The world has changed dramatically during the last few years, with profound implications for our society, our government, and the Defense and Intelligence Communities. Our understanding of the range of issues that impact national security is evolving. Economic and environmental issues are of increasing concern and compete with traditional political and military issues for resources and attention. Technologies, from those used to create nuclear weapons to those that interconnect our computers, are proliferating. The implications and impacts of these technologies must be assessed. There is wide recognition that the security policies, practices, and procedures developed during the Cold War must be changed. Even without the end of the Cold War, it is clear that our security system has reached unacceptable levels of inefficiency, inequity, and cost. This nation must develop a new security system that can meet the emerging challenges we face in the last years of this century and the first years of the next.
With these imperatives in mind, the Joint Security Commission has focused its attention on the processes used to formulate and implement security policies in the Department of Defense and the Intelligence Community. In reviewing all aspects of security, the Commission has been guided by four principles:
o Our security policies and services must realistically match the threats we face. The processes we use to formulate policies and deliver services must be sufficiently flexible to facilitate change as the threat evolves.
o Our security policies and practices must be more consistent and coherent, thereby reducing inefficiencies and enabling us to allocate scarce resources effectively.
o Our security standards and procedures must result in the fair and equitable treatment of those upon whom we rely to guard the nation's security.
o Our security policies, practices, and procedures must provide the needed security at a price the nation can afford.
The recommendations of the Commission, presented in detail in this report, fall mainly into three categories:
(1) recommendations that will maintain and hopefully enhance security, but at a lower cost by avoiding duplication and increasing efficiency;
(2) recommendations that will reduce current levels of security but in accordance with risk management principles based on a changing threat; and
(3) recommendations that will create new processes to formulate and oversee security policy governmentwide.
In a very few cases-most notably concerning personnel security and information systems security-the Commission is recommending additional security requirements that will increase costs. The Commission's recommendations also include changes that are revenue neutral but will make the security system both more rational and inherently more fair. Although the Commission is recommending certain specific changes, the primary concern of the Commission is to create new and flexible processes that will adjust security policies, practices, and procedures to achieve our stated goals as the political, economic, and military realities evolve.
In the past, most security decisions have been linked one way or another to assumptions about threats. These assumptions frequently postulated an all-knowing, highly competent enemy. Against this danger, we have striven to avoid security risks by maximizing our defenses and minimizing our vulnerabilities. Today's threats are more diffuse, multifaceted, and dynamic. We also know that some vulnerabilities can never be eliminated fully nor would the costs and benefits warrant trying. While the Commission recognizes that the consequences of some security failures are exceptionally dire and require exceptional protection measures, in most cases it is possible to balance the risk of loss or damage of disclosure against the costs of countermeasures. We can then select a mix that provides adequate protection without excessive cost in dollars and without impeding the efficient flow of information to those who require ready access to it. The Commission believes that the nation must develop a security framework that will provide a rational, cost-effective, flexible set of policies, practices, and procedures. This framework must use a risk management approach that considers actual threats, inherent vulnerabilities, and the availability and costs of countermeasures as the underlying basis for making security decisions.
Risk management requires evaluating the resource impact of proposed changes in security policies and standards. This is practically impossible with today's accounting systems because they are not designed to collect security cost data. The Commission believes that establishing a system to capture security costs is crucial to effective streamlining and cost reduction. Therefore, we have recommended the creation of a uniform cost-accounting methodology and tracking system for security resources expended by the Department of Defense, the Intelligence Community, and supporting industry.
The Commission believes two areas require particular attention. First, personnel security lies at the very heart of our security system. No amount of physical, information systems, or procedural security will be sufficient if we cannot ensure the trustworthiness of those who must deal with sensitive and classified information. Grave damage has been caused to the United States by current or former employees and contractors of the government who decided to become spies for our adversaries. Therefore, the Commission believes that renewed efforts must be made to strengthen our personnel security system. The Commission also recognizes the necessity for enhancing the training we provide security officers, managers, and workers in the importance of security and of their roles in protecting the nation's information assets.
The processes we use to clear personnel in the Defense and Intelligence Communities vary widely from agency to agency. Different standards are applied by different agencies; clearances are not readily transferable; and the time to grant a clearance ranges from a few weeks in one agency to months in others. Accordingly, we recommend common standards for adjudications and a joint investigative service to standardize background investigations and thus take advantage of economies of scale.
Second, information systems security requires increased attention. Productivity is, in today's world, directly related to information systems and their connectivity. The Defense and Intelligence Communities are increasingly dependent on information systems in performing their complex missions on behalf of the nation. Information systems technology is, however, evolving at a faster rate than information systems security technology. Overcoming the resulting gap will require careful threat assessments, well-thought-out investment strategies, sufficient funding, and management attention if our computers and networks are to protect the confidentiality, integrity, and availability of our classified and unclassified information assets.
