Why it's time for a major tech overhaul of the classification system

In a new report, the chief of the Information Security Oversight Office warns that the system by which critical security information is created, classified and shared is overburdened by a reliance on paper, legacy policies and incompatible tech.

secure file (Maksim Kabakou/Shutterstock.com)

Spending on information security classification has ballooned over the last 10 years, and legacy policies are preventing critical information from being shared between security agencies, according to a new report from the Information Security Oversight Office, which manages classification policy at the National Archives and Records Administration.

Mark Bradley, a former CIA officer and Justice Department attorney who has headed ISOO since late 2016, said the report is "a clarion call that these are issues that need to be looked at -- otherwise something is going to snap."

The federal government spent more than $18.3 billion on security classification in fiscal year 2017, with contractors adding another $1.5 billion. Government spending was up 9 percent over the previous year and has almost doubled since 2009.

But cost is just part of the problem, Bradley said. The primary issue is that classification and declassifications systems are overburdened and vary widely from agency to agency -- and even within agencies. They don't leverage technology to automate processes, and there's a large volume of paper records involved. Most classification and declassification decisions revolve around entire documents rather than focus on marking or redacting specific information. The result is not just that too much is being classified and not enough is being declassified, but that the national security officials who are the customers for the information aren't able to share enough quickly enough.

"We're at a pivot point. Technology is moving one way, but we're staying static," Bradley told FCW. "What are the repercussions of that if we don't move forward?"

Bradley said he hopes the report to the president, which is dated May 31 but was released publicly July 12, will spur an effort at the top of the administration and the National Security Council to address the gaps and limitations in the system before it breaks.

"The White House, coupled with the support of senior agency leaders, must lead the charge in modernizing technology that underpins our country’s security classification system," the report states.

ISOO is an obscure government office with a $4 million budget and little authority over the federal agencies it is trying to influence. Bradley framed the current report as shining a light on the problems and trying to induce higher authorities to lay  down the law. 

Bradley needs the backing of the NSC to move, but if he gets it, he hopes that some of these issues will be taken up by agency leaders, the CIO Council and technology innovation groups around government.

The small shop is the only place in government "thinking about this in a writ-large way," Bradley said. "I thought it was incumbent on us to begin making recommendations and judgments and to try to see whether we could get some attention."

The report calls for a "government-wide technology strategy for the management of classified information to combat inaccurate classification and promote more timely declassification."

Additionally, ISOO reported that many agencies are giving short shrift to new policies governing "controlled unclassified information" created by a 2010 executive order and molded in exhaustive detail in a 2016 rule. ISOO reported that just 61 of 136 agencies supplied required reports on CUI policy implementation.

The report also calls for better data on information security classification spending from agencies and wants the Office of Management and Budget to require the cost data as a line item in budget requests. In preparing the report and tallying the spending, ISOO got numbers from agencies, but the data is a little opaque.

"Is the CIA counting the guards at the gate," in its tally of classification spending, Bradley asked. "Honestly, I can't answer that question, but I'd like to know."

Additionally, Bradley wants to promote transparency by adding a non-government seat to the Interagency Security Classification Appeals Panel, which makes decisions about declassification of archival intelligence and military secrets. Bradley, who helped draft the ISCAP statute as legislative director for Sen. Pat Moynihan, is looking to increase public trust in the process "by making the public part of the function."

The report notes approvingly efforts by the National Geospatial-Intelligence Agency to consolidate its security classification guidances -- rulebooks that help officials making classification decisions -- into a single document. Across government, there are currently 2,154 active security classification guidelines, and ISOO wants to reduce that number to eliminate redundancy and contradictory guidance.

"I don't know what the final number should be, but I know it should be fewer than what we have now," Bradley said.