The benefit of the protection to our communities lies on
the other side of that tear-line. By concentrating on
classification guidelines for protecting well-defined sources
and methods and making refined decisions to protect that which
really, truly require protection, more of the remaining
information will be available for sharing with the public.
Your attention today follows a series of extraordinary
efforts by this administration to control information with such
severity and vengeance that it has blinded its constitutional
partners here and in the judiciary. Most startling, this
administration has used the information controls to institute
policy and decision-making layers which have deemed even senior
departmental officials from working--have doomed them to
working in the sort of isolated stovepipes that are repeated
again and again in the lessons of 9/11.
The practices that I have outlined in my prepared statement
of DHS that have frustrated this effort can be read there. But
I emphasize that it is DHS that is the place to start. By
adopting legislative features, you can directly address your
interests. Give DHS near-term objectives and extra resources to
achieve results. Hold the Secretary of Homeland Security
accountable for the mandates already contained in the law which
dispensed such sweeping power.
The DNI has the authority to mandate DHS as a test-bed and
to direct other departments and agencies to cooperate in
changing the range of intelligence information controls. Hold
the DNI accountable for regularly measuring achievements within
the organizations under his control. Provide built-in
monitoring by independent and experienced observers, such as
Bill Leonard and the Information Security Oversight Office and
Public Interest Declassification Board.
The tear-line system defined by Congress 4 years ago is the
right standard. It is the place to start. It needs major
attention to standardize guidance materials which can be
applied with precision. Training and performance evaluation is
necessary throughout.
But, most of all, demand and reward less information
control in order to maximize communication. Translate the
classification guides that Mr. Leonard referred to into action
directives about what and how Congress--what and how should be
communicated, rather than simply whether information might be
classified and decontrolled. Hold Government officials and
employees accountable for their decisions. When mistakes come
to light, reeducate and retrain and emphasize the importance of
the supervisors in that process.
Lastly, encourage the Office of the DNI and the full range
of agencies under the DNI authority. This includes, not limited
to DHS, to take careful cognizance of the well-established
tradition of background briefings in which national security
officials and the news media communicate informally in a manner
meant to inform the public, including Congress and others in
the executive, and provide a degree of confidence that secrecy
is not being used to erode or impede civil liberties and free
expression.
We would all do well to recall that our freedom has been
protected and our homes have been secure because we as a people
have understood how to best share information and how to best
respond together to mutual threats. We look forward to
cooperating with you in that effort.
Thank you.
Mr. Carney. Thank you, Mr. Armstrong.
[The statement of Mr. Armstrong follows:]
Prepared Statement of Scott Armstrong
June 28, 2007
Chairwoman Harman, Ranking Member Reichert, and members of the
Committee, thank you for this opportunity to address the issues of
classification and pseudo-classification at the Department of Homeland
Security.
My views today are my own, but I should note that I have been
working closely with the Aspen Institute to sustain a six-year Dialogue
between senior journalists, editors and publishers and high level US
government officials from various national security and intelligence
agencies, including senior members of congress and their staffs. The
Dialogue on Journalism and National Security has attempted to address
recurring concerns about the handling of sensitive national security
information by government officials and representatives of the news
media. The discussions have included the Attorney General, the Director
of the Central Intelligence Agency and ranking officials from the
National Security Council, the Department of Defense, the National
Security Agency, the FBI as well as the CIA and the Department of
Justice.
The Dialogue grew out of mutual concerns that legislation passed by
both Houses of Congress in 2000 was, in effect, America's first
Official Secrets Act. Although vetoed by President Clinton, the bill
was reintroduced in 2001. In the wake of 9/11, high ranking officials
of the national security community and the leadership of national press
organizations recognized that the disclosure of sensitive national
security information was a reason for concern. We found considerable
agreement that legislation which inhibited virtually all exchanges of
sensitive information--even responsible exchanges designed to increase
public appreciation of national security issues--was not likely to make
America more secure.
The goal, we seemed to agree, has been to have a well-informed
citizenry that is assured of its safety without sacrificing its
liberty. The lessons of 9/11 focused on sharing more information within
government agencies, laterally across federal agency barriers and among
federal, state, local governments and with critical private industries,
community first responders and the public at large.
The Homeland Security Information Sharing Act, first passed by the
House in 2002 and incorporated into the Homeland Security Act of
2004,\1\ mandated the creation of a unique category of information
known as ``sensitive homeland security information.'' This category of
SHSI information--as we have transliterated the acronym--was designed
to permit the sharing of certain critical information with state and
local authorities without having to classify it and require its
recipients to hold clearances thus creating new barriers to
communication. At the same time, SHSI designates information deemed
necessary to withhold briefly from the general public while appropriate
measures are taken to protect our communities.
---------------------------------------------------------------------------
\1\ PL.107-296
---------------------------------------------------------------------------
The challenge for the Department of Homeland Security is not so
much how to WITHHOLD secrets from the public and its local governmental
representatives. The challenge is how to SHARE information so as to
promote our security. For once government's first mission is not to
silence ``leaks,'' but to effectively share official information
outside its usual restraints.
The discipline of controlling information needs to give way to the
creative task of selecting previously withheld information and pushing
it rapidly and articulately out to the extraordinarily varied
organizations that protect us: local law enforcement; first responders;
medical and emergency response teams; community leaders; utility
industry managers with nuclear facilities or farms of chemical and
energy storage tanks; mass transportation operators, and so forth.
Homeland security requires the vigilance of the many rather than
the control of the few. Awareness, prevention, protection, response and
recovery are not hierarchical tasks dictated from the top. Secrecy must
yield to communication. This is no trivial task. The mission of
information sharing is difficult enough within the cumbersome and
slumbering giant newly merged from dozens of agencies and populated
more than 180,000 employees. But that job is only the beginning since
DHS is the focal point for leveraging some 87,000 different
governmental jurisdictions at the federal, state, and local level which
have homeland security responsibilities involving tens of millions of
Americans whose responsibilities cannot be choreographed from afar, but
must be inspired by shared information.
In the National Intelligence Reform Act of 2004, the Congress took
another major step to address this phenomenon. It authorized broad
centralized power for the new Director of National Intelligence and
urged the new DNI to create a tear-line report system by which
intelligence gathered by an agency is prepared so that the information
relating to intelligence sources and methods is easily severable within
multiple layered products to allow wide sharing while protecting truly
sensitive sources and methods from unauthorized disclosure.
The benefit to the protection of our communities lies on the other
side of that ``tear-line'' system. By concentrating on the
classification guidelines for protecting well-defined sources and
methods and making refined decisions to protect that which truly
requires protection, more of the remaining information should be
available for sharing within the intelligence community as well as
within the diversified and distributed elements of the colossus of
those charged with Homeland Security responsibilities. The public
benefits from these designations within internally published
intelligence requiring protection because it makes majority of fact and
analysis available for expedited release--not just to homeland security
organizations--but also to the media and the public.
Your attention today follows a series of extraordinary efforts by
this administration to control information with such severity and
vengeance that it has blinded its constitutional partners here and in
the judiciary. Most startling, this administration has used these
information controls to institute policy and decision making layers
which have doomed even senior departmental officials to work in the
sort of isolated stovepipes described in the repetitious texts of 9/11
failures.
This is no longer a question of issues of over-classification but
one of wholesale compartmentalized control and institutionalized
intimidation through the use of draconian Non-Disclosure Agreements. It
appears designed more to inhibit and constipate internal communications
in the federal government than to protect the national security.
Not surprisingly, the Department of Homeland Security wasted no
time in replicating the move to Non-Disclosure Agreements (NDA's). But
it combined it with an effort to side-step the congressional mandate to
foster information sharing. Rather than educate the rest of the
government on how to effectively communicate information, DHS dispersed
new information control authority across the full spectrum of executive
agencies. The uncoordinated proliferation of Sensitive But Unclassified
designations--of the sort you address today--already includes some
remarkable missteps.
In one instance, the Department of Homeland Security drafted a
draconian Non-Disclosure Agreement (NDA) designed to impose
restrictions on tens of thousand federal employees and hundreds of
thousands of state and local first responders. This NDA \2\ for
unclassified information more severe than the NDA's covering Sensitive
Compartmented Information and even more sensitive information under the
government's control.
---------------------------------------------------------------------------
\2\ DHS Form 11000-6 (08-04) ``NON-DISCLOSURE AGREEMENT''.
---------------------------------------------------------------------------
This NDA required officials, employees, consultants and
subcontractors to protect such ``sensitive but unclassified
information,'' which is defined as ``an over-arching term that covers
any information. . . which the loss of, misuse of, or unauthorized
access to or modification of could adversely affect the national
interest or the conduct of Federal programs, or the privacy [of]
individuals . . . but which has not been specifically authorized under
criteria established by an Executive Order or an Act of Congress to be
kept secret in the interest of national defense or foreign policy. This
includes information categorized by DHS or other government agencies
as: For Official Use Only (FOUO); Official Use Only (OUO); Sensitive
Homeland Security Information (SHSI); Limited Official Use (LOU); Law
Enforcement Sensitive (LES); Safeguarding Information (SGI);
Unclassified Controlled Nuclear Information (UCNI); and any other
identifier used by other Government agencies to categorize information
as sensitive but unclassified.''
This overbroad--but legally binding requirement--was implemented as
a condition of access to certain unclassified information. Such an NDA
represented a vast increase in government secrecy. It left control in
the hands of an undefined and virtually unlimited number of
supervisors. Those who signed the agreement were bound perpetually
until it was explicitly removed. The NDA had no statutory authority and
thus no defined criteria, rules, limitations or effective oversight.
Although it did not provide an explicit rationale for withholding
``Sensitive But Unclassified'' information under the Freedom of
Information Act, it surely provided an incentive to err in favor of
using other exemptions to deny release.\3\
---------------------------------------------------------------------------
\3\ See also DHS directive (MD 11042) on ``Safeguarding Sensitive
But Unclassified (For Official Use Only) Information,'' dated May 11,
2004.
---------------------------------------------------------------------------
Although this NDA was withdrawn by DHS in January 2005, it was used
last year at the Department to silence private Wackenhut guards who
were speaking to the press about security breakdowns at the
Department's Nebraska Avenue headquarters. Other instances of SBU
constraints by government agencies, contractors and utilities appear to
be used most often to discourage and prevent the public from
participating in its government. Provisions similar to the DHS NDA have
since appeared in other employee and contractor agreements both within
DHS and within other departments.\4\
---------------------------------------------------------------------------
\4\ See CRS Report RL33303, ``Sensitive But Unclassified''
Information and Other Controls: Policy and Options for Scientific and
Technical Information, February 15, 2006 Genevieve J. Knezo, Specialist
in Science and Technology Policy, Resources, Science, and Industry
Division.
