We come, at endlessly-long last, to the final set of recommendations in the Review Group report: the recommendations in Chapter VIII, which deal with “Protecting What We Do Collect.”
I tend to agree with Carrie Cordero that these recommendations are some of the more important, if some of the less discussed, suggestions in the document. And I am, generally speaking, sympathetic to the gist of what the Review Group is proposing here: greater government focus on, and rationality about, information security so that future Edward Snowdens and Bradley Mannings cannot simply walk off with large quantities of sensitive material. Like much of the report, Chapter VIII sweeps very broadly at the expense of detail, so it leaves things pretty vaguely thematic. That said, the themes seem, broadly speaking, just about right.
Recommendations #37-40 deal with reform of the security clearance system. Recommendation #37 suggests having background checks done only by US government employees or non-profit entities—not by for-profit contractors. Recommendation #38 suggests more ongoing review of cleared personnel, rather than the current system of updates every few years. Recommendation #39 urges more differentiated access, so that people like Snowden—a systems administrator—can do his job without access to a whole lot of underlying information. And Recommendation #40 suggests a technical system in which employees get assigned an “access score” based on the volume of sensitive material to which they have access and that the degree of scrutiny the government gives them should rise in proportion to that score. These approaches seem sensible, though the Review Group leaves what may be a more important idea than any of these to its explanatory text: Having fewer people cleared at the highest levels to begin with. The government, it says, “should review in detail why so many personnel require clearances and examine whether there are ways to reduce the total. Such a study may find that many of those with Secret-level clearances could do with a more limited form of access.”
There is, of course, an important corollary to this very important idea—one the Review Group does not mention: If the government wants fewer people cleared to keep its secrets, it needs to be more disciplined about what information it defines as secret in the first place. A great deal of material that is now classified, particularly at the lower levels, should not be classified. The more material the government defines as requiring protection, the more people it needs to have cleared to protect it. Their clearances, in turn, give them access to material that actually is sensitive. If everything is secret, as the old saw goes, then nothing is secret. One of the most important things the government could do to prevent future Snowdens is to be far more disciplined about defining what it needs to protect in the first place—and thereby reducing the number of people who need clearances in order to protect that material.
Recommendation #41 reflects another important idea: that “the ‘need-to-share’ or ‘need-to-know’ models should be replaced with a Work-Related-Access model, which would ensure that all personnel whose role requires access to specific information have such access, without making the data more generally available to cleared personnel who are merely interested.” The “need to share” idea was important as a response to information stove-piping prior to September 11, but it has gone too far and it creates real security risks of its own. There’s no good reason for a Manning to have access to hundreds of thousands of State Department cables. Agencies need to be disciplined about assigning access based on genuine need—giving that access when it’s appropriate but not defaulting to an information control model in which everyone cleared at a certain level gets everything classified at that level that might interest her.
Recommendations #42-45 deal with improving network security on classified networks. Recommendation #42 suggests that government networks should use the best available cyber security systems and should have procedural protections against internal and external threats. Along the same lines, Recommendation #43 urges that Executive Order 13587—which deals with the security of classified networks—should be fully implemented as soon as possible. Recommendation #44 suggests that the national security principals should review network security annually and should have a “Red Team” give an independent second opinion on the matter. Recommendation #45 suggests greater use of access- and rights-management software and more logical separation and air-gapping of networks and their components so that it is physically harder to walk away with data. It is hard to disagree with any of this.
Finally, Recommendation #36 suggests greater use of cost-benefit and risk-management analysis—a suggestion that operates at such a high level of altitude I am not sure I understand what it would mean in practice. But sure. It’s good to think strategically.
Chapter VIII, like a lot of the report, lives at a high altitude in general, but as I say, the themes are right and sensible. These are not the themes that are generating the political clamor to which President Obama will on Friday publicly respond. But he would do well to use the Review Group report to give the security bureaucracy a hard kick in the butt on these matters internally. They warrant attention and action.
Having now commented on every single recommendation within the Review Group report, I’m going to wrap up this series with a single additional post offering my own high-altitude comments on the report as a whole.