[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]


 
                      THE OVER-CLASSIFICATION AND
                         PSEUDO-CLASSIFICATION:
                          PART I, II, AND III

=======================================================================

                                HEARING

                               before the

         SUBCOMMITTEE ON INTELLIGENCE, INFORMATION SHARING, AND
                       TERRORISM RISK ASSESSMENT

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

           MARCH 22, 2007, APRIL 26, 2007, and JUNE 28, 2007

                               __________

                           Serial No. 110-20

                               __________

       Printed for the use of the Committee on Homeland Security
                                     
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13

                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________


                   U.S. GOVERNMENT PRINTING OFFICE
35-279 PDF                  WASHINGTON : 2009
----------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092104 Mail: Stop IDCC, Washington, DC 20402ï¿½0900012009


                     COMMITTEE ON HOMELAND SECURITY

               BENNIE G. THOMPSON, Mississippi, Chairman

LORETTA SANCHEZ, California,         PETER T. KING, New York
EDWARD J. MARKEY, Massachusetts      LAMAR SMITH, Texas
NORMAN D. DICKS, Washington          CHRISTOPHER SHAYS, Connecticut
JANE HARMAN, California              MARK E. SOUDER, Indiana
PETER A. DeFAZIO, Oregon             TOM DAVIS, Virginia
NITA M. LOWEY, New York              DANIEL E. LUNGREN, California
ELEANOR HOLMES NORTON, District of   MIKE ROGERS, Alabama
Columbia                             BOBBY JINDAL, Louisiana
ZOE LOFGREN, California              DAVID G. REICHERT, Washington
SHEILA JACKSON LEE, Texas            MICHAEL T. McCAUL, Texas
DONNA M. CHRISTENSEN, U.S. Virgin    CHARLES W. DENT, Pennsylvania
Islands                              GINNY BROWN-WAITE, Florida
BOB ETHERIDGE, North Carolina        MARSHA BLACKBURN, Tennessee
JAMES R. LANGEVIN, Rhode Island      GUS M. BILIRAKIS, Florida
HENRY CUELLAR, Texas                 DAVID DAVIS, Tennessee
CHRISTOPHER P. CARNEY, Pennsylvania
YVETTE D. CLARKE, New York
AL GREEN, Texas
ED PERLMUTTER, Colorado
VACANCY

       Jessica Herrera-Flanigan, Staff Director & General Counsel

                        Todd Gee, Chief Counsel

                     Rosaline Cohen, Chief Counsel,

                     Michael Twinchek, Chief Clerk

                Robert O'Connor, Minority Staff Director

                                 ______

 SUBCOMMITTEE ON INTELLIGENCE, INFORMATION SHARING, AND TERRORISM RISK 
                               ASSESSMENT

                     JANE HARMAN, California, Chair

NORMAN D. DICKS, Washington          DAVID G. REICHERT, Washington
JAMES R. LANGEVIN, Rhode Island      CHRISTOPHER SHAYS, Connecticut
CHRISTOPHER P. CARNEY, Pennsylvania  CHARLES W. DENT, Pennsylvania
ED PERLMUTTER, Colorado              PETER T. KING, New York (Ex 
BENNIE G. THOMPSON, Mississippi (Ex  Officio)
Officio)

                 Thomas M. Finan, Director and Counsel

                        Brandon Declet, Counsel

                   Natalie Nixon, Deputy Chief Clerk

        Deron McElroy, Minority Senior Professional Staff Member

                                  (II)


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Jane Harman, a Representative in Congress from the 
  State of California, and Chairman, Subcommittee on 
  Intelligence, Information Sharing, and Terrorism Risk 
  Assessment.....................................................     1
The Honorable David G. Reichert, a Representative in Congress 
  from the State of Washington, and Ranking Member, Subcommittee 
  on Intelligence, Information Sharing, and Terrorism Risk 
  Assessment.....................................................     3
The Honorable Bennie G. Thompson, a Representative in Congress 
  from the State of Mississippi, and Chairman, Committee on 
  Homeland Security..............................................     4
The Honorable Charles W. Dent, a Representative in Congress from 
  the State of Pennsylvania......................................    22
The Honorable Christopher P. Carney, a Representative in Congress 
  from the State of Pennsylvania.................................    84
The Honorable James R. Langevin, a Representative in Congress 
  from the State of Rhode Island.................................    21

                               Witnesses
                    Thursday, March 22, 2007, Part I
                                Panel I

Mr. Scott Armstrong, Founder, Information Trust..................     9
Ms. Meredith Fuchs, General Counsel, The National Security 
  Archive, George Washington University:
  Oral Statement.................................................    11
  Prepared Statement.............................................    14
Mr. J. William Leonard, Director, Information Security Oversight 
  Office, National Archives and Records Administration:
  Oral Statement.................................................     5
  Prepared Statement.............................................     7

                                Panel II

Mr. Michael P. Downing, Assistant Commanding Officer, Counter-
  Terrorism/Criminal Intelligence Bureau, Los Angeles Police 
  Department:
  Oral Statement.................................................    29
  Prepared Statement.............................................    31
Chief Cathy L. Lanier, Metropolitan Police Department, 
  Washington, DC:
  Oral Statement.................................................    24
  Prepared Statement.............................................    26

                   Thursday, April 26, 2007, Part II
                                Panel I

Ambassador Thomas E. McNamara, Program Manager, Information 
  Sharing Environment, Office of the Director of National 
  Intelligence:
  Oral Statement.................................................    46
  Prepared Statement.............................................    48
Dr. Carter Morris, Director, Informational Sharing and Knowledge 
  Management, Office of Intelligence and Analysis, U.S. 
  Department of Homeland Security:
  Oral Statement.................................................    52
  Prepared Statement.............................................    54
Mr. Wayne M. Murphy, Assistant Director, Directorate of 
  Intelligence, Federal Bureau of Investigation:
  Oral Statement.................................................    57
  Prepared Statement.............................................    59

                                Panel II

Mr. Mark Zadra, Assistant Commissioner, Florida Department of Law 
  Enforcement:
  Oral Statement.................................................    66
  Prepared Statement.............................................    68

                   Thursday, June 28, 2007, Part III

Mr. Mark Agrast, Senior Fellow, Center for American Progress:
  Oral Statement.................................................    94
  Prepared Statement.............................................    95
Mr. Scott Armstrong, Founder, Information Trust:
  Oral Statement.................................................    84
  Prepared Statement.............................................    86
Mr. J. William Leonard, Director, Information Security Oversight 
  Office, National Archives and Record Administration............    83
Ms. Suzanne E. Spaulding, Principal, Bingham Consulting Group 
  LLC:
  Oral Statement.................................................    90
  Prepared Statement.............................................    92

                             For the Record
                         March 22, 2009, Part I

Prepared Statements:
  Hon. Jane Harman...............................................   111
  Hon. Bennie G. Thompson........................................   113

                        April 26, 2009, Part II

Prepared Statement:
  Colonel Bart R. Johnson, New York State Police.................    40



                   THE IMPACT ON INFORMATION SHARING


                                 PART I

                              ----------                              


                        Thursday, March 22, 2007

             U.S. House of Representatives,
                    Committee on Homeland Security,
    Subcommittee on Intelligence, Information Sharing, and 
                                 Terrorism Risk Assessment,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:09 a.m., in 
Room 311, Cannon House Office Building, Hon. Jane Harman 
[chairwoman of the subcommittee] presiding.
    Present: Representatives Harman, Langevin, Thompson, 
Reichert, and Dent.
    Ms. Harman. [Presiding.] The subcommittee will come to 
order.
    The chair apologizes for a late start. Even though my party 
is in the majority, I don't run the schedule here, and there 
was a conflicting hearing on emergency interoperability, and I 
was asking questions of witnesses. And that subject, obviously, 
is directly relevant to some of the tasks of this subcommittee, 
so I hope you will forgive me.
    A recurrent theme throughout the 9/11 Commission's report 
was the need to prevent widespread over-classification by the 
federal government. The commission found that over-
classification interferes with sharing critical information and 
impedes efficient responses to threats.
    The numbers tell us we are still not heeding the 
commission's warning. Eight million new classification actions 
in 2001 jumped to 14 million new actions in 2005, while the 
quantity of declassified pages dropped from 100 million in 2001 
to 29 million in 2005. In fact, some agencies were recently 
discovered to be withdrawing archived records from public 
access and reclassifying them.
    Expense is also a problem. $4.5 billion spent on 
classification in 2001 increased to $7.1 billion in 2004, while 
declassification costs fell from $232 million in 2001 to $48.3 
million in 2004.
    In addition, an increasing number of policies to protect 
sensitive but unclassified from a range of federal agencies and 
departments has begun to have a dramatic impact. At the federal 
level, over 28 distinct policies for the protection of this 
information exists--28 distinct policies. That is almost as 
many policies as we have watch lists--that was intended to be 
humorous.
    Unlike classified records, moreover, there is no monitoring 
of, or reporting on, the use or impact of protective, 
sensitive, unclassified information markings. The proliferation 
of these pseudo-classifications is interfering with the 
interagency information sharing, increasing the cost of 
information security and limiting public access.
    Case in point, this document from the Department of 
Homeland Security. This document, which I cannot release to you 
or the press, is called, ``Special Assessment: Radicalization 
in the State of California,'' a survey, and it is dated the 
22nd of November, 2006.
    In a few weeks, I will be leading a field hearing to 
Torrance, California to examine the issues of domestic 
radicalization and homegrown terrorism, but this DHS document, 
a survey, as I mentioned, is marked, ``unclassified, for 
official use only.''
    On page one, in a footnote, the survey states that it 
cannot be released ``to the public, the media or other 
personnel who do not have a valid need to know without prior 
approval of an authorized DHS official.''
    Our staff requested and was denied an approval. Staff also 
asked for a redacted version of the document so we could use at 
least some of its contents at the coming California hearing. 
DHS was unable to provide one.
    Let me be clear, and I say this as someone who served for 8 
years on the House Intelligence Committee, I am not denying 
that there may be sensitive information included in this survey 
and in lots of products prepared by our government, but it 
illustrates my point.
    What good is unclassified information about threats to the 
homeland if we can't even discuss them at a public hearing 
where the public is supposed to understand what some of those 
threats may be? How can we expect DHS and others to engage the 
public on important issues like domestic radicalization if we 
hide the ball?
    Unfortunately, this is nothing new. In 1997, the Moynihan 
Commission stated that the proliferation of these new 
designations are often mistaken for a fourth classification 
level, causing unclassified information with these markings to 
be treated like classified information.
    These continuing trends are an obstacle to information 
sharing across the federal government and vertically with 
state, local and tribal partners, including most especially 
with our partners in the law enforcement community.
    And in our second panel, we are going to hear from some of 
those partners, including Chief Lanier, and I want to welcome 
her today and congratulate her again on being one of the 
youngest ever police chiefs in the nation and a very well-
qualified person to hold this position.
    Until we have a robust intelligence and information-sharing 
system in place in this country with a clear and understandable 
system of classification, we run the risk of not being able to 
prevent a terrorist attack on the scale of 9/11 or greater, and 
I would even add on the scale of 9/11 or smaller. We are 
hurting ourselves by the way we unnecessarily protect 
information.
    This is why this subcommittee will focus some of its 
efforts in the 110th Congress on improving information sharing 
with our first preventers, the men and women of state, local 
and tribal law enforcement who are the eyes and ears on our 
frontlines. We will do this work in the right way, partnering 
with our friends in the privacy and civil liberties community 
who want to protect America while serving our cherished rights.
    I would like to extend a warm welcome to our witnesses who 
will be talking about these issues, first, some organizations, 
and then, two, on the frontlines in our law enforcement 
organizations.
    On our first panel, we have assembled an array of experts 
who will be testifying about the extent of these problems and 
where are things are trending, and, as I mentioned, our second 
panel will give us some real-life experiences where 
classification--and I don't want to put words in their mouths, 
but I have read their testimony--is an obstacle rather than 
some form of benefit to them in their role to prevent, disrupt 
and protect the American public.
    In addition, I hope witnesses will provide some 
constructive suggestions about how we might solve this problem, 
with the goal of ensuring the flow of information, the 
unfettered flow of necessary information between the federal 
government and state, local and tribal governments.
    Welcome to all.
    I now yield to the ranking member for opening remarks.
    Mr. Reichert. Thank you, Madam Chair, and thank you for 
organizing this hearing. It is a pleasure to be here this 
morning.
    And thank all of you for being here in time from your busy 
schedule to come and testify before us.
    We are all here this morning to discuss one of the 
subcommittee's major priorities, this over-classification and 
pseudo-classification. Over-classification, as most of you 
know, refers to decisions by the federal government to 
routinely restrict access to information using the designation, 
``confidential,'' ``secret'' or ``top-secret.''
    Pseudo-classification is a similar practice applied to 
sensitive but unclassified information. This practice involves 
federal, state or local entities adding restrictions based on 
internal policies. The GAO has found that there are at least 56 
different sensitive but unclassified designations at the 
federal level--56.
    Common examples include, ``for official use only,'' 
``sensitive but unclassified,'' ``sensitive security 
information,'' and ``law enforcement sensitive.'' Some of these 
designations make sense; some don't. Some, there is a real need 
to protect classified and sensitive information from 
disclosure.
    In a world where virtually piece of unclassified 
information is available on the Internet, we need to ensure 
that what needs to be protected remains protected. The lives of 
our federal, state and local agents in the field often depend 
on it.
    But as a classic military strategist once said, ``If you 
try to protect everything, you wind up protecting nothing.'' 
The more secrets you keep, the harder they are to keep. I can't 
tell you how many times I have emerged from a secret briefing 
only to find out that everything that I have just learned has 
already been in the newspaper.
    As a former sheriff, I have vivid memories of the federal 
government telling me that I could not access information that 
I needed to do my job because it was classified or otherwise 
restricted. And I have also watched as the federal government 
has taken sensitive information from the state and local law 
enforcement and treated it without regard for its sensitivity.
    I am just going to share a real brief story with you. Years 
ago, when we arrested our suspect in the Green River murder 
case, a serial murder case nationally known, internationally 
known as one of the worst serial murder cases in the world of 
50 victims, the FBI was a part of that team. They produced 
paperwork connected and associated with that case.
    Once the person was arrested and charged, of course, there 
was a request by the defense attorney for information. The FBI 
would not release the information to substantiate and help our 
case because they said it was classified.
    The fear there was this: Of course, they had information 
that we would have lost our case. Eventually, they came 
forward, presented the information for discovery; however, the 
fear was that because of the state laws that existed in the 
state of Washington, everything they disclosed then would be 
subject to public disclosure laws. So anything they released to 
us, the sheriff's office is required by state law to give that 
to the news media. So that was their concern.
    We have a lot of issues here to discuss today. I am not 
going to finish the rest of my statement. We are just happy to 
have you here, and you know that we understand the problem, and 
we are looking to help you find solutions.
    Thank you.
    Ms. Harman. I thank the ranking member and note that his 
experience as a sheriff is extremely useful to this 
subcommittee as we pursue issues like this.
    The chair now recognizes the chairman of the full 
committee, the gentleman from Mississippi, Mr. Thompson, for an 
opening statement.
    Mr. Thompson. Thank you, Madam Chair. I join you in 
welcoming our distinguished witnesses today to this important 
hearing on the problem of over-and pseudo-classification of 
intelligence.
    Information sharing between the federal government and its 
state, local and tribal partners is critical to making America 
safer, but we won't get there if all we have is more and more 
classification and more and more security clearances for people 
who need access to that classified information.
    The focus should be different. The federal government 
instead must do all it can to produce intelligence products 
that are unclassified. Unclassified intelligence information is 
what our nation's police officers, first responders and private 
sector partners need most. They have told me time and time 
again that what they don't need is information about 
intelligence sources and methods.
    And I think all of us have been in enough briefings that 
were somehow classified at varying levels only to see it on the 
evening news and be shocked that, well, why would you keep it 
from members of Congress when all we have to do is delay the 
briefing 6 hours and we can see it? That occurred last week.
    I am sure Mr. Langevin understands very well. We had a 
briefing that we were told that was top-secret, took the 
BlackBerrys, took the cell phones, and, lo and behold, it was 
on the 5 p.m. news.
    So to some degree, the over-classification is a problem.
    If we are going to successfully address terrorism, then we 
have to share the information in real time and trust our 
partners to some degree. If we can't trust law enforcement, if 
we can't trust first responders, who can we trust?
    So I think it is a hearing that is pertinent to the 
challenge that we face. I look forward to the testimony of the 
witnesses, and, obviously, this is one of many, Madam Chair. I 
am sure we will be participating in over this session.
    I yield back.
    Ms. Harman. I thank the chairman and would point out that 
other members of the subcommittee can submit opening statements 
for the record, under our rules.
    I now welcome our first panel of witnesses.
    Our first witness, Mr. Bill Leonard, is the director of the 
Information Security Oversight Office at the National Archives. 
Mr. Leonard's office has policy oversight of the entire federal 
government-wide security classification system--that is a 
mouthful--and he reports directly to the president.
    His office receives his policy and program guidance from 
the national Security Council. More than 60 executive branch 
agencies create or handle classified national security 
information, and Mr. Leonard's work in this capacity impacts 
all of them.
    Welcome, Mr. Leonard.
    Our second witness is my Washington, D.C., neighbor and 
good friend, Scott Armstrong. Mr. Armstrong is the executive 
director of Information Trust, a nonprofit group that works 
toward opening access to government information.
    He has been inducted into the FOIA Hall of Fame--
congratulations--and was awarded the James Madison Award by the 
American Library Association in 1992. Mr. Armstrong has been a 
Washington Post reporter and is the founder of the National 
Security Archive at George Washington University.
    Our third witness, Meredith Fuchs, serves as the general 
counsel to the nongovernmental National Security Archives. At 
the Archives, she overseas Freedom of Information Act, called 
FOIA, and anti-secrecy litigation and frequently lectures on 
access to government information.
    She has supervised five government-wide audits of federal 
agency FOIA performance and one focused on the proliferation of 
sensitive but unclassified information labels.
    Without objection, the witnesses' full statements will be 
inserted in the record, and I would hope you could summarize in 
5 minutes or less--we have a little timer for your benefit--
your written testimony, and then hopefully we can have a lively 
exchange of views.
    Let's start with Mr. Leonard.

STATEMENT OF J. WILLIAM LEONARD, DIRECTOR, INFORMATION SECURITY 
 OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORDS ADMINISTRATION

    Mr. Leonard. Chairwoman Harman, Mr. Reichert, Chairman 
Thompson and members of the subcommittee, I wish to thank you 
for holding this hearing this morning on issues relating to the 
very real challenge of over-classification.
    The classification system and its ability to restrict the 
dissemination of information, the unauthorized disclosure of 
which would result in harm to our nation and its citizens. 
represents a fundamental tool at the government's disposal to 
provide for the common defense.
    As with any tool, the classification system is subject to 
misuse and misapplication. When information is improperly 
declassified or not classified in the first place, although 
clearly warranted, our citizens, our democratic institutions, 
our homeland security and our interactions with foreign nations 
can be subject to potential harm.
    Conversely, too much classification or the failure to 
declassify information as soon as it no longer satisfies the 
standards for continued classification unnecessarily obstructs 
effective information sharing and impedes an informed 
citizenry, the hallmark of our democratic form of government.
    In the final analysis, inappropriate classification 
activity of any nature undermines the integrity of the entire 
process and diminishes the effectiveness of this critical 
national security tool.
    In this time of constant and unique challenges to our 
national security, it is the duty of all of us engaged in 
public service to do everything possible to enhance the 
effectiveness of this tool. To be effective, the classification 
process is a tool that must be wielded with precision. Few, if 
any, both within and outside of government, would deny that too 
much of the information produced by our agencies is classified.
    In an audit of agency classification activity conducted by 
my office approximately one year ago, we discovered that even 
trained classifiers, with ready access to the latest 
classification and declassification guides, and trained in 
their use, got it clearly right only 64 percent of the time in 
making determinations as to the appropriateness of 
classification. This is emblematic of the daily challenges 
confronting agencies when ensuring that the 3 million plus 
cleared individuals with at least a theoretical ability to 
derivatively classify information get it right each and every 
time.
    In response to the findings of this audit, last year I 
wrote to all agency heads and made a number of recommendations 
for their consideration. Collectively, these recommendations 
help preserve the integrity of the classification system while 
at the same time reduce inefficiencies and cost. I have 
included a list of these recommendations in my prepared formal 
testimony.
    Recognizing that a focus of this hearing includes policies 
and procedures for handling sensitive, unclassified 
information, it is important to articulate recent initiatives 
by the president to ensure the robust and effective sharing of 
terrorism information vital to protecting Americans and the 
homeland from terrorist attacks.
    To that end, the president has mandated the standardization 
of procedures for designated marking and handling sensitive but 
unclassified information across the federal government. Once 
implemented, our nation's defenders will be able to share 
controlled, unclassified information more rapidly and 
confidently.
    The existence of such an option should significantly reduce 
the incentive to over-classify information. That happens now, 
in part, due to the absence of a dependable regime for the 
proper protection of sensitive information which should not be 
classified.
    Again, thank you for inviting me here this morning, Madame 
Chair, and I would be happy to answer your questions or those 
that the subcommittee might have.
    [The statement of Mr. Leonard follows:]

