The continued discovery of national security classified information outside of government control
Screenshot of part of a declassified document from the Congressman Jamie Whitten Papers at the University of Mississippi on the Interagency Security Classification Appeal Panel website
As we wrote on Snapshot when classified documents were first discovered at the Penn Biden Center, the problem of senior officials taking classified documents when they leave office is much more common than most people realize.
Over a decade ago the Information Security Oversight Office (ISOO) set up a process to deal with this problem. That process is authorized in 32 Code of Federal Regulations (CFR) 2001.36:
Classified information in the custody of private organizations or
individuals.
(a) Authorized holders. Agencies may allow for the holding of classified information by a private organization or individual provided that all access and safeguarding requirements of the Order have been met. Agencies must provide
declassification assistance to such organizations or individuals.
(b) Others. Anyone who becomes aware of organizations or individuals who possess potentially classified national security information outside of government control must contact the Director of ISOO for guidance and assistance. The Director of ISOO, in consultation with other agencies, as appropriate, will ensure that the safeguarding and declassification requirements of the Order are met.
With former Vice President Mike Pence discovering classified documents at his home, following the discovery of classified documents at the Penn Biden Center and President Biden’s Wilmington home, following former President Trump’s refusal to return classified and Presidential Records Act documents leading to the FBI seizing the documents Trump refused to turn over, it is easy to feel like we are experiencing some kind of new security problem.
This is not a new problem and the remedies for it are relatively straight forward, but they do cost money that so far the Congress has been unwilling to appropriate.
The classification system has some immense challenges. It also has deeply dedicated professionals that work to minimize security risks despite ever shrinking resources.
Anti-tax activist Grover Norquist once said, “I don’t want to abolish government. I simply want to reduce it to the size where I could drag it into the bathroom and drown it in the bathtub.”
Starting with the sequestration that was the result of the last debt ceiling crisis in 2011, I had a front row seat to how Congressional hostage taking and disastrous appropriations decisions endangered the protection of classified information.
When sequestration started I was on a short-term leadership development detail assignment at the Pentagon working continuity of government issues.
The security ramifications were immediately clear. The sequestration resulted in Defense Department staff and others working in the national security community being furloughed a certain number of days, throwing national security professionals into economic hardship. These national security professionals and their families had budgeted that they would have a certain income and the sequestration was cutting their monthly income. You saw the anguished faces as you attended all-hands meetings on the sequestration. You heard the worried questions asked at these meetings.
One of the areas discussed was the impact of the sequestration on staff’s security clearances. To maintain a security clearance one must demonstrate financial responsibility. We know intelligence services take advantage of a person experiencing economic hardship to recruit them.
Suddenly the US Congress – driven by Republican hostage taking over the debt ceiling – was causing those with security clearances and their families to face economic hardship.
My regular job, when I was not on the detail assignment at the Pentagon, was on the Information Security Oversight Office (ISOO) staff overseeing the national security classification system.
ISOO is an office within the National Archives and Records Administration (National Archives) that has been tasked by the President in Executive Order (EO) 13526 and its preceding EOs with the responsibility for overseeing the classification system for the entire executive branch. Locating this office within the National Archives was a brilliant decision as it avoided having the defense, intelligence, and foreign policy agencies oversee themselves and grounded the institutional culture of ISOO in an Archives culture that valued minimizing classification and maximizing making government information available to the American people.
As I attended the Pentagon meetings on the sequestration I was horrified by the security threat it posed. In a disaster of Congress’s own making, we were handing foreign intelligence services a superbly fertile recruiting environment.
The vast majority of national security professionals would uphold their security commitments, but even a few new spies in our midst would be devastating to our national security.
Another ripple from the sequestration were slogans like “do more with less” or my favorite “do less with less.” This latter was used when someone higher in an organization didn’t want to hear that either their own directives or the legal documents that govern the organization require the organization to take actions that available resources didn’t allow.
The longer term ripple was that hiring had to pass through an ever tighter bottleneck. Massive cuts in staff resulted as vacancies were not authorized to be filled. Remaining staff across the government kept trying to achieve their mission, but often lacked the resources to even accomplish all of their core mission, much less do the ancillary support functions, like records management and classification management, that were increasingly unfunded mandates.
At the Pentagon this meant that major money-saving organizations, such as the Undersecretary of Defense for Policy’s staff, were not authorized to fill vacancies when people left. (Note: Undersecretary of Defense for Policy’s staff is a money-saving organization because getting policy right reduces the need to use expensive weapons systems.) Sometimes three or four people would have to leave an organization before it was authorized to fill one vacancy.
ISOO staff size decreased by half from 2011 to 2021.
