Given the recent huge leaks of classified information by Mr. Snowden, and the large volume of press reporting resulting from it, I was struck by some of the comments by politicians and journalists about the ‘over classification’ of information by elements of the executive branch or the excessive amount of information classified by the United States government.
Since most Americans have no direct experience with generating or handling classified information as part of their daily lives, I thought I’d cover some of the basics of the subject and hopefully lend a little knowledge and background information as food for thought.
The first thing you should know is that the high level guidance for classifying information is not classified at all. That’s right, the basic instructions and guidelines are completely unclassified and available to anyone if you do a little digging. In fact, the guidance comes from the President as an Executive Order, which is binding on all executive branch departments and agencies, including all elements of the Defense Department (which includes the DIA and the NSA) and all sixteen agencies/elements of the Intelligence Community (the CIA, the Department of Energy, etc).
All of the recent Presidents: Regan, Bush, Clinton, Bush, and Obama have issued Executive Orders laying out the rules for determining what can be considered classified national security information, and in my experience, those rules have not substantially changed the basic guidelines or criteria for determining what information to classify. They have altered the length of time information can remain classified, as well as some of the review timelines, but that’s about all.
The current Executive Order, EO 13256, entitled ‘Classified National Security Information’ was signed by Barack Obama on December 29, 2009 and remains in force.
In order to start classifying information, you need to know a few things: What levels of classification are there, who is allowed to classify information, and what information should be classified.
No surprises here, you’ve all heard or seen them in the movies, but I’m listing them along with the definitions because these are the only classification levels in use by the U.S. Government (unless some statute creates others) and the definitions are key to allowing a classification authority to make a decision about which level a piece of information should be classified at.
- “Top Secret” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe
- “Secret” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe
- “Confidential” is applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe
A key takeaway here is the last phrase in each definition: ‘that the original classification authority is able to identify or describe’. No parlor games or hidden items here. The damage that may result has to be able to be identified and described in writing by the classifying authority, otherwise known as the Original Classification Authority.
Who Can Classify Information?
If you think any government official or employee of the government can classify information just to keep it from the public, you are misinformed or have made a poor assumption. The real world is not what Hollywood or the more conspiracy minded among us might think.
EO 13256 establishes two classification authorities – Original Classification Authority and Derivative Classification Authority.
Original Classification Authorities (OCA) are the President, Vice President, Agency and Department heads designated by the President, and U.S. Government Officials delegated in writing. These Officials are usually General Officers in the military or Senior Executive Service level civilians in the civil service, not front line worker bees or managers. Once they have been trained (yes they Order requires that they be trained), an OCA can make decisions, in writing, about exactly what information their department or agency creates should be classified. To make those decisions, they must apply and adhere to the criteria described in the President’s Order (more on that in a bit). Out of the entire federal workforce of 2.2 million people in 2012, only 2,326 were OCA.
A Derivative Classification Authority (DCA) is one of those worker bees or managers in an organization or entity who might create a document, power point slide, or some other material that would need to be classified. They work solely off the written decision of the OCA discussed earlier. They do not get to decide what is classified at which level, they must follow the written guidance they have received from the OCA.
What Information Gets Classified?
Under the President’s Order, information can only be classified if it meets ALL of the following criteria:
- An original classification authority is classifying the information
- The information is owned by, produced by or for, or is under the control of the United States Government
- The information falls within one or more of the categories of information listed in the order
- The original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage to the national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage.
Moreover, the Order also states that “If there is significant doubt about the need to classify information, it shall not be classified.”
The categories of information the Order allows an OCA to classify are:
- Military plans, weapons systems, or operations
- Foreign government information
- Intelligence activities (including covert action), intelligence sources or methods, or cryptology
- Foreign relations or foreign activities of the United States, including confidential sources
- Scientific, technological, or economic matters relating to the national security
- United States Government programs for safeguarding nuclear materials or facilities
- Vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to the national security
- The development, production, or use of weapons of mass destruction
Note that under the order, you are not permitted to classify information for political purposes (i.e. claiming ‘national security’ when you are covering up a crime like Nixon did), to hide crimes or malfeasance, or simply because you don’t want to share information with the public. In our system, it meets the criteria or it doesn’t get classified.
That’s quite a bit to take in quickly, so lets walk through a simplified practical example. For the next five minutes, we’ll assume I’ve been appointed Secretary of Defense. Consequent to my appointment, The President appoints me in writing as an OCA.
Soon after, the Commander of Central Command walks into my office to inform me that he’s able to track the movements of the terrorist Usama bin Bad Guy. Bad Guy calls his wife every day at noon to check in with her and he often tells her where he is, and CENTCOM has the ability to monitor the phone calls using NSA’s SIGINT capabilities. Since Bad Guy is planning terrorist operations in Europe and the U.S., the CENTCOM Commander wants to capture or kill Bad Guy before he can carry out his plans.
Obviously, I need to give the Commander some guidance on classifying some important national security information.
First of all, does the information meet all four criteria? Yes. The President appointed me as an OCA, the information is produced and under the control of the U.S. Government (the DoD), it all falls within two of the categories of information that can be classified (military plans and operations and intelligence), and as the new Secretary of Defense, I’ve determined that disclosing the information may damage national security.
