I’ve noticed that a lot of the folks commenting on the
Clinton e-mail investigation do not seem to understand how classified
information comes about and is protected.
So I thought I would put together a short primer.
Information can be generated, received or collected. If its
disclosure to the wrong party could cause damage to the national security, the
information is classified at the confidential level. If disclosure could cause serious damage, the
information is classified at the secret level.
If disclosure would cause exceptionally grave damage, it is classified
top secret. If the protections required
for those three classification levels are not considered sufficient, the
information will be placed in a ‘compartment’ where access is limited and
additional security measures are applied.
Reportedly, some of the classified information sent through Hillary
Clinton’s non-secure ‘home’ server was at the compartmented level.
Information becomes classified when an Original
Classification Authority (OCA) designates it as such. Usually OCA’s are heads of agencies or
departments, though the ability to classify information at the lower security levels
is sometimes delegated to organization commanders or directors.
Usually, the OCA will approve a security classification
guide. Sometimes at agency and
department levels, there will be a security instruction (regulation). And you can even get guidance at the
Presidential level via Executive Orders.
What you find in these guides, instructions, or orders is a description
of what information is and is not classified, what is sensitive but
unclassified, and what security classification level is to be applied when the
information is classified. Usually,
there is a table in the guidance where the first column is a list of categories
or types of information. Each row in the
table describes the classification level and related information.
So, you might have a security classification guide on the
Joint Direct Attack Munition (JDAM). It
would tell government employees working with the JDAM what information is
classified and what is not. Usually, you
don’t get extreme detail. As an example,
the performance characteristics of the JDAM might be classified at the secret
level. The existence of the JDAM, and its
general uses, might be unclassified. Keep
in mind, this is a hypothetical case for me, I have no knowledge of the JDAM
other than what I’ve read in newspapers.
And I have absolutely no information, beyond what I’ve read
in newspapers, about classification guidance for State Department information.
What I do know is that a government employee, when documenting
something or communicating about something in their area of expertise, is
expected to be aware of the applicable classification guidance. They are expected to mark titles, headers,
and paragraph portions with the appropriate classification markings when they
generate a document. They also apply a
document classification header indicating the source for the
classifications: either the OCA, the classification
guidance reference, or the derivative classification source from which they have obtained the
classification markings. If you create a
document based on OCA guidance, your new document can become a derivative
classification source for other ‘authors’.
Everyone is briefed on the protections required of
classified information before they are given access. And they are given periodic refresher
training. They sign forms indicating
they have completed the training, and most of those forms indicate the criminal
penalties for mishandling or disclosure of classified information to
unauthorized individuals.
And here is a key point.
Once the classification guidance is issued, whether or not classified information
is properly marked, it is still classified.
And the guidance generally is written to cover categories of information,
not specific bits of info. It is
possible that some info could retroactively be classified. If, for example, the categories in the
guidance were not all inclusive. In my,
admittedly limited experience, I’ve never seen that happen.
Another part of security training is that publication of
classified information does not change the classification level to
unclassified. Properly cleared
government employees are still required to protect that information as
classified. In general, they are not
allowed to comment on any public information or disclosure. And everyone is told to refer any questions
to the Public Affairs office at their organization or agency.
A final training point is that everyone is told to transmit
information only on approved, secured networks and devices that are authorized
to handle the appropriate classification level.
There are specific networks for secret and higher levels of
classification. Everyone knows that it
is a security violation to transmit classified information on an unsecured
network such as the Internet.
So, with Clinton having upwards of 2,000 classified messages
on an unsecured system, it is extremely unlikely that more than a minute
fraction were not classified at the time.
Any government employee, with a clearance, knows that transmitting
classified information on the Internet, or giving it to unauthorized
individuals will cost you your clearance, your job, and probably your
freedom for a number of years.
On the subject of work emails and unclassified
networks. Over the years, the
availability of unclassified .gov and .mil email accounts on government
desktops has become wide spread, at least in government buildings and
installations. As the cyber threat has
grown, guidance has gone out to use only your .mil or .gov email account for
government work. For the last few years,
most organizations have provided government Blackberries or iPhones to those
senior employees that need to work away from the office or during travel. They are configured to use the .mil or .gov
email accounts and are secured as much as possible against intrusions. In most cases, you cannot access your .mil or
.gov accounts from your personal devices.
To my knowledge, US government systems do not permit automatic
forwarding of emails from .mil or .gov accounts. The only way to get an email off the unclassified
.mil or .gov network is to forward an individual email to an Internet account.
Also, it is supposed to be impossible to transmit an email
from a secure, classified network to an unclassified network or the Internet.
No comments:
Post a Comment