Chapter 6. Protecting Advanced Technology With the end of the Cold War and facing new challenges to US economic competitiveness, policymakers are focusing on the threat from foreign government and nongovernment entities to US advanced technologies, defense-related industries, proprietary data, intellectual property rights, and trade secrets. The increased value of US technical information necessitates balancing national policy objectives and the importance of sharing information with the need to protect our leading edge technologies. Highest priority is given to limiting the proliferation of weapons of mass destruction and advanced conventional weapons. Counterproliferation and nonproliferation policies range from diplomacy and export control regimes to the development of new weapon systems and tactics to counter advanced foreign systems on the battlefield. Negotiating and implementing a new international export-control framework is a complex task, and bringing consistency and coherence to US export-control policy requires the resolution of sharply conflicting interests. Both require an overall strategic direction that is beyond the Commission's mandate. The Commission has focused on a smaller segment of the counterproliferation policy spectrum, specifically the policies and procedures regarding foreign ownership or control of industrial firms performing classified contracts, military exchanges with foreign governments, and national disclosure of classified information to permit export and coproduction of classified weapon systems. The risk in each of these situations is that foreign entities will exploit the relationship in ways that do not serve our overall national goals of preserving our technological advantages and curtailing proliferation. These goals generally include keeping certain nations from obtaining the technical capabilities to develop and produce advanced weapon systems and from acquiring the ability to counter advanced US weapon systems. In cases where US national interests require the sharing of some of our capabilities with foreign governments, security safeguards must ensure that foreign disclosures do not go beyond their authorized scope. Safeguards must also be tailored to new proliferation threats and applied effectively to the authorization of foreign investment in classified defense industry and the granting of access by foreign representatives to our classified facilities and information. The Commission notes an additional area that is beyond the scope of this report but merits further attention. This issue is the need to update counterproliferation guidelines for prepublication review of reports of scientific and technical research funded by the government. Such matters involve the delicate balance between our paramount national commitment to an open scientific community and the imperative to control the spread of weapons of mass destruction by limiting access to unclassified but high-risk data. Improved protection of classified technology, as proposed by the Commission, is only one part of the comprehensive counterproliferation program that our nation requires. Foreign Ownership, Control, and Influence A basic tenet of our industrial security policy is that business firms engaged in classified government work should be controlled by persons who can be trusted to safeguard classified information. DoD policy, for example, requires that any company bidding on classified contracts must hold a facility security clearance issued by the government. The DoD also requires that the firm should not be subject to undue control or influence by foreign investors. When a foreign investor buys or otherwise acquires influence over a US company, the retention or initial issuance of a facility clearance is dependent upon a favorable Foreign Ownership, Control, and Influence (FOCI) determination. During the Cold War, regulatory policies governing FOCI determinations ranged from total risk avoidance to risk acceptance. For example, FOCI policy prohibited Soviet and other Communist countries from having a financial interest in, or otherwise influencing, US companies. However, with respect to non-Communist countries, especially our allies, special procedures were developed to mitigate FOCI in order to permit foreign investment without compromising classified information. Until 1992, there was a growing effort to accommodate the desires of foreign investors so as to encourage the infusion of capital and the development of joint projects to exploit technologies and markets to the benefit of both US companies and their foreign investors. A controversy arose in 1992 when a foreign firm that was majority owned and controlled by a foreign government sought to acquire a leading US defense company performing work in support of highly classified programs. Questions were raised about the sufficiency of traditional FOCI security arrangements (generally legal instruments to insulate US managers and workers from foreign owners or limit the scope of classified contracting)21 to protect classified leading edge technology from foreign exploitation. The case triggered a DoD and Congressional review of FOCI policy and reflected a growing concern over foreign economic espionage aimed at advanced US technology. As a result, the DoD drafted a proposed new FOCI policy, but the proposal proved controversial and was shelved, waiting in part for the recommendations of this Commission. Congress also enacted legislation in 1992 barring foreign government-controlled companies from acquiring US companies engaged in classified contracts unless the transaction is approved in accordance with the Exxon-Florio Amendment (Footnote 22). The Commission supports foreign investment in the US defense industry base but believes that FOCI policy should ensure that foreign firms cannot undermine US security and export controls to gain unauthorized access to critical technology. Essential to a sound policy is current intelligence, counterintelligence, and law enforcement information on attempts by foreign governments and commercial interests to obtain such access. This requires a closer relationship between the industrial security programs and the Intelligence Community. The Commission found that policymakers do not always have the information necessary to make sound and timely FOCI decisions. Comprehensive counterintelligence or intelligence information as to ultimate ownership, much less control or influence, is not centrally collected, analyzed, and made available to FOCI decision makers. The absence of a centralized FOCI decision data base also limits the flow of information and slows FOCI determinations. Legal review of contract documents enunciating security provisions to isolate FOCI is performed by the CIA, the DoE, and the DoD. However, within the DoD, FOCI contract documents are not consistently submitted for review by experts in the DoD's Office of General Counsel. The Commission also found that there