<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:nb="https://www.newsbreak.com/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>Government Executive - Authors - Richard Lardner</title><link>https://www.govexec.com/voices/richard-lardner/2548/</link><description></description><atom:link href="https://www.govexec.com/rss/voices/richard-lardner/2548/" rel="self"></atom:link><language>en-us</language><lastBuildDate>Sat, 01 Aug 1998 00:00:00 -0400</lastBuildDate><item><title>The Secret's Out</title><link>https://www.govexec.com/magazine/1998/08/the-secrets-out/5783/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Lardner</dc:creator><pubDate>Sat, 01 Aug 1998 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/1998/08/the-secrets-out/5783/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  Price Waterhouse didn't become a force in the consulting world by ignoring market trends. So it was no surprise when the firm decided to expand its information security operation. After all, the Internet has completely changed the way business is done: Paper is out, electrons are in. But just as electronic commerce is skyrocketing, so too are the odds that sensitive corporate information might be tampered with as it travels through cyberspace.
&lt;/p&gt;
&lt;p&gt;
  With the private sector beginning to recognize that the digital door swings both ways, there's growing demand for the "risk management" services Price Waterhouse and other companies are offering to help keep the hackers at bay. To snare these potential clients, the company needed to hire hundreds of information technology professionals. Trouble is, information protection may be a huge growth area, but the talent pool is mighty shallow.
&lt;/p&gt;
&lt;p&gt;
  So officials at Price Waterhouse did what many other commercial enterprises have done, and continue to do. They targeted a group of employees at the Defense Department's secretive National Security Agency, where thousands of the federal government's best and brightest spend their days eavesdropping on other countries while at the same time ensuring that U.S. information networks are secure. Because of the highly sensitive missions the agency performs, companies like Price Waterhouse know they are getting employees who are extremely good at what they do and are solid citizens too: NSA is picky about whom it hires and conducts thorough background investigations.
&lt;/p&gt;
&lt;p&gt;
  Price Waterhouse has refused repeated requests for comment on its hiring tactics. However, former NSA employees confirm the company was extremely aggressive, making handsome offers that were not refused. While the raid generated only a small portion of the infotech professionals the company expects to hire over the next several years, the episode underscores a growing trend: When the business world knocks, NSA professionals are answering.
&lt;/p&gt;
&lt;p&gt;
  The brain drain at NSA has various causes, but money is the single biggest factor. The agency cannot compete with the fat salaries, attractive benefits packages and promises of speedy upward mobility the private sector is offering.
&lt;/p&gt;
&lt;p&gt;
  For an agency used to being on the offensive in its mission, the mounting losses of skilled employees have put NSA in an unfamiliar position. The agency is trying to fend off competitors with numerous recruitment programs and initiatives, but NSA officials freely admit that it is still difficult to get, and then keep, the people it needs. "It's a real worry," says one senior NSA executive. "If the issue is salary, we're in a noncompetitive position."
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Ears Full&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Located between Washington and Baltimore at Fort Meade, Md., NSA runs the world's largest and most far-flung intelligence-gathering apparatus. NSA's annual budget and number of employees are classified, but the Federation of American Scientists, a Washington-based public interest group, estimates the agency gets roughly $4 billion a year and has close to 20,000 civilian and military employees.
&lt;/p&gt;
&lt;p&gt;
  NSA listens in on America's enemies and allies alike, and then sends the decrypted "signals intelligence" (SIGINT) to the White House, Pentagon and other top-level government customers. The agency's technological capabilities are legendary. In his groundbreaking book on NSA, &lt;em&gt;The Puzzle Palace,&lt;/em&gt; author James Bamford wrote that the agency used to intercept the conversations of Soviet leaders such as Leonid Brezhnev as they traveled around Moscow in their limousines.
&lt;/p&gt;
&lt;p&gt;
  In addition to its SIGINT mission, the agency also develops the complex mathematical codes used to protect the data that flows through the nation's most sensitive information systems. The "football" that accompanies the President everywhere and controls America's nuclear arsenal, for instance, is protected from electronic intrusion by encryption systems NSA created. It is this second responsibility that has produced serious personnel headaches for the agency.
&lt;/p&gt;
&lt;p&gt;
  Cryptography, the science of keeping information secret, and encryption, the process of concealing words with numbers, are enormously complicated disciplines. Cryptographic algorithms, or ciphers, are the formulas used for encryption and decryption. Crafting these numerical recipes, which are the basis for any information security system, can take years of painstaking work. So staying ahead in the information security game demands some of the best minds in mathematics and computer science.
&lt;/p&gt;
&lt;p&gt;
  In years now long gone, crypto used to be NSA's exclusive domain, so the agency had little competition for top-notch personnel. NSA offered access to cutting-edge technologies as well as a front-row seat to the spy world. Code names like Gamma Guppy, Moonpenny and Venona concealed covert projects so sensitive that few outside the agency knew of their existence. One civilian who spent 12 years at NSA before leaving to work for a major information security company recalls the rush of being "shot off the end of an aircraft carrier," to perform a particular mission. "It is the greatest play box in the world; they've got one of everything," marveled another agency veteran now working in the IT industry.
&lt;/p&gt;
&lt;p&gt;
  But in the last decade particularly, the information technology revolution has changed the way NSA operates. Software companies big and small now offer all sorts of information security products. Demand is high, and competition is fierce. Walk down the aisles of your favorite software store and you'll see boxes with names like Secret Agent, Your Eyes Only, Guard Dog and Pretty Good Privacy. The encryption genie is out of the bottle, and NSA has long since given up trying to get it back in.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;The Pay Gap&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  As the demand for information security products increases, so does the need for people who are good at developing them. But recent studies by the Commerce Department and the Information Technology Association of America say there is a severe shortage of skilled information technology workers. Constrained in how much it can offer in salary and benefits, NSA is losing out more and more to the private sector.
&lt;/p&gt;
&lt;p&gt;
  The Commerce study, "America's New Deficit: The Shortage of Information Technology Workers," noted that government organizations are being squeezed out of the competition for IT talent. "While average starting salaries [in the private sector] for graduates with bachelor's degrees in computer engineering grew to more than $34,000 in 1995, the federal government's entry-level salary for computer professionals with bachelor's degrees ranged from about $18,700 to $23,000 that year," the study reported.
&lt;/p&gt;
&lt;p&gt;
  A compensation study cited in the Commerce report said the average hourly compensation for a private-sector software development architect in 1996 was $77.70, or $161,000 per year. An operating systems software architect could make $85.60 an hour, or $178,000 per year. Finally, on the very upper end, a software programming analyst manager could command $92.20 an hour, or $192,000 annually.
&lt;/p&gt;
&lt;p&gt;
  According to NSA, these positions are equivalent to the agency's Computer Scientist jobs, which pay $34,309 to $70,870.
&lt;/p&gt;
&lt;p&gt;
  A similar gap exists in the managerial ranks. Senior-level positions in NSA's Information Systems Security Organization pay between $99,200 and $118,400 a year. Comparable private-sector jobs can pay roughly double that amount, according to a 1998 compensation study by Positive Support Review, a California consulting firm. For example, the study found that the average salary for a chief information officer at a large company (roughly comparable to NSA's deputy director of information systems security position) was $239,163; the average salary for a vice president for information services at a large company (roughly comparable to the technical director of NSA's Information Systems Security Organization) was $184,291.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Retention is Down&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Retention is a challenge as well. NSA is cautiously optimistic it will meet its fiscal 1998 agencywide hiring goal of 500 people; as of mid-March, 342 people had been hired against those targets. However, maintaining a stable workforce at the executive level is perhaps the agency's biggest challenge. The situation is most serious within the agency's middle-management ranks. Employees at GS-9 through GS-12, the grades from which people are groomed for more senior positions at NSA, are frequently taking more financially attractive positions in the private sector.
&lt;/p&gt;
&lt;p&gt;
  NSA, which hires only U.S. citizens, says the average full-time civilian employee is 42 years old and has been with the agency 14 to 18 years. To agency insiders, these numbers suggest a workforce that lacks the civilian corporate memory the agency needs to handle its code-making and code-breaking duties. "The days when you were hired, trained and moved up through the ranks are probably over," says a retired NSA official who spent 30 years at the agency. "[NSA leaders] are faced with a challenge they've never been faced with before: There's a high risk of not getting good people in the senior ranks."
&lt;/p&gt;
&lt;p&gt;
  Michael Jacobs, NSA's deputy director of information systems security, attributes the personnel turnover in part to a change in attitudes about work in both the public and private sectors. "When I came here, I could pretty much assure that the people I came in with would probably be there 25 years later," says Jacobs, who's been at NSA for 34 years. "That's just the nature of the group that came in in the '60s. [Today, people] are far more mobile . . . and seem to think it's all part of the nature of how they have to evolve in their career."
&lt;/p&gt;
&lt;p&gt;
  The attrition problem is compounded by the fact that government downsizing prevents the agency from replacing some departing workers, Jacobs notes. "So you don't have the same degree of flexibility in recruiting that you used to have," he says. "We are suffering from characteristics that are absolutely 180 [degrees] out from the characteristics of this growth industry." While new information technology companies are able to do as much hiring as needed to get the job done, "we're up against this ceiling."
&lt;/p&gt;
&lt;p&gt;
  William Crowell, who spent more than 30 years at the agency before retiring last September as NSA's deputy director, says the attraction of working at the agency used to compensate for the lower wages. Jobs at NSA are still quite compelling, he believes, but the pull of the private sector is now greater than ever. "The entire [NSA] benefits package, with salary, isn't bad, but it's at the median of what the really high-tech candidates would come to expect," says Crowell, who is now vice president for product management and strategy at Cylink, a Sunnyvale, Calif.-based infotech firm.
&lt;/p&gt;
&lt;p&gt;
  Changes in NSA's mission and culture are contributing to the problem as well. NSA no longer develops all the government's crypto systems. For sensitive but unclassified data, for example, the agency buys some encryption products from the private sector. Mathematicians and engineers who went to the agency to build crypto systems are now spending more time analyzing and evaluating commercial wares. This shift has certainly led to some of the attrition.
&lt;/p&gt;
&lt;p&gt;
  The stronger ties to the commercial world have also increased the opportunities for NSA employees to become aware of, and be offered, positions in the private sector. "I think it is a big, long-term problem for the agency," says Stewart Baker, former general counsel at NSA. "As its information security mission becomes more closely integrated with commercial infosec efforts, its people will be developing skills and contacts that almost guarantee some brain drain." This overlap is less acute for the signals-intelligence side of the house, so there's less opportunity for departure there, adds Baker, now a partner in the Washington law firm of Steptoe and Johnson.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Golden Years&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  The federal government has taken steps to make itself more competitive with the private sector when it comes to hiring and keeping a quality workforce. Ironically, one of those changes has made the decision to leave government service an easier one.
