You can argue about the effectiveness of the United States’ national security classification program, but there’s no disputing one point: Keeping secrets costs money—lots of it.
Last year, executive branch agencies shelled out an estimated $11.4 billion on classified information systems and other facets of the program, according to an annual report released this week by the Information Security Oversight Office, a branch of the National Archives and Records Administration.
That’s up 12 percent–or $1.2 billion–from 2010, and more than double the figure from a decade ago. The actual tab to taxpayers is likely much higher, because the report doesn’t include spending by the CIA, the National Reconnaissance Office and four other agencies that do almost all of their work in secret. Their estimates are provided in a classified addendum to the public portion of the report.
ISOO doesn’t speculate on possible reasons behind last year’s double-digit percentage increase, but one obvious suspect is the government’s response to the massive WikiLeaks breach, which became known starting in mid-2010. Spending on “protection and maintenance for classified information systems,” for example, shot up 20 percent last year to $5.65 billion. The cost of physical security also ballooned by more than 20 percent to $1.74 billion. Interestingly, though, estimated agency spending on personnel security dropped 10 percent to about $1.4 billion.
At the National Archives’ Information Security Oversight Office, they were celebrating today’s release of a first-ever registry for controlled unclassified information, as the government describes records deemed worthy of some protection but not outright classification as secret, top secret, etc.
Although a lot of work remains, the new registry “is certainly an important milestone,” John Fitzpatrick, the office’s director, said in a phone interview this morning.
To date, agencies have pretty much been winging it in deciding what should fall under the CUI umbrella and what to call it (Examples include “Sensitive,” Law Enforcement Sensitive,” and “For Official Use Only”). In 2009, a presidential task force counted 117 different markings and concluded that executive branch performance “suffers immensely from interagency inconsistency” in the CUI arena.
The upshot was an executive order from President Obama that basically told the government to get its act together. The registry released today won’t change anything immediately; as the web site notes, the status quo remains in effect until a new yet-to-be-decided marking regimen takes effect. But it does break CUI down into 15 subject categories, such as law enforcement, immigration and privacy, followed by 85 subcategories (“privacy-contract use,” privacy-financial,” and so on.) It also justifies each with a reference to a specific law, regulation or government-wide policy.
“So far, so good I think,” said Sharon Bradford Franklin, senior counsel with The Constitution Project, one of a number of open government advocates that have been providing input to the government. She praised the oversight office for its work in finding a legal basis for each CUI grouping, but voiced concern with guidelines that restrict dissemination of CUI “only to individuals who require the information for an authorized mission purpose.”
“Require” seems a bit strong, Franklin said. “Going forward, I want to make sure that the instructions on dissemination and safeguarding aren’t unduly restrictive and that we’re promoting information-sharing as much as possible.”
As of today, the Information Security Oversight Office has a new director in the person of John P. Fitzpatrick, a former top security official at the Office of the Director of National Intelligence.
ISOO, part of the National Archives and Records Administration, is a small but critical cog in oversight of the government’s security classification system. The agency has also been charged with bringing order to the mishmash of agency approaches for handling controlled unclassified information.
“A strong advocate for information sharing and protection, he has demonstrated his ability to lead and oversee change both within and beyond the intelligence community throughout his career,” Archivist David Ferriero told NARA staff in announcing Fitzpatrick’s appointment. The announcement was posted on the Secrecy News blog of the Federation of American Scientists, where Steven Aftergood wrote that Fitzpatrick is taking over at “at a particularly crucial moment in secrecy policy.”
Fitzpatrick succeeds William Bosanko, who was promoted in March; William Cira, ISOO associate director for classification management, has been filling in.
Fitzpatrick formerly served as assistant deputy director of National Intelligence for Security at ODNI and previously headed the agency’s special security center, according to his official bio. He has also worked at the CIA and the National Reconnaissance Office.
A Senior Executive Service member, Fitzpatrick has a bachelor’s degree in economics and psychology from the College of William and Mary.
It appears that the Obama administration trusts the nation’s governors to keep a secret.
In a newly issued executive order on access to classified national security information, the administration said that governors can see such information without undergoing a background investigation, but first have to sign a non-disclosure agreement and can’t have any “disqualifying conduct” in the eyes of the clearance-granting official. Their clearances also can’t go beyond the “Secret” level, except on a case-by-case basis.
“To my knowledge, this is a new provision,” said Steven Aftergood, a government secrecy expert at the Federation of American Scientists who noted it on his blog Monday.
Prior to the the issuance of last Wednesday’s executive order, “there was no written policy specific to access by governors,” confirmed William Bosanko, director of the Information Security Oversight Office, a part of the National Archives and Records Administration that oversees the classification system. But the order incorporates long-standing practice under which governors were considered “inherently trustworthy” by virtue of their jobs and thus did not require a background investigation for access to classified information, Bosanko said.
A National Governors Association spokeswoman had no further information.
In case you were wondering, incidentally, members of Congress are also considered “inherently trustworthy,” but don’t have to sign non-disclosure agreements, according to a Congressional Research Service report. House members instead have to swear to avoid any unauthorized disclosures of classified information. The Senate apparently imposes no such obligation on its members, the report says.
[Updated Aug. 24 at 10:05 a.m. to reflect the National Governors Association response and at 1:41 p.m. with Bosanko comments.]