Skunk Works Critique of Secrecy and Security Policies

FAS Intro: The following critique of classification, personnel security and related policies was prepared by Lockheed Martin Skunk Works for submission to the congressionally-mandated Commission on Protecting and Reducing Government Secrecy, chaired by Senator Daniel P. Moynihan.

Lockheed Martin Skunk Works
1011 Lockheed Way
Palmdale, CA 93599
Ms. Joan Vail
Counsel for Security Policy
[Commission on Protecting and Reducing Government Secrecy]
2201 C Street, NW
Room 225, SA-44
Washington, DC 20522-4402
Dear Ms. Vail:
Thank you for the opportunity of presenting my thoughts to your Commission on Protecting and Reducing Government Secrecy. Attached are my comments on each of the four requested areas: classification, declassification, personnel security, and information security.
For more than fifty years, the Skunk Works has worked on highly classified efforts. We are unique in the fact that ninety percent of our work is classified. This presents us with particular problems. For example, the inability to clear and/or access an individual to a contract or program means that the individual will more than likely lose his/her job.
A problem that continues to plague the Skunk Works is the vast difference in security requirements between our customers. These differences subject the Skunk Works continually to inspections by multiple customers utilizing different criteria. The new National Industrial Security Program Operating Manual is attempting to solve these problems. However, a lot must change before true savings can be achieved by the present attempts at standardization.
I believe the government needs to evaluate each contractor on its performance. I stand behind the Skunk Works record of secrecy. Our success is evident in the security attached to such programs as the F-117, U-2 and SR-71. Their very existence was unknown for years. I feel that security should be included as a criteria for fee awards on contracts. This would not only provide an incentive for efficient, cost effective security, but allow security to become a revenue producer as opposed to an expense.
We are headed in the right direction. Commissions such as yours are fostering government and industry cooperation which will result in better security at lower costs.
Sincerely,
J.S. Gordon, President
Lockheed Martin Skunk Works
Lockheed Martin

POINT PAPER
RESPONSE TO
COMMISSION ON PROTECTING AND REDUCING GOVERNMENT SECRECY
REQUEST FOR INFORMATION

13 September 1995

LOCKHEED MARTIN SKUNK WORKS
Division of Lockheed Martin Corporation
1011 Lockheed Way
Palmdale, CA 93599

1. BACKGROUND
As requested, we are responding to the Commission's request for information on our thoughts and comments on the impact of preserving the secrecy of sensitive projects. We concur with the Commission's efforts to make comprehensive proposals for reform designed to reduce the volume of information classified and thereby strengthen the protection of legitimately classified information. The economic environment is such that every effort must be made to assure the adequacy of protection within the constraints of a security system that is simplified, more uniform and more cost-effective.
In the ever-changing environment in which we work, a lot has evolved since the Commission was formed. The current system for classifying, safeguarding, and declassifying national security information is contained with Executive Order 12958, dated April 1995. This order prescribes all pertinent details concerning classification standards, levels, categories, and authority. This order further defines the duration of classification and declassification/ downgrading. The National Industrial Security Program Operating Manual (NISPOM) further promulgates these regulations, and flows derivative classification authority and guidance to the contractor community. In short, the Government Contracting Authority is the classification authority and issues classification guidance to the contractor in the form of classification specification and security guides. The contractor role is to classify, based on this guidance (derivative classification), and challenge what it believes to be improperly classified information. Implementation of these measures on a consistent basis will go a long ways to drive down the cost of security.

2. ISSUES IN PRESERVING SECRECY
2.1 Extent of Classification/ Consequences of Overclassification
In original classification, the government has often relied on outdated perceptions concerning the value of the information, the whims of an overzealous classification official or, if all else fails, the status quo. Special access program managers have always had the power to independently set security policy within their program. This culture of secrecy often contributes to initially classifying more information than required, over- classification of information, and not downgrading or declassifying information in a timely manner. Often times this promotes empires and limits oversight. The consequence of this action directly relates to added cost affecting the bottom line of industry and inflating procurement costs to the government.