&lt;/p&gt;
&lt;p&gt;
  In January 1987, the Federal Employee Retirement System went into effect. FERS, a three-tier plan consisting of Social Security, a basic annuity and the Thrift Savings Plan, provides better benefits than its predecessor, the Civil Service Retirement System. FERS also has another key feature: portability. The old system encouraged a long career with a single employer. Leaving before your scheduled retirement date meant a deferred benefit, making for a tough choice. The portability feature of FERS, however, has made the choice far less difficult. Now, many NSA employees can have their cake and eat it too.
&lt;/p&gt;
&lt;p&gt;
  In addition to the retirement plan changes, cuts in the U.S. intelligence budget have eliminated the financial headroom the agency used to enjoy. Retired Vice Adm. John McConnell, who served as NSA director from May 1992 through February 1996, says he was concerned about early-out packages offered to more senior people during his tenure at Fort Meade. The idea was to get them to leave the agency, which presumably would save increasingly scarce dollars, says McConnell, now a vice president with Booz-Allen &amp;amp; Hamilton.
&lt;/p&gt;
&lt;p&gt;
  The problem with that strategy is it also eliminates big chunks of NSA's institutional knowledge. The agency's military workers cycle in and out every few years. That makes retaining NSA's civilian employees all the more critical.
&lt;/p&gt;
&lt;p&gt;
  Yet once an employee reaches the agency's middle-management ranks, moving up the ladder is dependent upon a slot becoming available, and mid-career doldrums set in for some. At the same time, "we're seeing industry go crazy, doing all sorts of exciting things," one agency employee says. And, while NSA can't promise a promotion, offers from the private sector often come with such guarantees.
&lt;/p&gt;
&lt;p&gt;
  In a written response to a series of questions, NSA's public affairs office says the agency is "constantly trying to improve its recruitment process, especially in this time of extremely fierce competition for information technology talent." In 1996, the agency's pay for mathematics, computer science and engineering jobs was increased "to help keep us in range of private-sector salaries," the public affairs office says, and an "extremely generous" education package, the Skills Enhancement Recruitment Incentive Program, provides funding and time off for graduate-level study in mathematics and computer science.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Lost Appeal?&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Despite all these initiatives and programs, NSA acknowledges "we are finding it increasingly difficult to attract IT talent to the agency." Crowell says the agency has been very successful in hiring mathematicians; indeed, NSA is probably the largest employer of mathematicians in the United States. The trouble is finding enough quality people with computer science backgrounds. "You don't do cryptology as a single individual anymore; it's a team effort," he says. "It requires mathematics, computer science and a little bit of business."
&lt;/p&gt;
&lt;p&gt;
  Certainly money is the major factor in NSA's recruitment and retention difficulties. But current and former NSA employees say the cloak-and-dagger image that once attracted people to the agency is no longer as strong. A smaller Defense budget and a greater reliance on commercial products have created some confusion over the agency's strategic future. Certainly there is a need for NSA, but exactly how big should it be, what systems should it be responsible for developing and what needs can the agency rely on the private sector to meet?
&lt;/p&gt;
&lt;p&gt;
  In its report on the fiscal 1999 intelligence authorization bill, the House Permanent Select Committee on Intelligence tore into NSA, demanding "very large changes" in NSA's culture and method of operations. At the same time the report was published, Deputy Defense Secretary John Hamre reined in the agency, which has traditionally enjoyed a direct line to the Defense Secretary and chairman of the Joint Chiefs of Staff. According to a plan approved by Hamre in late April, NSA's leadership must now go through the office of the assistant Defense secretary for command, control, communications and intelligence before gaining access to DoD's most senior levels.
&lt;/p&gt;
&lt;p&gt;
  For all these reasons, lengthy careers at NSA are no longer the rule, but the exception. Thomas McDermott spent more than 30 years at NSA, eventually becoming the agency's senior information security official. He retired last year and headed to the private sector "to start a second career," he says. He is now senior vice president for information assurance at CACI, a high-tech company in suburban Washington.
&lt;/p&gt;
&lt;p&gt;
  For McDermott and many others like him, working at NSA had an attraction that transcended money. It was about the opportunity to get deeply involved in electronic espionage, a tremendously complex and controversial discipline. A career there gave young engineers and mathematicians like McDermott a chance to be exposed to cutting-edge technologies, and to learn from some of the nation's premier encryption experts.
&lt;/p&gt;
&lt;p&gt;
  "You didn't go to NSA for the compensation," says McDermott. "It was about the opportunities it would present to you."
&lt;/p&gt;
&lt;p&gt;
  McDermott believes that if NSA works hard and is creative enough, it can hang on to its top people. He says the agency must continue offering a demanding work environment and at the same time increase its level of cooperation with the private sector.
&lt;/p&gt;
&lt;p&gt;
  But high-level departures aren't always completely negative, he adds. If these people remain in the information assurance business, NSA can still take advantage of their expertise. "They're still a resource. It may cost the agency slightly more, but they're there," McDermott says.
&lt;/p&gt;
&lt;p&gt;
  There's also a school of thought that believes it is not such a good idea to have people stay at the agency for 30 years or more. Moore's Law holds that computing power doubles every 18 months, which means information technology purchased just two years ago is nearly obsolete. Perhaps the same principles apply to the IT workforce. "In fact, [NSA's leadership] may be entering an era when it is desirable for them to have turnover . . . when people become journeymen," a retired agency official says. "It brings new blood in, and gets the juices flowing."
&lt;/p&gt;
&lt;p&gt;
  For companies looking to hire NSA personnel, however, it's buyer beware. NSA doesn't take kindly to corporate raiders. According to a former NSA GS-14, the agency has agreements with some information security firms that prohibit them from overtly recruiting NSA employees. "NSA makes clear they won't do business with you if you steal their people," he says. Price Waterhouse's clients are overwhelmingly in the private sector, which might reduce that company's disincentive to hire away NSA personnel.
&lt;/p&gt;
&lt;p&gt;
  Threats notwithstanding, as long as there is a demand for superior information technology professionals, NSA will be viewed as a breeding ground of sorts by the private sector. Don Latham, former assistant Defense secretary for command, control, communications and intelligence, says NSA's situation reminds him of the story about famed stickup artist Willie Sutton. Asked why he robbed banks, Sutton said "Because that's where the money is." The same could be said of NSA, although it's not the agency's money the IT companies are after.
&lt;/p&gt;
&lt;p&gt;
  &lt;em&gt;Richard Lardner covers national security for Inside Washington Publishers.&lt;/em&gt;
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Sign of the Times: House Intelligence Committee Criticizes NSA</title><link>https://www.govexec.com/magazine/1998/08/sign-of-the-times-house-intelligence-committee-criticizes-nsa/5784/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Lardner</dc:creator><pubDate>Sat, 01 Aug 1998 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/1998/08/sign-of-the-times-house-intelligence-committee-criticizes-nsa/5784/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  It's not often that NSA is publicly rebuked. So sensitive is the agency's dual mission (code-making and code-breaking) that criticism, constructive or otherwise, is generally offered behind closed doors. But the Soviet Union is gone now, and NSA is in many ways a different agency than it was 10 or 15 years ago.
&lt;/p&gt;
&lt;p&gt;
  So perhaps a recent critique of the agency by the House Permanent Select Committee on Intelligence was simply a sign of the times. The GOP-led intelligence panel tore into NSA, saying previous attempts to repair management and budgetary shortcomings have been blunted by an agency that seems unwilling to change.
&lt;/p&gt;
&lt;p&gt;
  "The committee has concluded that very large changes in the National Security Agency's culture and method of operations need to take place, including changes in its budget methodology," the committee said in its fiscal 1999 report on the intelligence authorization bill. So concerned is the committee that it has threatened to take funds away from NSA if the agency "does not develop detailed strategic and business planning."
&lt;/p&gt;
&lt;p&gt;
  The committee says it has been forced to take serious action because NSA has resisted what the panel believed to be sensible reforms. "Outside management reviews, budget cuts and adds to reduce acquisition cycle time, plus cuts to lower the budget percentage allocated to support, were initiated in the fiscal year 1998 authorization process, but all have met resistance and have been deflected from their intended purpose," the committee said.
&lt;/p&gt;
&lt;p&gt;
  Further, the panel said NSA investments of money and personnel "in categories critical to the future" have been badly minimized: "NSA often cannot track allocations for critical functions that cross the old program and bureaucratic lines," the committee added.
&lt;/p&gt;
&lt;p&gt;
  The panel, chaired by Rep. Porter Goss, R-Fla., concluded that a "far more radical revision" of NSA's budget process is necessary. "Just as the military must train the way it will fight, NSA must budget according to the critical categories of a new and completely different architecture and mode of operations," the committee said.
&lt;/p&gt;
&lt;p&gt;
  And, perhaps most difficult of all, the agency will need to create a new culture in which a team effort produces a unified vision for the future, "rather than bubbling up disparate ideas and programs from across NSA and expending much of its energy on probable duplication," the committee said.
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>OPM Handbook Suggests Tool for Getting, Keeping IT Professionals</title><link>https://www.govexec.com/magazine/1998/08/opm-handbook-suggests-tool-for-getting-keeping-it-professionals/5785/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Lardner</dc:creator><pubDate>Sat, 01 Aug 1998 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/1998/08/opm-handbook-suggests-tool-for-getting-keeping-it-professionals/5785/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  As the National Security Agency has found, competing with the private sector for information technology talent is not easy. But federal managers may not be as completely overmatched as they might think.
&lt;/p&gt;
&lt;p&gt;
  To help government executives recruit and retain a solid IT workforce, the Office of Personnel Management has crafted a handbook that lists strategies for "designing IT recruitment and retention strategies and in resolving current staffing problems."
&lt;/p&gt;
&lt;p&gt;
  Prepared for the top-level Chief Information Officers Council, the OPM guide, "Recruiting and Retaining Information Technology Professionals," doesn't contain any silver bullets. But by collecting the various tools available in a single document, OPM hopes to remind government executives they do have some leverage in the IT world. The guide was distributed by the CIO Council to agency personnel chiefs.
&lt;/p&gt;
&lt;p&gt;
  For example, the guide says that OPM can establish higher rates of pay "for an occupation or group of occupations" based on a finding that federal recruitment or retention efforts would likely become "significantly handicapped without those higher rates."
&lt;/p&gt;
&lt;p&gt;
  Agencies also have the authority to grant employees lump-sum cash awards, or accelerate their pay by granting quality step increases. A variety of work-life accommodations (alternative work schedules, telecommuting, dependent-care assistance) can also sweeten the offer, OPM says.