is no coherent national policy on FOCI. When foreign investment is sought in US industries that work with the Defense and Intelligence Communities, FOCI decisions are independently made by the DoD, the DoE, and the CIA. Each has its own procedures for developing and evaluating available threat information, devising an acceptable security arrangement, and monitoring compliance. For example, DoD FOCI determinations are made on a company by company basis whereas the CIA's determination is on a procurement by procurement basis. Moreover, an agreement such as the DoD's Special Security Agreement (SSA), is not acceptable to the CIA and the DoE because the SSA allows the foreign investor to exercise considerable management control over the US company. The CIA believes this approach does not totally negate FOCI-related security problems. Thus, a major US firm with multiple contracts sponsored by the DoD, the DoE, and the CIA may be subject to more than one FOCI arrangement. The lack of a common FOCI policy contributes to a lack of reciprocity among government agencies and may also place certain companies at a competitive disadvantage. For example, the CIA judged one company a significant FOCI risk, but this did not stop the NSA from letting an unclassified but sensitive contract with that same firm. Although a common FOCI policy is being considered by the DoD, the DoE, the CIA and industry, there is no coordinating mechanism to ensure that the policy will be implemented, uniformly applied, and enforced. The Commission recognizes that foreign investment can play an important role in maintaining the vitality of the defense industrial base. The existing FOCI policies and the political climate since the 1992 controversy have discouraged foreign investment. However, as a matter of policy, DoD has a number of programs to encourage cooperative international R&D and procurement with our allies to spread the burden of increasing costs and decreasing defense budgets. The Commission encourages these efforts and believes that FOCI policy should not undermine them. The Commission also believes that "buy American" provisions, which preclude foreign firms from competing for US government contracts, must be used only when US national security interests would truly be threatened by foreign participation. "Buy American" restrictions should never be used for protectionist purposes. Finally, the Commission notes that international defense trade is increasing and that measures taken by the United States can invite retaliatory action by other nations that would harm US economic and security interests. The Commission believes that the security executive committee should, as a key priority, develop a policy and a mechanism to balance these competing interests. The policy should be based on a risk management approach that permits departments and agencies to tailor the measures that are needed in an individual transaction. Rigid structures that inhibit foreign investment should be avoided. Recommendation 56 The Commission recommends that a coordinated FOCI policy be developed by the security executive committee. Foreign Exchange Agreements-The Status Quo Our foreign economic competitors focus a considerable amount of their collection efforts on United States leading edge technology and defense-related industry. Information is obtained both overtly and covertly. Foreign liaison and cooperative exchange programs, such as the Defense Development Exchange Program (DDEP) and the Personnel Exchange Program (PEP),23 allow the United States to exchange information concerning military, technical, or scientific data; weapons; weapon systems; or operational concepts with its allies. However, the Commission has come to believe that the United States is losing more than it is gaining through participation in many foreign exchange agreements. These programs, designed to better marshal the technological capabilities of the United States and its allies, as well as to reduce costs, have also served as vehicles for covert exploitation of our most sensitive technologies. Foreign governments frequently stretch the boundaries of intergovernmental program relationships with aggressive, persistent, and coordinated efforts to gain access to nonreleasable technological data that they can use to further economic competition with the United States. This can be accomplished through international data exchange programs, which have grown tremendously over the past 30 years as more and more industrial countries seek advanced US technologies. There are approximately 750 DoD-wide agreements, with over 310 data exchange agreements in one military service alone. Foreign liaison officers working within key DoD organizations can gain knowledge and invaluable insight into US leading-edge technology programs under development. Within one military service, approximately 118 foreign military personnel from 19 countries work under the Personnel Exchange Program; 43 foreign scientists or engineers from 6 countries work within its research and development facilities; and 172 foreign liaison officers officially representing 22 countries are integrated within various other service elements. Often, foreign governments use this insider knowledge to target and pursue technical information early in a major acquisition systems life cycle and then work against civilian targets, such as DoD contractors and university scientists engaged in defense work. Foreign liaison officers can also exploit their official status to gain "back door" access to special access program technologies: On several occasions, when a foreign liaison officer's request for sensitive technical information was denied by one military command, the same request would surface through another foreign liaison officer at another command. In one instance, the second request occurred within one day of the first denial. Critics of the Defense Development Exchange Program maintain that the program has become a one-way street for foreign governments to funnel United States advanced technology overseas, while providing comparatively little of value to the United States in return. A US Army Intelligence study (Footnote 24) found that valuable classified and unclassified underlying technologies in many advanced weapon systems not authorized for release are being lost to foreign governments through the Defense Development Exchange Program. These losses may eventually compromise our weapon systems and erode our technological superiority on the battlefield, or at the very least, provide advanced technology to US economic competitors. Recommendation 57 The Commission recommends that the Secretary of Defense review existing data exchange programs, using updated threat information, to determine whether the programs should be continued, canceled, or renegotiated to ensure they are in concert with current US national security and economic goals. Threat Analysis-Vital to Protecting Advanced Technology The Commission