Overclassifying technology inhibits information exchange between programs and leads to "reinventing the wheel."

Classifying contractual and financial data within a corporation, which in today's environment should rarely be classified, inhibits accurate forecasting, limits oversight, and could eventually lead to an erosion in shareholder value based on unavailability of information for analysis.

From a legal standpoint, classifying unnecessary paperwork can put the company and the customer in jeopardy of union actions and lawsuits. Issues that we experience daily pit an overzealous need to limit access against the rights of a bargaining unit employee of employment based on seniority.

For larger programs, massive declassification would not only eliminate unneeded protection for older information but would also have the potential for decreasing the amount of classified areas that are dedicated to storage.
Most information is perishable. A rational government-wide standard of classification should serve as a guide for all classification decisions. It is the duty of the classification official and the program to do a uniform and realistic risk assessment that defines not only what information is classified, but how long it can be reasonably assumed to require that protection. If a declassification date cannot be established, a reasonable review date should be set up and adhered to. It is evident that any unnecessary restriction to information flow will create added cost and inefficiencies in an organization. One method of avoiding this is to address proper classification up front.

Our recent Tier III Minus program is a good example of cost avoidance in this area. Early in the program, Lockheed and ARPA worked diligently to establish realistic security guidance geared to the program goals-- a compressed schedule and roll out nine months later. The result was the ability to do a job without unnecessary restraints while protecting the technological capabilities. This was an acknowledged special access program.

Unfortunately, unacknowledged special access programs do not always work as well since they are at the mercy of the program managers and numerous security guides. These programs usually involve long lead technologies that are oftentimes classified on generalities and do not address review cycles for downgrading or declassification. This results in multiple customers applying multiple security requirements. A fallout of this is the fact that inspections are now comprised of multiple agencies, multiple programs within agencies, and a cast of inspectors continually inspecting the same items within the contractor facility. This repetition adds both time and money to the government and contractors. Eliminating this redundancy within inspections (e.g., every customer checking the alarm systems, plant protection response times, government security files, visitor control procedures, etc.) would create less intrusive inspections and save time all around. The bottom line is inspecting the common criteria only once.
To eliminate the added cost of secrecy requires cooperation of government and industry. We need to work together to establish the realistic classification guideline and properly identify exactly what information requires protection, while at the same time keeping program goals in mind. Also, proper oversight and management of a recognized and timely declassification review process is required to eliminate unnecessary security protection and allow effective flow of information.
2.2 Personnel Security
Personnel security, the cornerstone of the security system, is only as good as the trustworthiness of the people in possession of (or responsible for) classified information.

Personnel Security Clearance: The granting of a clearance means the individual has been screened and met the criteria for clearance in such areas as: financial stability, immoderate alcohol/ illegal drug use, foreign involvement/connections, arrest records, psychological/ mental counseling.

Periodic Re-evaluation: Each cleared employee needs to be periodically re-evaluated to assess his/her ability to continue to safeguard classified information and five- to seven-year periodic reviews should be continued.

Periodic reviews would be more effective if they consisted of a standard Counter Intelligence (CI) scope polygraph for contractor personnel.

A set of three to five questions dealing with trustworthiness (e.g. "Have you sold information to another country?"), rather than lifestyle questions, should be the standard for the polygraph.

Adverse Information Reporting: Adverse reporting is very important because it can trigger a new background investigation.

Every American convicted of espionage might have been stopped, if identifiable adverse information had been reported.

A strong security education program is required to motivate our employees to be responsible citizens and to report behavior that calls into question the integrity or trustworthiness of a cleared employee.

The greatest threat to a defense contractor does not come from outside sources. Historically, it has been someone from within that is most likely to commit espionage.
The personnel security system has recently become easier for contractors.

The Defense Investigative Service (DIS) agents and the Defense Industrial Security Clearance Office (DISCO) have adopted a user-friendly and helpful perspective towards industry.

The advent of computers has enabled contractors to process Personnel Security Questionnaires (PSQs) in a timely manner. Modern technology has allowed us to process and store information with a great deal of efficiency.