&lt;/p&gt;
&lt;p&gt;
  However, OPM insists that "conscientious and direct involvement by IT managers" is the most important single factor in attracting and recruiting IT professionals. "Managers need to identify where targeted recruiting efforts are likely to be fruitful," the guide states. "Managers need to be specific in describing the work that is to be done and the competencies that need to be used. Managers need to be creative in 'selling' prospective employees on the nature and importance of their agencies' projects. And managers need to be accomplished in coaching and leading IT employees."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Keeping Secrets</title><link>https://www.govexec.com/magazine/1998/03/keeping-secrets/5632/</link><description></description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Lardner</dc:creator><pubDate>Sun, 01 Mar 1998 00:00:00 -0500</pubDate><guid>https://www.govexec.com/magazine/1998/03/keeping-secrets/5632/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  "Democracy means government by discussion," wrote former British Prime Minister Clement Attlee, "but it is only effective if you can stop people talking." For the U.S. Security Policy Board, these should be words to live by.
&lt;/p&gt;
&lt;p&gt;
  The board, a senior-level group chaired by the Defense secretary and the director of central intelligence, was created by President Clinton in September 1994 to develop sensible and cost-effective security standards and practices. But it has yet to make serious progress in curbing the redundancies and complexities of the federal government's secrecy system. One reason is that the board has an abundance of participants doing too much talking.
&lt;/p&gt;
&lt;p&gt;
  With 35 agencies and departments represented in the structure of committees and working groups under the Security Policy Board (SPB), the decisions that do emerge tend to be consensus agreements rather than bold, but perhaps unpopular, policies. Agencies that don't care for a particular move can delay or dilute an action, undercutting one main reason the SPB was created.
&lt;/p&gt;
&lt;p&gt;
  Indeed, the congressional Commission on Protecting and Reducing Government Secrecy said in a March 1997 report that "not only has this approach delayed progress, but it has meant that SPB products often go no further than the extent that the least supportive agencies will accept."
&lt;/p&gt;
&lt;p&gt;
  Most of the talking takes place at the SPB's lower levels. In fact, the board itself, which is made up of 10 very senior government officials, including the deputy attorney general, the deputy secretary of State, the deputy Energy secretary and the vice chairman of the Joint Chiefs of Staff, has not met formally since March 1996. (It was scheduled to meet in late February.) Instead, SPB members keep in touch by phone and fax, the board's staff director says.
&lt;/p&gt;
&lt;p&gt;
  But critics say the failure to meet face to face regularly means important issues have been delegated to underlings. Worse, it suggests the board doesn't have anything to meet about. "It's a symptom of a kind of gridlock in the security policy process," says Steve Aftergood, a senior research analyst at the Federation of American Scientists and editor of &lt;em&gt;Secrecy &amp;amp; Government Bulletin&lt;/em&gt;.
&lt;/p&gt;
&lt;p&gt;
  SPB officials, however, contend that all is well. In fact, they say, enormous advances have been made. The difficult job of establishing a series of baseline requirements for the protection of classified information has been completed, and now additional products can begin to flow.
&lt;/p&gt;
&lt;p&gt;
  "I think it's been a tremendous success story: starting from zero, getting agencies and departments together who had never been forced to really work together," says SPB staff director Dan Jacobson. "We've had numerous national [forums], but all they did was get together and generally agree to disagree. Finally, we have a process that forces us to resolve disputes."
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Sharp Criticism&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  The SPB's harshest critic has been the Commission on Protecting and Reducing Government Secrecy. Chaired by Sen. Daniel Patrick Moynihan, D-N.Y., and Rep. Larry Combest, R-Texas, the commission was created by Congress to investigate ways to curb government secrecy while at the same time ensuring that information and people truly needing protection get it. The Moynihan panel, as it is known, agreed that under the board's umbrella, "many areas of security policy, such as personnel security, are coordinated more effectively than ever before." Yet, the panel said, "significant problems remain with regard to the SPB's overall functioning."
&lt;/p&gt;
&lt;p&gt;
  The SPB, the Moynihan panel said, has failed to make "meaningful progress" on major issues, like implementing key recommendations from a 1994 report produced by the Joint Security Commission, a group of distinguished national security experts. The Moynihan panel acknowledged the SPB has produced adjudicative standards and investigative guidelines, which are used to determine if a person should have access to classified information. But while these documents are intended to improve security clearance reciprocity between agencies, the panel said they are only "minimum standards;" that is, "agencies may go beyond these standards, thus limiting the extent to which there is genuine reciprocity of clearances."
&lt;/p&gt;
&lt;p&gt;
  Some of the Moynihan panel's sharpest criticism was reserved for the way the SPB operates. Below the board is the Security Policy Forum, made up of upper-level agency managers. Under the forum are committees and working groups that concentrate on specific areas, such as personnel security and classification management. There is also a Security Policy Advisory Board, which helps oversee the SPB. Finally, an SPB staff, run by Jacobson, supports the entire structure.
&lt;/p&gt;
&lt;p&gt;
  It's difficult to get things done in such a dense organization. For example, nearly two and a half years after President Clinton directed the board to develop a financial disclosure form for use by those with access to the nation's most sensitive secrets, the SPB has yet to produce such a document. An effort to set up an information security committee within the board's structure failed badly. Conflicts with the National Archives and Records Administration's Information Security Oversight Office have hampered the SPB's ability to forge classification and declassification policies.
&lt;/p&gt;
&lt;p&gt;
  Part of the problem, observers say, is that the people trying to fix the system may not know exactly what their bosses want them to do. "The SPB's plethora of committees and working groups has left the early stages of policy development in the hands of less senior representatives who may not even be aware of the positions advocated by the agencies' more senior officials," the Moynihan panel concluded. "Indeed, these representatives have at times spent months negotiating consensus products, only to have these overturned by their own senior management at higher levels within the SPB structure."
&lt;/p&gt;
&lt;p&gt;
  Retired Gen. Larry Welch, former Air Force chief of staff and chairman of the Security Policy Advisory Board, believes the SPB bit off more than it could chew when it got started.
&lt;/p&gt;
&lt;p&gt;
  "They took on this full panoply of issues with the full panoply of [entities]," Welch says. "Consequently, it creates a set of issues that are so complex that the Security Policy Forum, which is very, very active, has significant difficulty bringing [them] to the point where you would want the Security Policy Board to meet on something."
&lt;/p&gt;
&lt;p&gt;
  Aftergood says the board should meet anyway, if for no other reason than to demand to know why it doesn't have more on its plate. The board's membership, after all, makes it one of the most powerful groups in government.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Monumental Task&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  To be sure, the SPB was created to tackle a monumental chore. With numerous agencies having a stake in how the government decides to protect its people, property and information, the Clinton administration elected to get everyone involved, not just the defense and intelligence communities.
&lt;/p&gt;
&lt;p&gt;
  "We're negotiating a U.S. government security policy, rather than just an intelligence community security policy," says Carl Darby, who works with the SPB in his capacity as a senior policy analyst with the Community Management Staff, which supports the director of central intelligence.
&lt;/p&gt;
&lt;p&gt;
  While the SPB's approach may be logistically clumsy, board officials contend those who will be affected by a proposed policy should have a chance to comment on it. And the best people to comment are those who handle the day-to-day operations: the middle managers.
&lt;/p&gt;
&lt;p&gt;
  "We've found that if you really want to change something, you've got to get buy-in from your middle and upper management as part of the process," Jacobson says. "You can get every service secretary or agency head agreeing, you can have all the technical experts down below saying 'Yea verily,' but the people in the middle who have both arms up to their elbows in pots of money and resources who control what happens in an organization can kill it overnight if they don't buy in."
&lt;/p&gt;
&lt;p&gt;
  But the Joint Security Commission counseled against precisely this type of consensus-building, get-everybody-involved approach. While the SPB structure is consistent with what the commission envisioned, the process is not.
&lt;/p&gt;
&lt;p&gt;
  Even SPB staffers acknowledge the slow pace. An internal e-mail message from one employee to another notes that "it does seem that bureaucratic inertia is working against us at times." Another staffer wonders whether the real problem is not the number of federal offices involved in the SPB process, but the sluggishness of decision-making. This employee contends the process is better than it used to be "but is still so excessively layered that the standards process will by its own inertia bring about a lack of dynamism that we cannot afford in this fast-moving, information- and change-rich age."
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;For Better or Worse?&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Is government better off now, in terms of setting security policy, than it was more than three years ago? The answer is probably not.
&lt;/p&gt;
&lt;p&gt;
  To be sure, the SPB has had some successes: the adjudicative and investigative standards, for example. It's also won some important supporters. Jeffrey Smith, a Washington attorney who chaired the Joint Security Commission and later served as CIA general counsel, says the SPB is "accomplishing what we [the Joint Security Commission] had in mind."
&lt;/p&gt;
&lt;p&gt;
  But the board has also perpetuated many of the problems that made security policy such a mind-boggling maze in the first place. Members of the Security Policy Forum "love to go to meetings and debate how many angels can dance on the head of a pin," one Capitol Hill observer says.
&lt;/p&gt;
&lt;p&gt;
  Because of the classified nature of some of the board's discussions, its activities are sealed off from public view. This seems to run counter to the JSC's concept of an organization that would be a "focal point" for congressional and public inquiries. Further, the cloistered approach limits outside pressure on the organization to move more quickly.
&lt;/p&gt;
&lt;p&gt;
  It may be time for the SPB's senior leaders to seize control of the situation. This, of course, would require them to meet more often, which doesn't seem likely to happen. Jacobson says it's important to keep the SPB's principals engaged, but there's no need for the board to meet unless there's a real disagreement over a particular issue. He says an annual "security summit" makes more sense, but even scheduling a yearly gathering has so far proved tough to do.
&lt;/p&gt;
&lt;p&gt;
  Maybe, as Smith says, the SPB just needs time to get its sea legs. Or maybe it's time for a little less talk and a lot more action.
&lt;/p&gt;
&lt;p&gt;
  &lt;em&gt;Richard Lardner is general manager of Inside Washington Publishers' Defense Group.&lt;/em&gt;
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Keys to the Code</title><link>https://www.govexec.com/magazine/1997/07/keys-to-the-code/5748/</link><description>Intelligence and law enforcement agencies are trying to maintain control over the latest and strongest computer encryption technologies developed by private companies.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Lardner</dc:creator><pubDate>Tue, 01 Jul 1997 00:00:00 -0400</pubDate><guid>https://www.govexec.com/magazine/1997/07/keys-to-the-code/5748/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  &lt;img src="/graphics/initials/t.gif" width="16" height="23" alt="T" /&gt;hrough the decades of the Cold War, the Defense Department's National Security Agency was the government's most secretive organization. Responsible for keeping U.S. communications secure while eavesdropping on the nation's enemies and allies alike, NSA worked hard at maintaining a low profile. The few who knew about NSA and what it did joked privately that the acronym stood for "No Such Agency."
&lt;/p&gt;
&lt;p&gt;
  Times have changed. The Internet explosion has made the public very much aware that advanced computers are powerful tools, but vulnerable as well. How can you be sure that data entered on one end will reach its destination without an uninvited party taking a peek? With so much interest in networked information systems and how to keep them secure, NSA has made a concerted effort in recent years to be less secretive, to explain what it does and why.