---------------------------------------------------------------------------
I repeat the details of DHS's failed practices to underline the
suggestion that DHS is dramatically out of synch with its mandate to
increase our security at home by aggressively--and yet carefully--
sharing information in order to frustrate terrorists through prepared
and coordinated responses of the most sophisticated intelligence
capabilities on one hand, and our most formidable first line of
defense--local law enforcement and first responders, on the other hand.
The Necessary Response
Adopt into legislation features which directly address your intentions.
1. DHS is the right place to begin. The current classification
system within government is out of control and likely uncontrollable.
Someone needs to start over with a new test-bed. DHS, with its
critically mission of communicating effectively across the federal
government and with all other layers of state and local institutionsm
has the greatest incentive for change.
2. Give DHS near-term objectives and extra resources to achieve
concrete results. Hold the Secretary of Homeland Security accountable
for the mandates contained in the law which dispensed such sweeping
power.
3. The DNI has the authority to mandate DHS as a test-bed and to
direct other departments and agencies to cooperate in changing the
range of intelligence and information control systems. Hold the DNI
accountable by regularly measuring achievements within organizations
under his control.
4. Provide built-in monitoring by independent and experienced
observers such as the Information Security Oversight Office and the
Public Interest Declassification Board and provide the monitors with
the resources to do their job.
5. The tear-line system designated by Congress four years ago is
the right standard. It needs major attention to standardize guidance
materials which can be applied with precision. All intelligence
publication and sharing should be premised on carefully and formally
defining sources and methods which require protection by isolating the
smallest number of critical details. Information which requires less
protection will receives greater circulation and earlier decontrol.
6. Provide training and performance evaluation incentives
throughout all levels of DHS, in order to assure that the information
which needs tight sources and methods control--and only that
information--receives the ultimate protection.
7. Create an electronic metadata tagging system which requires that
rigorous classification decision making will follow established
guidance. Use it to assure that all levels understand they must conform
with established practice and their effectiveness can and will be
calibrated. Such a tagging system not only improves accountability, but
also allows corrections and the protection of information improperly
handled.
8. Demand and reward less information control in order to maximize
communication.
Changing goals require reinforcement that professionalizes
every level and every aspect of the information control
process.
Translate Information Control Guides (Classification
Guides) into action directives about what and how to
communicate rather than simply what and when information might
be declassified or decontrolled.
Provide opportunities for training and conceptual
exercise which insist on communication up and down the line as
well as lateral reviews and find mechanisms to make sure that
the communication runs to, as well as from, all intended
recipients.
9. Hold government officials and employees accountable for their
decisions.
When mistakes come to light, reeducate and retrain.
Rethink the scope and purpose of both past practices
and contemporary innovations by insisting managers manage the
process with a willingness to keep changing procedures until
they truly work.
Remove authority from those who abuse it.
Hold supervisors responsible by requiring them to
assume additional monitoring and training responsibilities if
those reporting to them fail to perform well-defined and
specifically designated responsibilities. Similarly reward them
when their aides perform their communication roles well.
End the incentive to classify simply because over
classifying has no consequences to individuals but information
released can be career ending.
Institute pro-active audits and correlated retraining.
Allow government employees and motivated citizens--
such as users of the FOIA--to bring mistakes to light. Follow-
up in a transparent manner to demonstrate that improved
communication and improved information controls are not
necessarily on separate planes but are integrated concerns of
all stakeholders in a democracy.
10. Encourage the Office of the DNI and full range of Agencies
under DNI authority--including but not limited to DHS--to take careful
cognizance of the well established tradition of background briefings in
which national security officials and the media communicate informally
in a manner meant to inform the public (including the Congress and
others in the Executive) and provide a degree of confidence that
secrecy is not being used to erode or impede civil liberties and free
expression.
Include training for national security officials on
responsible interaction with the news media by including the
news media in the training
Offer the media opportunities to learn about the laws,
regulations and practices which involve secrecy and other
national security protocols.
We would all do well to recall that our freedom has been protected
and our homes have been secure because--as a people--we have understood
how to best to share information and how best to respond together to
mutual threats.
Mr. Carney. Ms. Spaulding for 5 minutes, please.
STATEMENT OF SUZANNE E. SPAULDING, PRINCIPAL, BINGHAM
CONSULTING GROUP LLC
Ms. Spaulding. Thank you, Chair, ranking member and members
of the committee. I very much appreciate this opportunity to be
here today to testify about classification issues at the
Department of Homeland Security. It is a very important issue,
and I commend the committee for making it a priority.
In my 20 years working national security issues for the
Government, I have seen firsthand how important it is to get
this classification issue right. It may seem counterintuitive
to some, but avoiding overclassification is essential to
protecting vital national security secrets. Those handling
classified documents will have greater respect for that Top
Secret stamp if they know that things are only classified when
they their disclosure will truly harm national security.
When things are classified that clearly would not harm
national security, it tempts some individuals to believe that
they can decide what is really sensitive and what is not. Now
let me be clear that, in making that observation, I am in no
way trying to excuse the disclosure of classified information,
merely to note that the risk of leaks I believe is heightened
by overclassification.
A similar phenomenon follows the increasingly common
practice of selective declassification by Government officials.
Strategic and carefully considered decisions to make previously
classified information available to the public can be important
in increasing transparency. But when the disclosures appear to
be designed to advance a particular political agenda or to gain
an advantage in a policy dispute, it again undermines the
respect for and confidence in the classification system. And
this risk is heightened when the declassification is done
selectively, so as to reveal only intelligence that supports
one side of the issue, leaving contrary intelligence
classified.
It is equally essential for our national security that
information that can be shared without jeopardizing national
security is not prevented by overclassification from getting to
those who need it and could make use of it.
It is appropriate that the committee has decided to begin
with an effort to make the Department of Homeland Security the
gold standard for reducing overclassification, because it is
DHS that faces the most significant imperative to provide
relevant information to a wide range of users, including those
at the State and local level, the private sector, and even
within DHS who are not traditional members of the national
security community and are unlikely to hold security
clearances. If information is unnecessarily restricted, it
threatens homeland security by hampering the ability of these
key players to contribute to the mission.
I know the committee is considering a number of ideas, a
number of which have already been articulated here today, and I
think these are very sound suggestions. There are additional
near-term and longer-term steps that the committee might also
consider.
One, require that intelligence documents be written in an
unclassified version first to the maximum extent possible.
Rather than creating a tear-line of unclassified or less
sensitive information at the bottom of a document, why not set
up the system so that no classified document can be prepared
without first entering information into the unclassified
section at the top of the document? This exercise could prompt
a more careful effort to distinguish between truly classified
information and that which can be shared more broadly and
provide a visual reinforcement of the importance of writing in
an unclassified form.
Two, enforce portion marking. This used to be the standard
practice, where each paragraph was determined to be whether it
was classified or unclassified. We have drifted away from that,
and I think we should go back to really enforcing that
requirement.
Three, use technology to tag information as it moves
through the system. This provides even greater granularity than
the paragraph portion marking, indicating which precise bits of
information are classified. And then these tags, perhaps
embedded in metadata, can move through the system with that
information, facilitating the production of less classified
documents.
Reverse the incentive to overclassify. This will not change
until performance evaluations consider classification issues.
It should be a specific factor when employees are evaluated for
moving up or for raises. Employees who routinely overclassify
should be held accountable and receive additional training, and
employees should be rewarded for producing reports that can be
widely disseminated.
Five, identify key Federal, State and local officials who
can receive relevant classified information by virtue of their
office, rather than by having to get a clearance. This is how
we have always handled it for Members of Congress. More
recently, we have included Governors; and DHS should consider
extending it to other key officials.
And, six, develop innovative ways of sharing information
without handing over documents; and I have got some specifics
on that in my prepared testimony.
In conclusion, these are just a few ideas, based on
practical experience working in the classified environments for
nearly 2 decades. I know the committee is aware of the
outstanding work of the Markle Foundation and others, and I
recommend those to your consideration as well.
The problem of overclassification is an enduring one and
presents a daunting challenge. The committee is to be commended
for taking up that challenge and endeavoring to set a new
standard at DHS, and I appreciate the opportunity to contribute
to that effort.
Thank you.
Mr. Carney. Thank you, Ms. Spaulding.
[The statement of Ms. Spaulding follows:]
Prepared Statement of Suzanne E. Spaulding
June 28, 2007
Chairwoman Harman, Ranking Member Reichert, and members of the
Committee, thank you for this opportunity to testify today about
classification issues at the Department of Homeland Security. This is
an important issue and I commend the committee for making it a
priority.
I was fortunate enough to spend 20 years working national security
issues for the government, including 6 years at CIA and time at both
the Senate and House Intelligence Committees. I have seen first hand
how important it is to get the classification issue right.
It may seem counterintuitive to some, but avoiding over-
classification is essential to protecting vital national security
secrets. Those handling classified documents will have greater respect
for that ``Top Secret'' stamp if they know that things are only
classified when their disclosure would truly harm national security.
When things are classified whose disclosure clearly would not harm
national security, it tempts some individuals to believe that they can
decide what is really sensitive and what is not. This could apply to
employees in the intelligence community or others, such as members of
the media, who receive classified documents. In making this
observation, I certainly do not mean in any way to excuse the
disclosure of classified information, merely to note that the risk of
leaks is heightened by over-classification.
A similar phenomenon follows the increasingly common practice of
``selective declassification'' by government officials. This selective
declassification can be accomplished either by unofficial leaks to the
media or by official decisions to declassify material. Strategic and
carefully considered decisions to make previously classified
information available to the public can be an important and effective
way of increasing the transparency that is so vital for a functioning
democracy. However, when the disclosures appear to be designed to
advance a particular political agenda or to gain advantage in a policy
dispute, it again undermines the respect for and confidence in the
classification system. An employee or reporter who sees senior
officials deciding that classification isn't as important as their
particular agenda may be emboldened to make similar decisions. This
risk is heightened when the classification is done selectively so as to
reveal only intelligence that supports one side of the issue, while
leaving contrary intelligence classified.
Just as getting the classification process right is vital for
protecting true secrets, it is essential that information that can be
shared without jeopardizing national security is not prevented by over-
classification from getting to those who could make use of it. As the
9/11 Commission Report made clear, this is particularly urgent for our
counterterrorism efforts.
It is appropriate that the Committee has decided to begin with an
effort to make the Department of Homeland Security the ``Gold
Standard'' for reducing over-classification, since DHS faces the most
significant imperative to provide relevant information to, and receive
and analyze information from, a wide range of users who are not
traditional members of the national security community. Key players at
the state and local level, in the private sector, and within DHS? own
entities, are unlikely to have clearances. Yet they serve vital roles
in protecting the homeland and can provide, benefit from, and help
analysts to better understand, information that is gathered overseas
and in the US. If this information is unnecessarily restricted, it
threatens homeland security by hampering the ability of these key
players to contribute to the mission.