So here are the results of my classification decisions as an OCA, in writing for the CENTCOM Commander:
The fact that we can track Usama bin Bad Guy’s movements will be classified TOP SECRET
The fact that NSA & CENTCOM can monitor Usama bin Bad Guy’s phone calls will be classified TOP SECRET
Any information about Bad Guy’s terrorist plans in Europe or the U.S. will be classified SECRET
The CENTCOM operations to capture or kill Bad Guy will be classified TOP SECRET
This written listing forms the Classification Guide that CENTCOM and all other subordinate elements of the DoD will follow. The practical effect of this is that all military and civilian personnel will now use this guide to exercise their Derivative Classification Authority under EO 13256 to classify any information about Bad Guy’s movements, the content of his phone calls, his evil plans for Europe and the U.S., and the CENTCOM operations to stop him.
Depending on how long Bad Guy keeps calling his wife, and CENTCOM takes to plan and execute operations to capture or kill Bad Guy, hundreds or thousands of documents containing classified information may be generated, from just this one activity alone.
How Many Classified Documents Are There?
According to the National Archives’ Information Security Oversight Office’s 2012 Annual Report, which covers all U.S. Government executive branch agencies, the 2,326 OCA’s made 73,477 original classification decisions.
The employees across the government who create and handle classified material made 95,180,243 derivative classification decisions during that year. That seems like a large number, but given the proliferation of office automation technologies and computer networks, you need to remember than every e-mail, every word or power point document, or field or record in a database is counted because it was subject to a derivative classification decision.
Moreover, given the wording in the report, (i.e. decisions versus documents) you should remember that decisions themselves may not equate to just an individual ‘document’. One derivative classification decision on a paragraph in a twenty page word document can result in twenty classified pages because of the procedures used when classifying the whole document. Each classified page may be counted as one ‘classification decision’ based on the instructions issued by that organization to comply with the National Archives annual need. Having been part of some of the counting that happens once a year, I can tell you that the number of decisions is a reasonable benchmark, but probably under counts the actual number of classified items (call them documents, pages, or whatever you like) created due to the counting method in use and the usual bureaucratic processes in government.
Surprisingly, the Department of State made the most original classification decisions in FY 2012 – 39,770, while the Department of Defense only made 19,121.
Hopefully, you now have a better understanding of how classified information is generated by the government and why there is so much of it.
It seems that every couple of months or so, some professional news outlet, or the on-line site WikiLeaks, releases or reports what is described as classified material. Once an organization or entity reports it, other professional journalists tend to jump on the story quickly, hitting up their sources and reporting on the story in whatever unique way or angle they believe they can.
Today’s case in point is the Washington Post’s initial reporting (based initially on a WikiLeaks release of classified State Department cables between the U.S. and the host governments), on the locations of the bases used to purportedly launch and recover unmanned drones like the MQ-9 REAPER. These drones are used, in part, to carry the U.S. war against Al-Qaeda and its affiliates directly to the leaders in those organizations. REAPER drones have launched missiles and bombs directly at identified Al-Qaeda or Al-Qaeda affiliate leaders to kill them with pinpoint strikes, giving the U.S. an unmatched capability to strike and limit collateral damage, while reducing risk to U.S. forces.
The Post reporting picked up and expanded upon by Fox News today, is obviously something that would be judged a ‘newsworthy’ item by an editor. There is just one problem. The revelation of even the general location of these bases has placed the lives of American military personnel in extreme danger.
Did the Washington Post or Fox News provide specific geographic coordinates for these bases? No. Did the classified cables posted on the WikiLeaks site? I’m not going to look and find out (I have no interest in making WikiLeaks think they are providing a useful service.) It doesn’t matter if they did or not. Anyone with any reasonable amount of deductive reasoning and an Internet connection can look at the publicly available information on the MQ-9’s performance characteristics, check Google Earth for the overhead imagery of the airfields capable of allowing a REAPER to land in country X, and then send people to stay in nearby towns for a day or two and wait to see a REAPER takes off from, or lands at the airfield nearby to confirm the presence of the drones. And Al-Qaeda has more than proven itself to have people capable of deductive reasoning and Internet access and usage.
What comes next is obvious. Al-Qaeda conducts a little more reconnaissance of the security at the airfield, some planning, obtains some weapons and explosives, and conducts a little more planning. Suddenly there is an attack on the airfield, killing the American military members who act as the REAPER’s ground crew and maintenance team, and damaging or destroying one or more of the drones at the base. Al-Qaeda gains a propaganda windfall within the Arab world and the Jihadist community, while a few more American soldiers, sailors, airmen or marines are shipped home in coffins to grieving family members.
So where is the problem? The problem is the person or persons who leaked the State Department cables to WikiLeaks that kicked off the journalistic process of ‘they reported the news worthy item, why don’t we?’ inside the editorial offices and journalist’s minds.
The U.S. news outlets can’t be faulted for anything other than what I view as being in ‘rush to publish’ mode and what I view as less than ideal judgement. The Constitution of the United States explicitly allows the freedom of the press, but I will argue that in my personal opinion, the editors at the Post and Fox News should have recognized the potential danger and elected not do a story on the leaked cables. However, they are journalists first, and I’m sure they did not see (or likely consider) the potential repercussions beyond the immediate gratification of trumpeting this previously unknown facet of U.S. drone operations before more of their colleagues did, and the perceived ‘luster’ of the story faded.
What can be done is that the people who leaked the cables need to be identified by the appropriate law enforcement agencies, investigated, and prosecuted within the fullest extent of all applicable laws. They have compromised the security of the United States and its allies in a time of war, imperiled U.S. confidential diplomatic discourse with other nations, and potentially endangered the lives of U.S. and Allied military personnel. If any U.S. or Allied service member or person is harmed or killed by the leak of this information, the individuals who leaked the cables should also be charged as accomplices to assault or murder.