Information Sharing and Protection:
A Seamless Framework or Patchwork Quilt?

Remarks of J. William Leonard
Director, Information Security Oversight Office (ISOO)
at the
National Classification Management Society's (NCMS)
Annual Training Seminar,
Salt Lake City, Utah

June 12, 2003

Our Nation and its Government are, of course, profoundly different in a post-9/11 world. Our citizens' sense of vulnerability has increased, as have their expectations of the Federal Government to keep them safe. In each situation, information is crucial. On the one hand, Americans are concerned that information may be exploited by our country's adversaries to harm us. On the other hand, impediments to information sharing among Federal agencies and with state, local and private entities need to be overcome in the interests of homeland security. Even more so, the free flow of information is essential if citizens are to be informed and if they are to be successful in holding the Government and its leaders accountable. In many regards, the Federal Government is confronted with the twin imperatives of information sharing and information protection - two responsibilities that contain inherent tension but are not necessarily incompatible.

Thus, we find ourselves today at a crucial moment in the development and implementation of Federal Government policy with respect to issues such as the protection and sharing of information. In some regards, what exists today can be seen as a series of bureaucratic fiefdoms, a veritable "patchwork quilt," that has come about as a consequence of a hodgepodge of laws, regulations and directives with respect to how the Federal Government handles and discloses information. In this vein, we are currently confronted with a unique opportunity. We can either continue, and quite possibly, add to the various seams in our information protection and disclosure regimes, or we can take the initiative and begin the process to develop and implement a seamless and congruous system for protecting and sharing all types of information, both classified and unclassified.

In reviewing our options, I believe it is important to distinguish between "disclosure" regimes, "protection" regimes, and those regimes that strive to accomplish both. Disclosure regimes attempt to limit the availability of information and may impose access requirements (e.g., the various export control regimes that require export licenses or other authorizations prior to the disclosure of certain controlled information to foreign persons). Protection regimes implement safeguarding standards (e.g., information may be releasable to the public but the information's integrity must still be protected pursuant to the Computer Security Act of 1987 while it is contained in a Federal computer system). Finally, there are those regimes that not only limit disclosure but also implement handling and safeguarding standards (e.g., the classification regimes that not only have safes, alarms, information system accreditation and approval, encrypted transmission, etc., but also establish security clearance standards).

In the unclassified arena, we are confronted with dozens of laws that restrict the disclosure of certain types of unclassified information. These include everything from the control of arms exports (which includes certain scientific and technical information) to the confidentiality of patient records and the prevention of interference with civil service examinations. The latest of the laws in this area was included in the Homeland Security Act of 2002, which created the category of Critical Infrastructure Information (CII). This same act called for the development and implementation of procedures for the identification, safeguarding and sharing of homeland security information that is sensitive but unclassified.

In addition to categories of certain unclassified information specified by law as requiring controls on its dissemination - commonly known as falling within the Freedom of Information Act's b(3) exemption - that statute also provides for eight additional types of information that are exempt from public disclosure. Some are rather specific (e.g., classified information or data concerning wells). Others are rather vague (e.g., internal personnel rules and practices of an agency). In any event, the underlying premise of the Freedom of Information Act (FOIA) is that unless information is specifically exempt, information held by Federal agencies is subject to public disclosure. However, it is important to note that being subject to public disclosure does not mean that the information does not require safeguarding, if only to preserve its integrity and availability.

Nonetheless, protection or safeguarding regimes are often confused with disclosure regimes. For example, the Computer Security Act of 1987 states that "… improving the security and privacy of sensitive information in Federal computer systems is in the public interest…" Since this law specifically limited "sensitive" information to information that was not classified, some say, in effect, that it serves as the veritable definition of "sensitive but unclassified" information. However, it is important to note that the Computer Security Act included specific provisions saying it was not authority to withhold information sought pursuant to the FOIA. Even more so, the concept of sensitive information in the Computer Security Act of 1987 - which envisioned computer security as an adjunct to system design and operation and used the concept of sensitive information as a criterion for establishing minimum acceptable security practices - has outlived its usefulness in the information age. As any owner of a home PC can attest, there is no such thing today as computers that we are concerned about from a security point of view and those that we are not. As set forth in subsequent congressional language, every Federal computer system must have security designed into it, regardless of its content.

Both outside and within Government, confusion abounds with respect to the multitude of disclosure and safeguarding regimes for unclassified information. For certain information, there are limitations on disclosure but no protection standards. For other information, there may exist protection standards but no limitations on disclosure. In any event, when requirements for new regimes are set forth and new standards are promulgated, very rarely, if ever, is recognition made of what already exists. This can result in overlapping or inconsistent rules or applications. It also results in the continuation of numerous regimes, many of which date back to the Cold War era and which have never been revalidated or revised as a consequence of the new environment in which our Nation finds itself. It can also result in incongruous standards. For example, should a Federal employee disclose certain unclassified information - specifically Critical Infrastructure Information - in an unauthorized manner, that individual now is subject to criminal sanctions under Section 214(f) of the Homeland Security Act. At the same time, an unauthorized disclosure of certain types of classified information by that same employee would not necessarily be subject to criminal sanctions. The reason for such disparity is not readily apparent.