I know that the committee is considering a number of ideas,
including a certification process to ensure that those who have
authority to classify documents are properly trained to recognize when
information is truly sensitive and regular audits of existing
classified documents to assess the scope and nature of any over-
classification. I think these are sound suggestions. There are
additional near-term and longer-term steps that the Committee might
also consider.
1. Require that documents be written in unclassified version first,
to the maximum extent possible. Traditional practice in the
intelligence community has been to prepare a classified document
reflecting the intelligence and then, if dissemination to non-cleared
individuals was required, to prepare an unclassified version at the
bottom of the document after a ``tear line.'' These are known as ``tear
sheets;'' the recipient would tear off the bottom portion to provide to
the un-cleared recipient. Instead, to facilitate the admonition to move
from a ``need to know'' to a ``need to share'' culture--what the Markle
Foundation called a ``culture of distribution''--why not set up the
system so that no classified document can be prepared without first
entering information in the unclassified section at the top of the
document. There may be times when almost nothing can be put it the
unclassified portion, but the exercise could prompt more careful effort
to distinguish between truly classified information and that which can
be shared more broadly. And putting the unclassified version at the top
visually reinforces the shift in priorities.
2. Enforce ``portion marking.'' It used to be standard practice
that each paragraph of a document had to be individually determined and
marked as classified or unclassified. This requires more careful
consideration of what information is actually sensitive and assists in
any later efforts to provide an unclassified version of the document.
My sense is that, over time, documents are increasingly classified in
their entirety, with no portion marking, making it far more difficult
and cumbersome to ``sanitize'' the information for wider dissemination.
A simple immediate step would be to enforce the requirement for portion
marking for every classified document.
3. Use technology to tag information as it moves through the
system. The optimum system would provide even greater granularity than
the paragraph portion marking, indicating what precise bits of
information are classified. These classification ``tags''--perhaps
imbedded in metadata--would then move with the information as it flows
through the system and facilitate the preparation of unclassified
versions of documents. The more precisely we can isolate truly
sensitive information, the easier it will be to identify and
disseminate unclassified information.
4. Reverse the ``default'' incentive to over-classify. Virtually
all of the incentives today are in favor of over-classification. The
danger of not classifying information that is indeed damaging to
national security is well understood. What is not as widely appreciated
in the national security risk of over-classification. Thus, there are
effectively no penalties in the system for an individual decision to
classify unnecessarily. This will not change until performance
evaluations consider classification issues. Regular audits can provide
insight into individual patterns as well as overall agency performance,
for example. Employees who routinely over--classify should be held
accountable and receive additional training. And employees should be
rewarded for producing reports that can be widely disseminated. In
addition, the system should make it easy to produce unclassified
documents and require a bit more effort to classify something.
Requiring that unclassified documents be written first and enforcing
the requirement for portion marking are some examples. Requiring that
the specific harm to national security be articulated in each case
might be another possibility, although it is important not too make the
system so cumbersome that it undermines the ability to be quick and
agile when necessary. Ultimately, you want a process that makes it
harder to go around the system that to use it.
5. Identify key federal, state, and local officials who can receive
relevant classified information by virtue of their office rather than
having to get a clearance. This is how it has always worked with
Members of Congress. More recently, this was adopted as the policy for
governors. DHS should consider extending this to other key officials.
6. Develop innovative ways of sharing information without handing
over documents. Ultimately, the key is to enhance understanding and
knowledge. Too much emphasis is sometimes placed on sharing documents,
rather than on sharing ideas, questions, and insights gleaned from
those documents. This can often be done without revealing the sensitive
information in the documents. In addition, when dealing with
unclassified but sensitive information, such as business proprietary
information, DHS could consider ``partnership panels'' where the
government and business would come together in a neutral space, share
information such as vulnerability assessments and threat information,
so as to enhance mutual understanding and benefit from each others
insights, but then leave the space without having handed over the
documents.
These are just a few ideas based on practical experience working in
classified environments for nearly two decades. I know that the
Committee is aware of the outstanding work by the Markle Foundation and
others in developing recommendations for improving information sharing
and will take those under consideration as well.
The problem of over-classification is an enduring one and presents
a daunting challenge. This Committee is to be commended for taking up
that challenge and endeavoring to set a new standard at DHS. I
appreciate the opportunity to contribute to that important effort.
Mr. Carney. Mr. Agrast, please summarize for 5 minutes.
STATEMENT OF MARK AGRAST, SENIOR FELLOW, CENTER FOR AMERICAN
PROGRESS
Mr. Agrast. Thank you, Mr. Carney.
My name is Mark Agrast. I am a Senior Fellow at the Center
for American Progress, where I focus on civil liberties and
national security concerns; and I previously spent a decade on
Capitol Hill.
Most Americans understand and accept the need to protect
Government information whose disclosure would endanger the
Nation's security. But as the 9/11 Commission found, too much
secrecy can put our Nation at greater risk, hindering
oversight, accountability and information sharing, concealing
vulnerabilities until it is too late to correct them, and
undermining the credibility of the classification system
itself.
Ten years ago, the Moynihan Commission concluded secrets
could be protected more effectively if secrecy is reduced
overall. Unfortunately, while the Clinton Administration made
much headway in reducing unnecessary secrecy, today we are
moving in the opposite direction. There were nearly three times
as many classification actions in 2004 as in the last year of
the Clinton Presidency; and while President Clinton
declassified nearly a billion pages of historical material, the
pace has slowed to a trickle in the last 6&ars.
Today's epidemic of overclassification stems in part from
rules that resolve all doubts in favor of nondisclosure and in
part from standards so hard to administer that even skilled
classifiers often get it wrong. Sometimes material is
classified only to suppress embarrassing information.
Take the decision to classify the Taguba Report on prisoner
abuse at Abu Ghraib. A reporter who had seen a copy of that
report asked Secretary Rumsfeld why it was marked Secret. You
would have to ask the classifier, Rumsfeld said. Or the
decision to reclassify a 1950 intelligence estimate written
only 12 days before Chinese forces entered Korea, predicting
Chinese entry in the conflict was not probable.
Still, despite such failures, at least there are rules what
can be classified, for how long and by whom. The same cannot be
said for the designations used by Federal agencies to deny
access to sensitive but unclassified information. Few of these
pseudo-classifications have ever been authorized by Congress.
They allow virtually any employee, and even private
contractors, to withhold information that wouldn't even rate a
Confidential stamp, with few standards or safeguards to prevent
error and abuse.
As the Chair noted, last Sunday's Washington Post described
a pseudo-classification scheme invented by the Vice President
himself. His office has been giving reporters documents labeled
treat as Top Secret/SCI, an apparent attempt to treat
unclassified material as though it were Sensitive Compartmented
Information, a special access designation reserved for secrets
whose disclosure would cause exceptionally grave damage to
national security.
I commend the committee, the subcommittee for its
commitment to doing the oversight that is so long overdue; and
I hope you won't stop at oversight. It has been 10 years since
the Moynihan Commission urged Congress to legislate the rules
that protect national security information, rather than leaving
it up to the executive branch to police itself. It is time for
Congress to take up that challenge.
In some cases, this will require Government-wide solutions.
For example, Congress could and should reinstate the
presumption against classification in cases of significant
doubt, the Clinton era policy which the Moynihan Commission
urged Congress to codify.
Congress should also rein in the use of pseudo-
classification, at a minimum prohibiting agencies from adopting
unclassified designations that are not expressly authorized and
mandating strict standards for any designations it does
authorize to minimize their impact on public access.
Better still, Congress could refrain from authorizing
unclassified designations in the first place. Such powers are
all too easily given; and, once they are in place, it is
virtually impossible to get rid of them.
Finally, Congress can take steps to reform the system one
agency at a time by initiating reforms at the Department of
Homeland Security. By making DHS the gold standard, Congress
can promote best practices throughout the system.
My full statement includes recommendations to improve
oversight of the classification system at DHS and to reduce the
harmful effects of pseudo-classification as well. I would just
review a couple of those in the half a minute or so that I have
left.
I would recommend that Congress establish an independent
DHS Classification Review Board to ensure that information is
declassified as soon as it no longer meets the criteria for
classification. Congress should establish an independent ombuds
office within DHS to assist with declassification challenges
and requests for declassification. It should require the DHS
Inspector General to conduct periodic audits of the DHS
classification program and report to Congress on the
appropriateness of classification decisions. And it should
require DHS to implement a system of certification for DHS
officials with classification authority and to provide them
with training and proper classification practices.
I would refer you to my testimony for recommendations
regarding sensitive information controls.
I do think that by helping to ensure that the Government
keeps secret only what needs to be kept secret, these measures
and others would enhance both openness and security at DHS and
throughout the Government.
Thank you.
[The statement of Mr. Agrast follows:]
Prepared Statement of Mark D. Agrast
June 28, 2007
Madame Chair, Ranking Member Reichert, and members of the
subcommittee, thank you for conducting this hearing and inviting me to
testify.
My name is Mark Agrast. I am a Senior Fellow at the Center for
American Progress, where I work on issues related to the Constitution,
separation of powers, terrorism and civil liberties, and the rule of
law.
Before joining the Center, I was an attorney in private practice
and spent over a decade on Capitol Hill, most recently as Counsel and
Legislative Director to Congressman William D. Delahunt of
Massachusetts. A biographical statement is appended to my testimony.
In an address to the Oklahoma Press Association in February 1992,
former Director of Central Intelligence, Robert M. Gates, now the
Secretary of Defense, noted that the phrase ``CIA openness'' can seem
as much an oxymoron as ``government frugality'' and ``bureaucratic
efficiency.'
That seeming contradiction in terms illustrates the anomalous role
that secrecy plays in a democracy that depends so profoundly on an
informed and engaged citizenry.
At the same time, most Americans understand and accept the need to
withhold from public view certain national security information whose
disclosure poses a genuine risk of harm to the security of the nation.
But the events of 9/11 taught us how dangerously naive it would be
to equate secrecy with security. As the 9/11 Commission conclude, too
much secrecy can put our nation at greater risk, hindering oversight,
accountability, and information sharing.
Too much secrecy--whether through over-classification or through
pseudo-classification--conceals our vulnerabilities until it is too
late to correct them.
It slows the development of the scientific and technical knowledge
we need to understand threats to our security and respond to them
effectively.
It short-circuits public debate, eroding confidence in the actions
of the government.