               Prepared Statement of J. William, Leonard

                             March 22, 2007

    Chairwoman Harman, Mr. Reichert, and members of the subcommittee, I 
wish to thank you for holding this hearing on issues relating to the 
very real challenge of overclassification of information within the 
Federal Government as well as for inviting me to testify today.
    By section 5.2 of Executive Order 12958, as amended, ``Classified 
National Security Information'' (the Order), the President established 
the organization I direct, the Information Security Oversight Office, 
often called ``ISOO.'' We are within the National Archives and Records 
Administration and by law and Executive order (44 U.S.C. 2102 and sec. 
5.2(b) of E.O. 12958) are directed by the Archivist of the United 
States, who appoints the Director of ISOO, subject to the approval of 
the President. We also receive policy guidance from the Assistant to 
the President for National Security Affairs. Under the Order and 
applicable Presidential guidance, ISOO has substantial responsibilities 
with respect to the classification, safeguarding, and declassification 
of information by agencies within the executive branch. Included is the 
responsibility to develop and promulgate directives implementing the 
Order. We have done this through ISOO Directive No. 1 (32 CFR Part 
2001) (the Directive).
    The classification system and its ability to restrict the 
dissemination of information the unauthorized disclosure of which would 
result in harm to our nation and its citizens represents a fundamental 
tool at the Government's disposal to provide for the ``common 
defense.'' The ability to surprise and deceive the enemy can spell the 
difference between success and failure on the battlefield. Similarly, 
it is nearly impossible for our intelligence services to recruit human 
sources who often risk their lives aiding our country or to obtain 
assistance from other countries' intelligence services, unless such 
sources can be assured complete and total confidentiality. Likewise, 
certain intelligence methods can work only if the adversary is unaware 
of their existence. Finally, the successful discourse between nations 
often depends upon confidentiality and plausible deniability as the 
only way to balance competing and divergent national interests.
    As with any tool, the classification system is subject to misuse 
and misapplication. When information is improperly declassified, or is 
not classified in the first place although clearly warranted, our 
citizens, our democratic institutions, our homeland security, and our 
interactions with foreign nations can be subject to potential harm. 
Conversely, too much classification, the failure to declassify 
information as soon as it no longer satisfies the standards for 
continued classification, or inappropriate reclassification, 
unnecessarily obstructs effective information sharing and impedes an 
informed citizenry, the hallmark of our democratic form of government. 
In the final analysis, inappropriate classification activity of any 
nature undermines the integrity of the entire process and diminishes 
the effectiveness of this critical national security tool. 
Consequently, inappropriate classification or declassification puts 
today's most sensitive secrets at needless increased risk.
    The challenge of overclassification is not new. Over 50 years ago, 
Congress established the Commission on Government Security (known as 
the ``Wright Commission''). Among its conclusions, which were put forth 
in 1955, at the height of the Cold War, was the observation that 
overclassification of information in and of itself represented a danger 
to national security. This observation was echoed in just about every 
serious review of the classification systems since to include: the 
Commission to review DoD Security Policies and Practices (known as the 
``Stillwell Commission'') created in 1985 in the wake of the Walker 
espionage case; the Joint Security Commission established during the 
aftermath of the Ames espionage affair; and the Commission on 
Protecting and Reducing Government Secrecy (otherwise known as the 
``Moynihan Commission''), which was similarly established by Congress 
and which issued its report in 1997.
    More recently, the National Commission on Terrorist Attacks on the 
United States (the ``9-11 Commission''), and the Commission on the 
Intelligence Capabilities of the United States Regarding Weapons of 
Mass Destruction (the ``WMD Commission'') likewise identified 
overclassification of information as a serious challenge
    It is Executive Order 12958, as amended, that sets forth the basic 
framework and legal authority by which executive branch agencies may 
classify national security information. Pursuant to his constitutional 
authority, and through the Order, the President has authorized a 
limited number of officials to apply classification to certain national 
security related information. In delegating classification authority 
the President has established clear parameters for its use and certain 
burdens that must be satisfied.
    Specifically, every act of classifying information must be 
traceable back to its origin as an explicit decision by a responsible 
official who has been expressly delegated original classification 
authority. In addition, the original classification authority must be 
able to identify or describe the damage to national security that could 
reasonably be expected if the information was subject to unauthorized 
disclosure. Furthermore, the information must be owned by, produced by 
or for, or under the control of the U. S. Government; and finally, it 
must fall into one or more of the categories of information 
specifically provided for in the Order.\1\
---------------------------------------------------------------------------
    \1\ Pursuant to Sec. 1.4 of the Order, information shall not be 
considered for classification unless it concerns: (a) military plans, 
weapons systems, or operations; (b) foreign government information; (c) 
intelligence activities (including special activities), intelligence 
sources or methods, or cryptology; (d) foreign relations or foreign 
activities of the United States, including confidential sources; (e) 
scientific, technological, or economic matters relating to the national 
security, which includes defense against transnational terrorism; (f) 
United States Government programs for safeguarding nuclear materials or 
facilities; (g) vulnerabilities or capabilities of systems, 
installations, infrastructures, projects, plans, or protection services 
relating to the national security, which includes defense against 
transnational terrorism; or (h) weapons of mass destruction.
---------------------------------------------------------------------------
    The President has also spelled out in the Order some very clear 
prohibitions and limitations with respect to the use of classification. 
Specifically, for example, in no case can information be classified in 
order to conceal violations of law, inefficiency, or administrative 
error, to restrain competition, to prevent embarrassment to a person, 
organization, or agency, or to prevent or delay the release of 
information that does not require protection in the interest of 
national security.
    It is the responsibility of officials delegated original 
classification authority to establish at the time of their original 
decision the level of classification (Top Secret, Secret, and 
Confidential), as well as the duration of classification, which 
normally will not exceed ten years but in all cases cannot exceed 25 
years unless an agency has received specific authorization to extend 
the period of classification.
    As I stated earlier, the ability and authority to classify national 
security information is a critical tool at the disposal of the 
Government and its leaders to protect our nation and its citizens. In 
this time of constant and unique challenges to our national security, 
it is the duty of all of us engaged in public service to do everything 
possible to enhance the effectiveness of this tool. To be effective, 
the classification process is a tool that must be wielded with 
precision. Few, if any, both within and outside Government, would deny 
that too much of the information produced by our agencies is 
classified. In an audit of agency classification activity conducted by 
my office approximately one year ago, we discovered that even trained 
classifiers, with ready access to the latest classification and 
declassification guides, and trained in their use, got it clearly right 
only 64 percent of the time in making determinations as to the 
appropriateness of classification. This is emblematic of the daily 
challenges confronting agencies when ensuring that the 3 million plus 
cleared individuals with at least theoretical ability to derivatively 
classify information get it right each and every time.
    In response to the findings of this audit, last year I wrote to all 
agency heads and made a number of recommendations for their 
consideration. Collectively, these recommendations help preserve the 
integrity of the classification system while at the same time reduce 
inefficiencies and cost. They included:
         Emphasizing to all authorized holders of classified 
        information the affirmative responsibility they have under the 
        Order to challenge the classification status of information 
        that they believe is improperly classified (Sec. 1.8(a) of the 
        Order).
         Requiring the review of agency procedures to ensure 
        that they facilitate classification challenges (Sec. 1.8(b) of 
        the Order). In this regard, agencies were encouraged to 
        consider the appointment of impartial officials whose sole 
        purpose is to seek out inappropriate instances of 
        classification and to encourage others to adhere to their 
        individual responsibility to challenge classification, as 
        appropriate.
         Ensuring that quality classification guides of 
        adequate specificity and clarity are prepared and updated to 
        further accurate and consistent derivative classification 
        decisions (Sec. 2.2 of the Order).
         Ensuring the routine sampling of recently classified 
        information to determine the propriety of classification and 
        the application of proper and full markings (Sec. 5.4(d)(4) of 
        the Order). Consideration should be given to reporting the 
        results of these reviews to agency personnel as well as to the 
        officials designated above who would be responsible to track 
        trends and assess the overall effectiveness of the agency's 
        efforts and make adjustments, as appropriate.
         Ensuring that information is declassified as soon as 
        it no longer meets the standards for classification (?3.1(a) of 
        the Order).
         Ensuring that prior to exercising the national 
        security exemption as set forth in 5 U.S.C. 552b(1) when 
        responding to FOIA requests, that agency personnel verify that 
        the information involved clearly meets the standards for 
        continued classification irrespective of the markings, to 
        include declassification instructions, contained on the 
        document.
    Recognizing that a focus of this hearing includes policies and 
procedures for handling sensitive unclassified information, it is 
important to articulate recent initiatives by the President to ensure 
the robust and effective sharing of terrorism information vital to 
protecting Americans and the Homeland from terrorist attacks. To that 
end, the President has promulgated a set of guidelines and requirements 
that represent a significant step in the establishment of the 
Information Sharing Environment (ISE) called for by section 1016 of the 
Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA).
    Specifically, to promote and enhance the effective and efficient 
acquisition, access, retention, production, use, management, and 
sharing of Sensitive But Unclassified (SBU) information, including 
homeland security information, law enforcement information, and 
terrorism information, the President has mandated the standardization 
of procedures for designating, marking, and handling SBU information 
across the Federal Government. A clear mandate for achieving this goal 
has been laid out for the entire Executive branch and significant 
progress is underway to develop for the President's consideration 
standardized procedures for handling controlled unclassified 
information. Once implemented, our nation's defenders will be able to 
share controlled unclassified information more rapidly and confidently. 
The existence of such an option should significantly reduce the 
incentive to overclassify information. This happens now, in part, due 
to the absence of a dependable regime for the proper protection of 
sensitive information which should not be classified.
    Again, I thank you for inviting me here today, Madame Chairwoman, 
and I would be happy to answer any questions that you or the 
subcommittee might have at this time.

    Ms. Harman. I thank the witness.
    Now, we will hear from Mr. Armstrong.

    STATEMENT OF SCOTT ARMSTRONG, FOUNDER, INFORMATION TRUST

    Mr. Armstrong. Thank you, Madam Chair. Thank you. I am 
pleased to be able to discuss these issues with this 
subcommittee, given the membership of the subcommittee and the 
full committee include many of the people that have provided 
the leadership, or attempted to provide the leadership, to dig 
into these difficult questions on this committee and other 
committees of the Congress.
    I am here on my own, of course, but I also would like to 
note that I participate in a dialogue, which is presently 
sponsored by the Aspen Institute, between the senior 
journalists, editors, publishers and high-level U.S. government 
officials from various national security intelligence agencies.
    The purpose of the dialogue has been to address recurring 
concerns about the handling of classified information, the fact 
that sensitive information can find its way into the major 
media and could potential cause damage.
    The discussions have included the attorney general, the 
director of Central Intelligence, the deputy director of 
National Intelligence, ranking members from the National 
Security Council, the Department of Defense, the National 
Security Agency, the FBI, the CIA, the Department of Homeland 
Security and the Department of Justice.
    The dialogue is continuing with a variety of initiatives 
that I hope will further involve members of this committee and 
your colleagues and members of your staff, and we will be in 
consultation with you on that issue.
    I would like to note three major areas today out of my 
testimony. Twenty-two years ago, in 1985, when I left the 
Washington Post, to found the National Security Archive, I went 
to the man who was then considered the maven of secrecy in the 
Reagan administration, General Richard Stillwell, and I 
developed an interesting and productive dialogue with General 
Stillwell who was chairing a commission to examine systemic 
vulnerabilities in the classification system.
    At that time, the Reagan administration's concern was not 
so much news media leaks but the fact that there were 
significant leaks in the form of espionage. General Stillwell 
not only quoted, and usually misquoted, a sentence in Supreme 
Court Justice Potter Stewart's concurrence in the Pentagon 
Papers case, ``When everything is classified, then nothing is 
classified,'' but he finished that sentence, ``And the system 
becomes one to be disregarded by the cynical or the careless 
and to be manipulated by those intent on self-protection or 
self-promotion.''
    Like Justice Stewart, General Stillwell believed that the 
hallmark of a truly effective internally security system would 
be the maximum possible disclosure, recognizing that secrecy 
can best be preserved only when credibility is maintained.
    Regrettably, the system then pertained a systemic use of 
special access programs and other compartmented intelligence 
controls by those that have now been extended even on 
classified information and created a labyrinth of security 
measures, often unaccountable and sometimes wholly 
unauthorized. That situation has not changed in the ensuing 20 
years.
    My experience has reinforced the notion that government 
needs to spend less energy on calculating how to punish 
unauthorized disclosures of politically sensitive information 
to the news media and more on distinguishing the truly 
sensitive information which must be protected. Once that 
information is identified as properly warranting protection, 
government officials and the news media have shown a 
willingness to honor reasonable requirements.
    The second issue is the question that this Congress 
addressed--the House addressed in 2002 when it passed the 
Homeland Security Information Sharing Act, which became part of 
the Homeland Security Act of 2004. It mandated the creation of 
a unique category of information, known as sensitive homeland 
security information, which was sensibly designed to allow this 
necessary sharing of information with state and local officials 
while withholding it from the general public.
    This designation has proven difficult for the executives to 
implement, so difficult that in fact it went in a different 
direction and the mandate instead became to disperse 
information control authority across of broad range of 
executive agencies. This resulted in a disjointed and 
uncoordinated proliferation of sensitive but unclassified 
designations to protect poorly defined categories of 
information.
    In one instance, the Department of Homeland Security 
drafted a draconian nondisclosure agreement designed to apply 
the restrictions on tens of thousands of federal employees and 
hundreds of thousands, potentially, of state and local first 
responders.
    Although it was only enforced briefly, this NDA was more 
severe than NDA's effect for sensitive, compartmented 
information and for a variety of controls over the most 
sensitive intelligence information the government has.
    While it has been withdrawn, it is an indicator of the 
extent to which there has been little progress.
    Lastly, the National Intelligence Reform Act of 2004 
provided another challenge which the administration found 
wanting. Congress provided a broad, centralized power for the 
new director of national intelligence and urged the new DNI to 
create a tearline report system by which intelligence gathered 
by an agency is prepared with the information relating to 
intelligence sources and methods is easily severed but for the 
report to protect such sources and methods from disclosure.
    The prospect of such a tearline encouraged many observers 
to believe the classification system could be improved by 
concentrating on the guidelines for protecting well-defined 
sources and methods. By making the refined decisions to protect 
that which truly requires protection, more of the remaining 
information would be available for sharing within the 
intelligence community, as well as with state and local 
officials charged with homeland security responsibilities. They 
were naturally a benefit for the public and the press as this 
information, other information, was decontrolled.
    Ms. Harman. Mr. Armstrong, if you could summarize now, we 
would appreciate it.
    Mr. Armstrong. Increasingly, officials in certain 
departments must greatly risk their security clearances and 
potentially their careers and their family's financial security 
in order to correct and guide public-to-public record.
    It is my hope that rather than attempt to repair the 
present system of over-classification to the public, that the 
public, the news media, the Congress and the intelligence 
community would benefit more from the specification of rigorous 
and tight definitions of sources and methods in accord with the 
tear-line processing of intelligence in order to maximize 
information sharing while protecting the nation's secrets.
    Ms. Harman. Thank you very much.
    Ms. Fuchs?

  STATEMENT OF MEREDITH FUCHS, GENERAL COUNSEL, THE NATIONAL 
         SECURITY ARCHIVE, GEORGE WASHINGTON UNIVERSITY

    Ms. Fuchs. Thank you.
    Chairman Harman, Ranking Member Reichert and members of the 
subcommittee, thank you for having me appear today.
    After the September 11th attacks on the United States, 
there were many signs that official secrecy would increase. 
Some of it was legitimate, out of concern about risks posed by 
poorly safeguarded government information. In addition, in 
March 2002, White House Chief of Staff Andrew Card issued a 
directive to federal agencies, requesting a review of all 
records and policies concerning the protection of sensitive but 
unclassified information, also called SBU.
    This memorandum spurred agencies to increase controls on 
information.
    Mr. Leonard and Ms. Harman have already talked about the 
classification system and some of the statistics regarding 
that. I am going to focus on the SBU system where while we 
identified 28 different information labeling standards and GAO 
identified 56, I have heard from the Office of the Program 
Manager of the information-sharing environment that they have 
identified at least 100 different so-called safeguarding 
labels.
    There is no way to determine how many records are labeled 
with these safeguarding controls, because agencies do not track 
their use of these labels.
    When we issued our report a year ago, we identified a 
number of problems posed by these policies. Since that time, 
the Government Accountability Office and the program manager of 
the Information Sharing Environment themselves have expressed 
the same concerns. I am going to quickly list them, and my 
written testimony gives some additional detail.
    First, there is no monitoring of the use of safeguard 
labels. At many agencies, there are no limits on who can put a 
safeguard label on the information, and, indeed, at some 
agencies, that means hundreds of thousands of people are able 
to put these labels on. There is no time limit for how long the 
label lasts. Few agencies provide any procedure for the labels 
to be removed. Few agencies include restrictions that prohibit 
the use of labels for improper purposes, including to conceal 
embarrassing or illegal agency actions. Agencies have 
conflicting policies on the intersection of these labels and 
the Freedom of Information Act, but evidence certainly suggests 
that these labels are used to increase withholding of 
information.
    These labels likely increase the cost of information 
security, and there is no consistency among agencies about how 
to use these labels. So it seems likely that they inhibit 
information sharing.
    Focusing just on the three major concerns that my 
organization has, the absence of reporting mechanisms for 
sensitive but uncontrolled markings makes any assessment of the 
extent to which a policy is being used difficult, if not 
impossible.
    Because safeguarding sensitive unclassified information 
impacts safety, security, budget and information disclosure, 
all of which are important national concerns, there ought to be 
some sort of overarching monitoring.
    Second, in order to protect the important role that public 
access has played in government accountability, it is important 
that a system for challenging the use of these labels be 
established.
    Third, this unregulated use of safeguarding labels inhibits 
information sharing. Because the systems are sprawling in their 
scope and uncoordinated, they set up roadblocks for sharing. 
Lack of trust in the system likely leads to more 
classification, which also limits dissemination of the 
information.
    I would like to quickly touch on what progress has been 
made within the government. Mr. Leonard referred to this in his 
statement. As you know, Congress required the president to 
implement and information-sharing environment with the 
Intelligence Reform and Terrorist Prevention Act of 2004. 
Pursuant to that, the Office of the Program Manager of the 
Information Sharing Environment was established to assist in 
the development of the environment.
    A report and implementation plan for the information-
sharing environment was required within one year of enactment 
of the law. President Bush issued a memorandum on December 16, 
2005 that set up this office, and specifically directed 
departments and agencies to standardized procedures for 
handling SBU.
    The resulting working group completed an inventory of 
designations in March 2006, and there should have been a 
recommendation for submission to the president by June 2006 on 
standardization of SBU procedures. Well, it is now March 2007, 
and, as far as I know, that hasn't happened.
    Part of the problem may be that these legislative mandates 
are imposed on an executive branch that does not want Congress 
to interfere and is not as concerned as I would hope about 
government accountability. And while I am reluctant to express 
that sort of a sentiment, the lack of willingness by the 
executive branch to respond is evidenced by the refusal of the 
Office of the Director of National Intelligence to participate 
in a March 2006 report by the Government Accountability Office 
about this very matter.
    In its report, GAO noted that the ODNI, the Office of the 
Director of National Intelligence, declined to comment on the 
draft, stating that review of intelligence activities is beyond 
GAO's purview.
    I know that we are running short of time. I am going to 
just quickly raise three concerns about the process. I met, 
along with several other people, with Ambassador McNamara, who 
is now the program manager, and I was very impressed by him and 
the work that they have done, and I think that they have done a 
great analysis. However, there is nothing in the process that 
suggests to me that we are quickly moving to standardization of 
SBU labels.
    While they have done an analysis, they were supposed to 
have submitted a recommendation to the White House in January 
2007. That may have occurred. If it did, it hasn't been made 
public, and having public review of that is absolutely 
critical.
    Secondly, the program manager's effort is focused on 
information related to homeland security, law enforcement and 
terrorism, but this problem of SBU is far broader, and the 
category of information that affects our security is even 
broader than that.
    Placement of the program manager at the Office of the 
Director of National Intelligence possibly limits the 
likelihood that a governmentwide solution will be considered.
    And, finally, there just doesn't seem to be a schedule in 
place. They have collected and analyzed scores of information 
control policies, they have many ideas about how to fix the 
problem, but they have been perpetually behind schedule.
    I am hopeful my testimony today has been helpful, and I am 
happy to take any questions.
    Thank you.
    [The statement of Ms. Fuchs follows:]