On-line capabilities have alleviated the seven-day delay in waiting for mail deliveries for Letters of Consent. This permits employees on lay-off or in holding tanks to report to their work stations expeditiously.

The NISPOM relaxed the need for extensive paperwork for reinstatement/ revalidation/ transfer. It is now possible to utilize a one-page form for these purposes.

DIS has granted a waiver to transfer clearances within all Lockheed Martin companies, to easily merge and reorganize the new corporation.

DIS is transitioning into more of a partnership with industry. An example of this partnership is the amount of time needed to clear an individual from "hire" to "start date." The ISM [the old Industrial Security Manual] gave only 30 days. At the Skunk Works most employees must possess a final clearance before they can start work. A final clearance takes between 3 months to 6 months on an average-- and as long as one year in some instances. We requested a waiver from this 30-day requirement and asked instead for 120 days processing time. The waiver was granted, and the NISPOM, which replaced the Industrial Security Manual (ISM), changed the processing time to 180 days.

This partnership is a reality-- especially at the local level. DIS representatives visit the facility and know what is going on. They have adopted a "teamwork" approach (e.g. sharing information, solving problems, etc.) rather than behaving like a policing agency looking for problems.

The future offers a more timely and less expensive personnel security system.

Beginning late this year, a new standard form will be utilized for all clearance requests, i.e. Top Secret, Secret and Confidential clearances.

The Privacy Portion on the new form will be easier for employees to complete due to the fact that most of the questions will address only the last seven years.

Eventually, all forms will be on-line to DISCO, including the new PSQ, User Agency endorsement letters, and fingerprint cards. Contractors cannot accomplish transmission if any of the required data is missing from forms, which will eliminate time-consuming rejections.
The personnel security system needs even more refinement.

The new personnel security Executive Order, requiring a financial disclosure, is poor "risk management"; it speaks more towards "risk avoidance." If someone makes the decision to commit espionage, he/she would not hesitate to lie on a financial disclosure statement. Financial disclosure would also have a negative effect on our industry by keeping good people from becoming involved in an industry that invades their privacy.

Contractors are required to complete a local file check-- which encompasses a review of personnel files, Government Security files, payroll (wage garnishments), etc., and a supervisor certification for a Top Secret clearance at the time a request for clearance has been initiated. When Defense Investigative Service (DIS) agents arrive to investigate, they perform exactly the same file checks. This is a time-consuming task and a duplication of effort.

Change the requirement to report traffic violators to a certain number with a certain time-span. Increase dollar amount on traffic citations to be reported as adverse information (not to include alcohol or drugs).

The Defense Office of Hearings and Appeals needs to make more timely decisions of whether to grant or deny an employee a security clearance. In some cases, it takes six months to a year for a decision.

It is redundant to submit a complete PSQ package for adverse information (e.g. wage garnishments) which has already been reported and favorably adjudicated within the past 12 to 18 months.

Program access criteria should be standardized for SAP/SAR programs.
2.3 Information Systems Security
More attention must, by necessity, be focused on information systems security.

We are totally dependent upon computer systems to perform almost every aspect of our complex classified contracts. Threats to national security information disseminated across electronic information systems are very real. The increased value of US technical information necessitates balancing national policy objectives and the importance of sharing information with the need to protect our leading edge technologies.

The majority of incidents involving information systems are caused by authorized individuals doing unauthorized activities. Strong technical measures already exist to keep the outside out (encryption, firewalls, passwords, etc.). It appears there is more benefit to information systems security through an effective personnel security program than arbitrary, costly physical restrictions on the computer systems.

There is no doubt that increased connectivity creates greater vulnerabilities. However, the advent of the NISPOM has not really addressed implementing security requirements based on risk management factors, but, instead, appears to be aimed at risk avoidance.