And finally, it undermines the credibility of the classification
system itself, encouraging leaks and breeding cynicism about legitimate
restrictions. As Associate Justice Potter Stewart famously cautioned in
the Pentagon Papers case:
I should suppose that moral, political, and practical
considerations would dictate that a very first principle of that wisdom
would be an insistence upon avoiding secrecy for its own sake. For when
everything is classified, then nothing is classified, and the system
becomes one to be disregarded by the cynical or the careless, and to be
manipulated by those intent on self-protection or self-promotion. I
should suppose, in short, that the hallmark of a truly effective
internal security system would be the maximum possible disclosure,
recognizing that secrecy can best be preserved only when credibility is
truly maintained.\1\
---------------------------------------------------------------------------
\1\ N.Y. Times Co. v. U.S., 403 U.S. 713, 729 (1971) (Stewart, J.,
concurring).
---------------------------------------------------------------------------
The Commission on Protecting and Reducing Government Secrecy,
chaired by Sen. Daniel Patrick Moynihan, reached a similar conclusion
in its 1997 report: ``The best way to ensure that secrecy is respected,
and that the most important secrets remain secret, is for secrecy to be
returned to its limited but necessary role. Secrets can be protected
more effectively if secrecy is reduced overall.'' \2\
---------------------------------------------------------------------------
\2\ Report of the Comm'n on Protecting & Reducing Gov't Secrecy
(1997) at xxi [hereinafter Moynihan Commission Report].
Classification, Declassification and Reclassification
The Moynihan Commission was created by Congress to consider whether
it was time to rethink the vast system of secrecy that had been brought
into being during the Cold War. The Commission recommended a series of
statutory reforms to the classification system that were widely praised
but never implemented.
The spirit of the Moynihan recommendations can certainly be
discerned in the contemporaneous amendments to the classification
system that were instituted by President Clinton under Exec. Order No.
12958. The order established a presumption of access, directing that
``If there is significant doubt about the need to classify information,
it shall not be classified.'' Similarly, the order provided that ``If
there is significant doubt about the appropriate level of
classification, it shall be classified at the lower level.'' The
Clinton order also: .
Limited the duration of classification, providing that
where the classifier cannot establish a specific point at which
declassification should occur, the material will be
declassified after 10 years unless the classification is
extended for successive 10-year periods under prescribed
procedures.
Provided for automatic declassification of government
records that are more than two years old and have been
determined by the Archivist of the United States to have
permanent historical value, allowing for the continued
classification of certain materials under specified procedures.
Established a balancing test for declassification
decisions in ``exceptional cases,'' permitting senior agency
officials to exercise discretion to declassify information
where ``the need to protect such information may be outweighed
by the public interest in disclosure of the information.''
Prohibited reclassification of material that had been
declassified and released to the public under proper authority.
Authorized agency employees to bring challenges to the
classification status of information they believe to be
improperly classified.
Created an Interagency Security Classification Appeals
Panel (ISCAP) to adjudicate challenges to classification and
requests for mandatory declassification, and to review
decisions to exempt information from automatic
declassification.
The changes instituted by President Clinton were largely erased by
his successor, who issued a revised executive order in 2003. Exec.
Order No. 13292 eliminated the presumption of access, leaving officials
free to classify information in cases of ``significant doubt.'' It
also:
Relaxed the limitations on the duration of
classification, and made it easier for the period to be
extended for unlimited periods.
Postponed the automatic declassification of protected
records 25 or more years old from April 2003 to December 2006,
and reduced the showing that agencies must make to exempt
historical records from automatic declassification.
Revived the ability of agency heads to reclassify
previously declassified information if the information ``may
reasonably be recovered.''
Allowed the Director of Central Intelligence to
override decisions by ISCAP, subject only to presidential
review.
The results of this shift in policy are reflected in the annual
classification statistics published by the Information Security
Oversight Office (ISOO). The number of classification actions by the
government hit an all-time high of 15.6 million in 2004, with only
slightly fewer (14.2 million) reported in 2005. This was nearly twice
the number of classification actions (8.6 million) taken in 2001, the
first year of the Bush administration, and three times the number (5.8
million) taken in 1996, the last year of President Clinton's second
term.\3\
---------------------------------------------------------------------------
\3\ Info. Sec. Oversight Office, Nat'l Archives & Records Admin.,
Report to the President 2005 at 13.
---------------------------------------------------------------------------
As classification actions have soared, declassification actions
have plummeted. President Clinton oversaw the declassification of more
historic materials than all previous presidents combined. During his
last six years in office, 864 million pages were declassified, hitting
an all-time high of 204 million pages in 1997 alone. Under the Bush
administration, the numbers have fallen precipitously. Only 245 million
pages were declassified from 2001--2005, with fewer than 30 million
pages were declassified in 2005.\4\
---------------------------------------------------------------------------
\4\ Id. at 15.
---------------------------------------------------------------------------
Apart from its costs to both openness and security, all this
classifying and declassifying comes at a heavy financial cost as well.
In 2005, the cost of securing classified information was $7.7 billion,
of which only $57 million was spent on declassification. In all, for
every dollar the federal government spent to release old secrets, it
spent $134 to create new ones.\5\
---------------------------------------------------------------------------
\5\ OpenTheGovernment.org, Secrecy Report Card 2006 at 4.
---------------------------------------------------------------------------
What the numbers cannot reveal is whether classification decisions
are lawful and appropriate. Estimates of the extent of over-
classification vary, but I was particularly struck by Mr. Leonard's
testimony before this subcommittee last March, in which he said that an
audit conducted by the Information Security Oversight Office found that
even trained classifiers, armed with the most up-to-date guidance,
``got it clearly right only 64 percent of the time.'' \6\
---------------------------------------------------------------------------
\6\ Overclassification and Pseudo-classification: The Impact on
Information Sharing: Hearing Before the Subcomm. on Intelligence,
Information Sharing and Terrorism Risk Assessment of the House Comm. on
Homeland Sec., 110th Cong. (2007) (statement of J. William Leonard).
---------------------------------------------------------------------------
There are also instances in which over-classification is the
result, not of honest error, but of a desire to conceal. Both the
Clinton and Bush executive orders prohibit the use of the
classification system to ``conceal violations of law, inefficiency, or
administrative error'' or prevent embarrassment to a person,
organization, or agency.'' Yet at least some recent classification
decisions could have had little purpose other than to suppress
information that might be embarrassing to the government.
A particularly troubling example is the decision by the Department
of Defense to classify in its entirety the March 2004 report of the
investigation by Maj. Gen. Antonio M. Taguba of alleged abuse of
prisoners by members of the 800th Military Police Brigade at Baghdad's
Abu Ghraib Prison. According to an investigation by the Minority Staff
of the House Committee on Government Reform:
One reporter who had reviewed a widely disseminated copy of the
report raised the issue in a Defense Department briefing with
General Peter Pace, the Vice Chairman of the Joint Chiefs of
Staff, and Secretary Rumsfeld. The reporter noted that `there's
clearly nothing in there that's inherently secret, such as
intelligence sources and methods or troop movements' and asked:
`Was this kept secret because it would be embarrassing to the
world, particularly the Arab world?' General Pace responded
that he did not know why the document was marked secret. When
asked whether he could say why the report was classified,
Secretary Rumsfeld answered: `No, you'd have to ask the
classifier.' \7\
---------------------------------------------------------------------------
\7\ Minority Staff of House Comm. On the Judiciary, 10TH Cong.,
Report on Secrecy in the Bush Administration (2004) at 50.
---------------------------------------------------------------------------
The desire to prevent embarrassment seems also to have played a
role in the Bush administration's aggressive reclassification campaign.
According to a February 2006 report by the National Security Archive,
the administration has reclassified and withdrawn from public access
9,500 documents totaling 55,500 pages, including some that are over 50
years old. For example:
complaint from the Director of Central Intelligence to
the State Department about the bad publicity the CIA was
receiving after its failure to predict anti-American riots in
Colombia in 1948.
A document regarding an unsanctioned CIA psychological
warfare program to drop propaganda leaflets into Eastern Europe
by hot air balloon that was canceled after the State Department
objected to the program.
A document from spring 1949, revealing that the U.S.
intelligence community's knowledge of Soviet nuclear weapons
research and development activities was so poor that America
and Britain were completely surprised when the Russians
exploded their first atomic bomb six months later.
A 1950 intelligence estimate, written only 12 days
before Chinese forces entered Korea, predicting that Chinese
intervention in the conflict was ``not probable.'' \8\
---------------------------------------------------------------------------
\8\ Matthew M. Aid, Nat'l Sec. Archive, Declassification in
Reverse: The U.S. Intelligence Cmty's Secret Historical Document
Reclassification Program (2006).
---------------------------------------------------------------------------
These reclassification actions call to mind the observations of the
late Erwin N. Griswold, former Solicitor General of the United States
and Dean of Harvard Law School, who argued the Pentagon Papers case
before the Supreme Court in 1971. Presenting the case for the
government, he had argued that the release of the Pentagon Papers would
gravely damage the national security. Nearly two decades later,
Griswold reflected on the lessons of that case:
It quickly becomes apparent to any person who has considerable
experience with classified material that there is massive
overclassification and that the principal concern of the
classifiers is not with national security, but rather with
governmental embarrassment of one sort or another. There may be
some basis for short-term classification while plans are being
made, or negotiations are going on, but apart from details of
weapons systems, there is very rarely any real risk to current
national security from the publication of facts relating to
transactions in the past, even the fairly recent past. This is
the lesson of the Pentagon Papers experience, and it may be
relevant now.\9\
---------------------------------------------------------------------------
\9\ Erwin N. Griswold, Secrets Not Worth Keeping: The Courts and
Classified Information, Wash. Post, Feb. 15, 1989, at A25.
Pseudo-Classification
For all its faults, the classification system has many virtues as
well. Classification actions are subject to uniform legal standards
pursuant to executive order. These actions can be taken by a limited
number of officials who receive training in the standards to be
applied; they are of limited duration and extent; they are monitored by
a federal oversight office; they can be challenged; and they can be
appealed.
The same cannot be said for the potpourri of unclassified control
markings used by federal agencies to manage access to sensitive
government information, most of which are defined by neither statute
nor executive order, and which collectively have come to be known
pejoratively as the ``pseudo-classification'' system.
Among the better known are Sensitive But Unclassified (SBU),
Sensitive Security Information (SSI), Sensitive Homeland Security
Information (SHSI), Critical Infrastructure Information (CII), Law
Enforcement Sensitive (LES), and For Official Use Only (FOUO).
While some of these control markings are authorized by statute,\10\
others have been conjured out of thin air. Some of these pseudo-
classification regimes allow virtually any agency employee (and often
private contractors) to withhold information without justification or
review, without any time limit, and with few, if any, internal controls
to ensure that the markings are not misapplied.
---------------------------------------------------------------------------
\10\ See, e.g., Aviation and Transp. Sec. Act, Pub. L. No. 107-71;
Fed. Info. Sec. Act, Pub. L. No. 107-347; Homeland Sec. Act, Pub. L.