                  Prepared Statement of Meredith Fuchs

                             March 22, 2007

    Chairwoman Harman, Ranking Member Reichert and Members of the 
Subcommittee on Intelligence, Information Sharing, and Terrorism Risk 
Assessment, I am honored to appear before you today to talk about the 
growing problem of government secrecy and the danger it poses to our 
security.
    I am testifying on behalf of the National Security Archive (the 
``Archive''), a non-profit research institute and leading user of the 
Freedom of Information Act (FOIA). We publish a wide range of document 
sets, books, articles, and electronic briefing books, all of which are 
based on records obtained under the FOIA. In 1999, we won the 
prestigious George Polk journalism award for ``piercing self-serving 
veils of government secrecy'' and, in 2005, an Emmy award for 
outstanding news research.
    In my five years at the Archive, I have overseen five audits of 
federal agency FOIA processing. Most relevant to this hearing is the 
report we issued in March 2006 entitled: ``Pseudo-Secrets: A Freedom of 
Information Audit of the U.S. Government's Policies on Sensitive 
Unclassified Information.''
    After the September 11, 2001, attacks on the United States, there 
were many signs that official secrecy would increase. The attacks 
themselves led to a wave of legitimate concern about the risks posed by 
poorly safeguarded government information. Additionally, in March 2002 
White House Chief of Staff Andrew H. Card issued a directive to federal 
agencies requesting a review of all records and policies concerning the 
protection of ``sensitive but unclassified'' information. This 
memorandum spurred agencies to increase controls on information. 
Further, during times of war or national crisis, the government's 
tendency to keep secrets always becomes more pronounced and pervasive. 
Thus, the U.S. entry into hostilities in Afghanistan and Iraq as part 
of the Global War on Terrorism necessarily led to an increase in the 
creation of secrets.
    The available statistics show that since the September 11 attacks 
on the United States, there has been a dramatic upsurge in government 
secrecy. Classification has multiplied, reaching 14.2 million 
classification decisions in 2005, nearly double the number in 2001. 
Officials throughout the military and intelligence sectors have 
admitted that much of this classification activity is unnecessary. 
Former Secretary of Defense Donald Rumsfeld acknowledged the problem in 
a 2005 Wall Street Journal op-ed: ``I have long believed that too much 
material is classified across the federal government as a general rule. 
. . .'' \1\ The extent of over-classification is significant. Under 
repeated questioning from members of Congress at a hearing concerning 
over-classification, Deputy Secretary of Defense for 
Counterintelligence and Security Carol A. Haave eventually conceded 
that approximately 50 percent of classification decisions are over-
classifications.\2\ These opinions echoed that of then-Chair of the 
House Permanent Select Committee on Intelligence Porter Goss, who told 
the 9/11 Commission, ``we overclassify very badly. There's a lot of 
gratuitous classification going on, and there are a variety of reasons 
for them.'' \3\
---------------------------------------------------------------------------
    \1\ Donald Rumsfeld, War of the Worlds, Wall St. J., July 18, 2005, 
at A12.
    \2\ Subcommittee on National Security, Emerging Threats and 
International Relations of the House Committee on Gov't Reform Hearing, 
108th Cong. (2004) (testimony of Carol A. Haave), http://www.fas.org/
sgp/congress/2004/082404transcript.pdf; See id., (Testimony of J. 
William Leonard, Director of ISOO) (``It is my view that the government 
classifies too much information.'').
    \3\ 9/11 Commission Hearing, (Testimony of then Chair of the House 
Permanent Select Committee on Intelligence Porter Goss) (2003), http://
www.9-11commission.gov/archive/hearing2/9-11Commission_Hearing_2003-05-
22.htmpanel_two.
---------------------------------------------------------------------------
    Alongside traditional classification are a plethora of new non-
statutory labels that are being applied to protect information that is 
deemed sensitive but unclassified. Some estimates count over 100 
different so-called ``safeguarding'' labels for records. There is no 
way to determine how many records are labeled with safeguarding 
controls, however, because agencies do not track their use of these 
labels.
    At the same time that the indicators all started to point to 
increasing secrecy, the numerous investigations into the September 11 
attacks on the United States each concluded that excessive secrecy 
interfered with the detection and prevention of the attacks.\4\ Other 
reports, including one by the Government Accountability Office and one 
by the successor body to the 9/11 Commission, have decried the delay in 
establishing a workable information sharing environment.\5\
---------------------------------------------------------------------------
    \4\ As the staff director of the Congressional Joint Inquiry on 9/
11 found, ``[t]he record suggests that, prior to September 11th, the 
U.S. intelligence and law enforcement communities were fighting a war 
against terrorism largely without the benefit of what some would call 
their most potent weapon in that effort: an alert and informed American 
public. One need look no further for proof of the latter point than the 
heroics of the passengers on Flight 93 or the quick action of the 
flight attendant who identified shoe bomber Richard Reid.'' Similarly, 
the entire 9/11 Commission report includes only one finding that the 
attacks might have been prevented: ``publicity about Moussaoui's arrest 
and a possible hijacking threat might have derailed the plot.'' Final 
Report of the National Commission on Terrorist Attacks Upon the United 
States, at 276 (emphasis added).
    \5\ In January 2005, the Government Accountability Office (GAO) 
added ``Establishing Appropriate and Effective Information-Sharing 
Mechanisms to Improve Homeland Security'' to its High Risk List, 
stating that they were ``designating information sharing for homeland 
security as a government-wide high-risk area because this area, while 
receiving increased attention, still faces significant challenges'' 
(GAO-05-207). On December 5, 2005, the 9/11 Public Discourse Project, 
the successor body of the 9/11 Commission, issued its Final Report on 
9/11 Commission Recommendations. Important areas on information 
sharing, including ``incentives for information sharing'' and 
``government-wide information sharing,'' received a D in the scheme of 
letter grade assessments.
---------------------------------------------------------------------------
    Against this background, the National Security Archive conducted an 
extensive audit of the actual policies used by agencies to 
``safeguard'' information.\6\ We filed targeted FOIA requests that 
identified information protection policies of 37 major agencies and 
components. We obtained and reviewed 28 distinct policies for 
protection of sensitive unclassified information, many of which allow 
any employee in the agency to designate sensitive unclassified 
information for protection, but few that provide any procedure for the 
labels to be removed. Only a small number of policies included 
restrictions that prohibit the use of the labels for improper purposes, 
including to conceal embarrassing or illegal agency actions, or 
inefficiency. Further, and perhaps most troubling from a security 
perspective, was the remarkable lack of consistency among agencies as 
to how to use these labels. Most of the policies were vague, open-
ended, or broadly applicable, thus raising concerns about information 
sharing, the impact of such designations on access to information, free 
speech, and citizen participation in governance. Given the wide 
variation of practices and procedures as well as some of their 
features, it is probable that these policies interfere with interagency 
information sharing, increase the cost of information security, and 
limit public access to vital information.
---------------------------------------------------------------------------
    \6\ The complete audit report is available at http://www.gwu.edu/
nsarchiv/NSAEBB/NSAEBB183/press.htm.
---------------------------------------------------------------------------
    Further, we concluded that there are almost no incentives to 
control the use or misuse of these safeguarding labels. Unlike 
classified records or ordinary agency records subject to FOIA, there is 
no monitoring of or reporting on the use or impact of protective 
sensitive unclassified information markings. In comparison, it is 
useful to look to the formal classification system, which is governed 
by Executive Order 12958, as amended, and is managed and monitored by 
the Information Security Oversight Office (ISOO) at the National 
Archives and Records Administration (NARA). ISOO publishes an annual 
report to the President in which it quantifies the number of 
classification and declassification decisions, the number of 
individuals with authority to classify material, and the type of 
information that is being classified. Such reports enable the Executive 
Branch and Congress to monitor the costs and benefits of the 
classification system and to identify trends that may suggest the need 
to reform the system.
    The absence of reporting mechanisms for sensitive but unclassified 
control markings makes any assessment of the extent to which a policy 
is being used difficult, if not impossible. Because safeguarding 
sensitive unclassified information impacts safety, security, budget and 
information disclosure--all important national concerns--some form of 
overarching monitoring of all information control would be valuable.
    Nor is there a procedure for the public to challenge protective 
markings. For classified information, the security classification 
system provides precise limits on the extent and duration of 
classification as well as a system for declassification, including 
public requests for declassification. For non-security sensitive 
information, the FOIA provides a relatively clear and user-friendly 
process for the public to seek access to information held by the 
government. Sensitive unclassified information, however, falls into a 
black hole. Based on anecdotal information, we believe that information 
previously available under FOIA or on unrestricted Web sites may no 
longer be available to the public. Yet, there is virtually no 
opportunity for the public or other government personnel to challenge a 
decision to mark a document for protection as SBU, FOUO, or SSI. 
Accordingly, in order to protect the important role that public access 
has played in government accountability, it is important that a system 
for challenging the use of sensitive unclassified information markings 
be established at each agency or, alternatively, that FOIA procedures 
be adjusted to counteract the chilling effect these markings may have 
on disclosure under FOIA.
    Congress began to respond to these problems from the outset. Both 
the Homeland Security Act of 2002 and the Intelligence Reform and 
Terrorism Prevention Act of 2004 (IRTPA) directed the development of 
policies for sharing classified and sensitive but unclassified 
information. IRTPA requires the rapid implementation of an information 
sharing environment (ISE) to facilitate the government-wide sharing of 
information about terrorist threats. As the subcommittee is aware, the 
office of the Program Manager of the ISE was established pursuant to 
IRPTA to assist, in consultation the Information Sharing Council (ISC), 
in the development of the ISE. A report and implementation plan for the 
ISE was required within one year of enactment of IRTPA. President Bush 
issued a Memorandum on December 16, 2005, directing federal departments 
and agencies to standardize procedures for handling SBU information.
    The President's December 2005 Memorandum setting up the office of 
the Program Manager contained specific direction related to the 
standardization of Sensitive But Unclassified (SBU) information. 
Specifically, Guideline 3 required each department and agency to 
inventory existing SBU procedures and their underlying authorities 
across the Federal government, and to assess the effectiveness of these 
procedures and provide this inventory and assessment to the Director of 
National Intelligence (DNI) for transmission to the Secretary of 
Homeland Security and the Attorney General. The working group completed 
an initial inventory of SBU designations in March 2006. The original 
schedule would have resulted in recommendations for submission to the 
President regarding the standardization of SBU procedures by June 2006. 
More than 5 years after the September 11 attacks, however, there still 
is no government-wide plan to standardize information controls and 
ensure government accountability.
    Part of the problem may be that these legislative mandates are 
being imposed on an executive branch that does not appreciate 
Congressional interference and does not seem concerned about government 
accountability. I am reluctant to express such strong sentiments, but 
the lack of willingness by the Executive Branch to respond to 
Congress's mandates is strongly evidenced by the refusal of the Office 
of the Director of National Intelligence to participate in a March 2006 
report by the Government Accountability Office about this very matter. 
In its report, GAO noted that the ODNI ``declined to comment on [GAO's] 
draft report, stating that review of intelligence activities is beyond 
GAO's purview.''
    Further, the responsibility for overseeing the development of a 
comprehensive plan has been shifted from office to office; it was first 
lodged at the Office of Management and Budget, then at the Department 
of Homeland Security and now in the Office of the Director of National 
Intelligence. Thus, despite the urgent need to better coordinate 
information sharing, it has taken some time for the program to find a 
home. Whether the ODNI is the proper home remains to be seen, 
especially in light of that office's unwillingness to be subjected to 
congressional scrutiny. Another delay was caused by the quick departure 
of the first Program Manager for the Information Sharing Environment 
(ISE) in January 2006. He was replaced by Ambassador Thomas McNamara.
    I had the opportunity, along with several other open government 
advocates, to meet with Ambassador McNamara on November 20, 2006. 
Ambassador McNamara described for our group the challenges that the 
office of the Program Manager is facing in rationalizing the system for 
safeguarding records. They must obtain the cooperation of many 
communities of interest, consider multiple users of information, and 
consider the concerns of both governmental and non-governmental 
entities. To date, they have only analyzed the problem. The November 
16, 2006, Report of the Program Manager, Information Sharing 
Environment, indicates that the interagency Information Sharing Council 
(ISC) created to develop an implementation plan for the ISE, along with 
standardizing procedures for sensitive but unclassified information, 
has now created a Coordinating Committee which will submit 
recommendations for SBU standardization through the White House policy 
process. We were told that a recommendation would be transmitted to the 
White House in January 2007, but I am not aware whether this has 
happened or whether the recommendation will ever be made public.
    For my own part, I was impressed with Ambassador McNamara's work to 
date, but I was not left with any strong impression that a transparent, 
government-wide information-sharing plan will emerge any time soon. 
First, there are many steps in the process that do not yet appear to 
have taken place. A recommendation has yet to be circulated for review 
by interested parties. Any recommendations should be made available to 
the public for comment. Even the general outline of a program, which 
was previewed to me and others in November 2006, raised several 
concerns about transparency, government accountability, and appropriate 
procedures. Once a recommendation is accepted, then an implementation 
plan will be necessary. It is possible that there will need to be 
statutory or regulatory changes to facilitate implementation. There 
certainly will be budgetary issues raised by any recommendation and 
plan for standardization.
    Second, the focus of the Program Manager's effort is solely on 
information related to homeland security, law enforcement and 
terrorism. The problem of sensitive unclassified information is far 
broader, and even the category of information that affects our security 
is likely more extensive than is covered by the Program Manager's 
mandate. Placement of the Program Manager at the ODNI further limits 
the likelihood that a government-wide solution will be considered or 
emerge as an outgrowth of the process. Because of the placement within 
the ODNI, the program manager is likely to face great challenges in 
implementing an information sharing network that includes agencies 
outside the intelligence community. Issues of information security, 
information sharing, and public access to information should not be 
addressed in a piecemeal manner. There are best practices in some 
agencies that should be shared, as well as lessons to be learned about 
the costs and benefits of secrecy and disclosure. If the problem of 
information controls interfering with information sharing is ever to be 
solved, it will require a government-wide commitment.
    Third, there does not appear to be any schedule in place for moving 
the process forward. The fact that the Program Manager has collected 
and analyzed scores of information control policies is progress. That 
analysis surely offers insight into what works and what does not. Now 
the analysis must be translated into a plan with strict deadlines and 
funding in order to make implementation a reality. Given that the 
project has been perpetually behind schedule, there is cause for 
concern about the development of an actionable plan and implementation.
    Unnecessary secrecy has been on the rise since September 11, with 
the result of threatening our safety and national security while 
impeding the process of democracy and the effective functioning of 
government. There is no time for turf wars or bureaucratic inertia. We 
are long overdue for solving the challenges of information sharing and 
overcoming the strain on government accountability brought about by 
excessive secrecy. SBU designations have been noted by government 
authorities as a major impediment to information sharing, yet no 
solution to the problem has been developed. I am hopeful that my 
testimony today offers a rationale and a sense of urgency for 
instituting stronger measures to encourage needed reforms in 
information-control programs across the federal government. I am 
grateful for your interest in these issues and am happy to respond to 
any questions.

    Ms. Harman. I thank the three witnesses. Your testimony is 
very helpful.
    And, Mr. Leonard, nobody doubts your good faith and hard 
work, but I do question whether we are making much progress 
rolling a big rock up a steep hill.
    Let me start there. As I said, I spent 8 years on the House 
Intelligence Committee, and I spent many years on virtually 
every security committee in this House since being elected in 
1992. I do respect the need to protect sources and methods. I 
have never, so far as I know, ever compromised a source or a 
method, and I understand that real people die if that happens, 
and we close down our ability to get sensitive information in 
the future, so we should never do that.
    But that is the purpose of our classification system. The 
purpose of our classification system is not to deprive the 
public of information it should have, and, surely, it is not to 
deprive our first preventers on the ground of information they 
need to know what to look for and what to do.
    Does anyone disagree with what I just said?
    Mr. Leonard. Absolutely not, Madam Chair.
    Ms. Harman. I am sure you don't.
    I also share Ms. Fuchs's opinion of Ambassador Ted 
McNamara, with whom I have met. His title is program manager, 
Information Sharing Environment, and he reports to the director 
of national intelligence, Mike McConnell. He is a good man, and 
he is trying to shift a lot of information out of the 
classification system into this SBU system.
    But, again, I am worried that we are just going to replace 
one protection system with another protection system.
    Does anyone disagree with that thought?
    No. Okay. Well, now I am really getting discouraged.
    So where do I come out? I am intrigued by Mr. Armstrong's 
suggestion at the conclusion of his testimony--and I know I was 
rushing you, but I am trying to be fair all our members and 
here and to our second panel. I think what you said is, we need 
to start over. We can't take this jerry-rig system and fix it. 
It is too complicated, and we aren't going to fix it, we are 
just going to move the boxes around. We really ought to think 
through what our goals and objectives are and start over.
    Is that what you said?
    Mr. Armstrong. Precisely. That is the lesson of 50 years of 
national security controls, 35 years since the Pentagon Papers, 
34 years since Watergate and 22 years, 25 years of these three 
commissions that have ensued. All have come back to the same 
thing: If we want to protect important information, we must 
identify it, isolate it, understand why it needs to be 
protected and communicate that to government employees. They 
will respect it, the press will respect it, in turn, and you 
will not have dangerous leaks of national security information.
    You will also have an enormous amount of information that 
is not contained in those categories that will freely available 
for public policy debate and discussion. That is what we need.
    Ms. Harman. Well, let me ask the other two witnesses to 
respond to this innovative and, I think, potentially visionary 
suggestion. I am not sure we are up to this, but I just want to 
ask what you think about it. It is basically to start over, to 
identify what we need to protect.
    And, as I heard you, Mr. Armstrong, you were saying if we 
do this right, then we actually discourage and stop leaks 
because information that should be in the public domain gets 
there, and we should presume we have patriots in our press 
corps who work for government, who serve in Congress and 
elsewhere who will protect secrets that they understand clearly 
need to be protected.
    So my question, let's start with you, Mr. Leonard, is, what 
do you think about this idea of starting over to isolate what 
truly needs to be protected?
    Mr. Leonard. Well, clearly, the challenge of over-
classification, as I included in my prepared testimony. As long 
ago as the 1950s, the Wright commission, established by 
Congress at the height of the Cold War, found that over-
classification was a threat to national security.
    The largest problem, as I see, with the current framework 
is that it is tilted toward encouraging people to withhold. 
Everyone is very mindful of the fact that they can be 
disciplined, fired, maybe even criminally prosecuted for 
unauthorized disclosure. Even though the policy makes an 
affirmative--at least the classification imposes an affirmative 
responsibility on cleared individuals to challenge 
inappropriate classifications, quite frankly, I am never aware 
of that ever happening.
    And, to me, it is the flipside of the coin: Yes, we have to 
hold people accountable for inappropriate disclosures, but 
unless we similarly have a system to hold people accountable 
for inappropriate withholding or hoarding of information, the 
system will remain dysfunctional.
    Ms. Harman. Thank you very much.
    My time is expiring, so, Ms. Fuchs, if you have any 
comments, please make them now.
    Ms. Fuchs. Right. I mean, I would second what Mr. Leonard 
said. I think that the secrecy is a reflexive response by 
people within the government, and it is going to be hard to 
fight that. There should be better training, and the incentives 
have to be changed. And the incentives are changed, I think, by 
doing oversight, having audits of secrecy decision making, 
making legal remedies available to the public, having 
whistleblower protection and having leadership on the issue.
    Ms. Harman. Thank you very much.
    The chair now recognizes Mr. Reichert for 5 minutes.
    Mr. Reichert. Thank you, Madam Chair, and, again, thank you 
for being here this morning.
    Mr. Leonard, you made a statement, I think it was you, that 
said that trained people only get it right 64 percent of the 
time. Why is that?
    Mr. Leonard. It harkens back to the point I just made, Mr. 
Reichert. I was in a similar forum with a very senior official 
from the Defense Department once and she indicated, I think, a 
very prevalent line of thought, and that is, especially in time 
of war, people want to err on the side of caution.
    And I am dumfounded by that approach, because, first of 
all, I never understand why we want to have error as part of 
any implementation strategy. But besides that, if we are ever 
going to get it right, to me, in time of war is the time we 
have to get it right.
    As Ms. Fuchs says, we have to change the incentives and 
have people recognize that the inappropriate withholding or 
hoarding of information can have just as much as a deleterious 
impact on the national security as any unauthorized disclosure 
can.
    Mr. Reichert. Mr. Armstrong, would you say that that is 
true? In your statement, you mentioned sensitive homeland 
security information for state and locals don't get to the 
state and locals. Is that part of the problem that Mr. Leonard 
is talking about?
    Mr. Armstrong. I believe it is. I think there are two 
reasons. One is the bureaucratic default to caution, that it is 
easier to control than it is to release. But, secondly, control 
has its own value and purpose. It allows a manipulation of the 
debate. It prevents people from having a more open and 
participatory discussion about the allocation of resources, 
about priorities.
    We heard in the dialogue from the Department of Homeland 
Security at one point that they were considering the 
prosecution or restraint on journalists publishing information 
about chlorine plants and their danger in metropolitan areas. 
Now, the plant doesn't become more dangerous because there is a 
publication of it. It is possible that some terrorist might 
learn that there is something there that they could blow up, 
but it is unlikely that they haven't already identified it.
    What happens is the public learns about it, and as that 
information is openly discussed, precautions are taken, 
political actors are held accountable, and those political 
actors who become decisions makers during crisis begin to take 
appropriate action.
    Mr. Reichert. Now, for all three of you, there has been--
Mr. Armstrong, you especially mentioned that you have been 
involved in discussions with just about every member of the 
intelligence community. I didn't hear you say that state and 
local agencies were involved in discussions that you were 
having. Did I incorrectly--
    Mr. Armstrong. No, that is correct. Our primary purpose was 
when the equivalent of an Official Secrets Act was passed in 
the year 2000 and the vetoed and then came up again the 
following year, we wanted to learn, in the press, we wanted to 
learn what the concern was in the federal government and how we 
might best meet that. But we have not had that discussion at 
the local level.
    Mr. Reichert. For all three of you, quickly, state or local 
public disclosure laws, have you been trying to connect with 
state officials and local officials to find out how to work 
through that problem?
    Ms. Fuchs. If I could respond, I wanted to mention(it is a 
big problem what happens at the state and local level, and 
there is going to have to be some coordination. I wanted to 
draw the subcommittee's attention to a report that was done by 
the American Society of Newspaper Editors that was released 
last week where they did an audit where they went to state and 
local offices to get copies of the Comprehensive Emergency 
Response Plan in each of those places.
    That is something that is mandated to be made public by the 
Emergency Planning and Community Right to Know Act of 1986, and 
it is something that, for instance, tells you escape routes 
that the public should be aware of if something happens in 
their community.
    More than a third of the public officials refused to 
provide the report. It is sort of the opposite of--a variation 
on the story that you told, Mr. Reichert at the outset----
    Mr. Reichert. Yes.
    Ms. Fuchs. --about not sharing information.
    But it is the kind of thing, for instance, I know that in 
D.C. that K Street divides which way you get out of the city if 
something happens. Well, I work on one side of K Street and my 
kid goes to school on the other side of K Street. Knowing that 
information is important to me as a member of the public.
    Mr. Reichert. Yes. I would make one last point. We can come 
up, devise the greatest system in the world, which we don't 
have right now, obviously, but if we start over, it could 
hopefully end up being better, but the system is made up of 
people, and that is going to be our major problem.
    I know on a number of occasions in my 33 years in the 
sheriff's office we were going to serve a search warrant and I 
showed up at an address to serve a search warrant on a suspect 
in that major serial case I was talking about earlier only to 
find a reporter standing on the front porch waiting for me. So 
we can build a great system, but it all boils down to the 
people and the responsibility that they take.
    Thank you. I yield.
    Ms. Harman. I thank the ranking member for yielding.
    The chair now recognizes Mr. Langevin for 5 minutes.
    Mr. Langevin. Thank you, Madam Chair.
    I want to thank our witnesses for testifying here today.
    Can you just walk me through the process of how people get 
access to this sensitive but unclassified information? Does 
this come down to the fact that we needed better information-
sharing environment among people like law enforcement, and one 
of the things I know that DHS is struggling through right now 
is creating an information-sharing environment for terrorism-
related issues, similar to the type of information sharing that 
law enforcement--that type of a system that law enforcement has 
right now.
    For example, in New England, we have RISNet, Regional 
Information Sharing Network, so that information on law 
enforcement issues can get out there to those that need it. DHS 
is struggling with creating that kind of a system. I think 
Charles Allen at DHS is doing a very good job of moving in the 
right direction, but we are certainly not there yet.
    So is that the model that we have right now? I just want to 
get an understanding of when something is sensitive but 
unclassified, can anybody in the law enforcement realm--you 
know, is that in the need-to-know category?
    Mr. Leonard. Although not in my official realm of 
responsibilities, I can address that and that is the bottom 
line. The challenge is, there is no one model. With over 100 
types of systems, I dare say there is no one individual in the 
entire federal bureaucracy who knows how to leverage access to 
all these types of controlled information.
    And the challenge then, of course, is, when agencies want 
to leverage technology to help disseminate this information, 
and there are all different types of controls and constraints 
on it, you are somewhat restricted in terms of what you can put 
into a technology system if you don't know the rules for 
handling and disseminating and access, because there currently 
are no systems. And this is what Ambassador McNamara's office 
is in fact trying to address.
    Mr. Armstrong. One issue you might consider, congressman, 
is the fact that the Department of Homeland Security does not 
seem to have a risk assessment matrix that allows them to put 
value on particular information and figure out what it is they 
are trying to control and from whom.
    When they issued, in 2004, a nondisclosure agreement, which 
I included a copy of, attached to my statement, they included 
the long list of things and then the words, ``and other 
identifier used by other government agencies to categorize 
information as sensitive but unclassified,'' and gave authority 
to any supervisor to create any such category. So people have 
millions of different interpretations.
    It requires leadership, it requires some identification of 
what the dangers are and what the purpose of controlling 
information is. If they can't identify that, don't control it.
    Mr. Langevin. Let's kind of elaborate on that, if we could, 
a little more. How might we go about creating a standardized 
system for sharing sensitive but unclassified information? And 
would a standard approach be a net positive? And furthermore, 
to what extent do you think there will be any resistance to 
such an effort and from whom?
    Ms. Fuchs. Well, I think that standardizing would be a 
benefit. I mean, we see it in the classification system, there 
is some regularity, there are reporting requirements, there is 
way to challenge classification decisions. It may not happen 
that often, but at least there is some transparency to the 
system and there is some control.
    What is happening in the SBU system is it is all over the 
place, and the absence of any type of regulation means that it 
is an interference with information sharing.
    But I want to also add that part of making information 
sharing work means including the public in information sharing, 
because the public has just as much concern as the government 
in protecting ourselves.
    I mean, we all know the story of the sniper in Washington, 
D.C. It was only because the license plate on that car got out 
and a trucker who stopped at the side of the street saw the car 
and reported it. The public has a role to play as well, so any 
kind of system should consider the importance of sharing 
information with the public.
    Mr. Leonard. And being a lifelong bureaucrat, I find rules 
can be empowering as well. Because, right now, with the mass 
confusion, people on the frontlines and the federal bureaucracy 
who have to make decisions, there is such confusion that the 
default is, well, I don't know if I am going to default.
    If we have clearly articulated rules, that can be 
empowering as well, because then it removes the uncertainty in 
people's minds. They know exactly what they can disclose, under 
what circumstances and who. And also then if people want to 
challenge those controls, we know what it is we are 
challenging.
    Mr. Armstrong. I think the standardization needs to be of 
the risk assessment process and of the process of engaging the 
partners with whom you want to share information. If you build 
it, they will come, but it has to be truly understood, as 
Meredith mentioned, those partners include the public. The 
chlorine plant situation, people who own chlorine plants do not 
want information distributed about them, particularly when 
there are risks from them.
    Ms. Harman. The time of the gentleman has expired.
    The chair now recognizes the very patient Mr. Dent of 
Pennsylvania for 5 minutes.
    Mr. Dent. Thank you, Madam Chairman.
    Mr. Leonard, the president directed that the designation of 
sensitive but unclassified information be standardized. In 
response, an interagency working group, led by DHS, DOJ and the 
program manager for the Information Sharing Environment, 
initiated an effort to address these issues. I understand that 
your office is part of that effort and that the working group 
has submitted recommendations to the president regarding the 
standardization of sensitive but unclassified procedures.
    When do you expect these recommendations to be approved by 
the president? And what outstanding issues are there?
    Mr. Leonard. Sure.
    Congressman I serve as an advisor to the working group that 
Ambassador McNamara heads up. Being an observer and an advisor 
to that group, I can attest that significance progress has been 
made. Those recommendations actually have not yet been passed 
up to the president as of yet, but my understanding is that the 
timeline is a matter of months of get it through the process.
    Mr. Dent. To get it to the president.
    Mr. Leonard. To get it to the president; yes, sir.
    Mr. Dent. Okay. Then what can we do to assist you through 
this process? I mean, what can Congress do?
    Mr. Leonard. Well, one of the challenges that I have always 
took note of is that many of the controls that agencies have 
placed on unclassified information are actually based in 
statute. And one of my observations has been is that each and 
every time we create one of these new homegrown controlled 
items, that we seem to do it from scratch and we don't pay 
homage to what has gone before.
    And I believe whenever Congress makes the observation that 
certain types of information needs to be controlled from a 
statutory point of view, that to whatever extent including in 
those mandates is the need to ensure that it is being done in a 
consistent manner, I think would be highly effective.
    Mr. Dent. More specifically, Mr. Leonard, I know you 
testified before that the classification authority is pursuant 
to the president's article 2 authorities under the 
Constitution, and that certainly complicates these legislative 
remedies.
    So, I guess, what, in your opinion, would a legislative 
remedy to the problem of over-classification and pseudo-
classification look like?
    Mr. Leonard. Well, my reference to the president's article 
2 authority, of course, is with respect to the classification 
for a national security information system, which I oversee. 
The pseudo-classification system, as I said, that has its 
origins in a number of different areas.
    Anything that we can do to change--the observation was made 
about ultimately it is people who make the system works, and 
anything that we can do to encourage people to recognize the 
need that inappropriate withholding of information is similarly 
deleterious and change that culture is, I think, ultimately 
what is required in this area.
    Mr. Dent. Thank you.
    And, finally, in August of 2004, you testified, 
essentially, that the creation of a director of national 
intelligence would be a good thing if the DNI could overcome 
all of the nuances in the classification system.
    Has this been the case, or does the DNI need more 
authorities to iron out the classification system, in your 
opinion?
    Mr. Leonard. The DNI has taken a leading role, from my 
observation, in terms of trying to establish greater 
consistency with respect to how the intelligence sources, 
methods and activities are handled across the board. That is 
obviously a work in progress, but my observation is that the 
DNI has taken a much needed leadership role in this area.
    Mr. Dent. Thanks, Madam Chairman. I yield back.
    Ms. Harman. I thank the gentleman.
    As this panel exits, I would just like to note that I was 
one of the godmothers for the creation of the Department of 
Homeland Security, and I was a coauthor of the legislation 
establishing the Office of the Director of National 
Intelligence, and our clear intent, on a bipartisan basis, was 
to simplify, not complicate, this system.
    So I am hopeful that this subcommittee, on a bipartisan 
basis, will take up Mr. Armstrong's challenge and see if we can 
accomplish that goal, which is a lot later than we intended but 
very timely.
    The first panel is excused, and as the second panel comes 
up, I would note that we are expecting votes between 11:15 and 
11:30. Mr. Reichert and I want to hear from both witnesses and 
ask our questions very promptly, because we don't want you to 
have to stay around for the half hour or more that we will have 
to recess.
    Thank the witnesses very much.
    Okay. Let's have the second panel takes your seats. Even 
without nametags, we know who you are.
    Our first witness, Cathy Lanier, is the chief of the 
Metropolitan Police Department here in Washington, D.C. She was 
named police chief by D.C. Mayor Adrian Fenty and assumed her 
position on January 2nd of this year. Before her appointment, 
she was tapped to be the first commanding officer for the 
police department's Office of Homeland Security and 
Counterterrorism, which was established in 2006.
    A highly respected professional in the areas of homeland 
security and community policing, Chief Lanier took the lead 
role in developing and implementing coordinated 
counterterrorism strategies for all units within the 
Metropolitan Police Department and launched Operation TIPP, 
which is D.C.'s Terrorist Incident and Prevention Program.
    Our second witness, Michael Downing, serves as the 
assistant commanding officer, Counterterrorism Criminal 
Intelligence Bureau, where he assists two regional operations, 
which command the Los Angeles Joint Regional Intelligence 
Center, called the JRIC.
    And we welcome him from L.A.
    I will skip all the rest of his wonderful credentials, 
because we want to get right to your testimony.
    And, without objection, the witnesses' full statements will 
be inserted in the record.
    I now ask each witness to summarize as quickly as possible, 
starting with Chief Lanier.