recognizes the gravity of having leading-edge technology and weapons in the hands of foreign adversaries. However, the foreign exchange approval authorities of the military services generally make their determinations within the acquisition or international programs community and without participation by security, intelligence and counterintelligence elements. Moreover, these authorities often do not ascertain the impact of proposed technology releases on the security of related future weapons or weapon support systems. Intelligence and counterintelligence support elements can assist in devising the most effective course of action to deny foreign collection efforts. Threat information is available through the DCI's Nonproliferation Center, the DIA's National Military Intelligence Production Center, and the CIA's Directorate of Intelligence. The Commission's proposed interagency counterintelligence "one-stop shopping" effort will also provide a focal point for obtaining threat information needed for national level security policies. For most organizations below headquarters level, however, the need is for information on the local threat to technologies under development or to critical facilities, rather than information pertaining to the broad national threat. Field organizations maintain that, to be of value, threat assessments must specify the foreign entity involved, identify what programs or systems it is targeting, and identify the specific areas of the country in which adversaries are operating. As a first step in meeting the local need, the DoD should modernize its counterintelligence collection and reporting system to speed the flow and improve the quality of both raw and finished counterintelligence products into a pull-down data base network. Counterintelligence elements should then work in daily partnership with field elements to explain the issues associated with protecting particular systems, provide practical local solutions, and serve as a valuable feedback mechanism in the total security process. The Commission believes the military services' counterintelligence elements must work closely with the FBI with these concerns in mind, so as to ensure a seamless, integrated capability and a consolidated FBI, DoD, and defense industry network against economic espionage. Recommendation 58 The Commission recommends that the Secretary of Defense direct that comprehensive, coordinated threat analysis, intelligence, and counterintelligence support be provided to facilitate risk management for DoD critical technologies, systems, information, and facilities. The National Disclosure Policy The National Disclosure Policy (NDP),25 established under a Presidential directive, provides the framework for approval or denial of disclosure of classified military information to foreign governments and international organizations. It also governs the export of classified military articles and unclassified military articles with embedded classified components. The Secretaries of the military departments have been delegated authority to render decisions with respect to disclosure of their information to the governments of most countries with which the United States has mutual defense arrangements. In the case of other countries an exception to policy is usually required. Exceptions to policy may be approved when it is determined that the proposed export or disclosure will result in benefits to the US Government that outweigh the damage that might accrue to US foreign policy, national defense, or military operational interests if the system or its underlying technology should be compromised. The Commission notes that the National Disclosure Policy Committee (NDPC), chaired by the DoD, coordinates foreign release policy and government-to-government agreements. Exceptions to the National Disclosure Policy receive senior-level review within the DoD as coordinated by the NDPC. However, most routine release decisions are made by field elements under authority delegated by the Secretaries of the military departments. This decentralized execution leads to different interpretations as to what is releasable within the broad outlines of the NDP and consequently, different actual release decisions. Moreover, the Commission found that specific senior-level review decisions have not always been communicated to the midlevel acquisition or international program officials within the military services, who over the years have made the day-to-day disclosure decisions under specific data exchange agreements. A lack of understanding of the foreign disclosure process by less-senior individuals, combined with the absence of current threat assessments and an automated DoD data exchange process, prevents effective and consistent execution by elements involved throughout the DoD and the military services. Recommendation 59 The Commission recommends that the Secretary of Defense: a) Centralize responsibility for coordinating and overseeing all foreign exchange programs and issues at a senior level. b) Improve and modernize the National Disclosure Policy process to ensure that senior-level disclosure decisions are readily available through a centralized, dynamic, interactive computer-driven mechanism. Recording Foreign Disclosure Decisions The Commission commends the DoD for creating the Foreign Disclosure and Technical Information System (FORDTIS) data base to house decisions of foreign release determinations and exceptions to foreign disclosure policy, technology transfers, and official foreign visits. The Commission supports the DoD's ongoing expansion of FORDTIS to military warfighting elements, such as US combatant commanders, to aid in determining specific classified and unclassified technologies or weapon systems that are releasable to foreign coalition partners. However, the Commission believes that the critical foreign exchange information contained in the FORDTIS data base should be updated and made available to more DoD consumers to aid them in analyzing, programming, and planning activities. Counterintelligence elements, in particular, should use the FORDTIS data base in determining the current status of releases of US technologies and systems. Recommendation 60 The Commission recommends that the Secretary of Defense: a) Expand access to the Foreign Disclosure and Technical Information System (FORDTIS) data base to command and other DoD consumers to support defense planning, programming, resourcing, analysis, and information-sharing activities. b) Ensure counterintelligence elements cross-check critical systems or technologies against the Foreign Disclosure and Technical Information System (FORDTIS) data base to determine: 1) the extent to which baseline technologies on each system have been released to foreign nations, and; 2) the vulnerabilities posed to current or future weapons or weapons support systems if exchanges continue under the applicable Defense Development Exchange Program agreements.