I Overview: Protecting Secrets and Reducing Secrecy Commission Purposes and Objectives Congress established the Commission on Protecting and Reducing Government Secrecy in Title IX of the Foreign Relations Authorization Act for Fiscal Years 1994 and 1995 (Public Law 103-236) to make "comprehensive proposals for reform” that are designed "to reduce the volume of information classified and thereby to strengthen the protection of legitimately classified information," as well as to improve existing personnel security procedures. In meeting these objectives, the Commission seeks to promote both the effective protection of information where warranted and the disclosure of information where there is not a well-founded basis for protection or where the costs of maintaining a secret outweigh the benefits. From the beginning of the American republic, and especially over the past half century, a tension has existed between the legitimate interest of the public in being kept informed about the activities of its Government and the legitimate interest of the Government in certain circumstances in withholding information; in short, between openness and secrecy. This report analyzes the grounds for this tension and suggests means for reconciling the dual "protecting" and "reducing" objectives that are part of the Commission's name and authorizing statute. It is essential to define the appropriate spheres of protecting and reducing secrecy to avoid perpetuating a system that was identified more than forty years ago as "so overloaded that proper protection of information which should be protected has suffered" and one in which "the mass of classified papers has inevitably resulted in a casual attitude toward classified information, at least on the part of many." The challenge of reducing secrecy overall and protecting secrets more effectively has increased since that time with the broadening reach of national security concerns. Even as the Freedom of Information Act (FOIA) has created a means for the public to obtain government information, consistent with security requirements, the reach of government secrecy has expanded in line with broadened conceptions of what must be protected in the name of national security. Moreover, although the current executive order on classification places a greater burden on those who seek to classify information, existing incentives still tend to promote secrecy over openness. The result today is a system which neither protects nor releases national security information particularly well. Substantial concerns exist with respect to both the ability of the classification system to protect secrets effectively and the adequacy of the procedures in place to make information available to those outside the Government. In part, this is because the protection of government secrets and the reduction of government secrecy too often have been viewed as competing objectives, instead of being seen as able to reinforce one another when practiced effectively. This Commission is the first body established by Congress to examine government secrecy in four decades. The only prior body created by statute, the Commission on Government Security, was established in 1955 and issued its final report in 1957. Other commissions and task forces have examined elements of the security system; the most significant of these are described in Appendix G. Some of these previous bodies concluded that incremental changes to the classification system and other security procedures would suffice, while others—most notably the Seitz Task Force of the Defense Science Board in 1970-proposed broader reforms. Several also addressed the problems that arise from inadequate protection of classified information by government officials. In each case, however, any changes that followed did not alter significantly the basic structure and underpinnings of the security system that developed primarily during the early years of the Cold War. (Although implementation of the recommendations made three years ago by the Joint Security Commission is still an ongoing process, most of the changes made concern specific security practices and procedures; they have little consequence for those outside of government, aside from industrial contractors, and have not affected the functioning of the system overall.) Indeed, the central finding of the Commission on Government Security that there existed a "vast, intricate, confusing and costly complex of temporary, inadequate, uncoordinated programs and measures designed to protect secrets and installations vital to the defense of the Nation against agents of Soviet imperialism" still rings true today. Many of those programs and measures have proven to be anything but “temporary," however, remaining in place even as the overarching threat to U.S. security posed by the Soviet Union and its ideological supporters within the United States dissipated and gave way to a new set of very different and less monolithic security challenges. To a significant degree, and despite the various studies and a succession of executive orders on classification, today's system remains deeply rooted in the concepts and principles examined thoroughly by the Commission on Government Security four decades ago. This is particularly striking in view of the National Security Agency's release, beginning in July 1995, of the VENONA intercepts describing Soviet espionage in the United States during the 1940s. Those documents provide historians with a new opportunity to analyze the Commission on Government Security's conclusion that "the Communist threat is both real and formidable." They also reveal how far the United States has come from an era of espionage activities based mainly on ideological motives. Yet even as the global Communist threat is now being analyzed as a historical phenomenon, the security classification and personnel security system that grew up largely in response to it has yet to adapt to new realities. The revolution in information technology, which has changed the landscape of how the government creates, manages, and protects its information, accentuates this failure of the system to adapt. The estimation that the amount of available information in the United States will grow nineteen times between 1992 and 2000 highlights both the opportunities and the challenges in the years to come. The United States possesses the world's most highly connected and at the same time most vulnerable information infrastructure; a denial or disruption of service could have a significant negative impact, not only on the protection of classified national security information, but more broadly on the functioning and credibility of the Federal Government as a whole. Moreover, as more records are created and distributed electronically, it will be essential to focus additional attention on how to prevent information from being manipulated or modified in a manner that would alter its basic content or render it unavailable— problems that were much less likely to arise in a "paper-based" world. In light of these varied new challenges, this report also describes key information security issues which relate to both the "protecting" and the "reducing" elements of the Commission's charter. Secrecy Issues Not Addressed by the Commission In view of the breadth of its title, the Commission also had to decide which issues relating to government secrecy not to address. First, the Commission did not try to examine every facet of the security system. For example, the report does not discuss the myriad of physical and technical security measures used