No. 107-296; Critical Infrastructure Info. Act, Pub. L. No. 107-296.
---------------------------------------------------------------------------
A March 2006 report by the Government Accountability Office (GAO)
found that the 26 federal agencies surveyed use 56 different
information control markings (16 of which belong to one agency) to
protect sensitive unclassified national security information. The GAO
also found that the agencies use widely divergent definitions of the
same controls.\11\
---------------------------------------------------------------------------
\11\ U.S. Gov't Accountability Office, Rep. No. GAO-06-385,
Information Sharing: The Federal Government Needs to Establish Policies
and Processes for Sharing Terrorism-Related and Sensitive but
Unclassified Information (2006).
---------------------------------------------------------------------------
According to the GAO report, the Department of Homeland Security
(DHS) employs five of these control markings: For Official Use Only
(FOUO) (agency-wide); Law Enforcement Sensitive (LES) (agency-wide);
Limited Official Use (LOU) (U.S. Secret Service); Protected Critical
Infrastructure Information (PCII) (Directorate for Preparedness); and
Sensitive Security Information (SSI) (Transportation Security
Administration and U.S. Coast Guard).
The department's approach to the use of these designations is set
forth in a DHS management directive regarding the treatment of
sensitive but unclassified information originating within the
agency.\12\ The directive is chiefly concerned with the For Official
Use Only designation, which it says will be used ``to identify
sensitive but unclassified information within the DHS community that is
not otherwise specifically described and governed by statute or
regulation.'' The directive identifies 11 categories of SBU information
that can be designated as FOUO, and provides that the designation can
be made by any DHS employee, detailee, or contractor and will remain in
effect indefinitely until the originator or a management official
determines otherwise.
---------------------------------------------------------------------------
\12\ Safeguarding Sensitive But Unclassified (For Official Use
Only) Information, Mgt. Dir. No. 11042 (2004), at http://www.fas.org/
sgp/othergov/dhs-sbu.html, revised by Mgt. Dir. No. 11042.1, (2005), at
http://www.fas.org/sgp/othergov/dhs-sbu-rev.pdf [hereinafter
Safeguarding].
---------------------------------------------------------------------------
For good measure, the directive notes that where other agencies and
international organizations use similar terminology but apply different
requirements to the safeguarding of the information, the information
should be treated in accordance with whichever requirements are the
more restrictive.
A 2004 report by the JASON Program Office at MITRE Corporation
suggests that the designation authorities at DHS are not atypical:
``'Sensitive but unclassified' data is increasingly defined by the eye
of the beholder. Lacking in definition, it is correspondingly lacking
in policies and procedures for protecting (or not protecting) it, and
regarding how and by whom it is generated and used.'' \13\
---------------------------------------------------------------------------
\13\ JASON Program Office MITRE Corporation, Horizontal
Integration: Broader Access Models for Realizing Information Dominance
5 (2004).
---------------------------------------------------------------------------
As in the case of classification and reclassification actions,
these designations have at times been used not to protect legitimate
national security secrets, but to spare the government from
embarrassment. In a March 2005 letter to Rep. Christopher Shays, then
the Chairman of the House Committee on Government Reform, Rep. Henry
Waxman cited examples in which:
The State Department withheld unclassified conclusions
by the agency's Inspector General that the CIA was involved in
preparing a grossly inaccurate global terrorism report.
The State Department concealed unclassified
information about the role of John Bolton, Under Secretary of
State for Arms Control, in the creation of a fact sheet that
falsely claimed that Iraq sought uranium from Niger.
The Department of Homeland Security concealed the
unclassified identity and contact information of a newly
appointed TSA ombudsman whose responsibility it was to interact
daily with members of the public regarding airport security
measures.
The CIA intervened to block the chief U.S. weapons
inspector Charles A. Duelfer, from revealing the unclassified
identities of U.S. companies that conducted business with
Saddam Hussein under the Oil for Food program.
The Nuclear Regulatory Commission sought to prevent a
nongovernmental watchdog group from making public criticisms of
its nuclear power plant security efforts based on unclassified
sources.\14\
---------------------------------------------------------------------------
\14\H.R. Rep. No. 109-8, at 16 (2005) (letter from Henry Waxman to
Christopher Shays).
---------------------------------------------------------------------------
In another case, currently in litigation, a federal air marshal
blew the whistle when TSA attempted to reduce security on ``high risk''
flights, and the agency allegedly retaliated by retroactively
designating the material he had disclosed as Sensitive Security
Information (SSI).\15\
---------------------------------------------------------------------------
\15\ Project on Gov't Oversight, Alert: Robert MacLean v. DHS
(2007), at http://pogo.org/p/government/rmaclean-dhs.html
---------------------------------------------------------------------------
Another concern arises out of the interplay between unclassified
control markings and the Freedom of Information Act (FOIA). Certain
unclassified control markings, including Sensitive Security Information
(SSI) and Critical Infrastructure Information (CII), are specifically
exempt by statute from release under FOIA. But some agencies have
claimed that other unclassified control markings constitute an
independent legal basis for exempting information from public
disclosure under FOIA--even in the absence of an express statutory
exemption and even where the information does not fit within an
existing exemption.
Such claims prompted the American Bar Association's House of
Delegates to adopt a resolution in February 2006 urging the Attorney
General to clarify that such designations should not be used to
withhold from the public information that is not authorized to be
withheld by statute or executive order.
As it happens, the DHS directive meets the ABA standard. It
provides that FOUO information is not automatically exempt from
disclosure under FOIA and that FOUO information may be shared with
other agencies and government entities ``provided a specific need-to-
know has been established and the information is shared in furtherance
of a coordinated and official governmental activity.'' \16\
---------------------------------------------------------------------------
\16\ Safeguarding, supra note 11.
---------------------------------------------------------------------------
But whether or not an agency has a legal basis for withholding
pseudo-classified information not otherwise exempt under FOIA is almost
beside the point. The designation is itself sufficient to exert a
chilling effect on FOIA disclosures. As Thomas S. Blanton of the
National Security Archive testified before a subcommittee of the House
Committee on Government Reform in March 2005, ``the new secrecy stamps
tell government bureaucrats `don't risk it'; in every case, the new
labels signal `find a reason to withhold.' '' \17\
---------------------------------------------------------------------------
\17\ Emerging Threats: Over-classification and Pseudo-
classification: Hearing Before the Subcomm. on Nat'l Sec., Emerging
Threats and Int'l Relations of the House Comm. on Gov't Reform, 109th
Cong. (2005) (statement of Thomas S. Blanton).
---------------------------------------------------------------------------
An article published in the Washington Post on June 24, 2007,
brought to light a pseudo-classification scheme apparently invented by
the Vice President of the United States. His office has been giving
reporters documents labeled: ``Treated As: Top Secret/SCI''--an
apparent attempt to treat unclassified material as though it were
Sensitive Compartmented Information (SCI)--a special access designation
reserved for secrets whose disclosure would cause `exceptionally grave
damage to national security.'' '\18\
---------------------------------------------------------------------------
\18\ Barton Gellman & Jo Becker, A Different Understanding with the
President, Wash. Post, June 24, 2007, at A1.
---------------------------------------------------------------------------
Unlike the Cheney innovation, Special Access Programs (SAPs), which
limit access above and beyond the three-tiered classification system,
are authorized by law, and are confined to a relatively limited circle
of senior officials. Exec. Order No. 12859, as amended, provides that
unless otherwise authorized by the President, only certain named
officials are authorized to establish such programs. The list includes
the Secretaries of State, Defense, and Energy, and the DCI, or the
principal deputy of each. Interestingly, the list does not include the
Vice President--perhaps in anticipation of his novel assertion that the
Office of the Vice President is not an agency of the Executive Branch
and need not comply with the requirement under Exec. Order 12859 that
such agencies file an annual report with ISOO.\19\
---------------------------------------------------------------------------
\19\ Peter Baker, Cheney Defiant on Classified Material: Executive
Order Ignored Since 2003, Wash. Post, June 22, 2007, at A1.
---------------------------------------------------------------------------
The fact that SAPs are authorized by executive order does not mean
they are immune from the deficiencies of pseudo-classifications. The
Moynihan Commission noted a ``lack of standardized security
procedures'' that ``contributes to high costs and other difficulties,''
and recommended the establishment of a single set of security standards
for Special Access Programs--another of its sensible recommendations
which, as far as is known, has not been carried out.\20\
---------------------------------------------------------------------------
\20\ Moynihan Commission Report at 28.
Recommendations for Congress
Madame Chair, you and the subcommittee should be commended for
exercising your oversight authority over the treatment of national
security information--both classified and unclassified--at the
Department of Homeland Security. Such scrutiny is essential, and it is
long overdue.
I would also respectfully suggest that the time has come for the
committee, and for Congress, to exercise its legislative authority over
these matters. For 67 years, Congress has largely ceded that authority
to the president, and as I hope I have explained, the results have been
decidedly mixed.
It has been ten years since the Moynihan Commission urged Congress
to legislate the rules that protect national security information,
rather than leaving it up to the executive branch to police itself. It
is time for Congress to take up that challenge.
A. Systemic solutions
Many of the problems facing the classification system are systemic,
and they require comprehensive, government-wide solutions. Among other
things, Congress should reinstate the provisions of Exec. Order No.
12958 which (a) established a presumption against classification in
cases of significant doubt (a policy which the Moynihan Commission
urged Congress to codify); (b) permitted senior agency officials to
exercise discretion to declassify information in exceptional cases
where the need to protect the information is outweighed by the public
interest in disclosure; and (c) prohibited reclassification of material
that had been declassified and released to the public under proper
authority.
Congress also should undertake a thorough and comprehensive
examination of the growing use of agency control markings to restrict
access to unclassified information. Much has been said, and rightly so,
about the importance of information sharing among government agencies.
But what is the justification for a system that entrusts low-level
employees and private contractors with the non-reviewable discretion to
determine whether an unclassified document--a document that doesn't
even rate a ``Confidential'' stamp--a document that may not even
qualify for a FOIA exemption--is too sensitive for public view?
Before Congress acquiesces in the further proliferation of these
designations, it should consider whether those that already exist place
an unwarranted burden on the free exchange of information, not only
among government officials, but between the government and the people
who elect it.
At a minimum, Congress should prohibit agencies from adopting
unclassified controls that are not expressly authorized by statute (or
executive order), and should mandate strict standards for any controls
it does authorize to minimize their impact on public access.
H.R. 5112, the Executive Branch Reform Act, which was reported by
the House Government Reform Committee during the 109th Congress,
directs the Archivist of the United States to promulgate regulations
banning the use of information control designations not defined by
statute or executive order. If the Archivist determines that there is a
need for some agencies to use such designations ``to safeguard
information prior to review for disclosure,'' the regulations shall
establish standards designed to minimize restrictions on public access
to information. The regulations shall be the sole authority for the use
of such designations, other than authority granted by statute or
executive order.
