REDEFINING SECURITY

A Report to the Secretary of Defense and the Director of Central Intelligence

February 28, 1994

The Honorable William J. Perry
The Honorable R. James Woolsey

Dear Sirs:

1. Pursuant to your request, the Joint Security Commission was convened on June 11, 1993. The Commission was guided by your direction to develop a new approach to security that would "assure the adequacy of protection within the contours of a security system that is simplified, more uniform, and more cost effective."

2. This report presents the recommendations of the Joint Security Commission to achieve these objectives and to redefine security policies, practices and procedures. The report describes the threats to our nation's security and lays out a vision the Commission believes will shift the course of security philosophy. We also propose a new policy structure and a classification system designed to manage risks better, and we outline methods of improving government and industry personnel security policies. We offer recommendations on developing new strategies for achieving security within our information systems, including protecting the integrity and availability of both classified and unclassified information assets, and we call for a new approach to capture security costs. We provide recommendations for linking traditional physical and technical countermeasures to threat. We believe that implementation of these recommendations will result in a security system that will meet the evolving threat while being fairer, more coherent, and more cost effective.

3. In reaching its conclusions and recommendations, the Commission drew upon the perspectives of policymakers, Congress, the military, industry, and public interest groups. Although our charter was limited to a review of the Intelligence and Defense Communities, we found that many of the problems and solutions have government-wide implications. In those instances where we believe that a government-wide solution is the best answer, we have offered recommendations to that effect.

4. This report represents months of work by the Commissioners, our staff, and a vast number of citizens both in and out of government, who graciously gave us their time and comments. On behalf of the Commission, I would like to thank all who contributed to this effort and to give special recognition to our superb staff, headed so ably by Dan Ryan. Ultimately, of course, the Commissioners bear full responsibility for the analysis and recommendations contained herein.

5. As you have directed, the Commission will remain in place until June 1, to assist in the implementation of our recommendations. We look forward to working with you to achieve the objectives you have laid before us.

Very respectfully,

Jeffrey H. Smith

Attachment

EXECUTIVE SUMMARY

The world has changed dramatically during the last few years, with profound implications for our society, our government, and the Defense and Intelligence Communities. Our understanding of the range of issues that impact national security is evolving. Economic and environmental issues are of increasing concern and compete with traditional political and military issues for resources and attention. Technologies, from those used to create nuclear weapons to those that interconnect our computers, are proliferating. The implications and impacts of these technologies must be assessed. There is wide recognition that the security policies, practices, and procedures developed during the Cold War must be changed. Even without the end of the Cold War, it is clear that our security system has reached unacceptable levels of inefficiency, inequity, and cost. This nation must develop a new security system that can meet the emerging challenges we face in the last years of this century and the first years of the next.
With these imperatives in mind, the Joint Security Commission has focused its attention on the processes used to formulate and implement security policies in the Department of Defense and the Intelligence Community. In reviewing all aspects of security, the Commission has been guided by four principles:
The recommendations of the Commission, presented in detail in this report, fall mainly into three categories:
In a very few cases - most notably concerning personnel security and information systems security - the Commission is recommending additional security requirements that will increase costs. The Commission's recommendations also include changes that are revenue neutral but will make the security system both more rational and inherently more fair. Although the Commission is recommending certain specific changes, the primary concern of the Commission is to create new and flexible processes that will adjust security policies, practices, and procedures to achieve our stated goals as the political, economic, and military realities evolve.

In the past, most security decisions have been linked one way or another to assumptions about threats. These assumptions frequently postulated an all-knowing, highly competent enemy. Against this danger, we have striven to avoid security risks by maximizing our defenses and minimizing our vulnerabilities. Today's threats are more diffuse, multifaceted, and dynamic. We also know that some vulnerabilities can never be eliminated fully nor would the costs and benefits warrant trying. While the Commission recognizes that the consequences of some security failures are exceptionally dire and require exceptional protection measures, in most cases it is possible to balance the risk of loss or damage of disclosure against the costs of countermeasures. We can then select a mix that provides adequate protection without excessive cost in dollars and without impeding the efficient flow of information to those who require ready access to it.

The Commission believes that the nation must develop a security framework that will provide a rational, cost-effective, flexible set of policies, practices, and procedures. This framework must use a risk management approach that considers actual threats, inherent vulnerabilities, and the availability and costs of countermeasures as the underlying basis for making security decisions.
Risk management requires evaluating the resource impact of proposed changes in security policies and standards. This is practically impossible with today's accounting systems because they are not designed to collect security cost data. The Commission believes that establishing a system to capture security costs is crucial to effective streamlining and cost reduction. Therefore, we have recommended the creation of a uniform cost-accounting methodology and tracking system for security resources expended by the Department of Defense, the Intelligence Community, and supporting industry.

The Commission believes two areas require particular attention. First, personnel security lies at the very heart of our security system. No amount of physical, information systems, or procedural security will be sufficient if we cannot ensure the trustworthiness of those who must deal with sensitive and classified information. Grave damage has been caused to the United States by current or former employees and contractors of the government who decided to become spies for our adversaries. Therefore, the Commission believes that renewed efforts must be made to strengthen our personnel security system. The Commission also recognizes the necessity for enhancing the training we provide security officers, managers, and workers in the importance of security and of their roles in protecting the nation's information assets.

The processes we use to clear personnel in the Defense and Intelligence Communities vary widely from agency to agency. Different standards are applied by different agencies; clearances are not readily transferable; and the time to grant a clearance ranges from a few weeks in one agency to months in others. Accordingly, we recommend common standards for adjudications and a joint investigative service to standardize background investigations and thus take advantage of economies of scale.

