I’ve noticed that a lot of the folks commenting on the Clinton e-mail investigation do not seem to understand how classified information comes about and is protected. So I thought I would put together a short primer.
Information can be generated, received or collected. If its disclosure to the wrong party could cause damage to the national security, the information is classified at the confidential level. If disclosure could cause serious damage, the information is classified at the secret level. If disclosure would cause exceptionally grave damage, it is classified top secret. If the protections required for those three classification levels are not considered sufficient, the information will be placed in a ‘compartment’ where access is limited and additional security measures are applied. Reportedly, some of the classified information sent through Hillary Clinton’s non-secure ‘home’ server was at the compartmented level.
Information becomes classified when an Original Classification Authority (OCA) designates it as such. Usually OCA’s are heads of agencies or departments, though the ability to classify information at the lower security levels is sometimes delegated to organization commanders or directors.
Usually, the OCA will approve a security classification guide. Sometimes at agency and department levels, there will be a security instruction (regulation). And you can even get guidance at the Presidential level via Executive Orders. What you find in these guides, instructions, or orders is a description of what information is and is not classified, what is sensitive but unclassified, and what security classification level is to be applied when the information is classified. Usually, there is a table in the guidance where the first column is a list of categories or types of information. Each row in the table describes the classification level and related information.
So, you might have a security classification guide on the Joint Direct Attack Munition (JDAM). It would tell government employees working with the JDAM what information is classified and what is not. Usually, you don’t get extreme detail. As an example, the performance characteristics of the JDAM might be classified at the secret level. The existence of the JDAM, and its general uses, might be unclassified. Keep in mind, this is a hypothetical case for me, I have no knowledge of the JDAM other than what I’ve read in newspapers.
And I have absolutely no information, beyond what I’ve read in newspapers, about classification guidance for State Department information.
What I do know is that a government employee, when documenting something or communicating about something in their area of expertise, is expected to be aware of the applicable classification guidance. They are expected to mark titles, headers, and paragraph portions with the appropriate classification markings when they generate a document. They also apply a document classification header indicating the source for the classifications: either the OCA, the classification guidance reference, or the derivative classification source from which they have obtained the classification markings. If you create a document based on OCA guidance, your new document can become a derivative classification source for other ‘authors’.
Everyone is briefed on the protections required of classified information before they are given access. And they are given periodic refresher training. They sign forms indicating they have completed the training, and most of those forms indicate the criminal penalties for mishandling or disclosure of classified information to unauthorized individuals.
And here is a key point. Once the classification guidance is issued, whether or not classified information is properly marked, it is still classified. And the guidance generally is written to cover categories of information, not specific bits of info. It is possible that some info could retroactively be classified. If, for example, the categories in the guidance were not all inclusive. In my, admittedly limited experience, I’ve never seen that happen.
Another part of security training is that publication of classified information does not change the classification level to unclassified. Properly cleared government employees are still required to protect that information as classified. In general, they are not allowed to comment on any public information or disclosure. And everyone is told to refer any questions to the Public Affairs office at their organization or agency.
A final training point is that everyone is told to transmit information only on approved, secured networks and devices that are authorized to handle the appropriate classification level. There are specific networks for secret and higher levels of classification. Everyone knows that it is a security violation to transmit classified information on an unsecured network such as the Internet.
So, with Clinton having upwards of 2,000 classified messages on an unsecured system, it is extremely unlikely that more than a minute fraction were not classified at the time. Any government employee, with a clearance, knows that transmitting classified information on the Internet, or giving it to unauthorized individuals will cost you your clearance, your job, and probably your freedom for a number of years.
On the subject of work emails and unclassified networks. Over the years, the availability of unclassified .gov and .mil email accounts on government desktops has become wide spread, at least in government buildings and installations. As the cyber threat has grown, guidance has gone out to use only your .mil or .gov email account for government work. For the last few years, most organizations have provided government Blackberries or iPhones to those senior employees that need to work away from the office or during travel. They are configured to use the .mil or .gov email accounts and are secured as much as possible against intrusions. In most cases, you cannot access your .mil or .gov accounts from your personal devices. To my knowledge, US government systems do not permit automatic forwarding of emails from .mil or .gov accounts. The only way to get an email off the unclassified .mil or .gov network is to forward an individual email to an Internet account.
Also, it is supposed to be impossible to transmit an email from a secure, classified network to an unclassified network or the Internet.