This approach would ameliorate some of the worst features of what
is today an unregulated wilderness of inconsistent standards and
insufficient checks. But it begs the question of whether Congress
should be authorizing agency officials to withhold unclassified
information in the first place. Such powers are all too easily given,
and once they are in place, it is virtually impossible to get rid of
them.
I hope that Congress will consider codifying standards that
incorporate these policies. But there are also many steps that can be
taken to reform the management of national security information one
department at a time. By undertaking such reforms at the Department of
Homeland Security--by making DHS the ``gold standard''--Congress can
create a model for best practices that other agencies can adopt.
B. The Classification System at DHS
(1) Congress should establish an Information Security Oversight
Office, modeled after the Information Security Oversight Office
at the National Archives and Records Administration, to oversee
security classification programs at DHS. Its responsibilities
would include development of implementing directives and
instructions; maintenance of liaison with ISOO and agency
counterparts; monitoring of agency compliance and preparation
of reports to Congress; and development of security
classification education and training programs.
(2) Congress should establish an independent DHS Classification
Review Board to ensure that information is declassified as soon
as it no longer meets the criteria for classification. Among
the responsibilities of the board would be to facilitate and
review requests for declassification and classification
challenges, and to conduct an independent ongoing review of
classified materials to determine whether they are properly
classified.
(3) Congress should establish an independent ombuds office
within DHS to provide assistance with classification challenges
and requests for declassification.
(4) Congress should require the DHS Inspector General to
conduct periodic audits of the DHS classification program and
report to Congress on the appropriateness of classification
decisions.
(5) Congress should require DHS to implement a system of
certification for DHS officials with classification authority
and to provide them with training in proper classification
practices.
C. Sensitive Information Controls at DHS
As noted above, I hope that Congress will reconsider the question
of whether agency employees and private contractors should be given a
license to withhold unclassified, non-FOIA exempt information from the
public. But short of curtailing the use of unclassified control
markings, there are steps that can be taken by DHS to minimize error
and abuse, and reduce the impact of pseudo-classification on public
access to information.
(1) Congress should require DHS to place strict limits on the
number of agency officials authorized to designate FOUO and
other unclassified information as controlled, to implement a
system of certification for DHS officials with designation
authority, and to provide authorized officials with training in
proper designation practices.
(2) Congress should require DHS to limit the duration of
controls on unclassified information and provide procedures by
which such controls can be removed.
(3) Congress should require DHS to develop procedures by which
members of the public can challenge unclassified designations.
(4) Congress should require the DHS Inspector General to
conduct periodic audits of the use of controls on unclassified
information and report to Congress on the appropriateness of
designations.
(5) The Homeland Security Committee should oversee DHS
implementation of--
a. The directives regarding the use of the SSI
designation by TSA which Congress included in the DHS
Appropriations Bill for FY 2007 (Pub. L. 109-295).
Those directives require review of any document
designated SSI whose release is requested and require
release of certain documents designated SSI after three
years unless the DHS Secretary provides an explanation
as to why it should not be released.
b. The recommendations included in the GAO report of
June 2005 evaluating the use of the SSI designation by
TSA.\21\ The GAO found significant deficiencies in
TSA's management of SSI, and recommended that the
Secretary of DHS direct the TSA Administrator to:
---------------------------------------------------------------------------
\21\ U.S. Gov't Accountability Office, Rep. No. GAO-05-677
Transportation Security Administration: Clear Policies and Oversight
Needed for Designation of Sensitive Security information (2005).
---------------------------------------------------------------------------
i. Establish clear guidance and procedures for
using the TSA regulations to determine what
constitutes SSI.
ii. Establish clear responsibility for the
identification and designation of information
that warrants SSI protection.
iii. Establish internal controls that clearly
define responsibility for monitoring compliance
with regulations, policies, and procedures
governing the SSI designation process and
communicate that responsibility throughout TSA.
iv. Establish policies and procedures within
TSA for providing specialized training to those
making SSI designations on how information is
to be identified and evaluated for protected
status.
Conclusion
By helping to ensure that the government keeps secret only the
information that needs to be secret, these measures would enhance both
openness and security--at DHS and throughout the government.
Thank you.
Mr. Carney. Well, I thank the witnesses for their
testimony; and I remind each member he or she will have 5
minutes to question the panel.
I now recognize myself for 5 minutes, and this is for all
the witnesses. If you could do one thing to overcome the
overclassification or pseudo-classification problem at DHS,
what reform initiative or best practice would you adopt? I know
Mr. Agrast, you just mentioned a few, but Mr. Leonard and Mr.
Armstrong, Ms. Spaulding?
Mr. Leonard. One that I would recommend, some agencies,
such as State and CIA, as a best practice have independent
advisory commissions comprised of historians that advise those
agencies on the effectiveness of their agencies'
declassification program. There is no reason why such an
advisory committee could not be established on the front end of
the process. An advisory committee may be of the principal
consumers, State and local officials with appropriate
clearances who could provide advice back to the Department as
to the effectiveness of what they are classifying and its
impact on their information needs.
Mr. Armstrong. Mr. Carney, I would emphasize--I think Ms.
Spaulding made reference to the same phenomenon--in the tear--
line system, or something like the tear-line system, emphasize
the communication of important information in the least--
controlled manner necessary. Remember that the purpose of all
communication in Government, whether it is the most sensitive
intelligence or not, is to influence someone somewhere to take
cognizance of it and to change their behavior or focus their
analytical skills. In doing so, put the emphasis on
communication and then minimize and restrict the sources and
methods portion of the communication to protect it. But put the
emphasis on communicating, not withholding.
Ms. Spaulding. I think the most important thing is to do
something to begin to change the culture and the mindset, and I
think that is set at the top. That is a tone and an emphasis
that is set at the top.
So I would consider issuing, maybe even from the President,
an Executive Order, for example, that would direct the
agencies, Department of Homeland Security to begin with, to
include in their performance evaluations the issue of
overclassification and underclassification, how employees do in
terms of getting the classification right, that that would be a
factor in how they are evaluated. I think that would go a long
way in setting the right tone.
Mr. Carney. Are the evaluators in your opinion able to do
that? Don't they have a vested interest in kind of keeping the
system as it is?
Ms. Spaulding. Well, I think it would be combined with the
kinds of recommendations that have been made at this table,
including regular audits of documents that have been
classified; and that would help to inform those kinds of
performance appraisals as to whether this employee regularly is
found to have overclassified documents, for example, or whether
this employee has written a great number of unclassified
reports that have been able to be widely disseminated.
Those performance appraisals are fairly standardized
actions; and if those forms have a specific thing that you have
to fill in that relates to how this employee does in terms of
their classification decisions, I think that would provide an
appropriate incentive.
Mr. Leonard. If I could add to that, as a follow-on,
another best practice that is very closely related to that, the
CIA, even though it is not required at the national level,
requires a personal identifier on every product they produced
as to who was responsible for the classification decision; and
something like that facilitates a follow-up and holding people
accountable.
Mr. Agrast. If I could also add, I completely agree with
the recommendations, particularly with the remarks of Ms.
Spaulding.
Mr. Reichert opened his portion of the hearing by talking
about his experience as a law enforcement officer at the State
and local level. I think there are two kind of prosecutors.
There are two kinds of law enforcement officers. There is the
kind that says my job is to convict as many people as possible,
and there is the other kind who says my job is to get the
truth, and I will be satisfied that I have done my job if I
convict the people who are guilty and don't convict the people
who are not guilty.
I think that is the cultural change that has to happen at
these agencies so the premium is set not solely on the number
of documents you have successfully kept from the public but
using discernment and using fine judgment in determining when
and whether classification decisions should be made.
Mr. Carney. Thank you.
Mr. Leonard, I know your office is responsible for
regulating classification by agencies within the executive
branch; and you consistently stated that the Government
classifies too much information. Why is this happening, in your
opinion? What is the reason?
Mr. Leonard. Reasons are varied, but I would agree more
than anything else with Ms. Spaulding's assessment that it is
really one of culture. We are very effective in terms of
holding people accountable for the inappropriate disclosure of
information, either administratively or criminally. Very
rarely, if ever, have I ever seen anyone held accountable for
inappropriately withholding or hoarding information.
Mr. Carney. Too many people have classification power?
Mr. Leonard. Yes.
Another best practice--and Mr. Agrast mentioned this--is
DOE follows it. They actually require people to be trained and
certified before they can affix classification controls on the
product, as opposed to just having clearance and having access
to it.
So something along those lines would facilitate
accountability, because you could have something to take away
from them now if they abuse it, and it restricts the universe
of people that you have to make sure are appropriately trained.
So there is a lot of benefits to it all around.
Mr. Carney. Thank you.
I now recognize the ranking member, my good friend from
Washington, Mr. Reichert.
Mr. Reichert. Thank you, Mr. Chairman.
I just wanted to go back to Mr. Carney's original question,
which was if you do one thing. I want to ask it in just a
little bit of a different way.
What is the biggest hurdle--I have an answer in my mind, in
my experience, but what is the biggest hurdle to overcome in
this whole issue of not sharing information and
overclassifying?
Okay, I will give you a hint at least where I am going with
this. Somebody mentioned the stovepipe thing. And, to me,
really to get more specific, governance, who has control over
the information? Who is the lead person? At the local level in
the sheriff's office, with 38 police departments and the
sheriffs in the county, you know, the battle is over who
controls the server that has the information. And you are
running into that sort of an issue at the Federal level. I am
sure you are.
Mr. Armstrong. I think what we have seen, Mr. Reichert, is
that the leadership of the various departments--that we had the
merger into the Department of Homeland Security and specific
incentives given--direction given to the DNI to begin to break
down the barriers, break down the stovepipes. But it requires
the leadership to do that.
The drift in the bureaucracy is toward safety, is toward
the norm, is toward withholding, is toward not exposing oneself
to criticism. Until and unless someone initiates a test-bed of
a new direction and puts the incentive on making sure that
everyone knows what they need to know, but all of what they
need to know, this will not happen. Things will not change. It
will default back to the old system. I think that is the
problem we are faced with.
Mr. Reichert. Certainly the difficulty is highlighted as
you bring the 22 departments under the one Homeland Security
umbrella. But it even gets more complicated then as you reach
outside to the other agencies that don't report to the homeland
security effort. So I mean it is a huge issue to overcome. Does
anyone have any suggestions?
