Typically, this column poses issues about information security and privacy that relate to a couple broader themes. Many times it results from the week’s or month’s goings-on with federal agencies and their cybersecurity woes. Those being almost always about woes, rarely about wins coming from the District. The other general framework looks to your experiences with technology and securing your online activities and personal information. I didn’t do any sort of content analysis of the hundreds of thousands of words that have been printed under my Left to My Own Devices banner. It’s just my feeble memory in play and a general reflection about the overarching subjects.
Today, I’m going a little far afield. I have done so to much greater distances from said field in the past. To the extent that I ever stray from three-letter agencies’ cyber business or from diving into users’ experiences, I always find a nexus to security.
For one, as an attorney and ethicist I am a well-trained arguer. Not in the brutish sense of the verb. I just take pleasure in considering all sides of a healthy debate and buttressing one or more of them through research and critical thinking. Thus, to argue whether any of these brief reads connects to information security or privacy seems like a good exercise of one’s debate chops.
Secondly, and with greater importance, it’s much more challenging to be convinced that nearly any topic—government business, jelly or jam recipes, drag racing, whatever—is wholly separated from infosec. Technology, and therefore its security, is an omnipresent factor of life. It’s like saying that [insert anything] is unrelated to the English language. Nope. By virtue of the statement itself, made and understood in English, language is implicated.
I want to discuss information security in my atypical way by explaining the nature of some materials seized by the FBI from Mar-a-Lago. Actually, I’m not sure that I want to. By even mentioning the topic I know buttons are pushed, emotions are high, sides are claimed and reinforced under shared ideologies. All that. Who really wants to jump into that fray? Not it!
Here I go, though. I will not be discussing the precise facts of the event not only because most of them have not met our eyes but also because the most contentious factors are in those details. I just want to inform, not argue (this time). However, I do want to explain a little bit about security of information, especially information that is deemed as Top Secret SCI.
If you’re of the ilk to still be wondering whether this column is “on brand” with its cybersecurity focus, please just think for another moment about how discussing classified information that affects national security might be disconnected from the subject of information security. It’s information, the security about which is at its heart. It’s no hacking event, or password advice. But it’s information security, quite literally, nonetheless.
Federal government information can be classified according to its sensitivity. The current legal guidance to determine whether information is classified, and if so to what level, is found in Executive Order 13526 entitled “Classified National Security Information.” This Order is just the most recent one on the topic of classification. Before 1934 it was up to each agency to independently manage information. Without centralized, uniform procedures, information was kept, lost, destroyed, and shared both willy and nilly. If every McDonalds was free to create its own recipes and menus, no two of the billions of cheeseburgers would be of the same quality, potentially. Some things need a uniform approach, federal government information as much as any value meal.
In 1934 Congress created the National Archives Establishment, now known as National Archives and Records Administration, a stakeholder in last week’s events. It’s organized into the Executive Branch as an independent agency charged to “identify, protect, preserve, and make publicly available the historically valuable records….” Since 1934, leading to the current guidance under E.O. 13526, the way that government information is handled has evolved.
The classification of Top Secret is the highest of three classification levels. You and I both have seen that simple, legal truism made complicated by news reports representing all ideologies. Top Secret sits atop Secret, which supersedes Confidential. That’s it. Three levels. Otherwise, information isn’t classifiable at all. Now, if you happen to have worked in government, or read about these things, you know there’s Sensitive But Unclassified, which by its own verbiage escapes classification but is still a category. There’s For Official Use Only. Even back to pure cybersecurity principles we have Personally Identifiable Information. Those are all more like characteristics than classifications covered in the E.O.
Top Secret refers to information, “the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security….” Read the phrase “exceptionally grave” again. That’s not something attributable to Col. Sanders 11 herbs and spices, which incidentally seem to enjoy more security than any of what’s at issue here, notwithstanding the Chicago Tribune’s purported exposure of The Colonel’s recipe a few years ago, since refuted by Yum! Brands.
According to Intelligence Community Directive I, under the authority of the National Security Act and related legal frameworks…
SCI is classified national intelligence information concerning or derived from sensitive intelligence sources, methods, or analytical processes, which is to be handled exclusively within formal access control systems established by the Director of National Intelligence.
Back to the guidance of E.O. 13526, TS/SCI information “shall be declassified as soon as it no longer meets the standards for classification under this order.”
Whether what was absconded with and then seized was TS/SCI is a factual question, thusly, about its nature and whether it changed such that the standards no longer apply. Declassification, as a process, starts by determining that something about the information changed.
Ed Zuger is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