My final responsibility before leaving ISOO was running the largest information security reform the federal government has ever undertaken: the creation of a new Controlled Unclassified Information (CUI) program to standardize how unclassified information that laws, regulations, and government-wide policies direct be protected are protected and appropriately shared. This was one of the reforms recommended by the 9/11 Commission after they realized that differences in how agencies marked and protected unclassified information inhibited information sharing that would have allowed the US government to identify and find the terrorists before the attack. My predecessors running the CUI program told me they estimated that by the time CUI reached the point when I took over it would need a staff of 30 within ISOO. I was tasked to run this program overseeing nearly 100 agencies with a staff of myself and one other person.
Responsibilities were growing and number of people were shrinking.
I was seeing this throughout the government. As I oversaw agencies – both CUI and before that their national security classification programs – the staffing shortages were abundant everywhere.
Grover Norquist’s goal was being actualized.
So let’s talk about protecting classified information.
Office of the Director of National Intelligence (ODNI) reported in 2019 that 2.9 million people have US security clearances. ISOO reported that in 2017 (the last year data was collected and published) 49 million classification decisions were made…a classification decision in this case being the decision to classify information irregardless of medium (i.e. it could be a paper document, electronic document, three dimensional model of a prototype, etc.).
The FY 2021 ISOO Annual Report states that agencies reported only having 620 personnel working on self-inspections of their classification programs.
That is 620 people at the agency-level checking to make sure classified information was being managed appropriately. For most of these personnel this responsibility was probably one of many responsibilities of their job.
These are the people who spot, for example:
if policies and procedures are up-to-date
if a pattern of security incidents requires changes in training or procedure
if documents are being marked correctly
if physical and cyber security practices are in place
if over-classification is going on and requires changes in training or procedure
if training programs cover the required topics and are accurate
A little over 600 people overseeing 2.9 million people scattered across the world is not going to lead to good oversight.
This is but one example of how funding shortages are weakening our classification system.
In my prior article on classified information outside government control, I wrote about how the George W. Bush administration dedicated several staff members time for a couple weeks to go document-by-document through the records being transferred as part of the Bush-Obama Transition to make sure that Special Access Program (SAP) information was not mixed in with other records. That is a dedication of staff resources that most organizations are not funded at levels large enough to conduct.
Co-mingling of classified and unclassified documents is both something national security professionals are trained not to do and – extremely importantly – something history shows even diligent top performers will occasionally do. No human is ever perfect, particularly when you overburden what they need to accomplish in limited available time.
Congress members are actually some of the more frequent officials that have classified records outside of government control. This was highlighted in our prior article with the image of one of the classified documents in a collection of material Senator James Eastland donated to the University of Mississippi.
Fixing the classification system takes money and anything involving money – similar to anything involving classification policy – ultimately comes down to a cost-benefit and risk analysis. How much money is the US government willing to spend to reduce how much risk? What are bigger risks to classified information getting in the hands of a foreign adversary?
The wide knowledge that President Biden and former Vice President Pence had classified information in their homes increases risk that a foreign adversary will view those homes as easier targets than a government facility. Yet these homes were not without extensive protection with the Secret Service protecting President Biden’s Wilmington home and providing protection for former Vice President Pence for at least the first six months after he left office. As a result these are relatively secure locations. Since a foreign intelligence service would not have known where at such locations to look in a way that would have allowed an easy entry and exit undetected it is immensely unlikely the information in these documents was obtained by a foreign intelligence service as a result of the documents being taken to and stored at these locations.
Similarly it was extremely unlikely foreign intelligence services were aware that there were classified documents at the Penn Biden Center as it seems that Biden and his staff self-reported the discovery. As of now it appears this was a surprise discovery, which they reported immediately, even though this was a couple days before the midterms and it could have been politically devastating for Biden to report the discovery when his staff did. This combined with the documents not being in a readily publicly accessible location means it is unlikely the information in these documents was obtained by a foreign intelligence service as a result of the documents being taken to and stored at this location.
The Trump documents found at Mar-a-Lago are entirely different in this regard. There was knowledge among multiple people of their existence in specific locations in a widely-trafficked public venue. It is also not clear, based on some documents being found in Trump’s desk and his history of showing off, who he was showing these documents to or who he was telling that he had them.
So as we look at risks, first it is very clear that the Trump documents were in much more risk of having the classified information in them be obtained by foreign intelligence services than either the Biden or Pence documents.
Second, the risks resulting from increased fertile ground for foreign intelligence services to recruit cleared national security professionals as spies are much higher and put significantly more classified information at risk than a small number of documents taken outside government control to where no one is aware they exist at that location.
The image at the top of this article is a screenshot of one of the classified documents in a collection that were discovered by university staff among the papers Congressman Jamie Whitten donated to the University of Mississippi after his service as Chair of the House Appropriations Committee (1979-1993) and Dean of the House of Representatives (1979-1995), which is the title of the Member of the House of Representatives that has served the longest. The university staff reported the discovery to the Information Security Oversight Office (ISOO). ISOO then processed these documents for declassification. This is one of the documents that were declassified in full. You can review this fully declassified document here.
I feel like this is very much worth a letter to the editor of the Washington Post or NYT.