Behind Closed Doors

Streamlining controls over classified information is a tall order for the new Security Policy Board, and some agency officials are miffed because they aren't being consulted.

G

uarding the government's secrets is big business. Every year, hundreds of thousands of federal and private-sector employees spend billions of dollars making sure classified information, facilities and people are properly protected. But while business may be booming, it's not necessarily good. Over the years, U.S. national security policies, practices and procedures have produced a massive government secrecy system that is expensive, inconsistent and ineffective.

To help fix what had become badly broken, President Clinton created the U.S. Security Policy Board (SPB) in September 1994 and directed it to recommend major improvements in all phases of government security-from determining how secure your telephone line needs to be to deciding what kind of lock is required for your safe. "It will be responsible for not only what to protect but also how to protect it," SPB Staff Director Peter Saderholm explained in a 42-page manifesto outlining the new organization's sweeping mission.

Despite the SPB's broad mandate to advocate change in so many sensitive areas of government, it has received little media attention. Aside from a few passing references, the daily press has all but ignored the SPB. Indeed, the board itself is probably one of Washington's best kept secrets. And that's probably just the way the the board wants it. Navigating the intricacies of the U.S. security system is tough enough to do when you're working behind closed doors. Why complicate matters by going public?

But for government managers and their employees-whether they work in the national security arena or not-knowing even just a little bit about the SPB is probably a good idea. Just ask Sadie Pitcher, the Commerce Department's information technology security manager. In late 1994, Pitcher learned from a colleague at Commerce that the SPB was proposing to create a subgroup, the Information Systems Security Committee (ISSC), which would eventually dictate policy for all classified and unclassified computer networks.

Pitcher, co-chair of the interagency Federal Computer Security Program Managers Forum, and representatives from agencies outside the national security community knew little about the SPB, which was just beginning to take shape. Nonetheless, they were immediately concerned. Agencies like Commerce, Health and Human Services and the IRS routinely deal with information that is "sensitive" but not classified. Different policies and standards dictate how this kind of information should be safeguarded.

But the SPB proposed the Information Systems Security Committee merge the government's unclassified and classified computer worlds, presumably requiring the two to operate under the same security rules. This could make it difficult for agencies that deal regularly with the public and require fewer restrictions on the information they handle, Pitcher and her colleagues say. They also say the SPB's proposal ran counter to the 1987 Computer Security Act, which sought to maintain separate standards for classified and unclassified systems. Despite the ramifications of SPB's recommendations, Pitcher and the program managers forum, a group of senior computer security managers from civil agencies, never had been asked for their input.

The forum wrote to the Office of Management and Budget's information and regulatory affairs division in January 1995, asking that the SPB be told to back off. "We believe it is inappropriate for the national security and intelligence communities to participate in selecting security measures for unclassified systems at civil agencies," the group wrote. "Their expertise in protecting national security systems is not readily transferable to civil agency requirements."

Pitcher never received a formal response from OMB, but the message was passed on to the Security Policy Board. At a March meeting of the Computer System Security and Privacy Advisory Board, an organization made up of public and private-sector officials created by the Computer Security Act, Saderholm was conciliatory. He said he wanted to work closely with the advisory board in determining the best policy for protecting sensitive but unclassified information. He added the SPB would abide by the Computer Security Act and would not be solely responsible for unclassified systems, according to the minutes from that meeting.

The classified/unclassified systems debate is far from over, however. The Information Systems Security Committee has yet to be established, in part due to the concerns voiced by the civilian agencies over its scope. SPB officials say the committee will be up and running this year, but acknowledge there are challenges ahead. "This committee has not been established because of the unwillingness of the national security community and [civilian agency] officials to agree to have one body for both classified and sensitive, but unclassified, information," Saderholm said during public testimony in December. Saderholm declined to be interviewed for this article.

Wayward Bureaucracy?

To its critics, the SPB represents what is already wrong with the U.S. security system. It is excessively complex and sealed off from public view. "So far the SPB has been functioning like some wayward Eastern European bureaucracy, untainted by any hint of democratic principles or fair play," says Steven Aftergood, a senior research analyst at the Federation of American Scientists and editor of the monthly newsletter Secrecy & Government Bulletin.

A public interest organization called the Electronic Privacy Information Center (EPIC) filed a lawsuit last year arguing the board will have a major impact on the U.S. information infrastructure and therefore more should be known about the group. EPIC's suit demands that the National Security Council be forced to release documents relating to the SPB's activities. The council, to which the SPB ultimately reports, had rejected EPIC's earlier Freedom of Information Act requests.

"This is a battle over the accountability and oversight of government computer policy. These decisions must be made in the bright light of day," EPIC Director Marc Rotenberg said after the suit was filed in March 1995.

