Saturday, September 3, 2016

On The Handling Of Classified Information

     I worked in defense engineering for nearly thirty years. Much of my work involved the use of classified information (CI). In the years before the emergence of convenient, high speed networking and communications, the rules for handling CI were relatively easy to keep in mind:

  • To receive CI, one must have a clearance equal to or higher than its classification level.
  • One must also have “need to know,” which arises from one’s assignment and particular duties.
  • CI documents must be kept secure at all times:
    1. When in use, they must be in the custody of a person cleared to possess them;
    2. When not in use, they must be in an approved, secured container.

     Before being granted my security clearance, I was required to attend a briefing on those rules. At the conclusion of that briefing, I was required to sign a witnessed document to the effect that I knew and understood the rules outlined above. As my Gentle Readers can see, they weren’t hard to understand.

     The key point of it all was this: By signing that document, I agreed that I was legally bound by the rules, as set out in the National Security Act and the Espionage Act, and could be prosecuted for violating them. Had I not signed the document, I could not be prosecuted; the First Amendment would have forbidden it.

     The essence of legally enforceable information security, as you can see, is the documented acceptance of responsibility for it. No one is ever legitimately allowed access to CI without first agreeing to be bound by the applicable laws. If there are other laws that require one’s signed agreement to be bound by them, I don’t know of them.

     There are some complexities here. If Smith, a clearance holder, provides CI to Jones, who has no clearance, Smith is prosecutable, but Jones is not – even if Jones knows that Smith is violating the law. However, under certain circumstances, if it can be demonstrated that Jones knows the CI is classified yet discloses it to others not cleared for it, he can be prosecuted. Federal law on the subject is a bit contorted, and not all federal judges have applied it the same way.

     In today’s heavily networked world, further provisions to the handling of CI have become necessary. In essence, they reduce to this:

  • A network on which CI is to be created or stored must be cleared for those purposes. The network’s clearance level must be made known to all its users. Moreover, no user whose clearance level is lower than that of the network may be allowed access to it.
  • CI must not be transmitted from a network on which it was legally created or stored to another, uncleared network.
  • If CI created or stored on a cleared network becomes “hard copy” (i.e., a removable medium or a printed document), that item must be protected according to the earlier rules for CI documents.

     These rules are, of course, included in contemporary security briefings, and in the document a freshly cleared user must sign in acknowledgement of his responsibilities. The application of these rules to today’s most common form of non-audible communication – email – should be obvious.

     That’s why Hillary Clinton must insist that she doesn’t recall having been educated in the rules for handling CI. It also indicates that, should Clinton’s signed briefing agreement ever come to light, she could be prosecuted for her email practices. Whether that agreement can be found is the question of the hour.

     I’ve often written that the security rules are in some ways an impediment to actual, effective information security. I continue to think so, at least as regards the rules for storage and for the creation of high clearance / “no need to know” classified documents control officers. (A significant number of recent espionage scandals have involved classified documents control officers.) But the rules are as they are, and are well known to anyone ever legitimately permitted access to CI. No “better way” has been proposed for the handling and security of CI in recent years.

     Perhaps the most important aspect of CI and its handling is that there should be as little CI and as few persons cleared to access it as possible. Obviously, there will be government officials who need access to it to perform their duties. The higher those officials are, the more subordinates they will have – and some of those subordinates will need access to the same CI as the boss. So the problem of limiting access is a stiff one.

     More, the problem cannot be confined to government. Private individuals will frequently be required to have access to CI, just as I was. The classification pyramid, which once rose seventeen levels into the sky (I was once told it went even higher than that, but I couldn’t verify it), is flattened somewhat for defense contractors: to Confidential, Secret, and Top Secret, each of which can be qualified further by the NOFORN (No Foreign Nationals) designation. Private workers allowed access to such CI must be as scrupulous as any government worker in its handling.

     Information disclosure is irrevocable. Once CI has been released to an uncleared person, there’s no way to retract it. Thus, the discovery of a “spill,” the jargon term for the movement of CI to an uncleared network, is always an occasion for extremely swift action in hope of remediation. It’s occasionally required the physical destruction of equipment in hope of preventing further transmission. (It’s also given rise to some well known gag lines such as “burn this before reading it” and “I could tell you, but then I’d have to kill you.”)

     Those persons charged with enforcement of the security laws are expected to take them very seriously, and the great majority of them do. The most recent disclosures about Hillary Clinton’s email practices horrify them, as is proper. They can see no distinction between the “extreme carelessness” with which FBI Director James Comey tagged her, and the “willful negligence” requirement for being charged under the National Security Act and the the Espionage Act. The notion that she should be allowed to go scot free appalls them, when they know that anyone else who’d done the same things would rot in prison for it. It makes a mockery of our beliefs about personal responsibility, justice, and of course the Rule of Law.

     Which, should Mrs. Clinton, demonstrably the most corrupt person ever to have attained a federal office, be elected president, might make “We Were Extremely Careless” a fitting epitaph for the United States of America.


Roy Lofquist said...

When I signed my security agreement it was 18 pages long. There were 17 original copies. Each page had to be signed individually. My signature went from a mildly aesthetically pleasing Palmer style to an illegible scrawl that has been with me for more than half a century.

Francis W. Porretto said...

I know, a pain in the ass, wasn't it?

0007 said...

And don't forget that you typically had to go through a short-form re-brief/review every year AND be completely re-vetted every five years. Hell, the year I was retiring from State, I had to go through the security update on the long form(took 102 pages on the computer print-out - I still have my copy) because it was time for my five year review.

Anonymous said...

I have told all who will listen that if I had handled CI like she did I'd still be making little ones out of big ones. Oh.. and no pension for that time either. But she gets off completely and will live on our dime to a great extent the rest of her life.