Second, information systems security requires increased attention. Productivity is, in today's world, directly related to information systems and their connectivity. The Defense and Intelligence Communities are increasingly dependent on information systems in performing their complex missions on behalf of the nation. Information systems technology is, however, evolving at a faster rate than information systems security technology. Overcoming the resulting gap will require careful threat assessments, well-thought-out investment strategies, sufficient funding, and management attention if our computers and networks are to protect the confidentiality, integrity, and availability of our classified and unclassified information assets.

The Commission believes that a systems approach is necessary in making decisions about the application of security countermeasures. By placing all the responsibility for security on each of the security disciplines, we have created requirements for multiple layers of security that add little value. This is particularly apparent in physical security, where classified documents may be stored in locked containers inside locked strong rooms within secure buildings in fenced facilities patrolled by armed guards - overkill even at the height of the Cold War, much less in today's security environment. A risk-managed systems approach would tailor countermeasures to threat and should result in significant savings that could be applied to improving personnel and information systems security, or to maintaining or improving other areas directly related to successful performance of defense and intelligence missions.

Nowhere will the payoff from improving our security policies, practices, and procedures be higher than in the industrial base supporting the Defense and Intelligence Communities. Our current practices subject industry to a bewildering array of requirements that are compliance-based, inconsistent, and often contradictory. Security requirements imposed on industry far exceed the requirements used by government agencies and organizations to protect the same information. While some budgetary and proprietary information must be withheld from some contractors in order to preserve competition, the Commission has found little reason to treat industry differently from government for security purposes. We must create a partnership between government and industry to enhance security, leaving adversarial roles behind. The Commission also believes that our security policies must not unnecessarily discourage foreign investment in American companies nor unduly burden our industrial base in competing for a larger share of the world's markets.

Central to the Commission's recommendations is the immediate formation of a single organization - a security executive committee chaired by the Secretary of Defense (or his designee) and the Director of Central Intelligence - responsible for the creation of security policies and overseeing the coherent implementation of those policies across the Defense and Intelligence Communities. This committee would not, of course, supplant the existing statutory authorities of the Secretary of Defense and the Director of Central Intelligence, including the latter's responsibility to protect sources and methods. This committee would, however, replace numerous existing fora that today independently develop security policies and procedures that are often inconsistent and are sometimes contradictory. A single source for security policies should result in reciprocity with consequential reductions in cost and improvements in efficiency. Although it is outside the scope of our charter, the Commission also believes that this committee should, in the very near future, be expanded by the addition of representatives from other government departments and agencies and given the responsibility to formulate governmentwide security policies. The committee, which should report to the National Security Council, should oversee the security system and have an outside advisory panel of distinguished Americans to ensure that industry, academia, and public interest groups have a voice in the formulation of security policies.

To facilitate the formulation, implementation, and oversight of security policies, practices, and procedures, the Commission proposes a radical new classification system that greatly simplifies the current system and eliminates the subjectivity inherent in it. The Commission worked closely with the Task Force revising Executive Order 12356 on National Security Information in analyzing possible changes and their impacts, and determined that a single level of classification with two degrees of protection should be adopted. Most classified information would be protected using a coherent set of personnel, physical, information systems, and procedural security standards and would be based on discretionary need-to-know as currently practiced for Confidential and Secret materials. Highly sensitive information, such as that protected at the Top Secret, Sensitive Compartmented Information, or Special Access Program levels today, would be protected by using a more stringent set of standards and would be based on centrally managed need-to-know determinations. Application of this system will be founded on risk management rather than complete avoidance of all risk and would concentrate on security as a service to our communities in place of the compliance-based, punitive approach in use today.

The Joint Security Commission is pleased to present its recommendations for the creation of an improved process for the formulation, management, and oversight of security policies, practices, and procedures. We believe that implementation of this process and the coherent application of its results should ensure that security countermeasures are chosen to match the evolving threat and that inefficiencies and costs are minimized. The resulting security system would treat people fairly and provide a balanced mix of security needed to protect our information assets, facilities, personnel, and our nation's interests.

JOINT SECURITY COMMISSION

Commissioners: Jeffrey H. Smith, Chairman

Staff: Dan J. Ryan, Executive Secretary, CIA

Secretarial and Clerical Support: Barbara Dever, CIA

TABLE OF CONTENTS

CHAPTER 1. APPROACHING THE NEXT CENTURY
CHAPTER 2. CLASSIFICATION MANAGEMENT
CHAPTER 3. THREAT ASSESSMENTS - THE BASIS OF SMART SECURITY DECISIONS
CHAPTER 4. PERSONNEL SECURITY - THE FIRST AND BEST DEFENSE
CHAPTER 5. PHYSICAL, TECHNICAL, AND PROCEDURAL SECURITY
CHAPTER 6. PROTECTING ADVANCED TECHNOLOGY
CHAPTER 7. A JOINT INVESTIGATIVE SERVICE
CHAPTER 8. INFORMATION SYSTEMS SECURITY
CHAPTER 9. THE COST OF SECURITY - AN ELUSIVE TARGET
CHAPTER 10. SECURITY AWARENESS, TRAINING, AND EDUCATION
CHAPTER 11. A SECURITY ARCHITECTURE FOR THE FUTURE

APPENDIXES
A. Statement of Commissioner Lapham on Secrecy Agreements
B. Statement of Commissioner Chayes on Procedural Safeguards
C. Statement of Commissioner Lapham on Polygraph