Lynn McNulty, former co-chair of the program managers forum and a former associate director for computer security at the National Institute of Standards and Technology, warns civilian agency officials must remain vigilant as the SPB continues its work. "No one is saying the unclassified world doesn't have problems, but adding another bureaucratic layer is not necessarily the solution," says McNulty, who co-signed with Pitcher the letter to OMB.

But to its supporters, the Security Policy Board is an absolute necessity. Before the SPB existed, the process of developing security policy was hopelessly fragmented and in need of a single body to provide direction and focus. "This piecemeal approach to security policy has led to a decentralized policy structure in which multiple groups with different interests and authorities work independently of one another," the Joint Security Commission said in its 1994 report, "Redefining Security." Many of the groups have overlapping memberships and responsibilities, "but all exact a cost in terms of time, energy and efficiency," the commission said.

Jeremy Clark, acting deputy assistant secretary of Defense for intelligence and security, believes the SPB will bring about needed efficiencies, which will save money without degrading the level of security the federal government requires. "It's a matter of building trust and cooperation and codifying it in a meaningful way so we have standards across the community," says Clark.

Willis Ware, chairman of the Computer System Security and Privacy Advisory Board, initially took a dim view of the SPB because of its plans to seize control of information security. In fact, his group passed a resolution recommending the SPB "not proceed with its plans to control unclassified but sensitive systems until broader input of these issues is gathered." Ware now says he is pleased with the SPB's willingness to attend his group's meetings and brief members on the issues. "In terms of responding to our requests, they've been up front and forthright," says Ware of the SPB staff.

Getting Started

The impetus for the SPB was provided by the Joint Security Commission, which produced its landmark report in February 1994. The Security Commission, a panel of distinguished national security experts, was directed in May 1993 by then-Defense Secretary Les Aspin and then-Central Intelligence Director R. James Woolsey to conduct a no-holds-barred assessment of the defense and intelligence communities' security policies and offer recommendations for changing them.

The commission concluded there was plenty that needed repairing. "Even without the end of the Cold War, it is clear that our security system has reached unacceptable levels of inefficiency, inequity and cost," the commission said in a report, "Redefining Security." "This nation must develop a new security system that can meet the emerging challenges we face in last years of this century and the first years of the next."

Key to all the commission's recommendations was the formation of a single organization, a "security executive committee," that would be responsible for the creation of new security policies and standards that would then be carried out by the national security community. An advisory board would provide "a non-government and public interest perspective to security policy," the commission said. In response, Woolsey and Aspin's successor at the Defense Department, William Perry, established the Joint Security Executive Committee (JSEC) in the summer of 1994.

The National Security Council saw a need for a governmentwide organization whose security policy responsibilities were not limited to the military and intelligence communities. So on Sept. 16, 1994, Clinton signed presidential decision directive 29 redesignating the JSEC the Security Policy Board. Co-chaired by the deputy Defense secretary and the director of central intelligence, other members of the SPB include the vice chairman of the Joint Chiefs of Staff, deputy secretary of State, undersecretary of Energy, deputy secretary of Commerce, deputy attorney general, and one deputy secretary from another "non-defense related" agency.

According to the directive, the SPB is the "the principal mechanism for reviewing and proposing" to the National Security Council legislative initiatives and executive orders that deal with security policy, practices and procedures.

The Security Policy Forum established under the JSEC would now report to the SPB. Here, representatives from virtually every sector of government meet to evaluate proposed security policies from an "operational perspective," says Saderholm, who refers to the forum as the SPB's "heart." If the forum is doing its job right, most issues will be resolved before being submitted to the SPB for final consideration. The forum's broad representation-27 departments and agencies-is intended to allow all sectors of government to have a say in how security policies are fashioned.

As recommended by the Joint Security Commission, the directive called for the creation of a Security Policy Advisory Board of five members appointed by the president to ensure that U.S. security policies are consistent with the overall goals of government-open, fair and cost-effective. The Advisory Board will "provide a nongovernmental and public interest perspective on security policy initiatives," the directive stated. While no time was wasted in creating the SPB and solidifying the role of the forum under it, the Advisory Board has yet to be established.

The failure to create the Advisory Board has irked public interest advocates, most notably Aftergood of the FAS. He notes that representatives from U.S. defense companies regularly attend security policy meetings, which he says calls into question who the SPB is really working for. "This is poor strategy since it needlessly antagonizes concerned citizens whose interests may not precisely coincide with those of defense contractors," says Aftergood.

Meanwhile, Clark insists there is nothing sinister about the delay in establishing the Advisory Board. A list of nominees has been sent to the National Security Council for approval and a formal announcement of the panel's creation is "imminent," Clark says. "I wouldn't say in any way that [the delay] indicates security policy is a lower priority," says Clark, who co-chairs the Security Policy Forum. "I guess other higher priorities like Bosnia and budget deliberations have kept it off the plate."