Things are not much better in the classified realm. One of the great fallacies is the belief that the Federal Government uses a three-tier classification process - TOP SECRET, SECRET and CONFIDENTIAL. In reality, the Federal Government has so many varieties of classification that it can make Heinz look modest in the number of varieties it offers.

First, of course, there is national security information classified pursuant to Executive Order 12958, as amended. Then there is information under the purview of the Department of Energy requiring protection pursuant to the Atomic Energy Act of 1954, as amended. In addition, there is information relating to the protection of intelligence sources and methods, which is under the purview of the Director of Central Intelligence. While these are the "big three" regimes that utilize classification levels and categories, it does not end there. The National Security Agency, for example, is responsible for matters relating to the protection and dissemination of signals intelligence information as well as communications security information. In addition, the Defense Department serves as the United States Security Authority for NATO and as such promulgates Government-wide requirements for the protection of NATO classified information within the United States. The list goes on.

The above results in what I refer to as different "flavors" of classification. Each "flavor" carries its own protection and disclosure standards. These differing standards are usually not better or worse than comparable standards - they are just different. In fact, the difference is more often than not one of nuance rather than substance. Yet, it is these nuances that can serve as significant impediments to information sharing, especially in the networking of information systems.

Let me give you one example. Several years ago, this Nation engaged in armed conflict in Kosovo in the Balkans. American Service members were placed in harm's way in the discharge of what in essence was a NATO operation. Since this was a NATO campaign, much of the information generated, such as Air Tasking Orders (ATOs) and the like, was often considered to be NATO classified information. Normally, such information would be transmitted on the backbone of the Pentagon's command and control system, a secure computer network known as the SIPRNET. However, the SIPRNET was accredited to transmit U.S. classified national security information, not NATO classified information. Clearly, if the SIPRNET was secure enough to transmit U.S. military classified information, it should be secure enough to transmit NATO classified information, especially since more often than not, the information in question originated with one U.S. unit and was being transmitted to another U.S. unit. However, since NATO requirements were "different" - not better or worse but just different - many U.S. units were prohibited from using the existing secure network and had to employ work-around procedures. In the final analysis, these work-around procedures were no more secure, and quite possibly less secure, and even more importantly, potentially delayed information from being shared in a timely manner.

I use the above not to single out U.S. procedures for NATO classified information from several years ago but to give just one example of the numerous impediments that continue to persist in the sharing of classified information not only between Federal agencies and with other non-Federal elements but even within single Federal agencies. This is especially so when information is introduced into information systems that are accredited and approved by different authorities using different standards. It is no wonder that Government computer systems have such a difficult time "talking" to each other.

So, where does this leave us? Even without the events of 9/11, information sharing and protection would be one of the significant imperatives facing the Federal Government today. Our ability to share and leverage information is the source of American power and might in the 21st century. It is the source of our economic strength. Our military power, our intelligence and law enforcement prowess, and our technological research and development superiority are highly dependent upon effective information sharing that entails taking vast amounts of information from disparate sources and synthesizing it in timely and unprecedented ways. Whether on the battlefield, in the analyst's or criminal investigator's office, or in the laboratory, it is the innovative application of information in heretofore unfathomable ways that provides our Nation the decisive edge in undertakings such as the global war on terrorism.

I firmly believe that never before have we had such a clear and demonstrable need for a seamless process for sharing and protecting information, regardless of classification. Yet, in many ways, we are not only continuing the current "patchwork quilt," but we are quite possibly adding new seams every day. And these seams not only can serve as impediments to information sharing, they can also develop into the tears in the fabric through which information that requires protection may slip, as well intentioned individuals use work-around procedures in order to get the job done.

The above is as much, if not more of, a cultural issue than a policy or technology issue. However, changes in policy and the employment of the latest technology can help drive the needed cultural changes required to achieve a more seamless framework.

So what needs to be done? In the classified arena the challenges are many and, from my personal perspective, include:

While the challenges confronting us in the classified world are significant, in some ways they are exceeded by those in the unclassified arena. Again, from my personal perspective, these include:

What would be the essential elements of such a framework? Drawing analogies with the current classification system for national security information that, despite its imperfections, is well understood and predictable, I personally believe that such a framework should include:

I would like to emphasize that I am not advocating the creation of a new classification system to cover the ephemeral universe of information often referred to as sensitive but unclassified information. Rather, I am acknowledging that the reality of controls on the dissemination of certain unclassified information has been with us for decades. As such, and especially in light of today's environment, the controls in this area require standardization and consistency and need to be narrowly drawn so as to address the impulse to "play it safe" and needlessly restrict the dissemination of information. They also require informed public debate with respect to what information is included in such a system and what is excluded.

In closing, I take note of the theme of your seminar this year, Preserving our Past - Protecting our Future. In large part, it describes the mission of ISOO, so I took particular interest in your outstanding program this year. Your theme also reflects the nature of some of the challenges we are confronting today as a Nation. However, just as the generations who have preceded us effectively dealt with the daunting challenges with which they were confronted, I am confident that today's Americans, and in particular the NCMS membership, will succeed in meeting the current challenges of information sharing and protection in a post-9/11 environment. I am also confident that in dealing with these challenges, we will emerge stronger, more united, and as committed to our fundamental democratic principles as ever.

Source: ISOO