The NISPOM, Chapter 8, "Automated Information Systems Security," above all other chapters in the manual, requires extensive changes in our automated information systems security program that are more restrictive and that have significant cost impact to industry. For example:

All procedures for our classified computer systems must be totally rewritten to accommodate new NISPOM requirements. This is an extensive investment of manpower for this contractor as we currently have over 150 Standard Practice Procedures for 1200 classified systems. There is a further concern with the implementation of the NISPOM Supplement used by our special access program customers, i.e. can the contractor come up with a single set of procedures that can be adapted to special programs and "white world" programs without each special access program retreating to its own format as they have done in the past.

A Certification Test Plan, which outlines the inspection and test procedures to demonstrate compliance with the security requirement associated with the mode of operation must be developed for each classified system. As a minimum for dedicated systems, the test plan must verify that system access controls and/or procedures are functional and provide test results that verify the need to know controls are implemented. This is a costly requirement. By definition, these tests mandate highly technical personnel perform these tests. We rely on our Information Services personnel to assist with security tests and evaluations, but their services are charged back to programs incurred with each test. Additionally, each contractor is conducting its own tests on similar equipment, meaning each contractor is "reinventing the wheel" rather than sharing test results for specific configurations.

Storage media used for Top Secret processing may not be used for Secret processing. It may not be declassified; destruction of the storage media is the only acceptable method. Up until a year ago, almost without exception, storage devices used for classified special access program processing (regardless of classification level) were required to be destroyed. In one instance the Skunk Work was required to destroy over $300,000 worth of storage devices used on one of its classified mainframe processors (we had upgraded from double-density storage devices to triple-density storage devices). Recently, we have been allowed to degauss or overwrite Confidential and Secret special access program storage devices for reallocation on other special access programs. However, Top Secret storage devices must still be destroyed.

A bigger issue with storage devices is with the prohibition against using Top Secret storage devices for multiple special access programs from different User Agencies (e.g., Air Force special access programs will not allow their devices to be used by Navy or Army special access programs). The main impact here is with our supercomputing efforts. Supercomputers and their storage devices are expensive; contractors cannot afford to purchase separate storage devices for each classification level, each program, and each agency. We appear to be spending more dollars "protecting us from us." Economies of scale demand that once a system is approved at the Top Secret level, it should be available to multiple programs and agencies (with "clearing" between processing sessions).

The contractor must validate the functionality of security-related software, requiring the similar technical expertise as that required for Certification Tests. In addition, and much more costly, is the requirement to verify all software is free of malicious code prior to installation. This is a prime example of implementing "risk avoidance" rather than "risk management." The expense of line code and virus checks of every standard off-the-shelf software package used on a classified system is not warranted. With over 1,200 classified systems in use by the Skunk Works, the manpower required to virus check each software revision on each system prior to installation would be untenable.
More and more, special access program customers are becoming involved in how the Skunk Works protects its unclassified systems as well as its classified systems.

The Joint Security Commission report, "Redefining Security," and the Information Infrastructure Task Force's report, "NII Security: The Federal Role," clearly shows this interest is warranted, not only by our customers, but by the Corporation itself. But as both of these reports point out, there is a need to better understand what will be needed to make our information secure enough to ensure information security and network reliability. Until we have a better understanding of the "what," the government should not implement arbitrary and costly security measures. Government contractors and computer vendors should expand the time sharing of information system vulnerabilities and countermeasures.

3. SUMMARY
The past few years have seen great changes in the security programs in the United States. Foremost among these changes have been the approval of the National Industrial Security Program (NISP) and Executive Order 12958. These are significant improvements in standardizing requirements for the contractor community. As we have pointed out, they can still be improved upon. The work of the Joint Security Commission and now the forming of your Commission are another positive step forward. Even with the current strides, we are still spending too much protecting us from ourselves. We need to be more conscious of utilizing risk management instead of risk avoidance methods in determining security requirements in this era of diminishing assets.
I do believe we need to concentrate a large part of our efforts on Information and Personnel Security programs. This is money well spent. In all other areas the risk management versus risk avoidance approach must be stringently and intelligently applied. Only continuous meaningful Government/ Industry participation in defining the rules, combined with the appropriate oversight will allow us to drive down the exorbitant costs of security. We look forward to providing you with any additional information that can be of assistance.