Mr. Leonard. I would suggest, Mr. Reichert, another major
hurdle is the myriad of information protection regimes that
exist within the Federal Government. There is no individual who
can comprehend and understand all of them, even know of all of
them. While there are efforts under way within the executive
branch to streamline that and what have you, there are still
contributing issues, many of them statutorily based, in terms
of establishing requirements for protecting critical
infrastructure information and things along those lines. What
that results in is it is incomprehensible to me how an
operator, who has decisions to make on a day-to-day basis and
getting information from multiple sources, how they can even
begin to understand what they can and what they can't disclose.
And it can result in paralysis.
Mr. Reichert. It almost seems as though the local agencies
take the lead in this arena. As we in Seattle took a look at
the LInX System spearheaded by the U.S. attorney's office, the
FBI choosing not to participate in that information-sharing
experiment and the U.S. Naval Intelligence then taking the lead
with the U.S. attorney's office, finally after a few years we
have a system in Seattle now that we have partners.
I think one team at a time, one maybe part of the country
at a time coming together, being able to showcase a success,
would you not agree that might be a way to address this issue?
Mr. Agrast?
Mr. Agrast. Yes, I very strongly agree. I think pilot
programs and State experimentation is really a very useful tool
here. When people, as you have heard, are reluctant to change,
I think they need to see success stories. They need to see that
it can work and that there is a better way to do these things.
Mr. Reichert. Ms. Spaulding, you mentioned along the same
lines this cultural change, and several of you have. I really
see that as really the biggest issue, and it is a leadership
concern, you know, from protecting to sharing. Do you have any
ideas on how to really jump-start that?
Ms. Spaulding. Well, the Markle Foundation talks about
creating a culture of distribution. But I think you are right.
That is the most important thing. And, as I said, I think there
are some suggestions in terms of creating--there is already, as
Mr. Leonard pointed out, a huge incentive for classifying
documents. It is career ending if you fail to classify
something that is then disclosed and causes harm to national
security. So there is a huge incentive to classify. It is much
easier to classify a document. It is just a safe bet. And we
have to create incentives for being more careful about that
decision and incentives for creating unclassified documents.
You know, as I said, I have got a number of suggestions for
that in my testimony.
But I do think there are legitimate concerns that present a
stumbling block. You asked about what are some of the major
stumbling blocks. Having the trust that an agency isn't going
to take your information and somehow disrupt your operational
activity, and I am sure you understand exactly what I am
talking about.
Mr. Reichert. Yes, I do.
Ms. Spaulding. And it is a legitimate concern, but it is
also one of the major reasons why we find problems sharing
information, particularly among law enforcement and, you know,
agencies that have the ability to take action or are
undertaking operations. And I saw this in spades when I was at
the intelligence, when I was at CIA, and their relationships
with the other agencies, FBI, Customs, whatever, the concerns
on both sides of that that one or the other would take the
information and run an operation that would mess up what the
other agency had going.
So the challenge there, the solution there it seems to me
has got to be operational coordination. It can't be that you
are allowed to withhold that information, and there I think is
a place where particularly State and locals can provide
excellent models.
Mr. Reichert. Those agencies that have ongoing
investigations, especially with CIs, are very concerned about
sharing information.
My time has expired. Mr. Chairman, I yield back.
Mr. Carney. Thank you, Mr. Reichert.
I will now recognize Mr. Dent from Pennsylvania for 5
minutes, and we will probably do another round. Okay.
Mr. Dent. Thank you, Mr. Chairman.
Ms. Spaulding, you just brought up an issue that I find
interesting, and I wonder if we could talk about this issue.
There are incentives to overclassify right now, but the only
real control over information resides in the classification
realm. Isn't overclassification a natural reaction to
unauthorized disclosure of sensitive but unclassified
materials? There is no punishment for--serious punishment for
releasing sensitive material.
Ms. Spaulding. As I said in my testimony, I think that
overclassification actually contributes to a lack of respect
for the classification mark and therefore actually makes it
harder to protect true national security secrets.
I think overclassification is a detriment to protecting
truly secret information. So I do think that that is also part
of the incentive structure in terms of when you are looking at
leaks is that overclassification does contribute to that kind
of culture as well.
I think in addition to clearly trying to find ways to
identify people who disclose classified information and take
action, firm action against people who disclose classified
information, I think it is important also at all levels of
Government to reinforce the respect for classification
markings.
Mr. Dent. Well, I guess as a follow-up, how can the Federal
Government really balance the need? You know, how do we balance
this need I guess to share information on the one hand, and at
this unclassified level, with the knowledge that somebody
somewhere continues to leak sensitive but unclassified
information? I think that is really the crux of the problem
here.
Ms. Spaulding. My sense is that trying to hold more tightly
to that information within those stovepipes has not been an
effective way of preventing those disclosures. And therefore, I
think, as I said, in addition to trying to use technology to
help us with audit trails to keep track of who is accessing
information, who is printing information, who has access to the
information that might be disclosed and trying to identify
those people and hold them accountable, that it really is
important that we indicate that we have taken more care in
labeling things. So that when they are labeled, whether it is
classified or sensitive, law enforcement sensitive, that in
fact there has been a reasoned determination that could be
upheld as we look at it after the fact that this would harm
national security or homeland security or law enforcement
interests.
Mr. Armstrong. Mr. Dent?
Mr. Dent. Yes.
Mr. Armstrong. After three decades as a journalist in this
town, I have to recognize that there is an information economy,
there is an information currency within secrecy, that every
major agency at every senior level leaks classified
information, controls and manipulates classified information,
and in parallel at other levels, either in other agencies or in
the same agencies, other people speak candidly, but they speak
in terms of things that aren't genuinely secret.
When everything is secret, as Potter Stewart said, nothing
is secret. No one knows what to respect. Most senior officials
have some criteria, make judgments every day, several times a
day, about how to share information that is technically
classified but to get it out in some form that it believes the
public needs to know or their colleagues need to know, without
filing all the forms. It has caused problems from time to time,
but there is an ongoing communication about what those
standards are. And it is possible, particularly in the form
that we are talking about today, to emphasize how to
communicate without damaging the national security. Better to
do it within the system than have it done without the system.
Mr. Dent. I guess you are addressing it, but the question I
have, how do we balance this need to share this information at
the unclassified level with the knowledge that somebody
somewhere continues to leak sensitive but unclassified
information? I guess that is the question. How do you balance
this?
Mr. Agrast. Mr. Dent, one thing I guess I would hope we
would do is have these unclassified markings regulated by
Congress. They have taken on a life of their own. They are so
numerous and so varied, there are so few standards and
safeguards. You know, the classification system, with all its
problems, looks pretty good compared to the pseudo-
classification nonsystem.
So rather than have agencies making ad hoc decisions and
bringing the entire system of controlled information into
disrepute, shouldn't Congress take a look at this
comprehensively and decide whether such categories should exist
at all? Or whether, instead, if information is truly in need of
safeguarding, it ought not to be classified in the first place?
Mr. Dent. Yield back.
Mr. Carney. Thank you, Mr. Dent.
We will start a second round of questions here.
Mr. Armstrong, in your estimation, how effective has DHS
been in producing reports and products at the unclassified
level?
Mr. Armstrong. Well, we read unclassified material when it
is presented by DHS. But, more often, we read the relevant
information when it is put in unclassified form when it is
leaked to DHS because of the form of controls that have been
established that effectively discourage and inhibit candid
communication. The number of inappropriate things that have
happened to try and block contractors or the employees of
contractors in using information in labor disputes, for
example, does not increase respect for the system; and the
difficulty we have had is the difficulty of accountability.
Mr. Leonard administers some degree of accountability
within a classified system, but it is very difficult to do
when, effectively, a department has authority to create all
sorts of constraints on communication that are not necessarily
constraints designed to protect national security; and the
farther we move away from those for the original purpose to
protect sources and methods, to protect short-term objectives
that need to be accomplished, to coordinate at different levels
of our government, and we move into areas where political
control and sensitivity--it seems to us on the outside that the
Secretary of Homeland Security has been virtually unaccountable
to Congress, unaccountable to other agencies and ineffective in
the administration of his mandates.
Mr. Carney. What is the solution to that?
Mr. Armstrong. Well, I don't know what you need to do to
get him here to talk with you, but I think there are issues
that can be addressed about in a public executive session. He
has unbelievably large sets of responsibilities, but at various
levels throughout the Department there are professionals who
would like to do their job properly. I don't believe that they
are getting the leadership. The leadership sometimes emerges
when it is variegated by questions.
The truth--the most important purpose, Woodrow Wilson said,
for Congress is not to pass legislation but to inquire into how
government is effectively being done; and it is that process
that needs to occur and occur more publicly.
Mr. Carney. Thank you.
Mr. Agrast, in your estimation, how much information is
being withheld by DHS and its private contractors that is
unclassified and non-FOIA exempt?
Mr. Agrast. I actually have no idea how much is being
withheld. We have indications that, to the extent there are
standards, they aren't being followed. I will give you one
example, if I may, from my prepared testimony.
The GAO, the Government Accountability Office, issued a
report in June of 2005 evaluating the use of the SSI
designation by the TSA, which is of course a unit of the
Department; and they found significant deficiencies in TSA's
management of SSI information and recommended that the
Secretary direct the Administrator to take a number of remedial
actions.
One is to establish clear guidance and procedures for using
the regulations to determine what constitutes SSI. The second
is to establish clear responsibility for the identification and
designation of information that warrants SSI protection. The
third was to establish internal controls that clearly define
responsibility for monitoring compliance with regulations,
policies and procedures governing the designation process and
to communicate that responsibility throughout TSA. And,
finally, to establish policies and procedures within TSA for
providing specialized training to those making SSI designations
on how information is to be identified and evaluated for
protected status.
Clearly, those recommendations have yet to be implemented
in a proper way; and it is surely within the purview of this
subcommittee to inquire as to the progress that is or is not
being made.
Mr. Carney. How should DHS implement the new control of
unclassified information originating from CUI that Ambassador
McNamara developed? Mr. Agrast, sorry to interrupt your drink
there.
Mr. Agrast. You know, I would have to give more
consideration to how they ought to go about it on an agency
basis. Certainly there are some of these areas that are
interdepartmental in nature, and some of these kinds of
policies and practices require coordination. I am not sure that
a single agency can do it.
Mr. Carney. So you don't think it is something that DHS
could do quickly or necessarily?
Mr. Agrast. Not sure.
Mr. Carney. Ms. Spaulding, do you have any idea?
Ms. Spaulding. Certainly one thing to consider, and
particularly when you are talking about these pseudo-
classifications, is requiring that they be done at a fairly
senior level. Mr. Leonard touched on this both with respect to
classification and pseudo-classification, having people well-
trained and certified with the authority to, you know, put that
stamp on the document. But particularly in this area I think it
would be helpful to move those decisions to a more senior
level.
Mr. Carney. Thank you.
Mr. Reichert, any more questions?
Mr. Reichert. Thank you. I will just make mine pretty quick
here.
