Keeping Secrets

By Richard Lardner

March 1, 1998

Democracy means government by discussion," wrote former British Prime Minister Clement Attlee, "but it is only effective if you can stop people talking." For the U.S. Security Policy Board, these should be words to live by.

The board, a senior-level group chaired by the Defense secretary and the director of central intelligence, was created by President Clinton in September 1994 to develop sensible and cost-effective security standards and practices. But it has yet to make serious progress in curbing the redundancies and complexities of the federal government's secrecy system. One reason is that the board has an abundance of participants doing too much talking.

With 35 agencies and departments represented in the structure of committees and working groups under the Security Policy Board (SPB), the decisions that do emerge tend to be consensus agreements rather than bold, but perhaps unpopular, policies. Agencies that don't care for a particular move can delay or dilute an action, undercutting one main reason the SPB was created.

Indeed, the congressional Commission on Protecting and Reducing Government Secrecy said in a March 1997 report that "not only has this approach delayed progress, but it has meant that SPB products often go no further than the extent that the least supportive agencies will accept."

Most of the talking takes place at the SPB's lower levels. In fact, the board itself, which is made up of 10 very senior government officials, including the deputy attorney general, the deputy secretary of State, the deputy Energy secretary and the vice chairman of the Joint Chiefs of Staff, has not met formally since March 1996. (It was scheduled to meet in late February.) Instead, SPB members keep in touch by phone and fax, the board's staff director says.

But critics say the failure to meet face to face regularly means important issues have been delegated to underlings. Worse, it suggests the board doesn't have anything to meet about. "It's a symptom of a kind of gridlock in the security policy process," says Steve Aftergood, a senior research analyst at the Federation of American Scientists and editor of Secrecy & Government Bulletin.

SPB officials, however, contend that all is well. In fact, they say, enormous advances have been made. The difficult job of establishing a series of baseline requirements for the protection of classified information has been completed, and now additional products can begin to flow.

"I think it's been a tremendous success story: starting from zero, getting agencies and departments together who had never been forced to really work together," says SPB staff director Dan Jacobson. "We've had numerous national [forums], but all they did was get together and generally agree to disagree. Finally, we have a process that forces us to resolve disputes."

Sharp Criticism

The SPB's harshest critic has been the Commission on Protecting and Reducing Government Secrecy. Chaired by Sen. Daniel Patrick Moynihan, D-N.Y., and Rep. Larry Combest, R-Texas, the commission was created by Congress to investigate ways to curb government secrecy while at the same time ensuring that information and people truly needing protection get it. The Moynihan panel, as it is known, agreed that under the board's umbrella, "many areas of security policy, such as personnel security, are coordinated more effectively than ever before." Yet, the panel said, "significant problems remain with regard to the SPB's overall functioning."

The SPB, the Moynihan panel said, has failed to make "meaningful progress" on major issues, like implementing key recommendations from a 1994 report produced by the Joint Security Commission, a group of distinguished national security experts. The Moynihan panel acknowledged the SPB has produced adjudicative standards and investigative guidelines, which are used to determine if a person should have access to classified information. But while these documents are intended to improve security clearance reciprocity between agencies, the panel said they are only "minimum standards;" that is, "agencies may go beyond these standards, thus limiting the extent to which there is genuine reciprocity of clearances."

Some of the Moynihan panel's sharpest criticism was reserved for the way the SPB operates. Below the board is the Security Policy Forum, made up of upper-level agency managers. Under the forum are committees and working groups that concentrate on specific areas, such as personnel security and classification management. There is also a Security Policy Advisory Board, which helps oversee the SPB. Finally, an SPB staff, run by Jacobson, supports the entire structure.

It's difficult to get things done in such a dense organization. For example, nearly two and a half years after President Clinton directed the board to develop a financial disclosure form for use by those with access to the nation's most sensitive secrets, the SPB has yet to produce such a document. An effort to set up an information security committee within the board's structure failed badly. Conflicts with the National Archives and Records Administration's Information Security Oversight Office have hampered the SPB's ability to forge classification and declassification policies.

