[Weekly Defense Monitor] - Volume 4, Issue #24

[William Knowles <wk () C4I ORG>]

----------------------------------------------------------------------------
                    The Center for Defense Information
                       The Weekly Defense Monitor

             1779 Massachusetts Ave., NW * Washington, DC 20036
              (202)332-0600 * Fax (202)462-4559 * www.cdi.org
----------------------------------------------------------------------------
VOLUME 4, ISSUE #24                                       June 16, 2000
----------------------------------------------------------------------------

TABLE OF CONTENTS

1. Keeping Secrets -- Or Not
Lost, stolen, or temporarily mislaid, secrets are out and about.

[...]

*********

1. Keeping Secrets -- Or Not
Colonel Dan Smith, USA (Ret.), Chief of Research, dsmith () cdi org

On June 8, Senators Bennett (R-VT) and Schumer (D-NY) introduced
S.2702, a bill that would require the Department of Defense to report
its progress on implementing Presidential Decision Directive 63
(PDD-63).

PDD-63, which addresses "cyber threats," charges DoD with a defensive
role in countering these threats but doesn't say what it is to do or
how its efforts are to be tied to those of other government agencies
and the public sector. S.2702 directs DoD to work with the
intelligence community to develop means to identify and counter cyber
threats. Furthermore, DoD is to integrate the countermeasures
developed into a national "indications and warning architecture" that
encompasses both governmental and public aspects of the National
Communications System.

All well and good, considering the dependence of critical elements of
the nation's military and civilian infrastructure on computers and
automated systems. But security of high-tech electronic systems and
critical information nodes against intrusion or other attempts by
foreign nations to obtain U.S. secrets does not address what seems to
be a growing problem -- the lapse of basic security procedures by
those who work with classified material. The record of the last few
months is so dismal it would be funny if not so serious.

First there was Wen Ho Lee, an employee at the Los Alamos National Lab
who is under arrest for mishandling classified information. Mr. Lee is
accused of downloading critical nuclear weapons design information
onto an unclassified computer and making seven tapes, none of which
can be found.

In January, the General Accounting Office started an enquiry into the
Defense Department's procedures for issuing security clearances.
Approximately 2.4 million military, DoD civilian, and government
contractors have clearances issued by the Pentagon and another 800,000
reportedly hold clearances issued by the Department of Energy and the
CIA. But the Pentagon cannot keep up with investigations and
investigation updates -- it has about 600,000 pending -- and many that
are conducted do not meet government guidelines for granting
clearances, according to the GAO.

Also in January the State Department discovered that a laptop computer
with highly sensitive information was missing. More recently, they
have admitted that another 15 laptops had been reported stolen or
misplaced, although these are said not to have contained secrets and
were all eventually located.

Nor has the CIA escaped. In May the Justice Department reopened an
investigation of former CIA Director John Deutch. When Mr. Deutch left
his position at the Agency, it was discovered that he had transferred
highly classified material onto his home computer, including
information on covert activities of the CIA and copies of memos
prepared for the President. The fact that an internal Agency review of
this security breach is now deemed flawed throws into comic relief a
new Washington Post report that the CIA is insisting it see questions
and answers that are part of a History Channel report on the Agency's
support for U.S. troops in Somalia in the early 1990s. If the
producers refuse, the Agency says it will not allow two of its past
employees to participate.

The latest public gaffe takes us full circle to Los Alamos, where two
hard discs containing instructions on procedures for disarming and
disabling U.S. and foreign nuclear weapons have turned up missing.
Presumably, such discs would also contain details about how the
weapons are put together or have enough information that sufficient
study would reveal such data. Obviously, if another nation obtained
one of these discs it would be able to learn U.S. bomb construction
secrets. It would also learn how much the U.S. knows about other
nations' nuclear weapons.

Finally, another Washington Post article this month notes that Senate
confirmation of seven foreign service officers for ambassadorial posts
has been held up because the nominees have from 10 to 22 security
lapses on their records. In fairness, most of the incidents described
-- leaving embassy safes unlocked or walking out of offices and
leaving classified papers unattended -- happened a number of years
ago. Nonetheless, a military person with that many violations would
probably have lost his or her security clearance a long time ago.

There are two quick ways out of this morass. Since people seem to be
the weak link, separate them from the secrets. Cancel all security
clearances and lock up all the documents and hard drives and computer
discs that have secrets. Alternatively, do away with all the secrets
or everything that needs to be kept secret -- such as nuclear weapons.
Then there would be no worries about secrets being stolen, mislaid, or
otherwise endangered from discovery. And we might also discover that
many of the "secrets" weren't secret at all or that we can get along
quite easily without them.

A side benefit of either course is that government could then
concentrate on S.2702 -- protecting the nation's infrastructure from
cyber attack.

(For the text of S.2702, see the Congressional Record, Vol. 146, No.
70, June 8, 2000 (pp. S4843-4844)).

************

[...]

+---------------------------------------------------------------+
Weekly Defense Monitor

ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".