    STATEMENT OF CHIEF CATHY L. LANIER, METROPOLITAN POLICE 
                  DEPARTMENT, WASHINGTON, D.C.

    Chief Lanier. Thank you. Good morning.
    Chairman Harman, members of the committee, staff and 
guests, thank you for this opportunity to present this 
statement on the impact of over-classification on information 
sharing.
    To begin, I emphasize the important role that local law 
enforcement plays in homeland security efforts. We are more 
than merely first responders, as you have stated. We are first 
preventers who are uniquely positioned to detect and prevent 
terrorist incidents right here in our home. There are 800,000 
law enforcement members across the nation who know the 
communities they serve and are in the best position to detect 
the investigative criminal activity that might be connected to 
terrorism.
    Information provided by local police, if discovered early 
and matched with the right intelligence, can help detect, 
disrupt and prevent a terrorist plot. However, in order for 
local law enforcement to perform its critical role of first 
preventer, it is essential that the police officers and support 
personnel be provided with timely intelligence information. 
This requires an intelligence conduit consisting of an 
organized, effective and trusting flow of information between 
local law enforcement and our federal partners.
    It is important to note that in the national capital 
region, the flow of information among our federal partners is 
fairly good through the JTTF. Part of that reason for that is 
that our agencies have worked together for years sharing 
information and coordinating responses to a variety of 
situations. Pre-established relationships and a track record of 
trust has made smooth and eliminated obstacles experienced by 
other jurisdictions. The JTTF understands local law enforcement 
and appreciates the value of those relationships.
    Nonetheless, several issues remain as it relates to federal 
and local information sharing. Law enforcement needs better 
access to federal intelligence information as well as an 
enhanced ability to translate such information into local law 
enforcement activity. This involves classifying information 
appropriately as well as creating a more efficient local 
access, both classified and non-classified information.
    Access to federal intelligence information remains a major 
obstacle for local law enforcement. While the security 
classification system that mandates security clearances helps 
to ensure that sensitive information is protected, it also 
hinders the local homeland security efforts.
    Information collected by the federal government is 
sometimes overly classified and causes valuable information 
that should be shared to remain concealed. Law enforcement does 
not need to know the details about where information originates 
or how it is collected; however, we do need sufficient and 
timely information in order to know what to look out for as 
well as what scenarios to prepare for.
    Information provided by the federal government that is 
dated or only shared once the threat becomes imminent does not 
offer value to local law enforcement. At this point, it is too 
late for us to enhance our capabilities to effectively deal 
with a threat. Conversely, local law enforcement analysts 
should also ensure that intelligence they collect is assessed 
and shared with DHS, FBI and other local and state agencies.
    The significant challenges facing local law enforcement is 
in translating this intelligence once it is obtained from the 
federal government into actions for local jurisdictions. This 
challenge is notably exacerbated when the information provided 
is either not timely or is restricted so that it cannot be 
shared with other stakeholders.
    It is critical that the local law enforcement community be 
made aware of global trends regarding people and organizations 
that have a potential to commit crimes or pose a bona fide 
threat to our community. Awareness of these global trends will 
identify emerging threats and allow me to properly train my 
patrol officers on the individual elements needed to mitigate 
these emerging threats.
    As a police chief, I need various forms of intelligence 
that will come from a variety of different agencies. On the 
strategic side, I need a global view of known terrorist 
organizations, groups and individuals, both foreign and 
domestic, and the potential threat they may post to the 
homeland. This type of intelligence provides me with a better 
understanding of the history of these groups, their 
capabilities and their interest in particular targets or 
weapons.
    The broad nature of this type of intelligence, in my 
opinion, should not be classified beyond law enforcement 
sensitive. Even when it involves emerging groups and 
capabilities, as long as the information remains in the law 
enforcement community and is used for legitimate law 
enforcement purposes, it should not cause harm to any ongoing 
intelligence operation.
    In addition to increased awareness of global trends, I also 
need to be familiar with the local threat environment right 
here in the national capital region. Being familiar with the 
presence of known terrorist organizations in this region allows 
me to educate and train my officers on the known tactics used 
by these organizations so they can pay particular attention to 
the certain subtle activities while on routine patrol.
    For example, if it is known that a particular terrorist 
organization that has a presence in the NCR is known to engage 
in financing terrorist activities by selling unpacked 
cigarettes, my patrol officers need to be aware of this so that 
particular tactic--so they would know which information needs 
to be shared with the JTTF for further analysis.
    This intelligence, combined with information such as how 
these groups travel, communicate and influence will help me 
influence the resource allocation, training, prevention efforts 
and response practices.
    The bottom line, the frontline officers who see individual 
elements of crimes every day need to be knowledgeable of 
emerging threats and tactics in order to link these individual 
elements so that trends can be identified early and mitigated 
quickly.
    I will skip to the end of my testimony to stay within the 
time, but I do believe that ultimately improvements in the 
intelligence-sharing environment will make our nation safer, as 
the federal government and local first responders work jointly 
as first preventers.
    And I thank you for having this opportunity today.
    [The statement of Chief Lanier follows:]

                 Prepared Statement of Cathy L. Lanier

                             March 22, 2007

    Chairwoman Harman, members of the Committee, staff and guests--
thank you for the opportunity to present this statement on the impact 
of overclassification on information sharing. Specifically, I will 
address federal-level information sharing with local law enforcement.
    To begin, I emphasize the important role that local law enforcement 
plays in homeland security efforts. We are more than merely first 
responders. We are first preventers who are uniquely positioned to 
detect and prevent terrorist incidents right here at home. There are 
800,000 law enforcement members across the nation who know the 
communities they serve and are in the best position to detect and 
investigate criminal activity that might be connected to terrorism. 
Information provided by local police--if discovered early and matched 
with the right intelligence--can help detect, disrupt and prevent a 
terrorist plot.
    However, in order for local law enforcement to perform its critical 
role of first preventer, it is essential that police officers and 
support personnel be provided with timely intelligence information. 
This requires an intelligence conduit consisting of an organized, 
effective and trusting flow of information between local law 
enforcement and our federal partners. It is important to note that in 
the national capital region, the flow of information among federal, 
state and local partners through our Joint Terrorism Task Force (JTTF) 
is quite good. Part of the reason for this is that our agencies have 
worked together for years sharing information and coordinating 
responses to a variety of situations. Pre-established relationships and 
a track record of trust have smoothed many of the obstacles experienced 
by other jurisdictions. The JTTFs understand local law enforcement, and 
appreciates the value of local relationships. I believe other aspects 
of the federal homeland security community could learn from the 
experiences of the JTTFs.
    Nonetheless, several issues remain as it relates to federal-local 
intelligence sharing practices. Local law enforcement needs better 
access to federal intelligence information, as well as an enhanced 
ability to translate such information into local law enforcement 
activity. This involves classifying information appropriately, as well 
as creating more efficient local access to both non-classified and 
classified information. Further, we need to recognize the importance of 
smaller law enforcement agencies, as well as the need to expand 
homeland security efforts beyond our traditional partners. I will 
discuss these issues in greater detail in this testimony.
    Access to federal intelligence information remains a major obstacle 
for local law enforcement. While the security classification system 
that mandates security clearances helps to ensure that sensitive 
information is protected, it also hinders local homeland security 
efforts. Information collected by the federal government is sometimes 
overly classified, causing valuable information that should be shared 
to remain concealed.
    Local law enforcement does not need to know details about where 
information originates or how it was collected. However, we do need 
sufficient and timely information in order to know what to look out 
for--as well what scenarios to prepare and drill for. Intelligence 
analysts should assess intelligence information and synthesize it in a 
manner that allows pertinent information to be shared widely among 
local law enforcement personnel. This requires that they write the 
analysis for release and appreciate the type of actionable information 
useful to law enforcement. I want to also emphasize the importance of 
quickly sharing information--even if the information is not fully 
vetted. Information provided by the federal government that is dated or 
only shared once a threat becomes imminent does not offer value to 
local law enforcement. At this point it is too late for us to enhance 
our capabilities to effectively deal with the threat. Conversely, local 
law enforcement analysts should also ensure that intelligence they 
collect is assessed and shared with DHS, FBI, and other local and state 
agencies.
    A significant challenge facing local law enforcement is translating 
the intelligence information that is obtained from the federal 
government into action for local jurisdictions. This challenge is 
notably exacerbated when the information provided either not timely or 
is restricted and cannot be shared with other stakeholders. It does a 
local police chief little good to receive information--including 
classified information--about a threat if she cannot use it to help 
prevent an attack. Operationally, local law enforcement needs to be 
aware of the presence of possible terrorist organization activity in 
their jurisdiction and surrounding region. This intelligence--combined 
with information such as how these groups travel and communicate--
influence local law enforcement resource allocation, training, 
prevention, and response practices.
    It is critical that the local law enforcement community be made 
aware of global trends regarding people and organizations that have the 
potential to commit crimes or pose a bona fide threat to the community. 
Awareness of these global trends will identify emerging threats and 
allow me to properly train my patrol officers on the individual 
elements needed to mitigate these emerging threats. As a police chief I 
need various forms of intelligence that will come from a variety of 
different agencies. On the strategic side, I need a global view of 
known terrorist organizations, groups and individuals--both foreign and 
domestic--and the potential threat they may pose to the homeland. This 
type of intelligence provides me with a better understanding of the 
history of these groups, their capabilities and their interest in 
particular targets or weapons. The broad nature of this type of 
intelligence, in my opinion, should not be classified beyond ``law 
enforcement sensitive''. Even when it involves emerging groups or 
capabilities, as long as the information remains in the law enforcement 
community, and is used for legitimate law enforcement purposes, it 
should not cause harm to any ongoing intelligence operation.
    In addition to increased awareness of global trends, I also need to 
be familiar with the local threat environment in the national capitol 
region. Being familiar with the presence of known terrorist groups in 
the region allows me to educate and train my officers on the known 
tactics used by these organizations so they can pay particular 
attention to certain subtle activities while on routine patrol. For 
example, if it is a known that a particular terrorist group that has a 
presence in the NCR is known to engage in financing terrorist 
activities by selling untaxed cigarettes, my patrol officers need to be 
aware of these and other tactics so that they would know which 
information to pass to the JTTF for further analysis.
    The bottom line issue is that the frontline officers, who see the 
individual elements of crimes, need to be knowledgeable of emerging 
threats and tactics in order to link these individual elements so that 
trends can be identified early and mitigated quickly.
    Importantly, there are also occasions where local law enforcement 
officials may need to be apprised of classified information. There is 
no question that local law enforcement personnel have added value to 
federal task forces--such as the JTTFs--as well as Department of 
Homeland Security operation centers. It is for these reasons that 
appropriate security clearances must be granted--in a timely manner--to 
local police.
    While the Metropolitan Police Department (MPD) has obtained a 
number of security clearances for its members, that is not true for all 
law enforcement organizations. It is imperative that federal, state, 
and local law enforcement personnel that are working together to 
protect the nation from terrorist threats be on equal footing. While 
local law enforcement has seen some improvement in the process of 
receiving security clearances, more must be done to expedite the 
process.
    I am optimistic that the DHS-supported fusion centers that are 
becoming operational across the country will help bridge some the 
existing intelligence sharing gaps. This will be accomplished by having 
analysts from different agencies and perspectives talking to each other 
and working together. .
    While large-sized police departments have the ability to develop 
and implement more sophisticated intelligence functions, small agencies 
are sometimes left out of the loop. In the Washington area alone there 
are 21 municipal law enforcement agencies that have less than 40 police 
officers. It is incumbent upon the federal government and large police 
departments to ensure that smaller agencies are kept informed--and 
understand the importance of intelligence information. Formal liaisons 
should be established, and every agency--no matter how small--should 
have an accessible representative that is familiar with handling 
intelligence information.
    I also believe that federal and local law enforcement should 
consider expanding its homeland security efforts beyond traditional 
parameters. We need to examine the possibility of establishing 
intelligence conduits with other local government components. 
Firefighters, paramedics and health workers, are well positioned to 
contribute valuable information to help protect our communities. In 
order to harness these types of resources, intelligence-sharing 
networks must be more inclusive. Further, the intelligence community 
will also need to work on developing and sharing intelligence that is 
actionable for other professions. We should begin planning for this new 
front now.
    Finally, local law enforcement recognizes that in addition to 
needing timely intelligence from federal agencies, we also must be 
willing and able to share timely and useful information gathered at the 
local level with our federal state, and local partners. This is what 
the fusion center concept is all about. Local law enforcement stands 
ready to do its part in contributing to--and receiving and acting 
upon--the information that we hope will be shared more extensively in 
the future.
    Ultimately, such improvements in intelligence sharing will make our 
nation safer, as the federal government as local first responders work 
jointly as first preventers.
    Thank you again for the opportunity to appear before you today.

    Ms. Harman. Thank you, Chief. Your testimony is very 
important for the hearing record.
    Mr. Downing?