Part of the problem, observers say, is that the people trying to fix the system may not know exactly what their bosses want them to do. "The SPB's plethora of committees and working groups has left the early stages of policy development in the hands of less senior representatives who may not even be aware of the positions advocated by the agencies' more senior officials," the Moynihan panel concluded. "Indeed, these representatives have at times spent months negotiating consensus products, only to have these overturned by their own senior management at higher levels within the SPB structure."

Retired Gen. Larry Welch, former Air Force chief of staff and chairman of the Security Policy Advisory Board, believes the SPB bit off more than it could chew when it got started.

"They took on this full panoply of issues with the full panoply of [entities]," Welch says. "Consequently, it creates a set of issues that are so complex that the Security Policy Forum, which is very, very active, has significant difficulty bringing [them] to the point where you would want the Security Policy Board to meet on something."

Aftergood says the board should meet anyway, if for no other reason than to demand to know why it doesn't have more on its plate. The board's membership, after all, makes it one of the most powerful groups in government.

Monumental Task

To be sure, the SPB was created to tackle a monumental chore. With numerous agencies having a stake in how the government decides to protect its people, property and information, the Clinton administration elected to get everyone involved-not just the defense and intelligence communities.

"We're negotiating a U.S. government security policy, rather than just an intelligence community security policy," says Carl Darby, who works with the SPB in his capacity as a senior policy analyst with the Community Management Staff, which supports the director of central intelligence.

While the SPB's approach may be logistically clumsy, board officials contend those who will be affected by a proposed policy should have a chance to comment on it. And the best people to comment are those who handle the day-to-day operations-the middle managers.

"We've found that if you really want to change something, you've got to get buy-in from your middle and upper management as part of the process," Jacobson says. "You can get every service secretary or agency head agreeing, you can have all the technical experts down below saying 'Yea verily,' but the people in the middle who have both arms up to their elbows in pots of money and resources who control what happens in an organization can kill it overnight if they don't buy in."

But the Joint Security Commission counseled against precisely this type of consensus-building, get-everybody-involved approach. While the SPB structure is consistent with what the commission envisioned, the process is not.

Even SPB staffers acknowledge the slow pace. An internal e-mail message from one employee to another notes that "it does seem that bureaucratic inertia is working against us at times." Another staffer wonders whether the real problem is not the number of federal offices involved in the SPB process, but the sluggishness of decision-making. This employee contends the process is better than it used to be "but is still so excessively layered that the standards process will by its own inertia bring about a lack of dynamism that we cannot afford in this fast-moving, information- and change-rich age."

For Better or Worse?

Is government better off now, in terms of setting security policy, than it was more than three years ago? The answer is probably not.

To be sure, the SPB has had some successes-the adjudicative and investigative standards, for example. It's also won some important supporters. Jeffrey Smith, a Washington attorney who chaired the Joint Security Commission and later served as CIA general counsel, says the SPB is "accomplishing what we [the Joint Security Commission] had in mind."

But the board has also perpetuated many of the problems that made security policy such a mind-boggling maze in the first place. Members of the Security Policy Forum "love to go to meetings and debate how many angels can dance on the head of a pin," one Capitol Hill observer says.

Because of the classified nature of some of the board's discussions, its activities are sealed off from public view. This seems to run counter to the JSC's concept of an organization that would be a "focal point" for congressional and public inquiries. Further, the cloistered approach limits outside pressure on the organization to move more quickly.

It may be time for the SPB's senior leaders to seize control of the situation. This, of course, would require them to meet more often, which doesn't seem likely to happen. Jacobson says it's important to keep the SPB's principals engaged, but there's no need for the board to meet unless there's a real disagreement over a particular issue. He says an annual "security summit" makes more sense, but even scheduling a yearly gathering has so far proved tough to do.

Maybe, as Smith says, the SPB just needs time to get its sea legs. Or maybe it's time for a little less talk and a lot more action.

Richard Lardner is general manager of Inside Washington Publishers' Defense Group.

By Richard Lardner

March 1, 1998