How petabytes are crushing the security classification system

The official in charge of overseeing the federal government's information classification policy is warning that the current system is beginning to break – and he wants help and money to fix it.

secure file (Maksim Kabakou/

The official in charge of overseeing the federal government's information classification policy is warning that the current system is beginning to break – and he wants help and money to fix it.

Mark Bradley, the director of the Information Security Oversight Office, wrote in his report to the president covering classified national security information and controlled unclassified information for fiscal year 2018 that the current system "creates electronic petabytes of classified and controlled unclassified data each month, a deluge that we expect will continue to grow unabated." That report was publicly released today.

The amount of classified information being produced, Bradley said, will create a massive backlog when that information is set to be reviewed for declassification. Compounding the problem is that declassification policy as articulated in Executive Order 13526 was designed for a paper-based world and has been overtaken by transformations in technology.

"It can't do what it was designed to do," Bradley said of the 2009 executive order in an interview in his office at the National Archives in downtown Washington, D.C. "It wasn't built to run on this kind of road."

"The stakes are extraordinarily large," he said. "It's critical that the information that's being classified be thought of in two ways: one that the information needs to be protected; second it ultimately needs to be declassified because we're a democracy and we need to be able to inform our people of what we're doing."

Bradley, a former CIA agent, acknowledged that with national security threats blinking red every day, it's "difficult to get this on the radar screen in terms of priority" for the intelligence chiefs, legislative committee leaders and National Security Council policymakers who will be needed to build support for an all-of-government effort to modernize both classification policy and the technology that supports it.

Even with buy-in from all the stakeholders, Bradley wrote in his report, "I believe this transformation will take years to implement fully."

To try to generate support, Bradley streamlined his annual report to focus on problem areas and possible solutions. The report notes that the same technology that appears to be creating a future backlog for the declassification system can be brought to bear on the declassification process. For instance, the same artificial intelligence and predictive analytics capabilities that are utilized in agency programs could be used to help automate and accelerate the classification and declassification process.

"In meeting with agencies and the private sector, ISOO learned that these technologies remain untapped in this area even as they are deployed for core missions and operations," the report states.

One big risk of doing nothing is that eventually the architects, programmers and administrators of the cloud-based computer systems being adopted by the intelligence community could effectively take over the role of making policy for classified information governance.

"We're in danger of losing control of the system -- meaning 'us' the government -- if we don't step forward," Bradley said. "You'll have a much more decentralized, catch-as-catch-can system. You don't want that. You don't want people having oversight over themselves."

Bradley wants a plan to upgrade the tools of classification and declassification to be added to the Trump Administration's IT modernization plan. What he has in mind is something along the lines of a shared service that corrals the massive troves of data being produced by the CIA with its state-of-the-art cloud computing system, but doesn't leave behind agencies that aren't first and foremost in the business of producing and consuming classified information.

"We're trying to design a system not just for CIA but also for Commerce, also for Treasury, also for the agencies that deal with classified information but don't do it every day or every second like the IC does," Bradley said. "That's one of the great challenges: not to let these other agencies get so far behind."