  STATEMENT OF MICHAEL DOWNING, ASSISTANT COMMANDING OFFICER, 
  COUNTER-TERRORISM/CRIMINAL INTELLIGENCE BUREAU, LOS ANGELES 
                       POLICE DEPARTMENT

    Mr. Downing. Chairman Harman, Ranking Member Reichert, 
members of the subcommittee, thank you for the opportunity to 
discuss the Los Angeles Police Department's efforts to fight 
terrorism and the important issue of the over-classification of 
intelligence.
    Having recently returned from an 8-week attachment to the 
new Scotland Yard's Counterterrorism Command, I have a much 
greater appreciation for change and why we need to change.
    In Peter Clarke's words, the national coordinator for 
counterterrorism, if you looked at the 30-year IRA campaign and 
look at the antithesis of that campaign, that is the threat 
that they have now. To take a 130-year-old organization's 
special branch and amalgamate it into the counterterrorism 
command is huge change for a culturally rich institution, and 
if they change, we certainly need to change.
    Local law enforcement's ability to play a significant role 
in stopping terrorism is seriously hampered by the over-
classification of intelligence by the federal government. In 
Los Angeles, we enjoy a positive constructive partnership with 
various federal agencies, but the classification process has 
been a substantial roadblock to our capacity to investigate 
terrorism cases.
    The terrorist threat to our communities currently involves 
continued domestic terrorism and international terrorists 
plotting to destroy American cities. Prior to September 11, 
local law enforcement agencies primarily investigated domestic 
terrorist groups, including white supremacists, hate groups, 
special issue groups conducting criminal activities. 
Investigations centered on familiar cultures that were socially 
motivated by political ideologies to commit terrorism.
    The bombing of the Alfred Murrah building in Oklahoma, in 
1995, the most notable domestic terrorist attack, had a 
catastrophic impact on American soil and brought together local 
and federal law enforcement to bring the terrorists to justice. 
Local law enforcement, in fact, played a critical role in the 
investigation and apprehension of the offenders.
    I understand that you are coming to Torrance in a few weeks 
for a field hearing. The JIS case was an unclassified case that 
dealt in prison radicalization and conversion to gangs and 
terrorism. That was an unclassified case because it didn't have 
an international connection. Had it had an international 
connection, it would have been classified and the outcome 
perhaps could have been much different.
    Prior to September 11, international terrorism was not in 
the national consciousness. Despite the first World Trade 
Center bombing, most Americans did not realize the significant 
threat of Islamic extremism and the consequences of this 
terrorism. September 11 changed the mindset of all Americans, 
including local law enforcement.
    In addition, in the war on Afghanistan, and later in Iraq, 
the face of Islamic terrorism changed. No longer was the only 
threat a group of dissident Saudis hijacking a plane to crash 
into American symbols of power. Throughout the world, suicide 
bombers attacked discos, train stations and buses. Islamic 
terrorism has continued to demonstrate its reach and power from 
changing the outcome of the 2004 national election in Spain to 
paralyzing the transportation system in London in 2005.
    The terrorist transformed himself from Middle East 
foreigner to second and third generation local citizen.
    The sheer number of terrorist threats to our communities 
across the country has increased dramatically, and the federal 
government's capacity to collect intelligence and investigate 
these threats has been overwhelmed. Consequently, local law 
enforcement's efforts to counterterrorism has never been more 
important and has never been more critical.
    Across the country, a new concept of fusion centers arose, 
where analysts from police departments, FBI, Immigration and 
Customs Enforcement and other agencies worked on the same 
information screens to identify possible terrorist threats.
    In Los Angeles, the LAPD provides personnel to participate 
in the JRIC located in Norwalk, California. We have 14 other 
participating agencies in that center.
    The JRIC provides critical information-sharing 
opportunities with the federal government. However, over-
classification of intelligence has become an impediment to full 
information sharing with the local law enforcement agencies who 
participate in the JRIC. As such, it has provided an impediment 
to the JTTFs, which is a great success story in our partnership 
with the federal agencies.
    After the 9/11 Commission issued its comprehensive report, 
America's local law enforcement community, consisting of over 
700 law enforcement officers, was reluctantly invited into the 
effort of countering the international terrorist threat. One 
part of the rationale was that neither the CIA or DOD could 
conduct intelligence operations within the U.S. against 
American citizens.
    Moreover, the total number of FBI special agents assigned 
to protect over 18,000 cities, towns and villages throughout 
the United States is slightly over 12,000 people. This number 
becomes less reassuring when one examines the number of agents 
needed to handle the FBI's other responsibilities, including 
white collar crime, organized crime, public corruption, 
financial crime, fraud against the government, bribery, 
copyright infringements, civil rights violations, bank robbery, 
extortion, kidnapping, espionage and so on.
    At the national level, local law enforcement was not deemed 
an important stopgap in the field of counterterrorism, 
particularly in the area of Islamic extremists. In addition, 
the significant role of----
    Ms. Harman. Mr. Downing, could you please summarize at this 
point, because we are concerned that a vote will be called.
    Mr. Downing. Thank you. I will conclude, Ms. Chairman.
    The United States faces a vicious, amorphous and unfamiliar 
adversary on our land. Our previous defensive strategy to 
protect our cities was ineffective, and our current strategy is 
fraught with issues. We cannot support any process that takes 
us closer to another failure.
    We have mutual interest in working common direction to 
prevent acts of terrorism in the United States. The 
classification levels are based on fear, the probability of 
information being disseminated to those that can cause serious 
damage to national security. What this system is not designed 
to do is to protect us against the threat itself.
    This is achieved by disseminating the information to people 
who stand the best chance of stopping violence against American 
cities, our first preventers and law enforcement.
    [The statement of Mr. Downing follows:]

                Prepared Statement of Michael P. Downing

                             March 22, 2007

I. Introduction
    Chairman Thompson, Chairwoman Harman, Ranking Member Reichert, and 
Members of the Subcommittee, thank you for the opportunity to discuss 
the Los Angeles Police Department's (LAPD) efforts to fight terrorism 
and the important issue of the over-classification of intelligence.
    Local law enforcement's ability to play a significant role in 
stopping terrorism is seriously hampered by the over-classification of 
intelligence by the federal government. While in Los Angeles we have 
enjoyed a very positive and constructive partnership with various 
federal law enforcement agencies, including the Federal Bureau of 
Investigation's (FBI) Los Angeles Field Office and the Department of 
Homeland Security's Immigration and Customs Enforcement (ICE), the 
classification process has been a substantial roadblock to our capacity 
to investigate terrorism cases and work hand-in-hand with these federal 
agencies.

II. The Terrorist Threat to Our Local Communities
    The terrorist threat to our communities currently involves 
continued domestic terrorism and international terrorists plotting to 
destroy American cities.

        A. Domestic Terrorism
    Prior to September 11, local law enforcement agencies primarily 
investigated domestic terrorist groups, including white supremacists, 
hate groups, and special-issues groups conducting criminal activity 
(e.g. the Animal Liberation Front). Investigations centered on familiar 
cultures that were socially motivated by political ideologies to commit 
terrorism. The bombing of the Alfred P. Murrah Federal Building in 
Oklahoma in 1995, the most notable domestic terrorist attack, had a 
catastrophic impact on American soil and brought together local and 
federal law enforcement to bring the terrorists to justice.\1\ Local 
law enforcement, in fact, played a critical role in the investigation 
and apprehension of the offenders.
---------------------------------------------------------------------------
    \1\ The 1993 World Trade Bombing was seen as international 
terrorism and investigated by the FBI.

        B. International Terrorism
    Prior to September 11, 2001, international terrorism was not in the 
national consciousness. Despite the first World Trade Center bombing, 
most Americans did not realize the significant threat of Islamic 
extremism and the consequences of international terrorism. September 11 
changed the mindset of all Americans including local law enforcement.
    Since September 11, the scope of terrorism and extremism has 
increased exponentially. In addition, as the war in Afghanistan and 
later in Iraq waged on, the face of Islamic terrorism changed. No 
longer was the only threat a group of dissident Saudis hijacking a 
plane to crash into American symbols of power. Throughout the world, 
suicide bombers attacked discos, train stations, and buses. Islamic 
terrorism has continued to demonstrate its reach and power from 
changing the outcome of the 2004 national election in Spain to 
paralyzing the transportation system in London in 2005. The terrorist 
transformed himself from Middle East foreigner to second and third 
generation local citizen.
    The sheer number of terrorist threats to our communities across the 
country has increased dramatically and the federal government's 
capacity to collect intelligence and investigate these threats has been 
overwhelmed. Consequently, local law enforcement's efforts to counter 
terrorism have never been more important or critical.

III. LAPD's Response to Terrorist Threats

        A. Counter-Terrorism Bureau
    The Los Angeles Police Department has taken the threat of 
international terrorism very seriously. The city has a population of 
over 4 million and spans over approximately 500 square miles. The 
region is home to numerous potential terrorist targets including the 
Los Angeles International Airport, the ports of Los Angeles and Long 
Beach, and the entertainment industry.In response, the LAPD has 
invested numerous hours and millions of dollars toward preparedness and 
response to a possible terrorist attack. In addition, the LAPD has 
created a Counter-Terrorism/Criminal Intelligence Bureau with nearly 
300 officers who are solely dedicated to counter-terrorism and criminal 
intelligence gathering. While this bureau has served a critical 
function in the war against terror, the LAPD has been required to 
dedicate officers to intelligence gathering, a function typically 
performed by the federal government.

        B. Joint Regional Intelligence Center and Joint Terrorism Task 
        Force
    Across the country, a new concept ``fusion centers'' arose where 
analysts from police departments, the FBI, Immigration and Customs 
Enforcement, and other agencies worked on the same information streams 
to identify possible terrorist threats. In Los Angeles, the LAPD 
provides personnel and participates in a Joint Regional Intelligence 
Center (JRIC), located in Norwalk, California, which includes fourteen 
participating agencies. The JRIC provides a critical information-
sharing opportunity with the federal government. However, the over-
classification of intelligence has become an impediment to full 
information sharing with the local law enforcement agencies who 
participate in the JRIC.
    The LAPD, as well as other Los Angeles-area law enforcement 
agencies, is an active participant in the Joint Terrorism Task Force 
(JTTF). Like the JRIC, the JTTF also serves as an excellent partnership 
with federal law enforcement agencies and provides the opportunity for 
extensive information sharing. The same impediments of the JRIC, 
however, apply to the local law enforcement agencies participating in 
the JTTF. The dissemination of critical intelligence is restricted due 
to its over-classification.

IV. The Consequences of Over-Classification of Intelligence
    After the 9/11 Commission issued its comprehensive report, 
America's local law enforcement community, consisting of over 700,000 
law enforcement officers, was reluctantly invited into the effort of 
countering the international terrorist threat. One part of the 
rationale was that neither the Central Intelligence Agency nor 
Department of Defense could conduct intelligence operations within the 
United States against American citizens. Moreover, the total number of 
FBI Special Agents assigned to protect over 18,000 cities, towns, and 
villages throughout the United States is slightly over 12,000. This 
number becomes less reassuring in the when one examines the number of 
agents needed to handle the FBI's other responsibilities including 
white-collar crime, organized crime, public corruption, financial 
crime, fraud against the government, bribery, copyright infringement, 
civil rights violations, bank robbery, extortion, kidnapping, 
espionage, interstate criminal activity, drug trafficking, and other 
serious violations of federal law.
    At the national level, local law enforcement was not deemed an 
important stopgap in the field of counter-terrorism particularly in the 
area of Islamic extremists. In addition, the significant role of local 
law enforcement in the fight against international terrorism was not 
viewed as significant. More than five years after the tragic events of 
September 11, local law enforcement involvement has still not been 
fully embraced because of the impediment of information sharing and the 
over-classification of intelligence.
    The result of including local law enforcement is that uniform 
police officers, bomb squads, and hazardous material teams now train 
together to address terrorist threats with the FBI, Department of 
Energy, Federal Emergency Management Agency, and the Department of 
Homeland Security, and train to respond to possible terrorist 
scenarios.
    Local law enforcement has had a long history in investigating 
individuals and groups while developing and handling human and 
electronic intelligence. No agency knows their landscape better than 
local law enforcement; it was designed and built to be the eyes and 
ears of communities. Over-classification, however, prevents a true 
partnership with federal agencies.
    An impediment for both federal and local agencies, for example, is 
that local FBI agents, cannot change the originating agency's 
classification level, and this problem is amplified when the response 
to the threat is time sensitive. Appropriate law enforcement response 
to substantial threats can be significantly impaired with minimal lead-
time, creating greater risk to the community, and impacting the ability 
for a ``First Preventer'' response. A local field agent, however, has 
the discretion to classify a case as ``secret.'' The criteria for this 
classification is ``secret shall be applied to information, the 
unauthorized disclosure of which reasonably could be expected to cause 
serious damage to the national security.'' Additionally, the standard 
used for ``secret'' for intelligence information is ``the revelation of 
significant intelligence operations.'' Many field agents may over-
classify their cases for fear of compromise. Unfortunately, this is a 
double edge sword because it stifles collaboration with local law 
enforcement.
    The burden to overcome is that the investigations push up against 
federal investigations, which in turn become classified. The result is 
the old adage of local law enforcement pushing information to federal 
agencies without getting anything back. The federal fix has been to 
brief the Chief of the executive staff of classified cases, but 
restricted the dissemination to their intelligence units (despite 
proper clearance levels of personnel). The result is to develop 
separate and likely redundant intelligence gathering operations. For 
example, New York was first in the country to disengage from relying on 
the federal agencies to protect their city, committing almost 1,200 
officers to counter-terrorism efforts. Currently, the association of 
Major Cities Chiefs of Police is campaigning in Congress to send police 
officers overseas to obtain information from their police counterparts 
rather than rely on our own federal agencies to share information.

V. Recommendation
    The declassification of information currently classified at the 
secret level would greatly improve the information-sharing environment 
and build upon the counter-terrorism capabilities of local law 
enforcement. Federal authorities should consider changing the criteria 
classification of terrorism-related intelligence to ``Law Enforcement 
Sensitive'' to enable the dissemination of information to critical 
personnel in the field. ``Top Secret'' should be an exceptional 
classification that requires extraordinary demonstration of need while 
``Secret'' should be a classification that requires more stringent 
demonstration of need than currently required.
    Local law enforcement already works in an environment with a 
``right and need to know'' and efforts made to declassify ``secret'' 
information to ``law enforcement sensitive'' would not only make for 
more effective and timely intelligence, but inspire true partnership, 
better collaboration, the building of more robust trust networks, and 
develop a richer picture with regard to community intelligence.

VI. Conclusion
    The United States faces a vicious, amorphous, and unfamiliar 
adversary on our land. Our previous defensive strategy to protect our 
cities was ineffective and our current strategy is fraught with issues. 
In Los Angeles, we cannot support any process that takes us closer to 
another failure. We have the mutual interest and are working in common 
direction to prevent acts of terrorism in the United States. The 
classification levels are based on fear: the probability of information 
being disseminated to those that can cause serious damage to national 
security. What this system is not designed to do is protect us against 
the threat itself. Local law enforcement has a culture and capacity 
that no federal agency enjoys; the know how and ability to engage a 
community and today it is a vital part of the equation. This is 
achieved by disseminating the information to people who stand the best 
chance of stopping violence against American cities: our first 
preventers in local law enforcement.

    Ms. Harman. Thank you very much.
    The chair now recognizes the chairman of the full 
committee, the gentleman from Mississippi, for 5 minutes of 
questions.
    Mr. Thompson. Thank you very much, Madam Chairman. I 
appreciate the opportunity.
    Chief Lanier, nice to see you again. You do us proud.
    Chief Lanier. Thank you.
    Mr. Thompson. Mr. Downing, New York City saw that they had 
a problem with cooperation and communication with respect to 
intelligence. So they created their own intelligence division 
to kind of address many of the items you shared with us today.
    What has the Los Angeles Police Department put together to 
address some of the issues that we are talking about today?
    Mr. Downing. We have our own intelligence section as well, 
probably 30 people dedicated to gathering intelligence within 
our major crimes division, which does not include the Joint 
Regional Intelligence Center.
    The Joint Regional Intelligence Center sits on top of seven 
counties that the L.A. FBI office is in charge of. We have 
approximately 44 people in that center, growing to 80. It is 
going to be a 7-day, 24-hour operation. It is an all crimes, 
all hazards approach to intelligence. However, with the minimal 
staffing right now, it is primarily terrorism. But that is how 
we deal with it.
    The FBI has established that as a top-secret level JRIC 
center. It is managed by the L.A. sheriffs, LAPD and the FBI, 
with the FBI as the functional lead in the center.
    Mr. Thompson. Thank you, and I will get back to the other 
part.
    Chief Lanier, do you believe that you are receiving all the 
information, or your department is receiving all the 
information necessary from federal government sources at this 
point?
    Chief Lanier. No, I am sure I am not.
    Mr. Thompson. And without pointing fingers, can you tell me 
who is good, who is not so good, who is deserving of being 
better? Because what we are trying to do with the hearings is 
trying to determine where we need to start to focus. For 
instance, I will give you a good example, our Capitol Police 
happen to use analog radios. Well, they can't talk to anybody 
but themselves, because everybody else is digital. And that is 
a problem. So if we can't talk to each other from an 
interoperability standpoint, I am wondering how much of the 
sharing of intelligence and other things.
    So if you could kind of give me your analysis of what you 
have found so far.
    Chief Lanier. I can walk that fine line there, sir.
    Mr. Thompson. All right.
    Chief Lanier. First of all, I always believe if I am going 
to criticize anybody for anything, we have to look at ourselves 
first. And I will say that local law enforcement needs to do a 
better job of clearly articulating what our intelligence needs 
are to the various intelligence agencies so they know what to 
give us.
    It took some pushing from me--fortunately, I had the 
support from Chief Ramsey--to go to the right people and the 
right agencies and say, ``This is what I need and why I need 
it.'' It is not enough to say, as a police chief, ``You are not 
giving me enough information; give me more.''
    If the other federal agency doesn't know what it is that I 
need, they are going to give me what they think I need. So I 
need to lay that out very clearly. So we are guilty as well.
    With that said, now I can throw other stones. I do think 
that the participation of the JTTF has increased the 
information-sharing flow with the FBI because there is a 
longstanding history there. The new players in the game, 
through the Department of Homeland Security, does not have that 
longstanding relationship and well-established conduit for 
information to flow clearly.
    And, I don't want to oversimplify this, but I think it is 
really, really important that in a lot of cases it boils down 
to the right people, in the right place, having an opportunity 
to sit down and have a dialogue. I would be happy to sit down 
with somebody in this classification issue and have them sit 
across the table from me, as a police chief in the nation's 
capital, and look me in the eyes and listen to what I have to 
say about what my needs are and then tell me why I shouldn't 
have that.
    Mr. Thompson. You do a good job.
    Chief Lanier. Thank you.
    Mr. Thompson. Thank you very much.
    I yield back, Madam Chair. Thank you.
    Ms. Harman. Thank you, Mr. Chairman.
    The chair now yields 5 minutes for questions to the ranking 
member, Mr. Reichert, from Washington.
    Mr. Reichert. This brings back memories to me.
    Ms. Harman. Nightmares.
    Mr. Reichert. Yes. Everything that you have each said I 
struggled with as the sheriff in Seattle. And the sharing of 
information between the federal agencies and local sheriff's 
office and the local Seattle Police Department and the other 38 
police departments in King County, every one of those chiefs 
would be saying exactly the same thing that both of the 
witnesses have said today.
    When you talk about information sharing, of course one of 
the things that we know is a necessity in these days is 
technology.
    Are either of you familiar with the LInX System?
    Chief Lanier. Yes.
    Mr. Reichert. Are you participants in that program or 
beginning to become involved in that program or where do you 
stand, each of you?
    Chief Lanier. We are not yet, but we are in the process of 
getting there. As you might have seen in some of my public 
testimony lately, technology is still a significant struggle 
for the Metropolitan Police Department. We are moving forward 
and bringing up our fusion center, so we are on our way, and we 
will be full participants in the LInX Program, so we are 
getting underway with that now.
    Mr. Reichert. Great.
    Mr. Downing. Yes. And we, as well, are beginning in that 
process. We have cops LInX, which connects the agencies within 
the different counties, and some of the counties that can't 
afford it are not participating but looking forward to the 
installation of LInX, which will also bring in the federal 
system.
    Mr. Reichert. Yes. Who is the lead on the LInX Systems in 
your areas?
    Mr. Downing. Chief Baca, Chief Bratton, Chief Corona, from 
Orange County.
    Mr. Reichert. Who from the federal government, do you know?
    Mr. Downing. Well, Steve Tidwell in the L.A. office is 
assisting us with that.
    Mr. Reichert. I just visited your fusion center a couple 
weeks ago.
    Chief?
    Chief Lanier. In Washington, D.C., it is being coordinated 
through the Council of Governments, the COG, which is regional.
    Mr. Reichert. How big is your department?
    Chief Lanier. We will be at 3,900 by the end of this year 
and probably 4,200 by the end of next year.
    Mr. Reichert. How many people are assigned to homeland 
security?
    Chief Lanier. You are going to get me in trouble with my 
local constituents, but I will tell you.
    [Laughter.]
    I have approximately 30 in the Office of Homeland Security 
and Counterterrorism, but I do have a Special Operations 
Division that is 225, 230 people, and I am about to merge those 
two units together so that every member of the Special 
Operations Division will now take part in that.
    Mr. Reichert. And other than UASI money, are you getting 
any federal assistance, grant monies to pay for those bodies?
    Chief Lanier. To pay for those bodies?
    Mr. Reichert. Yes.
    Chief Lanier. Now you are really going to get me in 
trouble.
    Mr. Reichert. I know the answer to that one, so go ahead.
    [Laughter.]
    Chief Lanier. There are a variety of grant funds under the 
homeland security program, LETPP, as you know, and the state 
funds as well, the UASI, but we struggle to get sometimes 
reimbursement for federal duties that involve dignitary 
protection and things----
    Mr. Reichert. You have some unfunded mandates.
    Chief Lanier. Yes.
    Mr. Reichert. Yes.
    Mr. Downing?
    Mr. Downing. Yes. Our department is 9,500. We have just 
under 300 assigned to the Counterterrorism Bureau, which is 
primarily the terrorist-related matters. We are one of the six 
tier one cities in UASI. This year's UASI allows us to get 25 
percent of the total grant toward personnel costs.
    Mr. Reichert. Okay. I have no further questions.
    I yield. Thank you.
    Ms. Harman. I thank the ranking member, and I have a few 
questions.
    First, I want to thank both witnesses for excellent 
testimony.
    Our goal in this session of Congress is to put ourselves in 
your shoes to think about what are the opportunities and 
frustrations of our local first preventers and how can we make 
the sharing of information with them and the tools that they 
need more effective? Because if you can't do your jobs well, we 
can't protect America. It is that simple.
    It is not all in Washington, D.C. I know that may come as a 
shock to a few folks, but it is not all here.
    And vertical information sharing has to be adequate, and 
horizontal information sharing at the local level has to be 
adequate too. And that is another issue that neither of you 
raised today but it is something that has been raised by prior 
witnesses.
    Both of you provided some useful information.
    I am quite horrified to think, Mr. Downing, that if the 
information about that cell in Torrance had had some 
international connection, we might have missed the whole thing.
    That gets my attention, because in a couple of weeks when 
we are in Torrance, California, congratulating the Torrance PD 
for excellent local police work, we are going to talk about how 
devastating could have been attacks by a homegrown terrorist 
cell living next door to some of my constituents had we not 
prevented them from doing anything. So I just want to observe 
that.
    And, Chief Lanier, you make a very good point when you say 
it is your obligation to make clear to federal agencies what 
you need and why you need it. I mean, that is a job you have, 
and you can't just assume they are going to figure it out. In 
fact, they are not going to figure it out. You have to be an 
advocate for your own needs.
    And it is in that connection that I want to ask this 
question. The chairman of the full committee has had a long and 
friendly conversation with Charles Allen of the Department of 
Homeland Security's Office of Intelligence and Analysis--we 
call it I&A--about the need for local participation either on 
the NCTC or connected to the NCTC. And some of us were dismayed 
to learn in a visit we made recently to the NCTC that the new 
agency about to be created, called the Interagency Threat 
Assessment and Coordination Group, the ITACG, might have on it 
one representative of law enforcement.
    In questions to Charlie Allen last week, he said, ``Well, 
maybe that will change to two or three.'' I clearly don't know 
how many members of the ITACG there will be, but I would just 
like to ask both of you, as consumers of necessary 
intelligence, what do you think about the idea of one person or 
maybe two or three participating in the NCTC process?
    Chief Lanier. Well, it is at least a start, but I will say 
this: Police departments around the country have very different 
needs based on the jurisdictions they serve as well as the 
capabilities that they have.
    So in the Metropolitan Police Department, a large city 
police department, I have a lot of capabilities that a small 
town police department may not have. But at the same token, 
that small town police department, or sheriff's department, may 
have some vulnerabilities and some other understandings that I 
don't have. So I think the representation needs to be fair and 
representative across the board.
    State agencies, state patrol, highway patrol officers have 
different skills and capabilities than transit police, than 
urban police, than university police. So there needs to be an 
adequate representation.
    Ms. Harman. Mr. Downing?
    Mr. Downing. I absolutely agree, and to take it even 
further, in coming back from the U.K., they have 17 people in 
17 different parts of the world, and they are growing to 21. 
And as New York, they have eight people in eight different 
parts of the world as well. We are interested in that as well, 
because we are not sure that the local perspective is being 
placed on foreign intelligence.
    Ms. Harman. I thank you for that, and I actually share that 
big time. I think that information sharing has to go 
horizontally and vertically and that your help in designing the 
products that you will use is absolutely indispensable. 
Otherwise, they may not be useful to you.
    It is your point, Chief Lanier, we have to be advocates for 
what we need and why we need it, so I think you should be 
sitting inside the room when our National Intelligence Fusion 
Center is developing products that you are supposed to use. And 
then I think our next problem is to make sure that the 
classification system gets revised so that you are in a 
position to use them.
    My time has expired. I don't want to abuse this 
opportunity. And I have spoken more than others.
    Let me just ask either of the members, starting with 
Chairman Thompson, whether you have any concluding remarks.
    The ranking member?
    Mr. Reichert. Thank you, Madam Chair.
    I just want to, again, thank you for being here and taking 
time out of your busy schedule to testify. And as we have 
learned today and previous hearings from this information, we 
have a lot of work to do, and we look forward to working with 
you to help make our country safer.
    Thank you all.
    Ms. Harman. The hearing is adjourned.
    [Whereupon, at 11:34 a.m., the subcommittee was adjourned.]