&lt;/p&gt;
&lt;p&gt;
  But NSA's coming out has not been completely voluntary. In fact, the U.S. computer industry has all but shoved the agency into the open. Microsoft Corp. and others want to sell their most sophisticated information security products overseas. NSA, along with the FBI, has vigorously, and publicly, argued for limits on the strength of encryption programs that are exported.
&lt;/p&gt;
&lt;p&gt;
  For NSA and the FBI, the reasons for a cautious export policy are simple. Encryption used to be the exclusive domain of the national security community, NSA in particular. Now, however, the U.S. computer industry has no peer when it comes to developing strong encryption technologies, which allow information to be encoded in such a way that only the intended recipient can decipher it.
&lt;/p&gt;
&lt;p&gt;
  Without limits, argue the two agencies, terrorists and rogue nations will be able to communicate unfettered, using encryption products developed in the United States. NSA's international code-breaking duties will be made all the more difficult. On the domestic front, the FBI fears the day when it legally seizes a terrorist's computer hard drive, but is unable to read the data stored on it.
&lt;/p&gt;
&lt;p&gt;
  "In a world where we've got ubiquitous, unbreakable encryption, which commercial encryption can be, it becomes impossible for law enforcement to function," warned Ed Appel, National Security Council director for counterintelligence programs, at an information technology conference earlier this year.
&lt;/p&gt;
&lt;p&gt;
  The administration put a new encryption export policy into effect Dec. 30. Outside government, almost no one is happy. Critics say the plan will cost U.S. computer firms billions of dollars in lost sales because the policy restricts what can be sold outside the United States. U.S. computer firms generate between 50 percent and 60 percent of their revenue from exports. "We're going to be exporting jobs, not cryptography," says D. James Bidzos, president of RSA Data Security Inc., a leading encryption technology firm based in Redwood, Calif.
&lt;/p&gt;
&lt;p&gt;
  Aside from the economic implications, opponents say, the policy smacks of a larger, more sinister government effort to clamp down on the free flow of information and represents a major expansion of the government's current wiretapping authority. In the name of national security, NSA and the FBI want to make sure the U.S. government's communications are secure, and that everyone else's, including the American public's, are less so. People are then expected to trust that the government will respect their privacy, critics charge.
&lt;/p&gt;
&lt;p&gt;
  "The ability to hear a specific phone conversation is not nearly as invasive as the ability to intercept, without notice or consent, the full panoply of life online, including health records, financial transactions, online entertainment, intimate letters, and conversations," says Jerry Berman, executive director of the Center for Democracy and Technology.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;A Numbers Game&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Understanding the pros and cons of a restrictive encryption export policy is not nearly as difficult as comprehending what encryption is and how it works.
&lt;/p&gt;
&lt;p&gt;
  Encryption products use complex mathematical formulas called algorithms that are combined with secret keys to scramble and unscramble information. The algorithm blends the key, which is a unique, randomly generated number stream, with the data that is to be protected. Encryption can be handled by computer software or hardware.
&lt;/p&gt;
&lt;p&gt;
  There are two types of encryption. Private key encryption requires the sender and the receiver to use the same key to encrypt and decrypt messages. This is the type of encryption used most often by the military. Private key encryption is, however, logistically clumsy. A sophisticated key management and distribution system is required to make sure the sender and recipient of the message have the same key while at the same time ensuring the keys don't fall into the wrong hands.
&lt;/p&gt;
&lt;p&gt;
  In the mid-1970s, communications took a giant leap forward with the advent of public key, or asymmetrical, encryption. Introduced by legendary cryptographers Whitfield Diffie and Martin Hellman, asymmetrical encryption involves two different keys, one for encryption and the other for decryption. The "public" key, used for encryption, can be kept available in an open directory; the private key is kept secret and used for decryption. So anyone can send a secret message by using the public key, but the message can only be decrypted and read by the receiver who holds the private key.
&lt;/p&gt;
&lt;p&gt;
  The security provided by an encryption system depends mainly on the quality of the algorithm and the length of the key. The U.S. Data Encryption Standard, the federally approved encryption algorithm used in millions of credit card and ATM transactions each day, employs a key that consists of 64 binary digits, or "bits." Of those 64 digits, 56 bits are generated and used directly by the algorithm. (The other eight bits are used for error detection.)
&lt;/p&gt;
&lt;p&gt;
  Although rapid advances in information technology have made the Data Encryption Standard a less secure system, the mathematics behind it are still imposing: There are 70 quadrillion (that's 70,000,000,000,000,000) possible keys of 56 bits, which makes guessing the key used for a particular transmission a time-consuming chore.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Keeping the Upper Hand&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Sophisticated encryption products can offer enemies significant communications advantages, so the United States has treated encryption as a weapon and generally limited exports to systems using 40-bit keys. But with today's high-speed computers, 40-bit keys are all but useless, according to leading cryptographers whose findings were published by the Business Software Alliance in a 1996 report. Cryptosystems with 40-bit keys "offer virtually no protection at this point against brute force attacks," in which large numbers of computers are harnessed together in a concerted effort to break coded information, the experts found.
&lt;/p&gt;
&lt;p&gt;
  Under pressure from U.S. computer companies, the Clinton administration agreed last year to amend its encryption export regulations. The new policy, published in late December as an interim rule in the &lt;em&gt;Federal Register&lt;/em&gt;, transferred jurisdiction for encryption export licenses from the State Department to the Commerce Department, meaning that commercial encryption products would no longer be considered weapons.
&lt;/p&gt;
&lt;p&gt;
  The policy would also allow encryption products of any algorithm and any key length to be exported, as long as those products incorporate controversial "key recovery" features.
&lt;/p&gt;
&lt;p&gt;
  Under a key recovery scheme, private encryption keys are registered with government-approved "trusted third parties" or "key recovery agents." With a court order, federal officials could quickly obtain a copy of the private key and decipher encoded information.
&lt;/p&gt;
&lt;p&gt;
  Encryption products of up to 56 bits that lack key recovery features may be exported until January 1999, but the exporting company must commit to producing such features in the future. Computer firms would not be required to include key recovery in domestic products.
&lt;/p&gt;
&lt;p&gt;
  Administration officials view the new policy as a critical first step in dealing with the information age. As public key encryption becomes more prevalent, they say, there is a need for an international framework of people and systems that can generate, transport and store the keys used in the encryption process. Without such a key management infrastructure, people may not be sure who they are talking to, and whether the keys they are using are really secure.
&lt;/p&gt;
&lt;p&gt;
  William Crowell, NSA's deputy director, contends a good encryption algorithm is only part of the information security equation. Without a good key management infrastructure, an encryption algorithm's value "is comparable to that of a bank vault door on a cardboard box."
&lt;/p&gt;
&lt;p&gt;
  Make no mistake, however, NSA and the FBI view key recovery as an absolute must. In March testimony on Capitol Hill, Robert Litt, head of the Justice Department's criminal division, listed several recent cases in which encryption figured prominently. Aldrich Ames, the former CIA officer, was told by his Soviet handlers to encrypt the computer files he sent to them. Ramzi Yousef, convicted of conspiring to blow up 10 U.S.-owned airlines in Asia, and his cohorts apparently stored information about their terrorist plot in an encrypted computer file.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Shades of Orwell?&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Despite the Clinton administration's security arguments, U.S. software manufacturers and many others aren't buying into the new policy.
&lt;/p&gt;
&lt;p&gt;
  Bruce Schneier of Counterpane Systems, a computer security and cryptography consulting firm in Minneapolis, uses words like "Orwellian" to describe the policy. It is, he says, the latest in a series of attempts by the administration to ensure its electronic surveillance capabilities are not undercut by technological advances.
&lt;/p&gt;
&lt;p&gt;
  The American Civil Liberties Union contends the policy is an "irreparable infringement" on First Amendment rights. Encryption is speech, the ACLU argued in comments sent to the Commerce Department earlier this year, and any efforts to restrict speech are unconstitutional.
&lt;/p&gt;
&lt;p&gt;
  RSA's Bidzos, meanwhile, says the export policy will force U.S. companies to make products that overseas customers won't want. A foreign buyer, he argues, is unlikely to buy an encryption system that permits the U.S. government access to the decoding key. That buyer will look for products from other countries that don't mandate key recovery, thus allowing foreign competition to cut into a market the United States currently dominates.
&lt;/p&gt;
&lt;p&gt;
  "What if Japan had a policy that said computer security products may only be exported if the Japanese government is guaranteed access?" Bidzos said recently. "Would General Motors buy a computer security product from Toyota in that environment?"
&lt;/p&gt;
&lt;p&gt;
  So far, the administration is unfazed by the negative reactions. Indeed, government officials have proved adept at making their case, steering clear of the complex jargon that usually goes along with discussions over encryption.
&lt;/p&gt;
&lt;p&gt;
  In speeches and in testimony, Crowell frames the issues in plain language. To make the point that brute force assaults on encrypted messages are not really an option for law enforcement and national security officials, Crowell says it would take someone with 250 computer workstations 9 trillion times the age of the universe to decrypt a single message encoded with a 128-bit key. It would take 27 years to break a 56-bit key, he says. To avoid a terrorist incident or prepare evidence for trial, the government can't wait for years, or even months or days.
&lt;/p&gt;
&lt;p&gt;
  In a recent speech before the American Bar Association's Standing Committee on Law and National Security, NSA Director Lt. Gen. Kenneth Minihan insisted the administration's export strategy gives equal weight to public and private interests, a difficult balancing act.
&lt;/p&gt;
&lt;p&gt;
  "If we overemphasize the public interest, we risk a world with too much government, too much access, and too little security," Minihan said. "If we overemphasize the private interests, we risk a world with perhaps too many secrets. A world in which terrorists, organized crime, hackers and even other nations can acquire secure command and control capabilities formerly restricted to the advanced military forces of the world."
&lt;/p&gt;
&lt;p&gt;
  Although the encryption export policy is in effect, the debate rages on. Legislation pending in Congress would essentially reverse the administration's regulations, permitting U.S. companies far more leeway to ship encryption products overseas. And with American firms constantly achieving new breakthroughs in computing, it will become more and more difficult to maintain the balance between public and private interests.
&lt;/p&gt;
&lt;p&gt;
  It all seemed so much simpler decades ago. In 1929, President Hoover's secretary of state, Henry Stimson, upon learning that his agency was monitoring Japanese radio traffic, declared that all funding be cut off for such activities. "Gentlemen," Stimson sniffed, "do not read each other's mail."