to safeguard information, ranging from facilities protection to document control to operations security requirements. Many of these were addressed in the Joint Security Commission's 1994 report and several of the changes recommended in that report have since been reviewed within the interagency Security Policy Board structure (although the implementation record to date has been mixed). Nor does this report detail how secrecy is maintained in the Legislative and Judicial Branches (for example, through secrecy oaths and disclosure orders), except in areas that relate to the classification, declassification, personnel security, and information systems security criteria and procedures developed by the Executive Branch. The report also does not examine the impact of various government security requirements on the private sector-including patent, trade secret, and other invention secrecy rules, and export control laws and regulations—except where they relate directly to the protection of government secrets. The Commission also does not address certain issues that, while obviously related to government secrecy, are best considered in the context of a broader examination of intelligence roles and missions. Thus, the appropriate status of the U.S. intelligence budget, role and conduct of covert actions, procedures for intelligence sharing with allies and international organizations, and relationship between intelligence and law enforcement objectives are not addressed in this report. These were among the matters reviewed in the past year by the Commission on the Roles and Capabilities of the United States Intelligence Community in its report, Preparing for the 21st Century: An Appraisal of U.S. Intelligence, by task forces on intelligence reform organized by the Council on Foreign Relations and Twentieth Century Fund, and in the report of the House Permanent Select Committee on Intelligence, IC21: Intelligence Community in the 21st Century. This Commission has explored government secrecy by analyzing the basic policies and procedures through which it is developed and maintained—not by examining particular secret operations. Finally, the Commission has drawn a distinction between "secrecy" and "privacy." In The Torment of Secrecy (originally published in 1956 and reissued last year with an Introduction by Chairman Moynihan), Edward A. Shils contrasted "secrecy," which he defined as "the compulsory withholding of knowledge, reinforced by the prospect of sanctions for disclosure," from "privacy," which he termed "the voluntary withholding of information reinforced by a willing indifference.” The report does not analyze the requirements of the Privacy Act of 1974 nor evaluate the balancing of governmental policies and individual rights, although it does cite privacy interests in discussing subjects such as personnel security procedures and the difficult effort to attempt to develop an updated encryption standard. Defining Government Secrecy Scholars have struggled with the general concept of secrecy for centuries. Philoso- "Three may keep a secret if two of them are dead." There is nothing particularly unique about the general means by which the U.S. Government seeks to ensure effective protection of its secrets. The process rests on three pillars. First, an official must identify what information is to be kept secret and then the means for maximizing the likelihood that it will remain secret; in short, the rules for classification and physical security. As the universe of those with whom the information is communicated increases, however, so does the likelihood of an unwanted disclosure. Thus, the second pillar of effective secrecy is to ensure that the secret is shared only with those viewed as trustworthy: a combination of personnel security rules and the principle of "need-to-know." Finally, as Shils's definition reflects, there is a third pillar: rules that those who breach the commitment to maintain secrecy will be subject to some type of sanction. In the context of protecting national security information, this means enforcement through the espionage laws as well as through applicable administrative procedures. Benjamin Franklin Where any one of these pillars is weak or otherwise not utilized effectively, the The Means for Protecting Government Secrets Five major categories of information are protected through some form of government secrecy: (1) national defense information, encompassing military operations and weapons technology; (2) foreign relations information, including that concerning diplomatic activities; (3) information developed in the context of various law enforcement investigations; (4) information relevant to the maintenance of a commercial advantage (typically proprietary in nature); and (5) information pertaining to personal privacy. Of these, the first two categories together define the sphere of "national security information" covered by security classification executive orders and are the primary subjects of this Commission's inquiry. The U.S. Constitution includes only one explicit reference to "secrecy,” and it concerns procedures of the Congress, not the Executive Branch. Article I, section 5 provides "Each House shall keep a journal of its Proceedings, and from time to time publish the same, excepting such Parts as in their Judgment require Secrecy." The authority of the Executive Branch to maintain secrecy has been based in part on four statutes: the Espionage Act, the National Security Act, the Atomic Energy Act, and the Freedom of Information Act. Nevertheless, as it has developed in the United States over the past eight decades, government secrecy can be understood best as a form of government regulation. With the exception of the procedures for classifying “nuclear-related information” under the Atomic Energy Act and protecting intelligence "sources and methods" under the National Security Act, the mechanics for protecting national security information have evolved through a series of executive orders. Over the past half century, the Congress has played only a limited role in any consideration of how the system should function, limiting itself to occasional oversight hearings. The Executive Branch has assumed the authority both for structuring the classification system and for deciding the grounds upon which secrets should be created and maintained. Thus, what commonly is referred to as "government secrecy" more properly could be termed "administrative secrecy" or "secrecy by regulation." The series of six executive orders since 1951, however, does not represent the full range of secrets protected through some form of regulation. A great deal of information is protected by the Government outside the formal national security classification system. One especially confounding matter has been the uncertain scope of "sensitive unclassified information": information not meeting the criteria for classification but that is considered by the Government to warrant some form of protection. This category (or, more accurately, categories) of information has remained difficult to define, in part because of the greatly varied rationales used to justify its protection. In 1971, a House subcommittee found no fewer than 62 different control markings being used to restrict the distribution of sensitive unclassified information. Use of these markings was not linked to any explicit statutory authority. In fact, unlike the tiers of Confidential, Secret, and Top Secret security classification, they also were not expressly authorized by executive order. The Commission's own inquiry reveals that, |