                      THE RESPONSE OF THE PROGRAM
                       MANAGER OF THE INFORMATION
                          SHARING ENVIRONMENT



                                PART II

                              ----------                              


                        Thursday, April 26, 2007

             U.S. House of Representatives,
                    Committee on Homeland Security,
    Subcommittee on Intelligence, Information Sharing, and 
                                 Terrorism Risk Assessment,
                                                    Washington, DC.
    The committee met, pursuant to call, at 10:05 a.m., in Room 
1539, Longworth House Office Building, Hon. Jane Harman 
[chairwoman of the committee] presiding.
    Present: Representatives Harman, Langevin, Thompson, 
Reichert, and Dent.
    Ms. Harman. [Presiding.] Good morning. The subcommittee 
will come to order.
    The subcommittee is meeting today to receive testimony on 
``The Over-Classification and Pseudo-Classification of 
Government Information: The Response of the Program Manager of 
the Information Sharing Environment.''
    We are here today because our classification system is 
broken and because pseudo-classifications are making effective 
information sharing nearly impossible.
    A few weeks ago, we heard from experts in these areas who 
described an expanding problem that is making securing the 
homeland harder. Last fall, the president appointed Ambassador 
Ted McNamara to take on the pseudo-classification issue, and 
the ambassador has worked a solution that the White House is 
reviewing.
    His proposed controlled unclassified information, CUI, 
framework holds a lot of promise, but no matter how good this 
solution might be, if federal agencies don't get on board, and 
fast, well-planned and well-meaning efforts will fail.
    I commend Ambassador McNamara, with whom I have met several 
times, for including state and local law enforcement officers 
in his process from the outset. The ambassador's working group 
welcomed law enforcement as part of the process from day one, 
as well they should have.
    Police and sheriff's officers are among the people who will 
be most affected by this new CUI framework. As all of us on the 
subcommittee have stated, we cannot have a successful fix to 
the pseudo-classification and other information sharing 
challenges unless all affected parties are involved in 
structuring the solution.
    I hope that DHS is listening. You should know, and I think 
you do, that this subcommittee is extremely concerned with the 
absence of numbers of state and local participants in the new 
ITACG that is being developed as an adjunct to the NCTC. We 
think that is a problem, and we are going to stay on that 
problem and hopefully change what is happening.
    So in this case, in addition to Ambassador McNamara and our 
DHS and FBI witnesses, we are joined this morning by Mark 
Zadra, the assistant commissioner of the Florida Department of 
Law Enforcement. Mr. Zadra will talk to us about the promise 
and potential pitfalls of the CUI framework from his state-
level perspective.
    I would note with sadness, however, that we are not joined 
today by Colonel Bart Johnson of the New York State Police, who 
had been invited as a witness and was originally scheduled to 
testify. Late yesterday, two of his officers were shot while 
attempting to apprehend a criminal suspect on Tuesday, and one, 
Trooper David Brinkerhoff, died from his injuries. Our 
condolences, and obviously the condolences of the entire 
Committee on Homeland Security, go to his family and his 
colleagues.
    And I ask unanimous consent to enter his prepared remarks 
into the record at this point. Hearing no objection, we will do 
so.
    [The statement of Colonel Johnson follows:]

                             For the Record

             Prepared statement of Colonel Bart R. Johnson

                             April 26, 2007

    Chairman Thompson, Ranking Member King, Chairwoman Harman, and 
Members of the Subcommittee, I sincerely appreciate the opportunity to 
appear before you today to discuss state and local law enforcement's 
involvement with standardizing procedures for sensitive but 
unclassified (SBU) information and related issues impacting local, 
state, and tribal law enforcement.
    I have served with the New York State Police for more than 24 
years, and I have over 30 years experience in law enforcement. 
Presently, I serve as the Deputy Superintendent in charge of Field 
Command. I oversee the Bureau of Criminal Investigation, the Uniform 
Force, the Office of Counter Terrorism, Intelligence, and the 
associated special details of these units. I also have the privilege to 
serve as the vice chair of the U.S. Department of Justice's (DOJ) 
Global Justice Information Sharing Initiative (Global) Advisory 
Committee, the chair of the Criminal Intelligence Coordinating Council 
(CICC) and of the Global Intelligence Working Group (GIWG). In these 
capacities, I have been fortunate to actively participate in 
discussions relating to intelligence reform, and I have provided 
significant input to the federal government regarding information 
sharing and intelligence.
    I expect that we would all agree that the current number of 
sensitive but unclassified (SBU) designations and the lack of 
consistent policies and procedures for unclassified information 
severely hinder law enforcement's ability to rapidly share information 
with the officials that need it to protect our country, its citizens, 
and visitors. Much progress has been made recently in addressing the 
classification issue by way of Guideline 3, and much of the headway is 
due to the leadership and efforts of Ambassador Thomas E. McNamara of 
the Office of the Program Manager for the Information Sharing 
Environment (ISE) and the other relevant federal agencies. I am 
gratified that I have also had the opportunity to contribute to this 
effort.
    For many years, law enforcement agencies throughout the country 
have been involved in the sharing of information with one another 
regarding investigations, crime reporting, trend analysis, and other 
types of information considered law enforcement sensitive. Oftentimes, 
these investigations involve public corruption, organized crime, 
narcotics, and weapons smuggling, and they frequently involve the use 
of undercover operations, confidential sources, and lawful covert 
electronic surveillance. State, local, and tribal law enforcement 
agencies do not have the ability to classify their material, and we 
must be assured that strict control is used when handling and 
distributing this type of data to ensure that the information and 
investigation are not compromised and that we do not sustain a loss of 
a life. Also, since September 11, 2001, law enforcement agencies 
nationwide are more fully involved in the prevention, mitigation, and 
deterrence of terrorism, and consequently, they receive more 
information and intelligence from their federal counterparts.
    Moreover, many law enforcement agencies generate their own 
information and intelligence (much of which is collected in a sensitive 
manner) that is passed to other law enforcement agencies for their 
possible action. Law enforcement agencies have also begun to share 
information with new stakeholders in the fight against terrorism. They 
now routinely share information with non-law enforcement government 
agencies and members of the private sector in order to assist in 
prevention efforts. This activity has altered the information sharing 
paradigm.
    Another issue that exists within the current environment is the 
apparent ``over-classification'' of material. Over-classifying data 
results in information and intelligence not being sent to the law 
enforcement professionals on the front lines of the fight against 
terrorism in this country--the officers, troopers, and deputies in the 
field. It still appears to be a difficult process for the federal 
intelligence community to develop ``tear-line'' reports that can be 
passed to law enforcement so that the intelligence can be 
operationalized in an effective and proactive manner.Up until a short 
time ago, there was a lack of a coherent, standardized process for 
marking and handling SBU data. Lack of consistency in markings led to 
confusion and frustration among local, state, tribal, and federal 
government officials and also a lack of confidence in knowing that the 
information that was shared was handled in an appropriate and secure 
manner. Recent studies by the Government Accountability Office, the 
Congressional Research Service, and other institutions have confirmed 
and highlighted the problems created by the various markings and the 
lack of common definitions for these designations. These studies 
revealed that there are over 120 different designations being used to 
mark unclassified information so that agencies can ``protect'' their 
information. These pseudo-classifications did not have any procedures 
in place outlining issues such as who can mark the material; the 
standards used to mark the material; who can receive the information; 
how the information should be shared, who it could be shared with, and 
how it should be stored; and what impact, if any, these markings have 
on the Freedom of Information Act.
    As a result of several key federal terrorism-related information 
sharing authorities, such as the Intelligence Reform and Terrorism 
Prevention Act of 2004, Executive Order 13388, and the December 2005 
Memorandum from the President regarding Guidelines and Requirements in 
Support of the Information Sharing Environment, specifically Guideline 
3, much work has been undertaken to bring about intelligence reform in 
this country. Local, state, and tribal law enforcement have been and 
continue to be active and collaborative participants in this 
undertaking.
    As a representative of the New York State Intelligence Center 
(NYSIC) \1\ and DOJ's Global Initiative, I have participated in a 
number of efforts to implement the guidelines and requirements that 
will support the ISE. Recognizing the need to develop a process for 
standardizing the SBU process, the CICC and GIWG commissioned a task 
team in May 2006 to develop recommendations that would aid local, 
state, and tribal law enforcement agencies in fully participating in 
the nationwide information sharing environment. This work was done with 
the Federal Bureau of Investigation, the U.S. Department of Homeland 
Security, the Office of the Program Manager for the Information Sharing 
Environment, and other law enforcement entities. The recommendations 
made by that team were provided to an interagency SBU working group. 
Subsequently, I participated on the SBU Coordinating Committee (CC) 
that was established to continue the Guideline 3 implementation efforts 
begun by the interagency group.
---------------------------------------------------------------------------
    \1\Formerly known as the Upstate New York Regional Intelligence 
Center (UNYRIC).
---------------------------------------------------------------------------
    As you know, the SBU CC recommendations are currently under review 
and awaiting ultimate Presidential approval. The CC recommends adoption 
of a new Controlled Unclassified Information (CUI) Regime that is 
designed to standardize SBU procedures for information in the ISE. The 
recommendations include requiring controls on the handling and 
dissemination of SBU information. By and large, I believe local, state, 
and tribal agencies will support the new CUI Framework because they 
want to be active participants in the ISE and are supportive of clear 
and easily understandable protocols for sharing sensitive information.
    Local, state, and tribal agencies want to be able to receive 
terrorism, homeland security, and law enforcement information from the 
federal government and clearly understand, based on the markings on the 
data, how the data should be handled and stored and to whom the 
information can be released. The data should be disseminated as broadly 
as possible to those with a need to know, including non-law enforcement 
public safety partners, public health officials, and private sector 
entities. Conversely, local, state, and tribal entities are frequently 
the first to encounter terrorist threats and precursor criminal 
information, and the new CUI markings will assist with sharing that 
type of information both vertically and horizontally while respecting 
originator authority.
    A number of critical issues must be addressed at the local, state, 
tribal and federal levels in order to facilitate a successful CUI 
Regime implementation, including training, policy and procedural 
changes, system modifications and enhancements, and funding to 
implement these recommendations.
    Emphasis must be placed on the development and delivery of training 
to local, state, tribal, and federal personnel on the CUI Framework. 
Because of the possibility of wide distribution of sensitive 
information, it is imperative that training be given a priority so 
recipients have a clear understanding of marking and handling 
procedures. In order to maximize the effectiveness of the training and 
reach the appropriate recipients at the local, state, and tribal 
levels, I recommend that it be provided on a regional basis across the 
country to personnel in the designated statewide fusion centers. 
Focusing on fusion center officials in the initial delivery phase 
directly supports the national information sharing framework that calls 
for the incorporation into the ISE of a national network of state and 
major urban area fusion centers.
    In support of the ISE, state and major urban area fusion centers 
will be contributing information to ongoing federal and national-level 
assessments of terrorist risks; completing statewide, regional, or 
site-specific and topical risk assessments; disseminating federally 
generated alerts, warnings, and notifications regarding time-sensitive 
threats, situational awareness reports, and analytical products; and 
supporting efforts to gather, process, analyze, and disseminate locally 
generated information such as suspicious incident reports. Over 40 
states currently have operational fusion centers, and it is critically 
important that center personnel receive timely, relevant training to 
enable them to fully function in the national ISE.
    Training will provide insight and an understanding of how the CUI 
handling and disseminating requirements affect business processes. This 
will cause agencies to execute policy and procedural changes and system 
modifications. There are potentially over 18,000 local, state, and 
tribal law enforcement agencies in our country that could be impacted 
by the implementation of the CUI Framework. I believe that the federal 
government--working collaboratively with local, state, and tribal 
authorities--should develop model policies and standards to aid in the 
transition to the Framework. Funding issues will be a major factor for 
local agencies, especially in regard to modifying/enhancing information 
technologies and applying encryption requirements to ensure proper 
transmission, storage, and destruction of controlled information.
    It will be through these ongoing collaborative efforts regarding 
Guideline 3 that the ISE will take another step towards being the 
meaningful and cooperative sharing environment that it was intended to 
be. These actions will result in the maturation of information sharing 
among state, local, and tribal agencies; private entities; and their 
federal counterparts, which will in turn assist in our collective 
efforts to prevent another terrorist attack and reduce violent crime. 
Our goal should be to share as a rule and withhold by exception, 
according to rules and policies that protect the privacy and civil 
rights of all.
    Being involved in the CUI Framework development process has been a 
rewarding and sometimes arduous experience. It is a process that I and 
the entire state, local, and tribal law enforcement community take very 
seriously. It is very encouraging to me that the Office of the Program 
Manager and other relevant partner federal agencies have made great 
strides in recognizing the value that local, state, and tribal 
officials bring to the table. We want to remain active, ongoing 
partners and participants with the federal government as we work 
towards a national information sharing environment.
    Mr. Chairman, I thank you and your colleagues for giving me the 
opportunity to speak to you today, and I hope my comments have been of 
some use to you in your deliberations.

    Ms. Harman. But I would also note that our police, sheriffs 
and firefighters are our front lines. They take all the risks 
to keep our country safe, and on behalf of a grateful nation, 
we send, again, our condolences and appreciation to the New 
York State Police.
    Today, we will also focus on how best to support the CUI 
framework at the federal level. That is why DHS and FBI are 
testifying. Last month, we learned that every agency in the 
federal government has invented pseudo-classifications for 
their particular brand of information. The increasing number of 
these markings has led to tremendous confusion.
    Obviously, that proliferation is a problem, and our goal 
here is to find out whether Ambassador McNamara's new framework 
is one that will be embraced, as it should be, by those federal 
agencies that are in the same line of work. If we can't get it 
right at the federal level, we can't expect state and local 
entities to do any better. We are late in this process, and we 
can and should move faster.
    I hope this hearing will help us figure out how to move 
from a good proposal to a good adopted strategy across the 
federal government and with our state and local partners.
    I would like to, again, extend a warm welcome to our 
witnesses who will be talking about these issues, and I look 
forward to your testimony.
    I now yield time for opening remarks to the ranking member, 
Sheriff Reichert.
    Mr. Reichert. Thank you, Madam Chair. I like that 
``sheriff'' title. Thank you for using that.
    I, first of all, apologize. My voice is a little hoarse 
this morning. I am experiencing some effect from the oak 
pollen, I think, that is flying around out here. I am not used 
to that back in Seattle.
    Second, let me also share my condolences with the New York 
State Police. I have experienced the loss of heartbreak myself 
in my 33-year career, and that is a tough one to take.
    Also, Ambassador, I would like to thank you for your 
briefing earlier this week. It was very helpful, and thank you 
again for being here today to share your thoughts on your new 
ideas and plans.
    I also want to say that I certainly recognize the 
difficulty that all three of you have in bringing the nation's 
state and local and federal agencies together to share 
information. Just on the local level, in the Seattle region, I 
know how tough that can be. So your job is going to be very 
tough, as we all recognize, but we certainly want to be a part 
of the solution with you.
    So today we meet on a topic of pseudo-classification, which 
is the use of document controls that protect sensitive but 
unclassified information. This is the second hearing in a 
series on the problems of over-classification and pseudo-
classification and information sharing.
    I believe it is essential that sensitive information be 
able to flow to those that need it, and I shared a story the 
other day with the ambassador, my own personal experience 
within the sheriff's office, people holding and withholding 
information and other police departments not wanting to share 
the information and therefore resulting in maybe a case not 
being resolved or solved or being solved much later than it 
could have.
    Information needs to flow in a trusted information sharing 
environment. The people who share sensitive information need to 
be able to trust that different federal agencies, as well as 
different states and localities, will treat their information 
with respect and protect sensitive information.
    Currently, there is no trusted information sharing 
environment for sensitive, unclassified information. There are 
currently over 107 unique markings for sensitive information 
and over 130 different labeling or handling processes, as we 
talked about the other day. This disparity creates confusion 
and leads to information not being properly protected. If a 
federal agency can't trust that sensitive, unclassified 
information will be protected, it will simply classify the 
document as secret or above, severely restricting access.
    If a private-sector entity or state/local agency does not 
believe its information will be protected properly, it simply 
will not share that, and I have experienced that myself. So 
without trust, the information sharing environment breaks down.
    Creating a trusted environment is essential to the work of 
the program manager. Cleaning up a messy system of sensitive 
but unclassified designations is essential to creating that 
trust.
    We are looking forward to the program manager's testimony 
as well as the testimony of our DHS and FBI witnesses who will 
be able to discuss how these policies are progressing and how 
we can ensure the information sharing is a success.
    From the second panel, hopefully, we will hear from state 
law enforcement. We have had a role in the process. The state 
and local perspective is essential, because without the state 
and local buy-in, as I said, collaboration will lead to not 
sharing information.
    We appreciate your testimony and your time this morning, 
and thank you again for being here.
    With that, I yield the balance of my time.
    Ms. Harman. The gentleman's time has expired.
    The chair now recognizes the chairman of the full 
committee, the gentleman from Mississippi, Mr. Thompson, for an 
opening statement.
    Mr. Thompson. Thank you very much, Madam Chair, and I join 
you in welcoming our distinguished witnesses today to this 
important hearing on the work being done by Ambassador 
McNamara.
    I also join you and our ranking members and others in 
expressing our heartfelt sympathies to the New York State 
Police in the loss of their officer. Any front-line person puts 
his or her life on the line every day, and, unfortunately, 
sometimes these things happen. And that is why what we and is 
so important every day and what so many others do.
    But from information sharing, I think Representative 
Reichert spoke volumes when he said it is important to have 
information available in real-time. I was in local government 
before coming to Congress and I remember when agencies bragged 
about knowing something, and when other folks found out about 
it weeks and months later, they would say, ``Well, we knew 
about that all the time.''
    To me, it is a no-brainer not to share the information if 
we are supposedly all looking for the bad guys--or gals, in 
some instances.
    Ms. Harman. You had it right the first time, Mr. Chairman.
    [Laughter.]
    Mr. Thompson. But the notion is we absolutely need to do 
it, but we are concerned that sometimes government over-
classifies information so that it can't get out into the field.
    And, Ambassador, I know you have a tough challenge ahead of 
you. We talked a little bit about it before the hearing, and I 
am looking for this new framework. I want the commitment to be 
there, to carry it forward. I would not like to see it become 
another in a long line of acronyms that get put on the shelf 
never to be taken off. So I look forward to your testimony, and 
I look forward to pushing forward the new ideas.
    The comfort zone, as all of us know, is we have always done 
it this way, but that doesn't necessarily mean that it is 
correct. And these are different times, different challenges 
and it calls for broader strategies.
    So I look forward to the testimony and the questions to 
follow.
    And I yield back.
    Ms. Harman. The gentleman's time has expired.
    And I would just observe, the comfort zone ended on 9/11. 
There is no comfort zone anymore. I am looking at a press clip 
today in the New York Times, which says, ``British anti-
terrorism chief warns of more severe al-Qa'ida attacks.'' These 
are in Britain, but obviously we can imagine this here.
    So in that spirit, I would hope that what we are talking 
about never hits a shelf. That should not even be an option. We 
have to change the way we do business.
    I welcome our first panel of witnesses.
    Our first witness, Ambassador Ted McNamara, is the program 
manager of the Information Sharing Environment, a position 
established by the Intelligence Reform and Terrorism Prevention 
Act of 2004, a statute I am very familiar with.
    Ambassador McNamara is a career diplomat who originally 
retired from government service in 1998, after which he spent 3 
years as president and CEO of the Americas Society and Council 
of the Americas in New York. Following the September 11 
attacks, he was asked to return to government service as the 
senior advisor for counterterrorism and homeland security at 
the Department of State.
    Our second witness, Dr. Carter Morris, is currently 
director of information sharing and knowledge management for 
the Office of Intelligence and Analysis at the Department of 
Homeland Security. That is a mouthful. That can't even be one 
business card.
    He is a detailee to DHS from the Directorate of Science and 
Technology at CIA. Most recently, Dr. Morris served as the 
deputy assistant director of Central Intelligence for 
Collection where he helped coordinate all intelligence 
community collection activities.
    Thank you for that service.
    Our third witness, Wayne Murphy, is currently an assistant 
director at the FBI. He joined the bureau with more than 22 
years of service at the National Security Agency in a variety 
of analytic, staff and leadership positions. The bulk of his 
career assignments have involved direct responsibility for 
SIGINT analysis--that is signals intelligence analysis and 
reporting--encompassing a broad range of targets.
    Without objection, the witnesses' full statements will be 
inserted in the record, and I would ask each witness to 
summarize your statements.
    I think this time clock is visible to you, or I think it 
can be, or there is a time clock that is visible to you. And we 
will get right into questions following your testimony.
    Thank you.
    We recognize you first, Dr. Morris. Dr. Morris, we are 
recognizing you first. I am not sure why we are doing that, but 
that is what we are doing.
    Mr. Morris. Didn't realize I was going to go first, but I 
will be very happy to do that.
    Ms. Harman. Dr. Morris, you are relieved of going first.
    [Laughter.]
    Mr. Morris. Thank you.
    Ms. Harman. Because this chair, who must be visually 
impaired, skipped the top of the statement.
    Ambassador McNamara, you are recognized first. I think that 
does make more sense, because you are going to present the 
information, and then we will follow on with two people who 
will comment on it, which seems obvious. I apologize for the 
confusion.