&lt;/p&gt;
&lt;p&gt;
  &lt;em&gt;Richard Lardner is general manager of Inside Washington Publishers' Defense Group.&lt;/em&gt;
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>The Need to Know</title><link>https://www.govexec.com/magazine/1997/02/the-need-to-know/178/</link><description>In the name of protecting national security, Big Brother is prying deeper into federal managers' personal lives.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Lardner</dc:creator><pubDate>Sat, 01 Feb 1997 00:00:00 -0500</pubDate><guid>https://www.govexec.com/magazine/1997/02/the-need-to-know/178/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  &lt;img src="/graphics/initials/t.gif" width="16" height="23" align="left" alt="T" width="16" height="23" /&gt;hree years ago this month, Aldrich Ames was arrested for swapping information about U.S. intelligence operations for about $2 million, first to the Soviet Union, then to Russia. Almost overnight, the veteran employee of the Central Intelligence Agency became one of this nation's most notorious spies. Indeed, the gravity of Ames' betrayal earned him equal billing with Benedict Arnold, a name linked with treason for more than 200 years.
&lt;/p&gt;
&lt;p&gt;
  While it's clear now what Ames did and the massive damage he caused, what's unknown to scores of federal executives is how Ames' crimes could affect their lives. Because of Ames, the executive branch has set about trying to right all that was wrong with its personnel security system. A glaring shortcoming, officials determined, was the lack of a procedure to track how employees with access to highly classified material make and spend their money.
&lt;/p&gt;
&lt;p&gt;
  Their efforts culminated in August 1995 with President Clinton's executive order 12968, "Access to Classified Information." The order made clear that to obtain a security clearance, federal employees as well as private sector workers would have to permit the government virtually unlimited access to their financial records. In particular, the order directed the U.S. Security Policy Board, a group chaired by the deputy Defense secretary and the director of central intelligence, to develop a financial disclosure form that would be required of those privy to the nation's most sensitive secrets, like nuclear weapon designs and the identities of covert agents. A pool of at least 50,000 to 60,000 employees, many of them senior government executives, would have to fill out the form. The Security Policy Board was given 180 days to craft a standard form that would be used by all government agencies.
&lt;/p&gt;
&lt;p&gt;
  Now, nearly a year and a half later, there is no such document, and it's unclear whether there ever will be one. There are, however, plenty of questions as to whether a form makes any sense at all. Early last year, the interagency group assigned to produce the form, the Personnel Security Committee, determined it "would not meaningfully enhance personnel security." The committee, which operates under the auspices of the Security Policy Board, voted overwhelmingly to recommend to the White House that the requirement for financial disclosure "be deleted."
&lt;/p&gt;
&lt;p&gt;
  While no such recommendation has yet been made and no relief has been granted, those close to the effort doubt whether a financial disclosure form will work. "I personally am not particularly impressed with the form," says Peter Saderholm, the Security Policy Board's staff director. "But I remain willing to be convinced that that's the most useful mechanism."
&lt;/p&gt;
&lt;p&gt;
  For now, the Personnel Security Committee, Saderholm and his staff push on, attempting to develop a financial disclosure form that will be not only acceptable to a broad range of federal agencies with different interests but also to the private sector firms that would be covered by disclosure requirements.
&lt;/p&gt;
&lt;p&gt;
  "I think it is appropriate for people with a security clearance, particularly ones that deal with sensitive information, to live within their means," Saderholm says. "Therefore, it is incumbent on the system that provides them that security clearance to have some understanding as to how they're living. I have no problem with that. I just think we need to do this in a fashion that is effective and also is the least intrusive."
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Spies Lie&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Just as supporters of financial disclosure cite the Ames case as the reason a governmentwide reporting system is necessary, opponents say the case is proof such a program won't work. Agents willing to betray their country are no more inclined to fill out a financial disclosure form honestly than they are to turn themselves in. In August 1994, after his conviction, Ames told congressional investigators financial disclosure is worthless if a spy makes a serious effort to cover his tracks. Ames, a GS-14 who lived in a half-million dollar home and drove a Jaguar automobile to work, made no such effort.
&lt;/p&gt;
&lt;p&gt;
  For the CIA, financial disclosure is not new. The agency has had a program in place for several years and expanded the number of people covered after Ames was arrested. Before Ames, senior agency executives and some GS-15s in sensitive posts were required to submit a form and keep it regularly updated. Following Ames' conviction, the program was "expanded geometrically," says CIA spokesman Dave Christian. It now includes all CIA employees, contractors and consultants.
&lt;/p&gt;
&lt;p&gt;
  Harold James Nicholson, the CIA officer arrested last November for espionage, filed a personal financial form with the CIA in 1995. Ultimately, the statement helped show that Nicholson had no outside business interests or sources of income that accounted for the large sums of cash he was depositing in his bank account. Yet the forms themselves didn't tip investigators off to Nicholson's spying. Rather, polygraph examinations that were part of his routine security clearance updates alerted the agency that something was amiss, according to the FBI's affidavit detailing the charges against Nicholson.
&lt;/p&gt;
&lt;p&gt;
  More useful to the CIA was the ability to obtain, without Nicholson's knowledge, records of his bank transactions. President Clinton's executive order requires those with security clearances to permit their federal employers access to their bank accounts, credit histories, and travel records. Agencies may obtain this information if, as in Nicholson's case, there are grounds to believe the employee is a spy or could be recruited as one. While the requirement for a financial disclosure form touched a nerve, few objections were raised to the account access provision.
&lt;/p&gt;
&lt;p&gt;
  In the case of Earl Edwin Pitts, the senior FBI agent who was charged last December with selling secrets to the Russians, it wasn't reams of financial data that led investigators to their suspect. Rather, a former Soviet attache told federal agents Pitts was a spy, and he was brought down by a lengthy sting operation.
&lt;/p&gt;
&lt;p&gt;
  Given its experience, the CIA has been a key source of information in the effort to install financial disclosure governmentwide. Internal government documents indicate the program has been difficult to implement.
&lt;/p&gt;
&lt;p&gt;
  According to the minutes from a February 1996 Personnel Security Committee meeting, a CIA official briefed the panel on the agency's financial disclosure effort. "The program required a minimum of 32,000 staff hours and cost at least $1 million to implement," the minutes read. "The agency received up to 200 calls per day with queries regarding the program. Nearly a quarter of all forms received contained errors. The process has thus far had an 88 percent response rate; it appears that noncompliance is the result of administrative problems rather than any widespread refusal to comply with the requirement."
&lt;/p&gt;
&lt;p&gt;
  If the CIA has had this much trouble, implementing financial disclosure at the Defense Department, for example, would be a monstrous challenge. DoD has a far larger group of personnel that could be covered by the disclosure requirement. Government officials say every effort will be made to limit the number of public and private sector employees covered, yet the final tally depends on just how aggressively agencies want to implement the requirement.
&lt;/p&gt;
&lt;p&gt;
  "The intent is to keep the group subject to the form as small and tight as possible," says Peter Nelson, deputy director for personnel security in the office of the assistant secretary of Defense for command, control, communications and intelligence.
&lt;/p&gt;
&lt;p&gt;
  No one is more upset at the prospect of a widespread new financial disclosure system than defense contractors, since many of their workers would be covered. Before Clinton signed the executive order, a consortium of defense trade associations told National Security Adviser Anthony Lake that the disclosure requirement was "overly intrusive," and warned it would increase the cost of government contracts as well as discourage the best and brightest from pursuing careers in national security.
&lt;/p&gt;
&lt;p&gt;
  Concerns over the form fall into four basic areas: the potential burden of completing the detailed documents and keeping them regularly updated, finding the resources required to collect and manage the reports, protecting the information, and ensuring that whatever form is developed is not overly intrusive. The executive order provides no detail on any of these points, a shortcoming not lost on the Personnel Security Committee. "EO 12968 requires the [Security Policy Board] to develop a financial disclosure form; however, a form without an attendant process for dealing with the information it collects has no value," the committee's meeting minutes state.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Big Brother?&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  The Ames and Nicholson cases proved, once again, that the government must carefully examine who it allows to handle the country's secrets. The trick is to balance what the government really needs to know against an employee's right to privacy.
&lt;/p&gt;
&lt;p&gt;
  The White House isn't alone in its quest to crack down on would-be spies. Clinton's executive order on security clearances was prompted by Congress, which was also embarrassed by Ames' treason. In the 1995 Intelligence Authorization Act, lawmakers called on the president to create the governmentwide financial disclosure system.
&lt;/p&gt;
&lt;p&gt;
  Carol Bonosaro, president of the Senior Executives Association, which represents federal executives at various agencies, worries that Congress and the administration may have laid the foundation for a system that will become so cumbersome that trustworthy employees will find it difficult to keep up with all the requirements. And honest mistakes, she says, could lead to unwarranted investigations.
&lt;/p&gt;
&lt;p&gt;
  "I think Congress and the administration tend to legislate and regulate based on worst case scenarios," says Bonosaro. "There are lots of people in the private sector who might be able to contribute substantially but don't want to go through the divestiture and disclosure requirements.
&lt;/p&gt;
&lt;p&gt;
  "All this is driven because government [officials] live in a fishbowl," she says. When the worst occurs, senior federal executives are asked, 'Why didn't you prevent this?' There's seldom a case where the career workforce is the problem, but the laws are painted with a broad brush."
&lt;/p&gt;
&lt;p&gt;
  And it's not likely to get any better. The U.S. national security community must now deal with spies who are able to condense and transport information like never before. So it's likely security measures will become more stringent, not less.
&lt;/p&gt;
&lt;p&gt;
  The more intrusive approach to personnel security has its defenders. The FBI and CIA both heralded post-Ames counterintelligence reforms as key factors in their ability to catch Nicholson. But critics say there are more fundamental steps that should be taken. First and foremost, the United States needs to cut down on the amount of information it classifies. By extension, this will reduce the number of people who require security clearances, which automatically decreases the number of potential spies.
&lt;/p&gt;
&lt;p&gt;
  According to the General Accounting Office, roughly 3.5 million public and private sector employees have security clearances. Government executives and military personnel account for about 2.5 million of the total. In fiscal 1993 alone, agencies spent $326 million on background investigations. Hundreds of millions of dollars more are spent annually to protect classified government information and facilities. Kate Martin, director of the Center for National Security Studies in Washington, says these figures have to be whittled down. "The key is to have a small group of people, and focus your efforts on them," says Martin.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Tools of the Trade&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Even without a governmentwide financial disclosure form, federal investigators have other methods for making sure personnel in sensitive positions walk the straight and narrow. The polygraph, according to investigators at U.S. intelligence agencies, is an invaluable tool and a cornerstone of the government's counterespionage effort. At the same time, the polygraph is invasive and the prospect of taking one sends shivers up the spine. Ames cited the polygraph as the one security measure he most feared.
&lt;/p&gt;
&lt;p&gt;
  Yet Ames was able to beat a polygraph exam administered shortly after he began spying and another five years later, which underscores a key point of contention surrounding the instrument. As the Joint Security Commission noted in its February 1994 report, "the scientific validity of the polygraph is yet to be established." And, the JSC added, "unless the validity of the process can be demonstrated, there is nothing to prevent a practiced deceiver from passing a polygraph examination."
