Where Does Classified Information Come From?

White House Logo

September 29, 2013 | Posted in CIA, Classified Information, Department of Defense, Department of State, DIA, Director of National Intelligence, EO 13526, Intelligence, Leaks, NSA | By

White House Logo

White House Logo

Given the recent huge leaks of classified information by Mr. Snowden, and the large volume of press reporting resulting from it, I was struck by some of the comments by politicians and journalists about the ‘over classification’ of information by elements of the executive branch or the excessive amount of information classified by the United States government.

Since most Americans have no direct experience with generating or handling classified information as part of their daily lives, I thought I’d cover some of the basics of the subject and hopefully lend a little knowledge and background information as food for thought.

The first thing you should know is that the high level guidance for classifying information is not classified at all.  That’s right, the basic instructions and guidelines are completely unclassified and available to anyone if you do a little digging.  In fact, the guidance comes from the President as an Executive Order, which is binding on all executive branch departments and agencies, including all elements of the Defense Department (which includes the DIA and the NSA) and all sixteen agencies/elements of the Intelligence Community (the CIA, the Department of Energy, etc).

All of the recent Presidents: Regan, Bush, Clinton, Bush, and Obama have issued Executive Orders laying out the rules for determining what can be considered classified national security information, and in my experience, those rules have not substantially changed the basic guidelines or criteria for determining what information to classify.  They have altered the length of time information can remain classified, as well as some of the review timelines, but that’s about all.

The current Executive Order, EO 13256, entitled ‘Classified National Security Information’ was signed by Barack Obama on December 29, 2009 and remains in force.

In order to start classifying information, you need to know a few things:  What levels of classification are there, who is allowed to classify information, and what information should be classified.

Classification Levels

No surprises here, you’ve all heard or seen them in the movies, but I’m listing them along with the definitions because these are the only classification levels in use by the U.S. Government (unless some statute creates others) and the definitions are key to allowing a classification authority to make a decision about which level a piece of information should be classified at.

  • “Top Secret” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe
  • “Secret” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe
  • “Confidential” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe

A key takeaway here is the last phrase in each definition: ‘that the original classification authority is able to identify or describe’.  No parlor games or hidden items here.  The damage that may result has to be able to be identified and described in writing by the classifying authority, otherwise known as the Original Classification Authority.

Who Can Classify Information?

If you think any government official or employee of the government can classify information just to keep it from the public, you are misinformed or have made a poor assumption.  The real world is not what Hollywood or the more conspiracy minded among us might think.

EO 13256 establishes two classification authorities – Original Classification Authority and Derivative Classification Authority.

Original Classification Authorities (OCA) are the President, Vice President, Agency and Department heads designated by the President, and U.S. Government Officials delegated in writing.  These Officials are usually General Officers in the military or Senior Executive Service level civilians in the civil service, not front line worker bees or managers.  Once they have been trained (yes they Order requires that they be trained), an OCA can make decisions, in writing, about exactly what information their department or agency creates should be classified.  To make those decisions, they must apply and adhere to the criteria described in the President’s Order (more on that in a bit).  Out of the entire federal workforce of 2.2 million people in 2012, only 2,326 were OCA.

A Derivative Classification Authority (DCA) is one of those worker bees or managers in an organization or entity who might create a document, power point slide, or some other material that would need to be classified.  They work solely off the written decision of the OCA discussed earlier.  They do not get to decide what is classified at which level, they must follow the written guidance they have received from the OCA.

What Information Gets Classified?

Under the President’s Order, information can only be classified if it meets ALL of the following criteria:

  • An original classification authority is classifying the information
  • The information is owned by, produced by or for, or is under the control of the United States Government
  • The information falls within one or more of the categories of information listed in the order
  • The original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage.

Moreover, the Order also states that “If there is significant doubt about the need to classify information, it shall not be classified.”

