The SBU Hydra

Inside an unmarked, secured office near the White House, intelligence officials, lawyers and police work to close a gaping hole in the nation’s counterterrorism system: the failure of people in the government to communicate with one another.

The Sept. 11 commission report singled out official resistance to sharing information as a key reason the government failed to thwart the 2001 terrorist attacks. In response, Congress authorized the president to create the group now based near his office, known as the “information-sharing environment” (ISE) program. Its goal is to create a system for moving terrorism-related information among officials — be it the president or a small-town mayor — quickly and securely.

In coming days, the group will send the president its recommendations for taming an explosion of “sensitive but unclassified” (SBU) documents. … So far, the ISE has collected 108 markers … more probably exist. Each marker dictates the rules for handling, distributing and storing the document that bears it. Confusing things further, the rules vary by agency, even for the same marker.

[The] goal is to narrow the number of SBU markers from more than 100 to a dozen or fewer, develop one set of handling rules, and make the documents available to all who need them.

Once approved, the new program will be rolled out in Washington and across federal and local agencies. That could take years.

There are a number of factors at play here, some more significant than others.

There is certainly a CYA aspect to the original designation given such files: harder to identify a screw-up if you can’t get access to the appropriate files. There is also the “special-ness” factor: if you don’t merit an actual “classification” you can always make one up and pretend you are part of a special club. SBU also helps reinforce existing bad practices, like the hoarding of potentially valuable information for – among other things – a chance at the spotlight if you happen to be successful in your mission.

I am of the mind that either your information merits classification (C, S, TS) or it does not. Classification determines whether or not a given piece of information – if leaked – would pose a threat to national security, so by definition everything not classified doesn’t (or shouldn’t). If you’ve looked at this issue at all you are already aware of the dramatic over-classification of national security-related information, which suggests that even information marked with an SBU stamp probably doesn’t rate it.

“Michael, you’re forgetting about the aggregation problem.”

What about it? Any adversary with a lick of sense can use OSINT and get 90% of what they need for their own version of an NIE on the US. That’s been true for a long time and things have only tipped in the aggregator’s favor since the info age kicked off. The information cat is out of the bag and stamping codewords on her kittens isn’t going to help.

How much classified information do detectives work with? Effectively none (“LES” is not a classification), but ever try to pump a cop friend for information about their active cases? Wow, secrecy without classification, amazing!

People with SBU on the brain could also learn a lesson from the INFOSEC community, where full-disclosure – while not universally accepted – is the norm. The idea is that the more people know about a problem, the faster it is fixed. Both bad and good guys know about the problem simultaneously, but the rapid response almost always means that early compromises tend to be the only compromises.

“What if that one compromise is a downed airliner?”

I direct you to the testimony of the various FBI special agents who warned about 9/11. See how successful a closed system can be?

The solutions are simple:

  • For technical data: anonymization and escrow. Provide clean but functional data that everyone can use safely and let the analysis drive legal proceedings (if warranted).
  • For most everything else you need one designation (IPI – infrastructure protection information) and if you are really anal use ten additional descriptors (one for each sector). Share freely with anyone working IP issues.

“What about insiders?”

What about them? You going to poly everyone? Ask Ames or Montes how well that worked. Corrupted insiders are going to be successful whether an SBU system is in place or not. They don’t even have to go Sandy Berger on you: people have memories you know.

Save money, save time, improve sharing and improve security by killing this hydra.