&lt;/p&gt;
&lt;p&gt;
  Those shortcomings notwithstanding, the polygraph is here to stay. If anything, it may be viewed as more valuable than ever in the wake of the Nicholson case. Nicholson held a Top Secret clearance and also had access to "sensitive compartmented information," which is technical data about sophisticated U.S. intelligence-gathering systems. As part of a routine security update, Nicholson was given a polygraph in mid-October 1995, which showed a high probability of deception when he was asked if he was hiding any involvement with a foreign intelligence service, according to the FBI's affidavit. Two more polygraphs, both administered shortly after the first, scored roughly the same results. Based on those tests, CIA investigators began to dig deeper into Nicholson's personal affairs.
&lt;/p&gt;
&lt;p&gt;
  As helpful as polygraphs may be to government investigators, there is no uniform procedure for administering the tests. For example, the CIA and the National Security Agency use polygraphs to screen applicants for employment, but the Defense Department doesn't. (Some DoD employees who have access to highly classified information must take polygraphs.) The State Department, meanwhile, refuses to use lie detector tests for personnel screening, regardless of a person's level of access.
&lt;/p&gt;
&lt;p&gt;
  By law, no adverse action can be taken against an employee for refusing to take a polygraph. But declining a test can severely limit one's advancement in the national security field. As a result, employees must weigh their fear or philosophical opposition to the polygraph against a possible promotion or, at the CIA and NSA, even being hired in the first place.
&lt;/p&gt;
&lt;p&gt;
  According to Saderholm, efforts are under way to develop a polygraph policy that would be used by the Defense Department and other national security organizations. He also says efforts need to be made to show clearly how well the polygraph works, as well as spell out the shortcomings. "We need to very carefully document where the polygraph has proven particularly useful and why it should be maintained," says Saderholm. "If [we] can't do that, then it's always going to be suspect as a tool."
&lt;/p&gt;
&lt;p&gt;
  Drug testing also figures prominently in the personnel security arena. All active-duty military personnel must be tested at least once a year. For civilian federal employees, drug testing is not a requirement for employment or a security clearance. There are, however, "testing designated positions" whose occupants must submit to random urinalysis. According to Nelson, a positive test result would not only affect a person's security clearance but is grounds for firing in some circumstances.
&lt;/p&gt;
&lt;p&gt;
  As with the polygraph, government security experts have great faith in the rigorous, careful type of urinalysis used to detect illegal drug use. But also like the polygraph, the drug testing system is not flawless. Between the time a sample is collected and the time it is tested, mistakes, most often administrative foul-ups, can happen. And an incorrect positive test result is extremely hard to reverse.
&lt;/p&gt;
&lt;p&gt;
  The Armed Forces Institute of Pathology, which oversees the military's network of drug testing laboratories, reports that since 1983 none of its facilities has reported a "false positive," which means the urinalysis incorrectly reported the presence of a drug. Outside the labs, it's a different story. "AFIP investigations have uncovered some false positive reports which were attributed to clerical errors made by the submitting units such as incorrect transcription of Social Security numbers prior to the submission of the samples," AFIP said in a written response to questions.
&lt;/p&gt;
&lt;p&gt;
  Still, drug testing is viewed as an effective, and legal, security tool. In 1991, a federal court determined the Navy could require civilian employees holding Top Secret security clearances to submit to random drug tests.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Sex and Security&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  It's not just money and drugs agencies are interested in; they want to know about employees' sex lives as well, even though they're not supposed to concern themselves with their workers' sexual orientation.
&lt;/p&gt;
&lt;p&gt;
  Upon the signing of executive order 12968 in August 1995, the White House made much of the fact that the directive eliminates sexual orientation as a factor in making security determinations. This earned the administration kudos from gay rights organizations like the Human Rights Campaign Fund, which praised President Clinton for correcting "the discriminatory policy of denying clearances to people based on their sexual orientation."
&lt;/p&gt;
&lt;p&gt;
  National security agencies used to view homosexuals as potential blackmail targets and therefore greater security risks. But sexual orientation has not been an issue for some time. In a 1995 report, the General Accounting Office said it found "no evidence" in the last five years that sexual orientation has been used as a security clearance criterion. A 1993 case handled by the Pentagon's directorate for industrial security clearance review supports the GAO's findings. An administrative judge granted a security clearance to a transsexual after determining the individual was a solid employee whose "transsexualism will not form the basis for coercion or blackmail," according to a synopsis of the case.
&lt;/p&gt;
&lt;p&gt;
  Saderholm says the issue was addressed in the 1995 executive order "just to put the perception away."
&lt;/p&gt;
&lt;p&gt;
  What is very much an issue, however, is one's sexual behavior. The Security Policy Board last year crafted new adjudicative guidelines to be used by government agencies in evaluating security clearance applications. Sexual behavior is listed as one of 13 factors to be considered when examining an employee's background, along with such things as alcohol consumption, drug use and allegiance to the United States. Security officers must weigh potentially disqualifying activities against mitigating conditions, such as frequency, age and maturity, and motivation at the time of the activity.
&lt;/p&gt;
&lt;p&gt;
  For example, "sexual behavior of a public nature and/or that which reflects a lack of discretion or judgment" is a condition that could raise a security concern and may be grounds for disqualification. This could be mitigated, however, if "the behavior was not recent and there is no evidence of subsequent conduct of a similar nature," according to the guidelines, which have yet to be approved by the White House.
&lt;/p&gt;
&lt;p&gt;
  "Sexuality in the form of illegal conduct is an issue, and I believe that's appropriate. But orientation is not," says Saderholm.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;A Delicate Balance&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  So do all these rules and regulations make for better security? That depends upon who's asked. From the government's perspective, no amount of scrutiny is too much. Ames disclosed the identity of U.S. undercover agents operating in the Soviet Union, and at least nine of them were executed. Senior government officials note the judiciary has determined no one has a right to a security clearance; rather, access is a privilege.
&lt;/p&gt;
&lt;p&gt;
  Ensuring only the right people get access to sensitive information is not easy. Robert C. Kim, a Navy computer specialist charged last September with giving classified documents to South Korea, appeared to be the ideal employee. An elder in his church, Kim lived modestly in suburban Washington. Based on the charges against him, however, Kim was more concerned with the interests of South Korea than those of the United States. But determining whether a government employee has a "foreign preference" requires painstaking, and often intrusive, investigative work.
&lt;/p&gt;
&lt;p&gt;
  Saderholm argues that he and other government officials responsible for crafting U.S. security policy are very concerned with individual rights and every effort is made to get input from the public sector. For example, the American Federation of Government Employees and the American Bar Association disagreed with the Clinton Administration's proposed policy on procedures for appealing the revocation or denial of a security clearance.
&lt;/p&gt;
&lt;p&gt;
  Both federal employee organizations were given ample opportunity to comment on the proposed clearance policy before the President signed the executive order, Saderholm says. The defense industry, which also holds strong opinions on personnel security subjects, acts as an additional counterweight.
&lt;/p&gt;
&lt;p&gt;
  "A person shouldn't have to provide us with information that is of no utility, and we should be able to provide sufficient insight and resources from the personnel security perspective to manage the data in a fashion where we can improve the probability that we're going to identify [an employee who is] living a lifestyle that's inappropriate," says Saderholm. "If we attempt to do something that's really foolish, industry will in fact go to the . . . White House and they will complain."
&lt;/p&gt;
&lt;p&gt;
  Bonosaro says the fallout from high-profile cases like Ames' results in political solutions that may not be necessary. "The people are looking for Congress to do something and Congress does," she says. "They pass more legislation that subjects lots of people to more paperwork."
&lt;/p&gt;
&lt;p&gt;
  Simply filling out and signing the standard application forms for public trust and national security positions (SF 85P and SF 86, respectively) gives the government tremendous leeway to examine a person's life. Gaining access to classified information only increases the government's ability to know what you do outside the office, and with whom.
&lt;/p&gt;
&lt;p&gt;
  One of the striking lessons learned from the Ames case is that there was no shortage of security requirements; rather, those responsible for keeping watch did not act when they needed to.
&lt;/p&gt;
&lt;p&gt;
  The CIA's inspector general determined the polygraphs Ames was given in 1986 and 1991 were deficient. In December 1990, CIA counterintelligence officials knew Ames had purchased a $540,000 home in 1989, yet could find no record of a mortgage. The same year, Ames bought his Jaguar for $50,000. Despite serious questions about his finances, Ames was not arrested until early 1994.
&lt;/p&gt;
&lt;p&gt;
  The Ames case also highlighted the unwillingness, or inability, of the FBI and CIA to work together in pursuing suspected spies. In the wake of the case, a senior FBI official was placed in charge of the CIA's counterespionage group in order to provide better coordination between the two agencies. This reform, coupled with other organizational changes, has helped. Senior administration officials hailed the increased cooperation between the FBI and CIA as a key element in the capture of Nicholson, who has pleaded not guilty to the charges against him.
&lt;/p&gt;
&lt;p&gt;
  The key is to find the right balance. As the administration, Congress and the public debate how best to protect the nation's secrets without forcing talented people to look elsewhere for work, they all might heed Adlai Stevenson's words from a speech in 1952. "Carelessness about our security is dangerous; carelessness about our freedom is also dangerous."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Access Denied</title><link>https://www.govexec.com/magazine/1997/02/access-denied/179/</link><description>In the name of protecting national security, Big Brother is prying deeper into federal managers' personal lives.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Lardner</dc:creator><pubDate>Sat, 01 Feb 1997 00:00:00 -0500</pubDate><guid>https://www.govexec.com/magazine/1997/02/access-denied/179/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  &lt;img src="/graphics/initials/t.gif" width="16" height="23" align="left" alt="T" /&gt;he denial or revocation of a security clearance is serious business. Losing access can easily stunt one's prospects for promotion, or worse. In fiscal year 1995, the Defense Department denied Confidential, Secret or Top Secret clearances to 657 military, civilian and contractor employees, according to a January 1996 report to Congress. Another 9,591 had their clearances revoked or suspended. Roughly 30 percent of the civilian employees whose clearance was denied or revoked are no longer working at the Defense Department.
&lt;/p&gt;
&lt;p&gt;
  Government employees can appeal a decision to revoke or reject an application for clearance, although the Defense Department report suggests the odds of winning aren't very good. In fiscal 1995, 135 denials were appealed, yet only 20 employees succeeded in getting clearance. Of 228 revocations appealed, just 47 were restored.