And the SPB includes defense contractors in meetings because it has been "told to work with industry," which is directly affected by the recommendations of the board, Clark says. "We're trying to lower costs across the federal government including industry," he says. "The industry people have made a number of suggestions that have been really useful in how you apply risk management techniques and procedures to their areas."

Action by Committee

In keeping with the President's directive, a series of committees has been created to support the Security Policy Forum. For example, the personnel security committee will address "all personnel security policies, procedures and practices applicable to U.S. government departments and agencies," according to an SPB document.

The SPB also has committees for facilities protection, training and professional development and classification management, which recommends policies for reducing the amount of information the government labels secret. Saderholm chairs the policy integration committee, charged with making sure overarching themes like cost accountability are assimilated into security policy. Once the national security and civilian sectors agree, an information committee will round out the SPB structure.

In the last year, the SPB has focused on getting its new organization established, overhauling the "fragmented security policy structures that existed prior to the founding of the board," Saderholm told the Commission on Protecting and Reducing Government Secrecy, a panel of government and private sector officials, during a public hearing in December. Where eight organizations once developed facilities protection policies, now the SPB handles it all, except for securing overseas facilities, such as embassies, that remain under the State Department's control.

The SPB has busied itself with the implementation of two recent Clinton executive orders. E.O. 12958, "Classified National Security Information," creates a new system for classifying, safeguarding and declassifying the nation's secrets. E.O. 12968, "Access to Classified Information," is the first presidential directive to establish a uniform set of rules for granting security clearances.

The Joint Security Commission's report served as a blueprint for the SPB and during its first year the board has completed more than 20 percent of the commission's 76 recommendations, says Saderholm.

This year, the SPB faces one of its thorniest challenges: the government's polygraph program. Unquestionably invasive, the lie detector test is also one of the most useful tools in assessing a person's fitness to be trusted with sensitive information, national security experts say. According to Saderholm's testimony during the public hearing, the SPB "will review the efficacy of the polygraph and evaluate its utility."

The SPB cites as a success the elimination of outdated control markings that have limited the distribution of information within the U.S. intelligence community. The absence of markings such as NOCONTRACT (not releasable to contractor/consultants) and WINTEL (warning notice sensitive sources and methods involved) expands the number of people who can have access to sensitive documents while ensuring the sources of the information are properly protected. National security experts insist this is not a trivial change.

"In the years of risk avoidance, if an analyst was working at his workstation, he almost automatically put his 'headers' on in advance," says Clark. "He'd have a blank sheet of paper to write his intelligence report for the day. At the top he'd have 'secret, no foreign dissemination, limited distribution, originator control, and proprietary information.' And now we tell him, get rid of all those words off the top and come at it from the bottom up."

A Rocky Road

Proponents of the SPB believe the new structure eventually will result in a more efficient and effective system for protecting the government's secrets. But they know it won't be easy. "I have to admit there has been some disappointment in that at the lower echelons of the process. People are still circling their wagons and wanting to do business as usual-afraid of change, not wanting change and resisting change," Saderholm said in December. Bold leadership is required to ensure that status quo ideas are rejected, he said.

And if the SPB has found the going tough so far, the process will only get more difficult. The single committee not yet part of the SPB's structure deals with information security, which Saderholm acknowledges "is the greatest and most exciting challenge facing the board." The Joint Security Commission called protecting the nation's information systems and networks "the major security challenge of this decade and possibly the next century."

Further complicating the development of information security policy is the business community. Not only must the national security and civilian agencies come to an agreement, but private contractors will have a say as well. Whatever policies the government adopts will have a major impact on the companies it does business with, and they won't stay quiet if they believe a proposed action is too restrictive or costly.

The SPB also faces financial challenges. The Joint Security Commission's report acknowledged some of its recommendations will require an up-front investment, especially in the information and personnel security areas. To save money, some will have to be spent. In this era of tight federal budgets, coming up with the cash that will be needed to completely overhaul the U.S. security system will be a tall order.

Still, steps must be taken to repair a security system gone haywire. One need look no further than EPIC's lawsuit to see the inconsistencies in government security decisions. Among the documents the Washington, D.C.-based organization sought through its FOIA request was a copy of presidential decision directive 29, which created the SPB. In response to the request, the National Security Council told EPIC it is not subject to FOIA, and, furthermore, the unclassified presidential decision directive was not "releasable." But the directive and other unclassified documents relating to the SPB are immediately available to anyone who wants them on Aftergood's "Government Secrecy Project" home page on the World Wide Web at http://www.fas.org/pub/gen/ fas/sgp/.

"Our real fear is that [the Security Policy Board] is going to go beyond the national security realm," says David Sobel, EPIC's legal counsel. "[The lawsuit] is our vehicle to know what they're doing."

NEXT STORY: Race for Survival