The categories of information the Order allows an OCA to classify are:

  • Military plans, weapons systems, or operations
  • Foreign government information
  • Intelligence activities (including covert action), intelligence sources or methods, or cryptology
  • Foreign relations or foreign activities of the United States, including confidential sources
  • Scientific, technological, or economic matters relating to the national security
  • United States Government programs for safeguarding nuclear materials or facilities
  • Vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to the national security
  • The development, production, or use of weapons of mass destruction

Note that under the order, you are not permitted to classify information for political purposes (i.e. claiming ‘national security’ when you are covering up a crime like Nixon did), to hide crimes or malfeasance, or simply because you don’t want to share information with the public.  In our system, it meets the criteria or it doesn’t get classified.

An Example

That’s quite a bit to take in quickly, so lets walk through a simplified practical example.  For the next five minutes, we’ll assume I’ve been appointed Secretary of Defense.  Consequent to my appointment, The President appoints me in writing as an OCA.

Soon after, the Commander of  Central Command walks into my office to inform me that he’s able to track the movements of the terrorist Usama bin Bad Guy.  Bad Guy calls his wife every day at noon to check in with her and he often tells her where he is, and CENTCOM has the ability to monitor the phone calls using NSA’s SIGINT capabilities.  Since Bad Guy is planning terrorist operations in Europe and the U.S., the CENTCOM Commander wants to capture or kill Bad Guy before he can carry out his plans.

Obviously, I need to give the Commander some guidance on classifying some important national security information.

First of all, does the information meet all four criteria?  Yes.  The President appointed me as an OCA, the information is produced and under the control of the U.S. Government (the DoD), it all falls within two of the categories of information that can be classified (military plans and operations and intelligence), and as the new Secretary of Defense, I’ve determined that disclosing the information may damage national security.

So here are the results of my classification decisions as an OCA, in writing for the CENTCOM Commander:

The fact that we can track Usama bin Bad Guy’s movements will be classified TOP SECRET

The fact that NSA & CENTCOM can monitor Usama bin Bad Guy’s phone calls will be classified TOP SECRET

Any information about Bad Guy’s terrorist plans in Europe or the U.S. will be classified SECRET

The CENTCOM operations to capture or kill Bad Guy will be classified TOP SECRET

This written listing forms the Classification Guide that CENTCOM and all other subordinate elements of the DoD will follow.  The practical effect of this is that all military and civilian personnel will now use this guide to exercise their Derivative Classification Authority under EO 13256 to classify any information about Bad Guy’s movements, the content of his phone calls, his evil plans for Europe and the U.S., and the CENTCOM operations to stop him.

Depending on how long Bad Guy keeps calling his wife, and CENTCOM takes to plan and execute operations to capture or kill Bad Guy, hundreds or thousands of documents containing classified information may be generated, from just this one activity alone.

How Many Classified Documents Are There?

According to the National Archives’ Information Security Oversight Office’s 2012 Annual Report, which covers all U.S. Government executive branch agencies, the 2,326 OCA’s made 73,477 original classification decisions.

The employees across the government who create and handle classified material made 95,180,243 derivative classification decisions during that year.  That seems like a large number, but given the proliferation of office automation technologies and computer networks, you need to remember than every e-mail, every word or power point document, or field or record in a database is counted because it was subject to a derivative classification decision.

Moreover, given the wording in the report, (i.e. decisions versus documents) you should remember that decisions themselves may not equate to just an individual ‘document’.  One derivative classification decision on a paragraph in a twenty page word document can result in twenty classified pages because of the procedures used when classifying the whole document.  Each classified page may be counted as one ‘classification decision’ based on the instructions issued by that organization to comply with the National Archives annual need.  Having been part of some of the counting that happens once a year, I can tell you that the number of decisions is a reasonable benchmark, but probably under counts the actual number of classified items (call them documents, pages, or whatever you like) created due to the counting method in use  and the usual bureaucratic processes in government.

Surprisingly, the Department of State made the most original classification decisions in FY 2012 – 39,770, while the Department of Defense only made 19,121.

Hopefully, you now have a better understanding of how classified information is generated by the government and why there is so much of it.

Read More →