Last Friday the Administration released a new Executive Order (EO) on Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. The EO represents the Administration's approach to preventing future disclosures of classified information like the troves of national security material posted to WikiLeaks last year.
On January 3, 2011, shortly after the November WikiLeaks disclosures, the Office of Management and Budget (OMB) sent a memo giving agencies guidance on conducting initial assessments of the security of their systems. Several organizations weighed in with OMB on that memo, noting that most of the practices described in the attached "check-list" were a natural, and appropriate, response to address some of the vulnerabilities in our system. Other practices, however, threaten privacy and civil liberties, such as monitoring employee "grumpiness" and monitoring employees' pre- and post-employment use of sites like WikiLeaks. The organizations were also concerned that the memo seemed to apply to all agencies, not just those dealing with classified national security information.
Representatives of these organizations were later able to discuss these concerns with OMB officials, and created a letter outlining guidelines and principles that we believe should be included in the government's plans to address information security. These include balancing critical information security practices with checks and balances that protect public access to government information, civil liberties, whistleblower activities, and privacy rights.
We are pleased to see that Section 1 of the new EO reflects our advice: it clearly states all "structural reforms to ensure responsible sharing and safeguarding of classified information…shall be consistent with appropriate protections for privacy and civil liberties," and directs agencies to meet these "twin goals." For this charge to succeed and be baked into the way we monitor, develop and implement information system security policies, though, it must be specifically extended to the Senior Information Sharing and Safeguarding Steering Committee, Insider Threat Task Force, and the Executive Agent for Safeguarding Classified Information on Computer Networks created by the EO.
We are also pleased to see that the new EO explicitly recognizes the rights of whistleblowers. One of the many concerns organizations expressed with the January 3 OMB memo was that some of the suggested actions would permit targeting of employees who have complained of discrimination, waste, fraud, abuse or illegality within the agency. However, the memo also creates an Insider Threat Task Force that is charged with developing a government-wide program that includes "user audits and monitoring." As Steve Aftergood of the Federation of American Scientists points out, "while the systematic tracking of online behavior may not deliberately 'seek' to deter or detect whistleblowers, it's hard to see how it could fail to produce such effects."
We urge the Administration to ensure that the positive language of the EO is reflected in the practices and structural reforms developed to implement it.