Where’s the Report on the Security of Unclassified IT Systems?

The White House and the intelligence community faced a deadline last week to inventory unclassified IT systems from which attackers could glean classified material.

Last December's $1.8 trillion federal spending bill ordered the Obama administration to provide its findings to Congress within 180 days. 

On Monday, the Office of the Director of National Intelligence and the Office of Management and Budget, who were tasked with the audit, could not provide Nextgov with a progress report.

It is unclear if the mandate is a response to Hillary Clinton's private email server, which reportedly contained messages that referenced classified activities -- or concerns about the sensitive contents of unclassified systems in general. 

The administration must "identify all unclassified information systems that provide access to information that may provide an adversary with the ability to derive information that would otherwise be considered classified," the legislative text states. 

Defense Department and intelligence systems are exempt from the scavenger hunt.  

The evaluation must describe what dangers might unfold should there be a breach of one of the unclassified systems. In addition, the law requires estimates for the cost and impact of redesignating the at-risk systems as a "national security system."

The report to lawmakers was supposed to be unclassified, with a classified annex.

Over the past few years, there have been incidents involving the State Department and military where classified information was shared via unclassified systems.

The Army's Deployable Disbursing System conducted 655 transactions that contained classified pieces of data relating to Operation Iraqi Freedom, Patricia Marsh, then-assistant inspector general for defense business operations, said in a 2010 audit. 

"The unauthorized disclosure of classified information in an unclassified system, such as DDS," she said, "could place unsuspecting warfighters or trusted foreign officials in harm's way and cause damage to national security." The Federation of American Scientists obtained the Army report through an open records request. 

The tool, at the time, stored data from commercial and miscellaneous payments processed by the Army, including expenditures supporting Operation Iraqi Freedom.

An adversary could discover classified intelligence by mashing up information from multiple sources or by breaching an unclassified system that holds mismarked sensitive information. 

For example, more than 20 emails on former State Secretary Clinton's reportedly insecure unclassified homemade server were later classified as “top secret” by the CIA because they discussed the program to hunt and kill terrorist suspects using drones, among other intelligence sources and methods.

"The emails contain direct and indirect references to secret programs," officials told The New York Times in late February.

More recently, it was revealed that attackers can aggregate information -- from Clinton’s insecure machine, a reportedly insecure State email server, and redacted Clinton messages -- to discern secrets. 

At least 47 of the redacted Clinton emails contain the notation "B3 CIA PERS/ORG," meaning the deleted material refers to CIA personnel or agency-related matters.

"Because both Clinton's server and the State Department systems were vulnerable to hacking, the perpetrators could have those original emails, and now the publicly released, redacted versions showing exactly which sections refer to CIA personnel," the Tribune news service reported June 9.