&lt;/p&gt;
&lt;p&gt;
  Executive order 12968 improved the process for appealing clearance denials and revocations, but it didn't go nearly as far as some wanted. Federal labor unions and legal experts complain that private sector workers still have more substantial appeal rights, which were unaffected by the executive order. Under the order, government employees are provided a written explanation for the denial or revocation. They can obtain documents relating to their case, are informed of their right to be represented by counsel, and are provided an opportunity "to appear personally . . . at some point in the process before an adjudicative or other authority." Employees of government contractors, however, have a right to a trial-like hearing, which gives them the opportunity to cross-examine witnesses.
&lt;/p&gt;
&lt;p&gt;
  As the executive order was being drafted, the American Federation of Government Employees and the American Bar Association both complained to the administration about the disparity. The ABA claimed the right to counsel at a personal appearance is a "hollow one" unless evidence could be presented and witnesses challenged. But the administration elected not to go that far. "We're still concerned that [government] employees did not get all the rights they should get," says Sheldon Cohen, a member of the ABA's panel on administrative law and regulatory practice.
&lt;/p&gt;
&lt;p&gt;
  Cost and time were the two main reasons for not giving government employees the same appeal rights as contractors, says Peter Nelson, a personnel security specialist at the Pentagon. In its 1994 report, the Joint Security Commission said extending "such a broad hearing right to civilian employees could well result in a great many trial-type hearings in cases involving only undisputed facts." The commission also noted that government employees are less likely than contractor personnel "to lose their jobs, or to incur serious damage to their careers, if a clearance is denied or revoked."
&lt;/p&gt;
&lt;p&gt;
  The bottom line, says Nelson, is that the administration sought to make the appeal process better without bogging down an already overburdened system. "Federal employees now have all the rights they need to appeal a denial or revocation," he says.
&lt;/p&gt;
&lt;p&gt;
  The debate over appeal rights evoked strong responses from some elements of the national security community. In written comments to the Joint Security Commission's report, the Army, Navy and Air Force all disagreed with a recommendation to allow government employees to appear before an adjudicative authority; the Army called such a prospect a "logistical and financial nightmare."
&lt;/p&gt;
&lt;p&gt;
  The most remarkable response came from the National Reconnaissance Office, which operates the nation's constellation of spy satellites. While acknowledging the importance of due process, the NRO said the need to protect national security outweighs certain considerations, like permitting personal appearances.
&lt;/p&gt;
&lt;p&gt;
  "The physical presence of the individual at the hearing introduces certain subjective factors which cannot easily be evaluated," the NRO said. "For instance, the individual's personal powers of persuasion, debating skills, physical appearance, level of intelligence and other similar factors, although irrelevant, could not be excluded from the appeals decision process."
&lt;/p&gt;
&lt;p&gt;
  "In other words," argues Steven Aftergood, a senior research analyst at the Federation of American Scientists, "the basic procedural safeguards of American jurisprudence cannot be tolerated."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>Behind Closed Doors</title><link>https://www.govexec.com/magazine/1996/04/behind-closed-doors/240/</link><description>Streamlining controls over classified information is a tall order for the new Security Policy Board, and some agency officials are miffed because they aren't being consulted.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Lardner</dc:creator><pubDate>Mon, 01 Apr 1996 00:00:00 -0500</pubDate><guid>https://www.govexec.com/magazine/1996/04/behind-closed-doors/240/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  &lt;img src="/graphics/initials/g.gif" width="19" height="23" alt="G" /&gt;uarding the government's secrets is big business. Every year, hundreds of thousands of federal and private-sector employees spend billions of dollars making sure classified information, facilities and people are properly protected. But while business may be booming, it's not necessarily good. Over the years, U.S. national security policies, practices and procedures have produced a massive government secrecy system that is expensive, inconsistent and ineffective.
&lt;/p&gt;
&lt;p&gt;
  To help fix what had become badly broken, President Clinton created the U.S. Security Policy Board (SPB) in September 1994 and directed it to recommend major improvements in all phases of government security, from determining how secure your telephone line needs to be to deciding what kind of lock is required for your safe. "It will be responsible for not only what to protect but also how to protect it," SPB Staff Director Peter Saderholm explained in a 42-page manifesto outlining the new organization's sweeping mission.
&lt;/p&gt;
&lt;p&gt;
  Despite the SPB's broad mandate to advocate change in so many sensitive areas of government, it has received little media attention. Aside from a few passing references, the daily press has all but ignored the SPB. Indeed, the board itself is probably one of Washington's best kept secrets. And that's probably just the way the board wants it. Navigating the intricacies of the U.S. security system is tough enough to do when you're working behind closed doors. Why complicate matters by going public?
&lt;/p&gt;
&lt;p&gt;
  But for government managers and their employees, whether they work in the national security arena or not, knowing even just a little bit about the SPB is probably a good idea. Just ask Sadie Pitcher, the Commerce Department's information technology security manager. In late 1994, Pitcher learned from a colleague at Commerce that the SPB was proposing to create a subgroup, the Information Systems Security Committee (ISSC), which would eventually dictate policy for all classified and unclassified computer networks.
&lt;/p&gt;
&lt;p&gt;
  Pitcher, co-chair of the interagency Federal Computer Security Program Managers Forum, and representatives from agencies outside the national security community knew little about the SPB, which was just beginning to take shape. Nonetheless, they were immediately concerned. Agencies like Commerce, Health and Human Services and the IRS routinely deal with information that is "sensitive" but not classified. Different policies and standards dictate how this kind of information should be safeguarded.
&lt;/p&gt;
&lt;p&gt;
  But the SPB proposed the Information Systems Security Committee merge the government's unclassified and classified computer worlds, presumably requiring the two to operate under the same security rules. This could make it difficult for agencies that deal regularly with the public and require fewer restrictions on the information they handle, Pitcher and her colleagues say. They also say the SPB's proposal ran counter to the 1987 Computer Security Act, which sought to maintain separate standards for classified and unclassified systems. Despite the ramifications of SPB's recommendations, Pitcher and the program managers forum, a group of senior computer security managers from civil agencies, never had been asked for their input.
&lt;/p&gt;
&lt;p&gt;
  The forum wrote to the Office of Management and Budget's information and regulatory affairs division in January 1995, asking that the SPB be told to back off. "We believe it is inappropriate for the national security and intelligence communities to participate in selecting security measures for unclassified systems at civil agencies," the group wrote. "Their expertise in protecting national security systems is not readily transferable to civil agency requirements."
&lt;/p&gt;
&lt;p&gt;
  Pitcher never received a formal response from OMB, but the message was passed on to the Security Policy Board. At a March meeting of the Computer System Security and Privacy Advisory Board, an organization made up of public and private-sector officials created by the Computer Security Act, Saderholm was conciliatory. He said he wanted to work closely with the advisory board in determining the best policy for protecting sensitive but unclassified information. He added the SPB would abide by the Computer Security Act and would not be solely responsible for unclassified systems, according to the minutes from that meeting.
&lt;/p&gt;
&lt;p&gt;
  The classified/unclassified systems debate is far from over, however. The Information Systems Security Committee has yet to be established, in part due to the concerns voiced by the civilian agencies over its scope. SPB officials say the committee will be up and running this year, but acknowledge there are challenges ahead. "This committee has not been established because of the unwillingness of the national security community and [civilian agency] officials to agree to have one body for both classified and sensitive, but unclassified, information," Saderholm said during public testimony in December. Saderholm declined to be interviewed for this article.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Wayward Bureaucracy?&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  To its critics, the SPB represents what is already wrong with the U.S. security system. It is excessively complex and sealed off from public view. "So far the SPB has been functioning like some wayward Eastern European bureaucracy, untainted by any hint of democratic principles or fair play," says Steven Aftergood, a senior research analyst at the Federation of American Scientists and editor of the monthly newsletter &lt;em&gt;Secrecy &amp;amp; Government Bulletin&lt;/em&gt;.
&lt;/p&gt;
&lt;p&gt;
  A public interest organization called the Electronic Privacy Information Center (EPIC) filed a lawsuit last year arguing the board will have a major impact on the U.S. information infrastructure and therefore more should be known about the group. EPIC's suit demands that the National Security Council be forced to release documents relating to the SPB's activities. The council, to which the SPB ultimately reports, had rejected EPIC's earlier Freedom of Information Act requests.
&lt;/p&gt;
&lt;p&gt;
  "This is a battle over the accountability and oversight of government computer policy. These decisions must be made in the bright light of day," EPIC Director Marc Rotenberg said after the suit was filed in March 1995.
&lt;/p&gt;
&lt;p&gt;
  Lynn McNulty, former co-chair of the program managers forum and a former associate director for computer security at the National Institute of Standards and Technology, warns civilian agency officials must remain vigilant as the SPB continues its work. "No one is saying the unclassified world doesn't have problems, but adding another bureaucratic layer is not necessarily the solution," says McNulty, who co-signed with Pitcher the letter to OMB.
&lt;/p&gt;
&lt;p&gt;
  But to its supporters, the Security Policy Board is an absolute necessity. Before the SPB existed, the process of developing security policy was hopelessly fragmented and in need of a single body to provide direction and focus. "This piecemeal approach to security policy has led to a decentralized policy structure in which multiple groups with different interests and authorities work independently of one another," the Joint Security Commission said in its 1994 report, "Redefining Security." Many of the groups have overlapping memberships and responsibilities, "but all exact a cost in terms of time, energy and efficiency," the commission said.
&lt;/p&gt;
&lt;p&gt;
  Jeremy Clark, acting deputy assistant secretary of Defense for intelligence and security, believes the SPB will bring about needed efficiencies, which will save money without degrading the level of security the federal government requires. "It's a matter of building trust and cooperation and codifying it in a meaningful way so we have standards across the community," says Clark.
&lt;/p&gt;
&lt;p&gt;
  Willis Ware, chairman of the Computer System Security and Privacy Advisory Board, initially took a dim view of the SPB because of its plans to seize control of information security. In fact, his group passed a resolution recommending the SPB "not proceed with its plans to control unclassified but sensitive systems until broader input of these issues is gathered." Ware now says he is pleased with the SPB's willingness to attend his group's meetings and brief members on the issues. "In terms of responding to our requests, they've been up front and forthright," says Ware of the SPB staff.
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Getting Started&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  The impetus for the SPB was provided by the Joint Security Commission, which produced its landmark report in February 1994. The Security Commission, a panel of distinguished national security experts, was directed in May 1993 by then-Defense Secretary Les Aspin and then-Central Intelligence Director R. James Woolsey to conduct a no-holds-barred assessment of the defense and intelligence communities' security policies and offer recommendations for changing them.
&lt;/p&gt;
&lt;p&gt;
  The commission concluded there was plenty that needed repairing. "Even without the end of the Cold War, it is clear that our security system has reached unacceptable levels of inefficiency, inequity and cost," the commission said in a report, "Redefining Security." "This nation must develop a new security system that can meet the emerging challenges we face in the last years of this century and the first years of the next."