 STATEMENT OF AMBASSADOR THOMAS E. McNAMARA, PROGRAM MANAGER, 
  INFORMATION SHARING ENVIRONMENT, OFFICE OF THE DIRECTOR OF 
                     NATIONAL INTELLIGENCE

    Mr. McNamara. Thank you very much, Madam Chair.
    Chairman Thompson, Madam Chairman Harman, Ranking Member 
Reichert and members of the subcommittee, it is a great 
pleasure to be here with my colleagues today. And I want to 
thank you for the continued focus and priority for building an 
effective information sharing environment that you and the 
committee have shown over the course of many months.
    I hope to especially discuss with you all work on the 
presidential priority to standardized sensitive but 
unclassified information.
    Our current efforts to provide the president 
recommendations for standardizing SBU procedures, sensitive but 
unclassified, have been successful because of the strong 
interagency commitment that we have found. I want to note that 
Wayne Murphy, who is a member of the SBU Coordinating Committee 
with me, has been a part of this process since the very 
beginning and, with his colleagues in the Department of Justice 
and the FBI, have been instrumental in bringing the state, 
local and private sector perspectives and concerns to the 
table.
    I also was hoping to thank Colonel Bart Johnson were he 
here today, but I will thank him in his absence. He is the 
chair of the Criminal Intelligence Coordinating Council of 
Global Justice Information Sharing Initiative. He has been 
giving so much of his time and expert advice to our group, and 
I join the committee in offering our condolences to the family 
of the slain officer and to Colonel Johnson and his colleagues.
    I have a personal sense of this loss. My son is a law 
enforcement officer and has been in a situation that occurred 
in the last 24 hours himself.
    Also, I would like to thank assistant commissioner for the 
Florida Department of Law Enforcement, Mark Zadra, who is here 
today, who was our host at the very first national conference 
on fusion centers, which was held earlier this year in Florida. 
It was an excellent, very astonishing, in some respects, 
conference. Over 600 people came to that conference. They 
closed the rolls for the conference about 3 or 4 weeks before 
the conference began.
    When I showed up in this job a year ago, if someone had 
told me in a year that that would happen, I would have said, 
``Well, you people are just overly optimistic.'' And I think 
that shows how far things have gone over the course of the last 
few years.
    Finally, I want to note that the Department of Justice and 
Department of Homeland Security were leaders in the initial 
effort to research this issue on SBU and to collect the 
information on which my committee has been working these last 6 
months.
    The lack of government-wide standards for SBU information 
is well known. More difficult has been charting a feasible way 
ahead to create such standards as part of a single regime. Over 
the years, because SBU is not considered a matter of national 
security concern, there has been no single control framework 
that enables the rapid and routine flow of this type of 
information.
    Throughout the Cold War, executive branch agencies and 
Congress responded in a piecemeal fashion, an uncoordinated 
way, to protecting SBU. It was left to each agency to decide on 
its control regime.
    For example, there are close to 107 unique markings and 
more than 131 different labeling or handling processes and 
procedures for SBU information. These markings and handling 
processes stem from about 280 statutory provisions and 
approximately 150 regulations.
    Protecting information and sharing information are critical 
and interdependent functions for the information sharing 
environment. Simply stated, sensitive information will not be 
shared unless participants have confidence in the framework 
protecting that information.
    Standardizing SBU procedures is a difficult endeavor made 
more complicated by the complex information management policies 
and practices which the government now has. Correcting these 
defects is especially important because some categories of SBU 
truly require controls as strong as those for national security 
information.
    There are sound reasons in law and policy to protect those 
categories from public release, both to safeguard the civil 
liberties and legal rights of U.S. citizens and to deny the 
information advantage to those who would threaten the security 
or the public order of the nation.
    Appropriately protecting law enforcement and homeland 
security related sources and methods, for example, are just as 
valuable to our nation as protecting our intelligence sources 
and methods. The global nature of the threat our nation faces 
today requires that our entire network of defenders be able to 
share information more rapidly and confidently so that those 
who much act have the information they need to act.
    This lack of a single rational standardized and simplified 
SBU framework is a major cause of improper handling. It 
heightens risk aversion and undermines the confidence in 
control mechanisms. These problems are endemic within the 
federal government between federal and non-federal agencies and 
with the private sector. This is a national concern because the 
terrorist threat to the nation requires that many communities 
of interest, at different levels of government, share 
information.
    Ms. Harman. Ambassador McNamara, let me suggest that you 
just describe the new system, and we can get into the arguments 
for it and so forth in the question period, because your 5 
minutes has expired.
    Mr. McNamara. Okay. I will then move to saying that I think 
this new system will enhance our ability to share vital 
information at the state, federal, local, tribal and private 
sector entities and also with our foreign partners.
    There are three major elements to the standardized SBU 
system that I am proposing. First, is the CU designation. The 
committee has decided that a clean break with the current SBU 
system would begin by calling it, controlled, unclassified 
information, CUI, thus eliminating the old term of SBU and any 
residual or legacy controls and habits that have grown up.
    Secondly, CUI markings, there will be a CUI framework 
recommended that also contains mandatory policy and standards 
for making safeguarding and dissemination of all CUI originated 
at the federal government level and shared in the ISE 
regardless of the medium used for its display, storage or 
transmittal. This framework includes a very limited marking 
schema that addresses both safeguarding and dissemination.
    Thirdly, there will be CUI governance recommended. A 
central management and oversight authority in the form of an 
executive agent and an advisory council would govern the new 
CUI framework and oversee its implementation. This CUI 
framework is one of the essential elements among many elements 
that make up the ISE.
    And since my time is short and over, I guess, I will say 
that I would like to close by saying how helpful and important 
it is to the work that I am doing for the Congress to focus on 
this matter, as this committee and subcommittee has done. This 
is a high-priority matter creating the ISE and in particular it 
is important that the amount and quality of the collaboration 
on implementing these reforms be noted and enhanced so that we 
can strengthen our counterterrorism mission at all levels of 
government.
    Thank you.
    [The statement of Mr. McNamara follows:]

           Prepared Statement of Abassador Thomas E. McNamara



I. Introduction
    Chairwoman Harman, Ranking Member Reichert, and Members of the 
subcommittee: I am pleased to be here with my colleagues and want to 
thank you for your continued focus and priority to building an 
effective Information Sharing Environment (ISE).
    As you and the Committee address classification of information 
issues, I would like to update you on a Presidential priority to 
standardize procedures for Sensitive But Unclassified (SBU) 
information. This is a priority because if we do not have a manageable 
SBU framework, we will not have an effective ISE.
    Information vital to success in our protracted conflict with 
terrorism does not come marked ``terrorism information''; it can and 
does come from many sources, including from unclassified information 
sources. Yet we lack a national unclassified control framework that 
enables the rapid and routine flow of information across Federal 
agencies and to and from our partners in the State, local, tribal and 
private sectors. This is especially important because some categories 
of unclassified information require controls as strong as those for 
national security information. There are sound reasons to protect those 
categories from public release, both to safeguard the civil liberties 
and legal rights of U.S. citizens, and to deny the information 
advantage to those who threaten the security or public order of the 
nation.
    This lack of a single, rational, standardized, and simplified SBU 
framework is a major cause of improper handling. It heightens risk 
aversion and undermines confidence in the control mechanisms. This 
leads to both improper handling and unwillingness to share information. 
These problems are endemic within the Federal government, between 
Federal and non-Federal agencies and with the private sector. This is a 
national concern because the terrorist threat to the nation requires 
that many communities of interest, at different levels of government, 
share information. They must share because they have each have 
important responsibilities in countering terrorism. The problem exists 
at all levels--Federal, State, local, tribal, and the private sector. 
All have cultures that are traditionally cautious to sharing their 
sensitive information, but this must be addressed if we are to properly 
and effectively share sensitive but unclassified information. Only when 
the Federal government provides credible assurance that it can protect 
sensitive data from unauthorized disclosure through standardized 
safeguards and dissemination controls will we instill confidence that 
sensitive information will be appropriately shared, handled, 
safeguarded, and protected, and thus make sharing part of the culture.

II. The Current SBU Environment
    Let me note at the outset that I will focus here on 
``unclassified'' information. Classified information is, by law and 
regulation, controlled separately in a single system that was 
established early in the Cold War years. The classification regime, 
currently governed by Executive Order 12958, as amended, applies to 
``national security information,'' which includes intelligence, 
defense, and foreign policy information. Other information, which 
legitimately needs to be controlled, is controlled by agency-specific 
regimes. Collectively, these regimes address information referred to as 
Sensitive But Unclassified (SBU) information. SBU information has grown 
haphazardly over the decades in response to real security requirements, 
but this information cannot be encompassed in the subject-specific 
classified control regime. The result is a collection of control 
mechanisms, in which most participants have confidence only when 
information is shared within an agency--and sometimes not even then.
    Let me give you some understanding of how complex SBU is: Among the 
20 departments and agencies we have surveyed, there are at least 107 
unique markings and more than 131 different labeling or handling 
processes and procedures for SBU information. Even when SBU information 
carries the same label marking (e.g. For Official Use Only), storage 
and dissemination are inconsistent across Federal agencies and 
departments. Because such markings are agency-specific, recipients of 
SBU information in a different agency must understand the processes and 
procedures of the originating Federal agency for handling the 
information, even if their agency uses the same marking. The result is 
an unmanageable collection of policies that leave both the producers 
and users of SBU information unable to know how a piece of information 
will be controlled as it moves through the Federal government and 
therefore reducing information sharing.
    I would like to highlight just two examples to convey the confusion 
created by the current SBU processes:
    The first example is a single marking that is applied to different 
types of information. Four agencies (DHS, DOT, USDA and EPA) use 
``SSI'' to mean ``Sensitive Security Information.'' However, EPA has 
also reported the use of ``SSI'' to mean ``Source Selection 
Information'' (i.e. acquisition data). These types of information are 
completely different and have vastly different safeguarding and 
dissemination requirements, but still carry the same SBU marking 
acronym. In the same way, HHS and DOE use ``ECI'' to designate ``Export 
Controlled Information,'' while the EPA uses ``ECI'' to mean 
``Enforcement Confidential Information.'' ``Export Controlled 
Information'' and ``Enforcement Confidential Information'' are clearly 
not related, and in each case, very different safeguarding and 
dissemination controls are applied to the information The second 
example is of a single marking for the same information, but with no 
uniformity in control. Ten agencies use the marking ``LES'' or ``Law 
Enforcement Sensitive.'' However, the term is not formally defined by 
most agencies nor are there any common rules to determine who can have 
access to ``law enforcement information.'' Therefore, each agency 
decides by itself to whom it will disseminate such information. Thus, 
an individual can have access to the information in one agency but be 
denied access to the same information in another. Further confusing the 
situation, SBU markings do not usually indicate the originating entity. 
As a result, even if a recipient had access to all the different 
control policies for each agency, he or she could probably not 
determine what rules apply because the recipient usually does not know 
which agency marked the document.
    Protecting the sharing of information is a critical and 
interdependent function for the ISE. Simply stated, sensitive 
information will not be shared unless participants have confidence in 
the framework controlling the information. Standardizing SBU procedures 
is a difficult endeavor, made more complicated by the complex 
information management policies.

III. Unclassified Information Framework Imperative
    Producers and holders of unclassified information which 
legitimately needs to be controlled must have a common framework for 
protecting the rights of all Americans. In the classified arena, we 
deal with information that will, mainly, be withheld from broad 
release. In the unclassified arena, we deal with information that is 
mainly shareable, except where statute and policy require restrictions. 
Agencies must often balance the need to share sensitive information, 
including terrorism-related information, with the need to protect it 
from widespread access.
    A new approach is required. Existing practices and conventions have 
resulted in a body of policies that confuse both the producers and 
users of information, ultimately impeding the proper flow of 
information. Moreover, multiple practices and policies continue to be 
developed absent national standards. This lack of standards often 
results in information being shared inappropriately or not shared when 
it should be. In December 2005, the National Industrial Security 
Program Policy Advisory Committee, described the consequences of 
continuing these practices without national standards in the following 
manner ``. . .the rapid growth, proliferation and inclusion of SBU into 
classified contract requirements without set national standards have 
resulted in pseudo-security programs that do not produce any meaningful 
benefit to the nation as a whole.'' Clearly this situation is 
unacceptable.

IV. A Presidential Priority
    The lack of government-wide standards for SBU information is well-
known. More difficult has been charting a reasonable way ahead to 
create such standards. This is an enormously complex task that requires 
a careful balance between upholding the statutory responsibilities and 
authorities of individual departments and agencies, and facilitating 
the flow of information among them--all the while protecting privacy 
and civil rights. We were successful in creating such a regime for 
classified national security information by setting national standards 
and requiring that they be executed uniformly across the Federal 
government. In addition, we established a permanent governance 
structure for managing the classified information regime. A similar 
approach is necessary to establish an unclassified information regime, 
with standards governing controlled unclassified information.
    As required by the Intelligence Reform and Terrorism Prevention Act 
of 2004, on December 16, 2005, the President issued a Memorandum to the 
Heads of Executive Departments and Agencies on the Guidelines and 
Requirements in Support of the Information Sharing Environment, which 
specified tasks, deadlines, and assignments necessary to further the 
ISE's development. Guideline 3, of his Memorandum, specifically 
instructed that to promote the sharing of, ``. . .Sensitive But 
Unclassified (SBU) information, including homeland security 
information, law enforcement information, and terrorism information,\1\ 
procedures and standards for designating, marking, and handling SBU 
information (collectively ``SBU procedures'') must be standardized 
across the Federal government. SBU procedures must promote appropriate 
and consistent safeguarding of the information and must be 
appropriately shared with, and accommodate and reflect the imperative 
for timely and accurate dissemination of terrorism information to, 
State; local, and tribal governments, law enforcement agencies, and 
private sector entities.''
---------------------------------------------------------------------------
    \1\ Pursuant to the ISE Implementation Plan, and consistent with 
Presidential Guidelines 2 and 3, the ISE will facilitate the sharing of 
``terrorism information,'' as defined in IRTPA section 1016(a)(4), as 
well as the following categories of information to the extent that they 
do not otherwise constitute ``terrorism information'': (1) homeland 
security information as defined in Section 892(f)(1) of the Homeland 
Security Act of 2002 (6 U.S.C. Sec. 482(f)(1)); and (2) law enforcement 
information relating to terrorism or the security of our homeland. Such 
additional information includes intelligence information.
---------------------------------------------------------------------------
    An interagency SBU Working Group, co-chaired by the Departments of 
Homeland Security (DHS) and Justice (DOJ), undertook an intensive study 
and developed several draft recommendations for a standardized approach 
to the management of SBU. Its work provided a solid foundation for 
completing the recommendations. It was determined, however, that 
additional work was necessary to fully meet the requirements of 
Guideline 3.
    Recommendations for Presidential Guideline 3 are coming close to 
completion in a SBU Coordination Committee (SBU CC), chaired by the 
Program Manager, Information Sharing Environment (PM-ISE), with 
Homeland Security Council oversight. The SBU CC began work in October 
2006 with the participation of the Departments of State, Defense, 
Transportation, Energy, Justice, and Homeland Security; the Federal 
Bureau of Investigation; the Office of the Director of National 
Intelligence; the National Security Council; and the Office of 
Management and Budget. The committee actively consults with 
representatives from other departments and agencies, the National 
Archives and Records Administration (NARA), the Information Security 
Oversight Office, the Controlled Access Program Coordination Office, 
the Information Sharing Council, the Global Justice Information Sharing 
Initiative, State, local, and tribal partners, and several private 
sector groups.
    The efforts of the SBU CC have focused on developing an SBU control 
framework that is rational, standardized, and simplified, and as such, 
facilitates the creation of an ISE that supports the individual 
missions of departments and agencies and enhances our ability to share 
vital terrorism information among Federal, State, local, tribal, and 
private sector entities, and foreign partners.
     Rationalization means establishing a framework based on a 
set of principles and procedures that are easily understood by all 
users. This should help build confidence among users and the American 
public that information is being shared and protected in a way that 
properly controls information that should be controlled, and protects 
the privacy and other legal rights of Americans.
     Rationalization means structuring a framework in which all 
participants are governed by the same definitions and procedures and 
that these are uniformly applied by all users. The objective is to end 
uncertainty and confusion about how others using the framework will 
handle and disseminate SBU information. Standardization helps achieve 
the ISE mandated by Congress: ``a trusted partnership between all 
levels of government.''
     Simplification means operating a framework that has 
adequate, but carefully limited, numbers and types of markings, 
safeguards, and dissemination of SBU information. Such a simplified 
framework should facilitate Federal, State, and local government 
sharing across jurisdictions; facilitate training users; and reduce 
mistakes and confusion.

V. The Controlled Unclassified Information (CUI) Framework
    I must reiterate that interagency discussions of a proposed 
detailed framework are still underway. Furthermore, no recommendation 
will become final unless and until it is approved by the President. Of 
course, the ability to implement any reform will depend upon the 
availability of appropriations. With respect to the present proposal, 
however there is general agreement that the SBU framework should 
include the following 6 main elements:
        1. CUI Designation: To ensure a clean break with past 
        practices, the Framework would change the descriptor for this 
        information to ``Controlled Unclassified Information'' (CUI)_
        thus eliminating the old term ``SBU.'' Participants would use 
        only approved, published markings and controls, and these would 
        be mandatory for all CUI information. All other markings and 
        controls would be phased out.
        2. CUI Mmarkings: The CUI Framework also contains mandatory 
        policies and standards for marking, safeguarding and 
        dissemination of all CUI originated by the Federal government 
        and shared within the ISE, regardless of the medium used for 
        its display, storage, or transmittal. This Framework includes a 
        very limited marking schema that addresses both safeguarding 
        and dissemination. It also provides reasonable safeguarding 
        measures for all CUI, with the purpose of reducing the risk of 
        unauthorized or inadvertent disclosure and dissemination levels 
        that with the purpose of facilitating the sharing of CUI for 
        the execution of a lawful Federal mission or purpose.
        3. CUI Executive Agent: A central management and oversight 
        authority in the form of an Executive Agent would govern the 
        new CUI Framework and oversee its implementation.
        4. CUI Council: Federal departments and agencies would advise 
        the Executive Agent through a CUI Council composed of senior 
        agency officials. The Council will also create mechanisms to 
        solicit State, local, tribal, and private-sector partner input.
        5. Role of Departments and Agencies: The head of each 
        participating Federal department and agency will be responsible 
        for the implementation of a functional CUI Framework within the 
        agency.
        6. CUI Transition Strategy a Transition Strategy for a phased 
        transition from the current SBU environment to the new CUI 
        Framework is needed. During the transition, special attention 
        would be paid to initial governance, performance measurements, 
        training, and outreach components.
    On a final note, our work has recognized that the substantive 
information that will be marked and disseminated in accordance with the 
proposed Framework is also subject to a variety of other legal 
requirements and statutes. Among some of the most important statutes 
and legal authorities that apply to this information are the Privacy 
Act of 1974, the Freedom of Information Act, the Federal Information 
Security Management Act (FISMA) and various Executive Orders, including 
Executive Order 12333, which governs the Intelligence Community and its 
use of United States Persons information. I would like to stress that 
this proposed Framework for handling SBU has thoroughly considered 
these legal authorities and does not alter the requirements and 
obligations imposed by these authorities. We will continue to work with 
the ISE Privacy Guidelines Committee to ensure that the appropriate 
privacy issues fully meet any legal requirements to protect the civil 
liberties and privacy of Americans.

VI. Conclusion
    For information sharing to succeed, there must be trust--the trust 
of government providers and users of information, or policymakers, and 
most importantly, of the public. Each of these must trust that 
information is being shared appropriately, consistent with law, and in 
a manner protective of privacy civil liberties. Building trust requires 
strong leadership, clear laws and guidelines, and advanced technologies 
to ensure that information sharing serves important purposes and 
operates consistently with American values.\2\
---------------------------------------------------------------------------
    \2\ Mobilizing Information to Prevent Terrorism: Accelerating 
Development of a Trusted Information Sharing Environment, Third Report 
of the Markle Foundation Task Force, July 2006
---------------------------------------------------------------------------
    The lack of a single, rationalized, standardized, and simplified 
SBU framework does contribute to improper handling or over-
classification. To instill confidence and trust that sensitive 
information can be appropriately shared, handled, safeguarded, and 
protected, we must adopt a standardized CUI Framework. This is 
especially critical to our counterterrorism partners outside the 
intelligence community. Appropriately protecting law enforcement and 
homeland security related sources and methods are just as valuable to 
our national security as protecting our intelligence sources and 
methods.
    The global nature of the threats our Nation faces today requires 
that: (1) our Nation's entire network of defenders be able to share 
information more rapidly and confidently so that those who must act 
have the information they need, and (2) the government can protect 
sensitive information and the information privacy rights and other 
legal rights of Americans. The lack of a government-wide control 
framework for SBU information severely impedes these dual imperatives. 
The CUI Framework is essential for the creation of an ISE which has 
been mandated by the President and the Congress. Only then can we meet 
the dual objectives of enabling our Nation's defenders to share 
information effectively, while also protecting the information that 
must be protected. A commitment to achieving standardization is 
essential--a vital need in the post-9/11 world.

    Ms. Harman. Thank you, Ambassador.
    We now recognize Dr. Morris for a 5-minute summary.