Last year, we passed a bill that directed some cooperation
in fighting terrorism, cooperating at the international level,
mostly through technology, those countries like Israel and
Canada and the U.K. and others who have been--Australia--who
have been kind of dealing with this a little longer than we
have, a lot longer in some cases. They have developed some
technologies and some systems. Would you consider that we
should consult these countries who have had this experience in
classifying and unclassifying and overclassification and
pseudo--classification? Should we be looking for leadership
from those other countries? And do you have any information or
knowledge about that occurring now? Anybody.
Mr. Leonard. I don't have any knowledge, direct knowledge
in terms of whether it is occurring or not, Mr. Reichert. But
something along those lines, that definitely has merit, if only
from the perspective of ensuring that we have congruous
systems. Because I know that we do that on the classification
level where we routinely, especially with our close allies and
friendly nations, work to ensure that we have congruous systems
that facilitate the sharing of classified information,
especially when we are in a coalition environment and things
along those lines. So those types of efforts clearly could bear
fruit on the unclassified level.
Now to the extent of whether they are occurring or not, I
really don't know.
Mr. Reichert. Anyone else have--
Mr. Armstrong. Most of the technologies that I think to
which you are referring that would be helpful here are employed
in the business realm already and for different reasons and
with different levels, obviously, of security and devotion to
principles. But we are talking about techniques. The notion of
embedding metadata begins to track intellectual product and the
ability to not only determine where it has gone or how it has
been used or whether it has been appropriately dealt with but
also to automatically begin to alert people to the fact that it
is no longer controlled or it requires additional controls for
an additional reason.
All of those things are present at high levels in certain
business environments, but they are expensive, and the
incentives have to be high. Capitalism tends to find some
degree of incentives. One would think that homeland security
and anti-terrorism measures could find at least as high a
level.
Mr. Reichert. Mr. Agrast, did you have--
Mr. Agrast. Congressman, I think it is an extraordinarily
thoughtful question. There has been a tendency not to look
abroad for answers, and I think that has demonstrated itself to
be a mistake. We don't have to do what other countries do, but
we should at least learn what we can from them.
Mr. Reichert. Yes. Thank you.
One last thought. With this new world of technology and our
soldiers fighting around the world and their access to various
communication devices, cell phones and cameras in their cell
phones and computers, they are communicating back to their
families and friends real-time info on battles occurring or
briefings that are occurring. How do you see that issue being
addressed in the sharing of information that could be critical
to our operations in fighting terrorism?
Mr. Leonard. Well, what I see that is emblematic of a
challenge we always have, and that is we are playing catch-up
to technology all the time, especially from the point of, A,
leveraging it but, B, understanding the ramifications from a
security or vulnerability point of view as well. And then when
we attempt to address it, we usually do it in a hand-fisted
way, which is sometimes analogous to trying to repeal gravity.
So the challenge is to somehow, some way get in front of
that curve all the time and fully understand the capabilities
and the limitations of the technology and try to keep our
policies abreast of it, rather than being in that proverbial
catch-up mode which we seem to be in.
Ms. Spaulding. I don't think there is a technological
solution, whether it is some new technology or shutting down
some of those technology outlets, because you will never get
them all. I think the only solution to that particular issue is
training. I mean, you have simply got to sensitize, you know,
those folks to what they can and should not be sharing and
disclosing publicly. And you will never have perfect success
with that, but it seems to me that trying to attack that, the
basis of technology, is not going to be very successful.
Mr. Reichert. Yeah. You know--one of the experiences I will
share real quick--in the Green River investigation in 1987, the
search warrant to be served on the suspect who we finally
arrested years, years later--we had a meeting on the service of
the search warrant. I was the detective in charge of the search
of this subject's house; and, as I arrived, standing on the
front porch was a reporter from our local newspaper to greet
me. So someone within the meeting immediately shared the
information.
That is really one of the frustrations I think in this
whole thing. You talked about building trust and in those local
agencies and within those agencies within the Federal
Government, too, in having the knowledge that their information
is protected as the investigation is ongoing. The firewalls
that can be built in a system to protect that information is a
huge hurdle I think to overcome and also plays into the
cultural change.
So I appreciate you being here this morning, and thank you
so much for your testimony.
Mr. Carney. Well, I want to thank the witnesses as well for
their invaluable testimony. This truly is an issue that we have
to further explore to shed light on the classification issue.
It is absolutely essential.
The members of the subcommittee will probably have
additional questions for the witnesses, and we ask that you
respond expeditiously in writing.
Hearing no further business, the subcommittee stands
adjourned.
[Whereupon, at 11:15 a.m., the subcommittee was adjourned.]
For the Record
Prepared Opening Statement of the Honorable Jane Harman, Chairman,
Subcommittee on Intelligence, Information sharing, and Terrorism Risk
Assessment
March 22, 2007
Good morning. I'd like to welcome you all to this hearing
on the increasing problems of over-classification and pseudo-
classification and their impact on what is the lifeblood of our
homeland security: effective information sharing with our State, local,
and tribal law enforcement officers.
The United States has had a classification regime in place
for decades: information and intelligence typically falls into one of
three categories: Top Secret, Secret, or Confidential.
Our nation adopted this regime for one reason: to protect
sensitive sources and methods.
Contrary to the practice of some in the federal
Intelligence Community, classified markings are NOT to be used to
protect political turf or to hide embarrassing facts from public view.
Indeed, a recurrent theme throughout the 9/11 Commission's
report was the need to prevent widespread over-classification by the
Federal government. The Commission found that over-classification
interferes with sharing critical information and impedes efficient
responses to threats.
The numbers tell us that we are still not heeding the
Commission's warning.
Eight million new classification actions in 2001 jumped to
14 million new actions in 2005, while the quantity of declassified
pages dropped from 100 million in 2001 to 29 million in 2005.
In fact, some agencies were recently discovered to be
withdrawing archived records from public access and reclassifying them!
Expense is also a problem: $4.5 billion spent on
classification in 2001 increased to $7.1 billion in 2004, while
declassification costs fell from $232 million in 2001 to $48.3 million
in 2004.
In addition, an increasing number of policies to protect
sensitive but unclassified information from a range of Federal agencies
and departments has begun to have a dramatic impact.
At the Federal level, over 28 distinct policies for the
protection of this information exist.
Unlike classified records, moreover, there is no
monitoring of or reporting on the use or impact of protective sensitive
unclassified information markings.
The proliferation of these pseudo-classifications is
interfering with interagency information sharing, increasing the cost
of information security and limiting public access.
Case in point: this document from the Department of
Homeland Security (HOLD UP RADICALIZATION IN THE STATE OF CALIFORNIA
SURVEY).
In a few weeks, I will be leading a field hearing to
Torrance, California, to examine the issues of domestic radicalization
and ``home grown'' terrorism.
This DHS document--a survey on radicalization in the State
of California--is marked ``Unclassified/For Official Use Only.''
On Page 1 in a footnote, the survey states that it cannot
be released ``to the public, the media, or other personnel who do not
have a valid ?need to know' without prior approval of an authorized DHS
official.''
Staff requested and was denied that approval.
Staff also asked for a redacted version of the document so
we could use at least some of its contents at the coming California
hearing. DHS was unable to provide one.
Let me be clear: I'm not denying that there may be
sensitive information included in this survey, but it illustrates my
point: what good is unclassified information about threats to the
homeland if we can't discuss at least some of it at a hearing?
How can we expect DHS and others to engage the public on
important issues like domestic radicalization if we hide the ball?
Unfortunately, this is nothing new. In 1997, the Moynihan
Commission stated that the proliferation of these new designations are
often mistaken for a fourth classification level, causing unclassified
information with these markings to be treated like classified
information.
These continuing trends are an obstacle to information
sharing across the Federal government and with State, local, and tribal
partners--including most especially with our partners in the law
enforcement community.
Unless and until we have a robust intelligence and
information sharing system in place in this country, with a clear and
understandable system of classification, we will be unable to prevent a
terrorist attack on the scale of 9/11 or greater.
That is why this Subcommittee will focus its efforts in
the 110th Congress on improving information sharing with our first
preventers--the men and women of State, local, and tribal law
enforcement who are the ``eyes and ears'' on our front lines.
And it's why we will pay particular attention to the
issues of over-classification and pseudo-classification of
intelligence--and what we can do to ensure that we err on the side of
sharing information.
We'll do this work in the right way--partnering with our
friends in the privacy and civil liberties community who want to
protect America while preserving our cherished rights.
I would like to extend a warm welcome to our witnesses who
will be talking about these issues.
On our first panel, we have assembled an array of experts
who will be testifying about the extent of these problems and where
things are trending.
Our second panel of law enforcement leaders will talk
about how over-classification and pseudo-classification are impacting
their ability to keep our communities safe.
In addition, I hope the witnesses will provide the
Subcommittee with a sense of how we might solve the challenges ahead of
us, with the goal of ensuring the flow of information between the
Federal government and State, local and tribal governments.
Welcome to you all.
Prepared Statement of the Honorable Bennie G. Thompson, Chairman,
Committee on Homeland Security
March 22, 2008
Thank you, Madame Chair, and I join you in welcoming our
distinguished witnesses today to this important hearing on the problem
of over- and pseudo-classification of intelligence.
Information sharing between the Federal government and its
State, local and tribal partners is critical to making America safer.
But we won't get there if all we have is more and more
classification, and more and more security clearances for people who
need access to that classified information.
The focus should be different.
The Federal government instead must do all it can to
produce intelligence products that are unclassified.
Unclassified intelligence information is what our nation's
police officers, first responders, and private sector partners--need
most.
They have told me time and time again that what they DON'T
need is information about intelligence sources and methods.
An officer on patrol in Jackson, Mississippi, or Des
Moines, Iowa, has no use for the name of the person in Afghanistan,
Africa, or elsewhere who provided the information or whether it was
obtained from an intercepted communication.
What he or she wants to know is if the information is
accurate, reliable and timely.
If so, police chiefs and sheriffs can use it to drive
their daily operations--especially when it comes to deciding where to
put their people to help prevent attacks.
That's what intelligence is all about: if it can't tell an
officer on the beat what to prepare for and how, what good is it?
Over-classification and pseudo-classification are nothing
new, but 9/11 has made these problems worse.
It's my understanding that security concerns after the
September 11th attacks prompted some agencies and departments to shield
whole new categories of information with Confidential, Secret or Top
Secret markings.
What might have started as a noble intention to protect
the homeland has broken down into a system of often excessive, abusive
and/or politically motivated classification decisions.
It's time to fix things.
This hearing will be the first of several on over- and
pseudo-classification and will help us get a handle on the scope of the
problem.
I hope each of the witnesses will be forthcoming in their
assessments of these issues and how we can help.
Welcome to you all. I look forward to your testimony.
