SECRECY NEWS
from the FAS Project on Government Secrecy
Volume 2015, Issue No. 2
January 12, 2015

Secrecy News Blog: http://fas.org/blogs/secrecy/

"INSIDER THREAT" PROGRAM LAGS BEHIND SCHEDULE

The government-wide effort to contain the threat to classified information and sensitive facilities from trusted insiders is falling behind schedule.

Currently, the anticipated achievement of an Initial Operating Capability for insider threat detection by January 2017 is "at risk," according to a new quarterly progress report. Meanwhile, the date for achieving a Full Operating Capability cannot even be projected. See "Insider Threat and Security Clearance Reform, FY2014, Quarter 4."

One aspect of the insider threat program is "continuous evaluation" (CE), which refers to the ongoing review of background information concerning cleared persons in order to ensure that they remain eligible for access to classified information and to provide prompt notice of any anomalous behavior.

The Office of the Director of National Intelligence was supposed to achieve "an initial CE capability for the most sensitive TS [Top Secret] and TS/SCI population" by December 2014. The quarterly report on the Insider Threat program noted that this milestone is "at risk." In fact, it was missed.

"We did not meet" the December 2014 milestone for an initial CE capability, confirmed ODNI spokesman Eugene Barlow, though he said that "we've made considerable progress" in the Insider Threat program overall.

Nor has a revised milestone date for the initial CE capability been set, he added. But "we continue to aggressively push forward" and the desired function will be rolled out over the next few years, he said.

The Department of Defense is "on track" to provide continuous evaluation of 225,000 agency personnel by the end of 2015, and to expand that number to 1 million employees by 2017, according to the quarterly report. Actual achievements in individual agencies are classified.

As a general matter, the Insider Threat program faces both technological and "cultural" obstacles.

The information technology structures that are in place at most executive branch agencies are not optimized to support continuous evaluation or related security policies. Adapting them to address the insider threat issue is challenging and resource-intensive. Nor are agency policies and practices consistent across the government or equally hospitable to security concerns.

But it's worth noting that the uneven performance described in the quarterly report reflects a degree of public candor that is unusual in security policy. Instead of presenting assurances that everything is fine in the Insider Threat program, the report acknowledges that some things are not fine and will not be fine for an unspecified time. That is refreshing and even, in its straightforward approach to the issue, somewhat encouraging.


IC INSPECTOR GENERAL FINDS NO OVERCLASSIFICATION

"We do overclassify," Director of National Intelligence James R. Clapper, admitted at his 2010 confirmation hearing. It's a theme he has reiterated on a number of occasions on which he has spoken of the need for increased transparency in intelligence.

So it comes as a surprise and a disappointment that a new study of the subject from the Intelligence Community Inspector General failed to identify a single case of unnecessary or inappropriate classification.

"IC IG found no instances where classification was used to conceal violation of law, inefficiency, or administrative error; prevent embarrassment to a person, organization, or agency; restrain competition; or prevent or delay the release of information not requiring protection in the interest of national security," the December 2014 report said.

When it comes to overclassification, ODNI is far from the worst offender. But the IC IG report purports to address classification trends across the intelligence community. And its conclusions are hard to reconcile with the public record, to say the least.

Thus, at the same time that the Inspector General was finding no use of classification to prevent or delay the release of information not requiring protection, the release of the Senate Intelligence Committee report on CIA interrogation practices was being hamstrung and delayed for months or years by dubious, inconsistent classification claims.

"Members of the Committee have found the declassification process to be slow and disjointed, even for information that Congress has identified as being of high public interest," Sen. Dianne Feinstein wrote to the President last month.

Today the New York Times reported on a 2012 report on intelligence surveillance practices that had been withheld in its entirety until it was partially released in response to a lawsuit brought by the Times. Numerous other examples of the misapplication of classification authority could be cited. Yet all of them were somehow missed or ignored by the IC Inspector General.

Meanwhile, some senior officials in the intelligence community are rethinking current classification practices and policies because they have concluded, contrary to the thrust of the new IG report, that the status quo is unsatisfactory.

"Going forward, I believe that the Intelligence Community is going to need to be much more forward-leaning in what we tell the American people about what we do," said ODNI General Counsel Robert S. Litt in a public speech last year. "We need to scrutinize more closely what truly needs to be classified in order to protect what needs to be protected."


DOD CYBER OPERATIONS, AND MORE FROM CRS

A new report from the Congressional Research Service presents an introduction to U.S. military operations in cyberspace and the thorny policy issues that arise from them.

"This report presents an overview of the threat landscape in cyberspace, including the types of offensive weapons available, the targets they are designed to attack, and the types of actors carrying out the attacks. It presents a picture of what kinds of offensive and defensive tools exist and a brief overview of recent attacks. The report then describes the current status of U.S. capabilities, and the national and international authorities under which the U.S. Department of Defense carries out cyber operations."

The Department of Defense requested $5.1 billion for "cybersecurity" in 2015, the CRS report noted. Cybersecurity here includes funding for cyberspace operations, information assurance, U.S. Cyber Command, the National Cybersecurity Initiative, and related functions. See "Cyber Operations in DoD Policy and Plans: Issues for Congress," January 5, 2015:

(The CRS report includes only a capsule summary description of the Stuxnet episode. A fuller account is presented in Kim Zetter's gripping book Countdown to Zero Day.)

Other noteworthy new and updated CRS reports that Congress has withheld from online public distribution include the following.

State Sponsors of Acts of International Terrorism--Legislative Parameters: In Brief, December 24, 2014

The President's Immigration Accountability Executive Action of November 20, 2014: Overview and Issues, January 8, 2015

Proposed Retirement of A-10 Aircraft: Background in Brief, January 5, 2015

American War and Military Operations Casualties: Lists and Statistics, January 2, 2015

A Shift in the International Security Environment: Potential Implications for Defense--Issues for Congress, December 31, 2014

Secret Sessions of the House and Senate: Authority, Confidentiality, and Frequency, December 30, 2014

Navy Littoral Combat Ship (LCS) Program: Background and Issues for Congress, December 24, 2014

Navy Shipboard Lasers for Surface, Air and Missile Defense: Background and Issues for Congress, December 23, 2014

Definitions of "Inherently Governmental Function" in Federal Procurement Law and Guidance, December 23, 2014

Congressional Careers: Service Tenure and Patterns of Member Service, 1789-2015, January 3, 2015

The Congressional Research Service has never been more frequently cited or more influential in informing public discourse than it is today, as its publications are increasingly shared with the public in violation of official policy. But budget cuts and congressional dysfunction seem to have bred discontent among some staff members, judging from an article by former CRS analyst Kevin R. Kosar.

"Thanks to growing pressure from a hyper-partisan Congress, my ability to write clearly and forthrightly about the problems of government--and possible solutions--was limited. And even when we did find time and space to do serious research, lawmakers ignored our work or trashed us if our findings ran contrary to their beliefs. When no legislation is likely to move through the system, there's simply not much market for the work the CRS, at its best, can do," he wrote. See "Why I Quit the Congressional Research Service," Washington Monthly, January/February 2015.

******************************

Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists.

The Secrecy News blog is at:
      http://fas.org/blogs/secrecy/

To SUBSCRIBE to Secrecy News, go to:
     http://fas.org/sgp/news/secrecy/subscribe.html

To UNSUBSCRIBE, go to:
      http://fas.org/sgp/news/secrecy/unsubscribe.html

OR email your request to saftergood@fas.org

Secrecy News is archived at:
      http://fas.org/sgp/news/secrecy/index.html

SUPPORT the FAS Project on Government Secrecy with a donation here:
      https://fas.org/donate/