The Commission believes that a systems approach is necessary in making decisions about the application of security countermeasures. By placing all the responsibility for security on each of the security disciplines, we have created requirements for multiple layers of security that add little value. This is particularly apparent in physical security, where classified documents may be stored in locked containers inside locked strong rooms within secure buildings in fenced facilities patrolled by armed guards-overkill even at the height of the Cold War, much less in today's security environment. A risk-managed systems approach would tailor countermeasures to threat and should result in significant savings that could be applied to improving personnel and information systems security, or to maintaining or improving other areas directly related to successful performance of defense and intelligence missions.
Nowhere will the payoff from improving our security policies, practices, and procedures be higher than in the industrial base supporting the Defense and Intelligence Communities. Our current practices subject industry to a bewildering array of requirements that are compliance-based, inconsistent, and often contradictory. Security requirements imposed on industry far exceed the requirements used by government agencies and organizations to protect the same information. While some budgetary and proprietary information must be withheld from some contractors in order to preserve competition, the Commission has found little reason to treat industry differently from government for security purposes. We must create a partnership between government and industry to enhance security, leaving adversarial roles behind. The Commission also believes that our security policies must not unnecessarily discourage foreign investment in American companies nor unduly burden our industrial base in competing for a larger share of the world's markets.
Central to the Commission's recommendations is the immediate formation of a single organization-a security executive committee chaired by the Secretary of Defense (or his designee) and the Director of Central Intelligence-responsible for the creation of security policies and overseeing the coherent implementation of those policies across the Defense and Intelligence Communities. This committee would not, of course, supplant the existing statutory authorities of the Secretary of Defense and the Director of Central Intelligence, including the latter's responsibility to protect sources and methods. This committee would, however, replace numerous existing fora that today independently develop security policies and procedures that are often inconsistent and are sometimes contradictory. A single source for security policies should result in reciprocity with consequential reductions in cost and improvements in efficiency. Although it is outside the scope of our charter, the Commission also believes that this committee should, in the very near future, be expanded by the addition of representatives from other government departments and agencies and given the responsibility to formulate governmentwide security policies. The committee, which should report to the National Security Council, should oversee the security system and have an outside advisory panel of distinguished Americans to ensure that industry, academia, and public interest groups have a voice in the formulation of security policies.
To facilitate the formulation, implementation, and oversight of security policies, practices, and procedures, the Commission proposes a radical new classification system that greatly simplifies the current system and eliminates the subjectivity inherent in it. The Commission worked closely with the Task Force revising Executive Order 12356 on National Security Information in analyzing possible changes and their impacts, and determined that a single level of classification with two degrees of protection should be adopted. Most classified information would be protected using a coherent set of personnel, physical, information systems, and procedural security standards and would be based on discretionary need-to-know as currently practiced for Confidential and Secret materials. Highly sensitive information, such as that protected at the Top Secret, Sensitive Compartmented Information, or Special Access Program levels today, would be protected by using a more stringent set of standards and would be based on centrally managed need-to-know determinations. Application of this system will be founded on risk management rather than complete avoidance of all risk and would concentrate on security as a service to our communities in place of the compliance-based, punitive approach in use today.
The Joint Security Commission is pleased to present its recommendations for the creation of an improved process for the formulation, management, and oversight of security policies, practices, and procedures. We believe that implementation of this process and the coherent application of its results should ensure that security countermeasures are chosen to match the evolving threat and that inefficiencies and costs are minimized. The resulting security system would treat people fairly and provide a balanced mix of security needed to protect our information assets, facilities, personnel, and our nation's interests.
JOINT SECURITY COMMISSION
Commissioners: Jeffrey H. Smith, Chairman
Duane P. Andrews
J. Robert Burnett
Ann Caracristi
Antonia H. Chayes
Anthony A. Lapham
Nina J. Stewart
Richard F. Stolz
Harry A. Volz
Larry D. Welch
Staff: Dan J. Ryan, Executive Secretary, CIA
John T. Elliff, Deputy Executive Secretary, DoD
Marisa Barthel, CIA
John E. Bloodsworth, CIA
Sheila Brand, NSA
Edmund Cohen, CIA
Rene Davis-Harding, DoD
Lee A. Falcon, DoD
Mary Griggs, DoD
Helmut H. Hawkins, DoD
Dan L. Jacobson, DoD
Richard P. Nyren, Jr., DoD
Maria N. O'Connor, NSA
Michael D. Reynolds, CIA
Martin E. Strones, DoE
Jim Sullivan, CIA
Annette B. Swider, CIA
Larry D. Wilcher, DoE
Secretarial and Clerical Support:
Barbara Deve CIA
Josephine Harrison, CIA
Betty L. Richman, CIA