&lt;/p&gt;
&lt;p&gt;
  Key to all the commission's recommendations was the formation of a single organization, a "security executive committee," that would be responsible for the creation of new security policies and standards that would then be carried out by the national security community. An advisory board would provide "a non-government and public interest perspective to security policy," the commission said. In response, Woolsey and Aspin's successor at the Defense Department, William Perry, established the Joint Security Executive Committee (JSEC) in the summer of 1994.
&lt;/p&gt;
&lt;p&gt;
  The National Security Council saw a need for a governmentwide organization whose security policy responsibilities were not limited to the military and intelligence communities. So on Sept. 16, 1994, Clinton signed presidential decision directive 29 redesignating the JSEC the Security Policy Board. The SPB is co-chaired by the deputy Defense secretary and the director of central intelligence; its other members include the vice chairman of the Joint Chiefs of Staff, deputy secretary of State, undersecretary of Energy, deputy secretary of Commerce, deputy attorney general, and one deputy secretary from another "non-defense related" agency.
&lt;/p&gt;
&lt;p&gt;
  According to the directive, the SPB is "the principal mechanism for reviewing and proposing" to the National Security Council legislative initiatives and executive orders that deal with security policy, practices and procedures.
&lt;/p&gt;
&lt;p&gt;
  The Security Policy Forum established under the JSEC would now report to the SPB. Here, representatives from virtually every sector of government meet to evaluate proposed security policies from an "operational perspective," says Saderholm, who refers to the forum as the SPB's "heart." If the forum is doing its job right, most issues will be resolved before being submitted to the SPB for final consideration. The forum's broad representation, 27 departments and agencies, is intended to allow all sectors of government to have a say in how security policies are fashioned.
&lt;/p&gt;
&lt;p&gt;
  As recommended by the Joint Security Commission, the directive called for the creation of a Security Policy Advisory Board of five members appointed by the president to ensure that U.S. security policies are consistent with the overall goals of government: open, fair and cost-effective. The Advisory Board will "provide a nongovernmental and public interest perspective on security policy initiatives," the directive stated. While no time was wasted in creating the SPB and solidifying the role of the forum under it, the Advisory Board has yet to be established.
&lt;/p&gt;
&lt;p&gt;
  The failure to create the Advisory Board has irked public interest advocates, most notably Aftergood of the FAS. He notes that representatives from U.S. defense companies regularly attend security policy meetings, which he says calls into question who the SPB is really working for. "This is poor strategy since it needlessly antagonizes concerned citizens whose interests may not precisely coincide with those of defense contractors," says Aftergood.
&lt;/p&gt;
&lt;p&gt;
  Meanwhile, Clark insists there is nothing sinister about the delay in establishing the Advisory Board. A list of nominees has been sent to the National Security Council for approval and a formal announcement of the panel's creation is "imminent," Clark says. "I wouldn't say in any way that [the delay] indicates security policy is a lower priority," says Clark, who co-chairs the Security Policy Forum. "I guess other higher priorities like Bosnia and budget deliberations have kept it off the plate."
&lt;/p&gt;
&lt;p&gt;
  And the SPB includes defense contractors in meetings because it has been "told to work with industry," which is directly affected by the recommendations of the board, Clark says. "We're trying to lower costs across the federal government including industry," he says. "The industry people have made a number of suggestions that have been really useful in how you apply risk management techniques and procedures to their areas."
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;Action by Committee&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  In keeping with the President's directive, a series of committees has been created to support the Security Policy Forum. For example, the personnel security committee will address "all personnel security policies, procedures and practices applicable to U.S. government departments and agencies," according to an SPB document.
&lt;/p&gt;
&lt;p&gt;
  The SPB also has committees for facilities protection, training and professional development and classification management, which recommends policies for reducing the amount of information the government labels secret. Saderholm chairs the policy integration committee, charged with making sure overarching themes like cost accountability are assimilated into security policy. Once the national security and civilian sectors agree, an information committee will round out the SPB structure.
&lt;/p&gt;
&lt;p&gt;
  In the last year, the SPB has focused on getting its new organization established, overhauling the "fragmented security policy structures that existed prior to the founding of the board," Saderholm told the Commission on Protecting and Reducing Government Secrecy, a panel of government and private sector officials, during a public hearing in December. Where eight organizations once developed facilities protection policies, now the SPB handles it all, except for securing overseas facilities, such as embassies, that remain under the State Department's control.
&lt;/p&gt;
&lt;p&gt;
  The SPB has busied itself with the implementation of two recent Clinton executive orders. E.O. 12958, "Classified National Security Information," creates a new system for classifying, safeguarding and declassifying the nation's secrets. E.O. 12968, "Access to Classified Information," is the first presidential directive to establish a uniform set of rules for granting security clearances.
&lt;/p&gt;
&lt;p&gt;
  The Joint Security Commission's report served as a blueprint for the SPB and during its first year the board has completed more than 20 percent of the commission's 76 recommendations, says Saderholm.
&lt;/p&gt;
&lt;p&gt;
  This year, the SPB faces one of its thorniest challenges: the government's polygraph program. Unquestionably invasive, the lie detector test is also one of the most useful tools in assessing a person's fitness to be trusted with sensitive information, national security experts say. According to Saderholm's testimony during the public hearing, the SPB "will review the efficacy of the polygraph and evaluate its utility."
&lt;/p&gt;
&lt;p&gt;
  The SPB cites as a success the elimination of outdated control markings that have limited the distribution of information within the U.S. intelligence community. The absence of markings such as NOCONTRACT (not releasable to contractor/consultants) and WINTEL (warning notice sensitive sources and methods involved) expands the number of people who can have access to sensitive documents while ensuring the sources of the information are properly protected. National security experts insist this is not a trivial change.
&lt;/p&gt;
&lt;p&gt;
  "In the years of risk avoidance, if an analyst was working at his workstation, he almost automatically put his 'headers' on in advance," says Clark. "He'd have a blank sheet of paper to write his intelligence report for the day. At the top he'd have 'secret, no foreign dissemination, limited distribution, originator control, and proprietary information.' And now we tell him, get rid of all those words off the top and come at it from the bottom up."
&lt;/p&gt;
&lt;p&gt;
  &lt;strong&gt;A Rocky Road&lt;/strong&gt;
&lt;/p&gt;
&lt;p&gt;
  Proponents of the SPB believe the new structure eventually will result in a more efficient and effective system for protecting the government's secrets. But they know it won't be easy. "I have to admit there has been some disappointment in that at the lower echelons of the process. People are still circling their wagons and wanting to do business as usual, afraid of change, not wanting change and resisting change," Saderholm said in December. Bold leadership is required to ensure that status quo ideas are rejected, he said.
&lt;/p&gt;
&lt;p&gt;
  And if the SPB has found the going tough so far, the process will only get more difficult. The single committee not yet part of the SPB's structure deals with information security, which Saderholm acknowledges "is the greatest and most exciting challenge facing the board." The Joint Security Commission called protecting the nation's information systems and networks "the major security challenge of this decade and possibly the next century."
&lt;/p&gt;
&lt;p&gt;
  Further complicating the development of information security policy is the business community. Not only must the national security and civilian agencies come to an agreement, but private contractors will have a say as well. Whatever policies the government adopts will have a major impact on the companies it does business with, and they won't stay quiet if they believe a proposed action is too restrictive or costly.
&lt;/p&gt;
&lt;p&gt;
  The SPB also faces financial challenges. The Joint Security Commission's report acknowledged some of its recommendations will require an up-front investment, especially in the information and personnel security areas. To save money, some will have to be spent. In this era of tight federal budgets, coming up with the cash that will be needed to completely overhaul the U.S. security system will be a tall order.
&lt;/p&gt;
&lt;p&gt;
  Still, steps must be taken to repair a security system gone haywire. One need look no further than EPIC's lawsuit to see the inconsistencies in government security decisions. Among the documents the Washington, D.C.-based organization sought through its FOIA request was a copy of presidential decision directive 29, which created the SPB. In response to the request, the National Security Council told EPIC it is not subject to FOIA, and, furthermore, the unclassified presidential decision directive was not "releasable." But the directive and other unclassified documents relating to the SPB are immediately available to anyone who wants them on Aftergood's "Government Secrecy Project" home page on the World Wide Web at http://www.fas.org/pub/gen/fas/sgp/.
&lt;/p&gt;
&lt;p&gt;
  "Our real fear is that [the Security Policy Board] is going to go beyond the national security realm," says David Sobel, EPIC's legal counsel. "[The lawsuit] is our vehicle to know what they're doing."
&lt;/p&gt;
]]&gt;</content:encoded></item><item><title>The Board Meets in Private, But Is It Legal?</title><link>https://www.govexec.com/magazine/1996/04/the-board-meets-in-private-but-is-it-legal/241/</link><description>The Board Meets in Private, But Is It Legal?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Richard Lardner</dc:creator><pubDate>Mon, 01 Apr 1996 00:00:00 -0500</pubDate><guid>https://www.govexec.com/magazine/1996/04/the-board-meets-in-private-but-is-it-legal/241/</guid><category>Magazine</category><content:encoded>&lt;![CDATA[&lt;p&gt;
  &lt;img src="/graphics/initials/t.gif" width="16" height="23" alt="T" /&gt;he U.S. Security Policy Board, its subgroups and committees conduct their meetings in private. Only designated government officials and invited defense industry representatives are permitted to attend the gatherings. Due to the extreme sensitivity of the often classified material discussed, this is understandable. But is it legal?
&lt;/p&gt;
&lt;p&gt;
  Well, yes and no. According to a draft memorandum prepared by the Justice Department's civil division and delivered to SPB Staff Director Peter Saderholm, much depends upon how the meetings are conducted. If the contractor representatives play too large a role in making security policy decisions, Justice says the board might run afoul of the 1972 Federal Advisory Committee Act (FACA). The law was established to govern the activities of blue ribbon commissions and advisory panels set up to counsel the executive branch.
&lt;/p&gt;
&lt;p&gt;
  The confidential draft memo, written by David J. Anderson, director of Justice's federal programs branch, states that a court is likely to find the SPB "exempt from FACA" because it is composed of senior-level government officials. Still, the memo states, "we suggest that federal committees conduct their meetings with consideration that FACA may nonetheless be implicated if the private nonmembers in attendance at the meetings perform functions similar to those of the federal members."
&lt;/p&gt;
&lt;p&gt;
  To prevent this from happening, the memo recommends the SPB and its subgroups "consider distinguishing the functions of the private nonmembers from federal members." Also, Justice says it's probably a good idea to avoid "the formulation or adoption of federal policies or recommendations in the presence of private nonmembers."
&lt;/p&gt;
&lt;p&gt;
  Jeremy Clark, acting deputy assistant secretary of Defense for intelligence and security and co-chairman of the Security Policy Forum, said he was not aware of the memorandum. And Anderson, the author, refused to comment.
&lt;/p&gt;
]]&gt;</content:encoded></item></channel></rss>