Pages

4 August 2015

The Difficulty of Try to Keep So Many Secrets

Peter van Buren
August 3, 2015

What everyone with a Top Secret security clearance knows – or should know

In the world of handling America’s secrets, words – classified, secure, retroactive – have special meanings. I held a Top Secret clearance at the State Department for 24 years and was regularly trained in protecting information as part of that privilege. Here is what some of those words mean in the context of former Secretary of State Hillary Clinton’s emails.

The Inspectors General for the State Department and the intelligence community issued a statement saying Clinton’s personal email system contained classified information. This information, they said, “should never have been transmitted via an unclassified personal system.” The same statement voiced concern that a thumb drive held by Clinton’s lawyer also contains this same secret data. Another report claims the U.S. intelligence community is bracing for the possibility that Clinton’s private email account contains multiple instances of classified information, with some data originating at the CIA and NSA.

A Clinton spokesperson responded that “Any released emails deemed classified by the administration have been done so after the fact, and not at the time they were transmitted.” Clinton claims unequivocally her email contained no classified information, and that no message carried any security marking, such as Confidential or Top Secret.

The key issue in play with Clinton is that it is a violation of national security to maintain classified information on an unclassified system.


Classified, secure, computer systems use a variety of electronic (often generically called TEMPESTed) measures coupled with physical security (special locks, shielded conduits for cabling, armed guards) that differentiate them from an unclassified system. Some of the protections are themselves classified, and unavailable in the private sector. Such standards of protection are highly unlikely to be fulfilled outside a specially designed government facility.

Yet even if retroactive classification was applied only after Clinton hit “send” (and State’s own Inspector General says it wasn’t), she is not off the hook.

What matters in the world of secrets is the information itself, which may or may not be marked “classified.” Employees at the highest levels of access are expected to apply the highest levels of judgment, based on the standards in Executive Order 13526. The government’s basic nondisclosure agreement makes clear the rule is “marked or unmarked classified information.”

In addition, the use of retroactive classification has been tested and approved by the courts, and employees are regularly held accountable for releasing information that was unclassified when they released it, but classified retroactively.

It is a way of doing business inside the government that may at first seem nonsensical, but in practice is essential for keeping secrets.

For example, if an employee were to be handed information sourced from an NSA intercept of a foreign government leader, somehow not marked as classified, she would be expected to recognize the sensitivity of the material itself and treat it as classified. In other cases, an employee might hear something sensitive and be expected to treat the information as classified. The emphasis throughout the classification system is not on strict legalities and coded markings, but on judgment. In essence, employees are required to know right from wrong. It is a duty, however subjective in appearance, one takes on in return for a security clearance.

“Not knowing” would be an unexpected defense from a person with years of government experience.

In addition to information sourced from intelligence, Clinton’s email may contain some back-and-forth discussions among trusted advisors. Such emails are among the most sensitive information inside State, and are otherwise always considered highly classified. Adversaries would very much like to know America’s bargaining strategy. The value of such information is why, for example, the NSA electronically monitored heads of state in Japan and Germany. The Freedom of Information Act recognizes the sensitivity of internal deliberation, and includes a specific exemption for such messages, blocking their release, even years after a decision occurred. If emails discussing policy or decisions were traded on an open network, that would be a serious concern.

The problem for Clinton may be particularly damaging. Every email sent within the State Department’s own systems contains a classification; an employee technically cannot hit “send” without one being applied. Just because Clinton chose to use her own hardware does not relieve her or her staff of this requirement.

Some may say even if Clinton committed security violations, there is no evidence the material got into the wrong hands – no blood, no foul. Legally that is irrelevant. Failing to safeguard information is the issue. It is not necessary to prove the information reached an adversary, or that an adversary did anything harmful with the information for a crime to have occurred. See the cases of Chelsea Manning, Edward Snowden, Jeff Sterling, Thomas Drake, John Kiriakou or even David Petraeus. The standard is “failure to protect” by itself.

None of these laws, rules, regulations or standards fall under the rubric of obscure legalities; they are drilled into persons holding a security clearance via formal training (mandatory yearly for State Department employees), and are common knowledge for the men and women who handle America’s most sensitive information. For those who use government computer systems, electronic tools enforce compliance and security personnel are quick to zero in on violations.

A mantra inside government is that protecting America’s secrets is everyone’s job. That was the standard against which I was measured throughout my career and the standard that should apply to everyone entrusted with classified information.

No comments:

Post a Comment