   STATEMENT OF CARTER MORRIS, Ph.D., DIRECTOR, INFORMATION 
 SHARING AND KNOWLEDGE MANAGEMENT, OFFICE OF INTELLIGENCE AND 
                         ANALYSIS, DHS

    Mr. Morris. Thank you, Madam Chairman, Chairman Thompson, 
Ranking Member Reichert, other distinguished members of the 
subcommittee.
    It really is a pleasure for me to be here this morning to 
talk about the activities that we are doing in DHS relative to 
information sharing and specifically to talk about the 
activities that we are doing with Ambassador McNamara, the FBI, 
our other federal partners and our state and local partners in 
developing a system that will effectively allow us to share 
information but also to protect the information that needs to 
be protected.
    When I go around and give my various talks that I give on 
information sharing, I like to quote from the Homeland Security 
Act that says one of the responsibilities of DHS is to share 
relevant and appropriate homeland security information with 
other federal agencies and appropriate state and local 
personnel together with assessments of the credibility of such 
information. And the act defines state and local to include the 
private sector.
    I think that is my charge in DHS to make that happen and 
that we take that very seriously that that is a major part of 
the responsibilities of the Department of Homeland Security.
    The challenge that we face, and the one we are talking 
about here today, is the issue that being able to share but to 
still protect the information that needs to be protected. Now, 
I know from the Congress we hear both things coming at us 
strongly, and we want to make sure that we do both effectively.
    In the national security community, we have had a 
classification system in place for a very long time. You can 
argue as to what is in it and what is out of it, but let me 
assure you, even in that community, we continue to look at need 
to know and originator control and third agency rules, all the 
things that people believe are an impediment to sharing, all of 
which are actively being debated at the moment.
    Outside of the national security community, as we have 
already talked about, there are also reasons to protect 
information. Some of this information is very vital to national 
security--privacy, law enforcement case information, witness 
protections, security practices, vulnerabilities in our 
critical sectors and even lots of others.
    These are very legitimate reasons, and what we have to do 
is figure out how to share, how to protect and how to build 
trust in the system, as Ranking Member Reichert pointed out, so 
that people will actually share the information. And that is 
the challenge that we have.
    Let me add a little bit of my own personal assessment here, 
speaking for myself. As I look around the information sharing 
business, information that is what I would call important is 
rarely not protected in some way. So in almost everything we 
talk about in information sharing, we have to couple that with 
a discussion of information protection. And so we can't talk 
about one without the other.
    We believe that DHS has moved forward in the information 
sharing business. If you look at my written statement, you will 
see that there are a number of references made, the things we 
have done. I would like to point out just two, and one of them 
is very relevant today.
    One is, in the classified domain, we have led a community 
effort with all of our partners to look at how we better 
produce unclassified tear lines from classified reporting and 
to not only produce that tear line with information but produce 
an assessment, let me say, of the credibility of that 
information. We believe we have a new system that is currently 
being implemented, and some of my intelligence community 
partners we have already seen a real change in how that is 
being implemented.
    The second area on the non-classified side is all of the 
efforts that we have put into working the controlled, 
unclassified information. As Ambassador McNamara said, DHS, 
working with the Department of Justice, that really started 
that planning into these activities, and we take this as a very 
important thing to accomplish. Some of the people who work for 
me are very rabid about the issue that we really do need to get 
this under control and do it very well.
    So that is the area that we really need to work on, this 
regime for how we handle and control information.
    Let me say that when we do this regime of looking at how 
this controlled, unclassified information, we believe there are 
three things that we particularly need to pay attention to. One 
is that we put in place a governance structure to run this, and 
we put it in quickly, effectively and from the beginning.
    The second thing is we believe any system is going to have 
to be easy to use. It is going to have to be convenient.
    And the third thing is that we believe that we are going to 
have to make sure that any system that we put in at the federal 
level is closely coordinated with the state and locals and how 
they handle information. As we know, there is law enforcement 
information at the federal level, there is law enforcement 
information at the state level. They are controlled 
differently, and we need to bring those systems together.
    Let me finish up then, since my light is on, and very 
quickly. One, we are dedicated to information sharing. We are 
dedicated to implementing a new system to run the controlled, 
unclassified information. We are very much on board with the 
program and the proposal that is currently being proposed.
    However, I will say, I do not believe this is easy. It is 
not easy at all, and I think that we are going to have to pay 
particular attention. We believe the phased approach that is in 
the initial proposal and how to get into this, we believe, is 
the right proposal.
    And I am here now to answer any questions that you might 
like to ask.
    [The statement of Mr. Morris follows:]

                Prepared Statement of Dr. Carter Morris

                             April 26, 2007

    Good morning, Chairwoman Harman, Ranking Member Reichert, and 
distinguished members of the subcommittee. My name is Carter Morris, 
and I am the Director of Information Sharing and Knowledge Management 
for the Office of Intelligence and Analysis at the Department of 
Homeland Security (DHS). It is a pleasure to be with you today to 
discuss the control of government information and the actions DHS is 
taking to address and improve our ability to share information without 
unnecessary restrictions and in a manner that protects what needs to be 
protected.
    The Homeland Security Act of 2002 authorizes DHS to access, from 
any agency of the Federal government, state, local, and tribal 
governments, and the private sector, all information relating to 
threats of terrorism against the United States and other areas; 
information relating to the vulnerabilities of the United States to 
terrorism; and information concerning the other responsibilities of the 
Department as assigned to and by the Secretary. After analyzing, 
assessing, and integrating that information with other information 
available to DHS, the Secretary must then ensure that this information 
is shared with state, local, and tribal governments; and the private 
sector, as appropriate. Concomitant with these responsibilities is the 
obligation of the Secretary to identify and safeguard all homeland 
security information that is sensitive, but unclassified, and to ensure 
its security and confidentiality. Information sharing, for 
counterterrorism and related purposes, therefore, is key to the mission 
of DHS.
    Moreover, the Intelligence Reform and Terrorism Prevention Act of 
2004 established the Program Manager of the Information Sharing 
Environment (PM-ISE) to assist in the development of policies, 
procedures, guidelines, rules, and standards, including those which 
apply to the designation, marking, and handling of sensitive but 
unclassified information, to foster the development and proper 
operation of the ISE. DHS, in coordination with the PM-ISE and other 
agencies on the Information Sharing Council, is actively participating 
in efforts to standardize procedures for sensitive but unclassified 
information and create an effective Information Sharing Environment. .

The Challenge
    The challenge that we face in handling information is balancing two 
important and competing factors: ``sharing the information that needs 
to be shared'' and ``protecting information that needs to be 
protected.'' Our goal is to share information unless there is a valid 
and necessary reason to protect such information and thus limit or 
control the dissemination to a discrete community or other set of 
users.
    The legitimate need to classify some information, for purposes of 
national security and to protect our sources and methods and allow 
information collection operations to be conducted without advanced 
notice to our adversaries, is well established. As sources and methods 
for acquiring information change, as well as our adversaries 
capabilities, we continue to evaluate and adjust our classification 
criteria.
    Similarly, there are many indisputably legitimate reasons for 
protecting certain unclassified information, which we refer to 
generically as Controlled Unclassified Information (CUI)--for example, 
privacy concerns relating to personal information, the danger of 
compromising ongoing law enforcement investigations or of endangering 
witnesses, the need to protect private sector proprietary information 
and, most importantly, the need to protect information containing 
private sector vulnerabilities and other security-related information 
that could be exploited by terrorists. Unauthorized disclosure of this 
information could cause injury to a significant number of individual, 
business, or government interests.
    Through DHS's work with state and local fusion centers, we have 
encountered examples of how the proliferation of internal policies for 
handling unclassified but sensitive information can create unintended 
barriers to information sharing. Existing markings that are meant to 
identify necessary safeguards and dissemination restrictions on 
information often create as much confusion as help. For example, a 
state fusion center received a report that contained actionable threat 
information bearing the marking ``LES'', meaning Law Enforcement 
Sensitive. The fusion center personnel were unsure to what extent they 
could disseminate information with such a marking. When they contacted 
the originating Federal agency, they were unable to speak with someone 
who knew the data and could explain the disclosure rules. The fusion 
center personnel erred on the side of caution and did not share the 
information--in this case not the best solution.
    Sensitive information (classified or unclassified) is only shared 
by people who trust the systems, policies, and procedures that guide 
that sharing. Any lack of confidence regarding the operation and 
effectiveness of a system reduces the willingness of consumers to share 
the information, therefore limiting any benefits it might offer.
    With that in mind, we continue working to transition from a 
historically risk averse approach to sensitive information sharing, to 
one where the risks are considered and managed accordingly, but 
consistent with a responsibility to provide information to our partners 
and customers who need it.
    In order to implement the mandates of the Information Sharing 
Environment we must both produce material at the lowest sensitivity 
level appropriate to allow it to be easily shared with all who need it 
and ensure that processes for protecting information that needs to be 
protected are defined and effective.

DHS is leading information sharing
    DHS has been a leader in establishing new approaches to information 
sharing--including federal sharing at all classification levels; 
sharing with our state, local, tribal, and territorial partners; and 
sharing with the private sector. In this sharing it is critical to 
address both operational needs and the appropriate security in 
transferring the information. I would like to talk about five specific 
DHS information sharing initiatives where we are addressing the need to 
share but still providing an appropriate level of control of this 
information.
    1. Like other Federal departments and agencies, DHS shares 
information with state, local, and tribal partners through state and 
local fusion centers. We are providing people and tools to these fusion 
centers to create a web of interconnected information nodes across the 
country that facilitates the sharing of information to support multiple 
homeland security missions. Working with the Federal government and its 
partners to establish this sharing environment, DHS is ensuring that 
its processes and systems not only achieve the sharing necessary but 
also provide the protection and control of the information that gives 
all parties confidence and trust that the information is appropriately 
used and that information which needs to be protected--such as 
personally identifiable information--is appropriately controlled and 
protected.
    2. DHS, DOJ and other federal entities are also creating a 
collaborative, unclassified information sharing community, based on 
establishing a trusted partnership between the fusion centers and the 
federal government. This environment is requirements driven, and 
focused on providing information to support the mission of the 
intelligence analysts, allowing both information sharing and 
collaboration with the state and local intelligence communities to 
encourage the development of mature intelligence fusion capabilities. A 
key to the development of such a sharing environment is providing a 
system and processes that build confidence that information will not 
only be shared but also protected and controlled as needed, which is 
what we are doing.
    3. As part of the Presidential Guideline effort, DHS led an 
interagency working group that developed the ``Recommended Guidelines 
for Disseminating Unevaluated Domestic Threat Tearline Reporting at the 
Unclassified Level.'' Federal agencies disseminate unclassified 
extracts from unevaluated classified threat reports to facilitate 
sharing of threat information with those on the domestic front lines. 
Federal dissemination of raw threat reporting to State and local 
authorities--before the relevant Federal agencies can assess the 
specific threat--has, at times, led State and Local authorities to 
misinterpret the credibility of the threat. This effort provided 
recommendations to support timely sharing of terrorist threat data with 
state and local officials with increased clarity on the credibility of 
the information while maintaining the appropriate security for sources 
and methods. These recommendations are now being implemented in the 
intelligence community.
    4. DHS is also leading the Federal Coordinating Group, to create 
coordinated federal intelligence products at the lowest appropriate 
levels of classification, for dissemination to state, local, tribal and 
private sector communities. The Group will coordinate three categories 
of ``federally coordinated terrorism information products''--time-
sensitive threat/incident reporting, situational awareness reporting, 
and strategic or foundational assessments. For each category of 
products, the Group will ensure originating agencies validate sourcing, 
ensure substantive completeness, and tailor the analysis for state, 
local, tribal, and private sector use. The Group will coordinate the 
downgrading and/or ``tearlining'' of classified materials where 
appropriate levels of classification or control that permit wider 
state, local, tribal, and private sector use but do not jeopardize 
national security or other sensitivities. Again the key is providing 
the necessary information while also providing clear understanding of 
the necessary protection and control of this information.
    5. And finally, DHS is active in the interagency group working to 
minimize the number of different CUI safeguard and dissemination 
requirements. We undertake these efforts with an eye toward 
facilitating appropriate information sharing--and significant progress 
can be made by eliminating internal safeguarding and dissemination 
policies that are inconsistent throughout Executive agencies and that 
are occasionally overly protective of information. We are committed to 
developing a system for Controlled Unclassified Information that 
effectively facilitates sharing while at the same time protecting 
sensitive information that requires robust protection.

DHS Key CUI elements
    There are three issues that we believe are critical to success in 
instituting an effective CUI framework.
    First, an effective and continuing CUI governance structure must be 
established. The lack of a government-wide governance structure is one 
of the primary reasons that we have been struggling to overcome 
confusion in this area. To advance the government's information sharing 
demands with the attendant need to appropriately safeguard sensitive 
information requires a permanent governance structure to oversee the 
administration, training, and management of a standardized CUI system.
    Second, DHS believes that the improved CUI framework must be clear 
and easy to implement for all stakeholders. It is important that we can 
justify and defend all information that is so controlled. If the 
framework is not readily understood it will not be used. Furthermore, 
adoption must be swift. Establishing the governance structure will aid 
this process by documenting the rules and standardizing the policies, 
processes, and procedures for handling CUI across the federal 
government.
    And third, we must ensure that all potential users of CUI have a 
clear understanding of the CUI framework so that we can facilitate a 
more effective and interactive information exchange. We understand that 
they have their own constraints surrounding systems and sensitive data, 
so we must work to identify mechanisms to integrate state and local 
systems with the Federal framework.
    Addressing these elements will help provide transparency and build 
confidence to increase sharing across communities--from intelligence to 
law enforcement, from law enforcement to the first responders, etc.

Challenges Facing CUI standardization
    Over 100 CUI designators or markings have been identified, and each 
of these has arisen to address a valid need to protect information. 
Most are codified as internal policies and procedures, some of which 
have actually served to enhance information sharing, i.e., clearly 
defined control systems create a trusted environment that encourages 
information sharing. Less often, such designators or markings are the 
result of legislative and/or regulatory requirements to protect certain 
information in a particular way. These practices worked well within a 
local environment, but the challenge is to leverage the successful 
practices and build a trusted environment that bridges communities and 
domains. We must exercise caution, however, as we go forward to 
consider and, where appropriate, revise operational practices in a 
manner that can achieve both sharing and protection in an expanded 
community.
    This caution is especially true in cases where controls were 
created more to facilitate, rather than limit, information sharing. 
Within DHS, there are three such information-protection regimes--
``Protected Critical Infrastructure Information (PCII),'' ``Sensitive 
Security Information (SSI),'' and the newly established ``Chemical 
Vulnerability Information (CVI).'' Congress mandated these categories 
of information be protected and DHS promulgated regulations 
implementing these regimes. Each was specifically created to foster 
private sector confidence to increase their willingness to share with 
the federal government crucial homeland security-related information. 
To date, PCII and SSI have been successful in this regard and have been 
well-received by the private sector. Moreover, these designations are 
ready examples of how robust control of information can actually 
promote appropriate sharing.

Summary
    Because we are changing established cultures and procedures and 
moving forward, in coordination with the PM-ISE, with a new framework 
for CUI, it is important that we adequately address all elements of its 
implementation. Governance, training, strategic communications, 
information technology systems planning, and the development of new 
standards and procedures are all important to the effective 
implementation of these reforms. Phased implementation and continuous 
incorporation of the lessons learned in this process are basic tenets 
of change management. It is important that the appropriate governance 
model is adopted to ensure systematic implementation of the framework 
and foster information sharing.
    That said, DHS is fully committed to this new framework and is, 
moreover, pleased that the framework fully recognizes the difficulties 
of implementation by proposing, among other things, a planning phase 
and phased implementation. Doing so will allow a smoother 
implementation and reduce the risk of losing the confidence that non-
federal partners have now found in current DHS programs.
    DHS looks forward to continue working with the PM-ISE, the 
Information Sharing Council, and each of our Federal partners, to 
address the challenges of what many perceive to be the ``over-
classification'' of information. We believe we made great strides in 
identifying the challenges. We also believe the paths forward are paved 
for interagency success in improving the sharing of information and 
providing an appropriate and streamlined system for controlling 
sensitive information. Nevertheless, and notwithstanding the good 
progress we have made to date, we should not underestimate the 
challenges that exist for implementing a new system for standardizing 
and handling Controlled Unclassified Information across the Federal 
government.
    Thank you for your time. I would be glad to answer any questions.

    Ms. Harman. Thank you, Dr. Morris.
    The chair now recognizes Mr. Murphy for a 5-minute summary 
of his testimony.

 STATEMENT OF WAYNE M. MURPHY, ASSISTANT DIRECTOR, DIRECTORATE 
        OF INTELLIGENCE, FEDERAL BUREAU OF INVESTIGATION

    Mr. Murphy. Good morning. Thank you, Madam Chairman Harman, 
Chairman Thompson, Ranking Member Reichert and members of the 
subcommittee.
    I am pleased to be here today to demonstrate the commitment 
of the Federal Bureau of Investigation to strengthening our 
nation's ability to share terrorism information. We are 
diligently working to fulfill the expectations that Congress 
set forth in the Intelligence Reform and Terrorism Prevention 
Act of 2004.
    As the assistant director for intelligence to the FBI and 
the FBI's senior executive for information sharing, I am at 
once responsible for, accountable to, and have a vested 
interest in a successful information sharing environment.
    I am particularly pleased to be testifying today with 
Ambassador Ted McNamara and Dr. Carter Morris. It has been my 
privilege over the past many months to work with these 
professionals and many others as we seek to craft an outcome 
that matches both the letter and spirit of the task before us.
    I join them today to discuss our collective efforts to 
develop a standardized framework for marking, safeguarding and 
sharing controlled, unclassified information. My nearly 24 
years in the intelligence community have largely been served in 
an environment where I dealt almost exclusively with classified 
national security information.
    While those regimes could be complicated and require great 
discipline and attention to detail, by comparison, they are far 
less challenging than my experience has been in working to 
organize a functional CUI framework. This is not because of a 
lack of commitment, focus and creativity and trying to address 
that framework but because of the myriad of issues and 
interests that one encounters in the transitional world of 
information between what is controlled and what is not.
    From an FBI perspective, getting it right is especially 
important. Our information sharing environment spans the range 
from classified national security information to fully open 
source. We must have the capacity to interpose information from 
all of these regimes and to do so in a dynamic manner. We must 
have the agility to rapidly move information across security 
barriers and into environments that make it more readily 
available and therefore of greater value to the broadest set of 
players.
    And across all of our partners, we must have a framework 
that allows for an immediate and common understanding of 
information's providence and the implications that that 
imparts. We must make the sharing of CUI a benefit, not a 
burden, especially on state, local and tribal police 
departments who would be disproportionately affected if asked 
to sustain a complex and expensive control framework. We must 
manage information in way that sustains the confidence of 
people and organizations who share information that puts them 
and their activities at risk.
    Most important of all, we must respect the power of that 
information and the impact it holds for the rights and civil 
liberties of American people who have trusted us to be its 
stewards. That means we must also never use control as a way to 
deny the public access to information to which they are 
properly entitled.
    With the FBI, achieving a streamlined CUI framework is much 
more than establishing a process; it is about shaping mindsets 
so that we can shift fully from a need to know to a duty to 
provide. The CUI framework, as proposed, creates opportunities 
and solves problems for me that I could not have solved on my 
own. The FBI is fully and completely committed to this process.
    All of us who have been part of this process wish we could 
move more quickly in reaching a point where we are today, but I 
believe the investment of time, the level of effort and the 
openness and commitment that has marked our dialogue has done 
justice to the expectations of the American people.
    Thank you for this hearing. I look forward to answering 
your questions.
    [The statement of Mr. Murphy follows:]

                 Prepared Statement of Wayne M. Murphy

                             april 26, 2007

    Good morning, Chairman Harman, Ranking Member Reichert, and members 
of the Subcommittee. I am pleased to be here today to demonstrate the 
commitment of the Federal Bureau of Investigation (FBI) to 
strengthening our nation's ability to share terrorism information. We 
are diligently working to fulfill the expectations Congress set forth 
in the Intelligence Reform and Terrorism Prevention Act of 2004. As the 
Assistant Director for Intelligence and the FBI Senior Executive for 
Information Sharing, I am at once responsible for, accountable to and 
have a vested interest in a successful Information Sharing Environment.
    I am particularly pleased to be testifying today with Ambassador 
Ted McNamara, the Information Sharing Environment Program Manager, and 
Dr. Carter Morris, Director for Information Sharing and Knowledge 
Management, Intelligence and Analysis from the Department of Homeland 
Security. It has been my privilege over the past many months to work 
with these professionals and others as we seek to craft an outcome that 
matches both the letter and spirit of the task before us.
    I join them today to discuss our collective efforts to develop a 
standardized framework for marking, safeguarding, and sharing 
``Controlled Unclassified Information'' (CUI), or as it is more 
commonly known, ``sensitive but unclassified'' information.
    On December 16, 2005, the President issued the ``Guidelines for the 
Information Sharing Environment'' as mandated by the Intelligence 
Reform and Terrorism Prevention Act of 2004. These Guidelines, among 
other things, set in motion a process for standardizing the handling of 
controlled unclassified information.
    My nearly 24 years in the intelligence community have largely been 
served in an environment where I dealt almost exclusively with 
classified national security information. While those regimes could be 
complicated and required great discipline and attention to detail, by 
comparison they are far less challenging than my experience has been in 
working to organize a functional CUI framework. This is not because of 
a lack of commitment, focus and creativity in trying to address that 
framework, but because of the myriad of issues and interests that one 
encounters in the transitional world of information between what is 
controlled and what is not.
    It is essential that we get it right, because it is information in 
this environment that can be of greatest utility when we need to share 
across a broad range of interests and constituencies. This framework 
provides a measure of protection for sensitive information to reassure 
those who might seek to hold such information in a classified or overly 
restrictive regime, which would deny others access and cause us to fail 
on our ``duty to provide.''
    From an FBI perspective--getting it right is essential. The 
Information Sharing Environment, which is the lifeblood of our mission, 
spans the range from classified national security information to fully 
open source. We must have the capacity to interpose information from 
all of these regimes and do so in a dynamic manner. We must have the 
agility to rapidly move information across security boundaries and into 
environments that make it more readily available and therefore of 
greater value to the broadest set of players. And across all of our 
partners, we must have a framework that allows for an immediate and 
common understanding of information's provenance and the implications 
that imparts. We must make the sharing of CUI a benefit, not a burden--
especially on State, Local and Tribal police departments who would be 
disproportionately affected if asked to sustain a complex and expensive 
control framework. We must manage information in a way that sustains 
the confidence of people and organizations who share information that 
puts them at risk. Most important of all, we must respect the power of 
that information and the impact it holds for the rights and civil 
liberties of the American people who have entrusted us as its stewards. 
That also means that we must never use ``control'' as a way to deny the 
public access to information to which they are entitled.
    For the FBI, achieving a streamlined CUI framework is much more 
than establishing a process, it's about shaping mindsets so we can 
fully shift from ``need to know' to ``duty to provide.'' This shift 
does not diminish our responsibility to properly protect the privacy 
rights and civil liberties of all Americans. It does not set up a 
framework that puts at greater risk our sources and methods and it does 
not compromise our capacity to conduct both an intelligence and law 
enforcement mission with full vigor and impact. Rather, this framework 
seeks to level the information sharing playing field through a common 
lexicon and a shared understanding of goals.
    Unfortunately, the present set of policies and practices make it 
extremely difficult for well meaning individuals to act responsibly, 
appropriately and completely in this regime. There are well over 100 
separate markings for CUI and there is no easy way for the recipient of 
information bearing an unfamiliar marking to find out what that marking 
means. Moreover, the same marking means different things in different 
parts of the Federal Government.
    The FBI, working in close coordination with the Department of 
Justice, have jointly drawn upon the experience and the wisdom of state 
and local law enforcement personnel to help us understand better what 
kinds of CUI policies would be most helpful to them as we strive to 
share information without compromising either privacy or operational 
effectiveness. The Criminal Intelligence Coordinating Council (CICC) of 
the Global Justice Information Sharing Initiative has played an active 
role in advising us on this matter, including the convening on December 
6, 2006 for an all-day meeting to discuss the practicability at the 
state and local level of various proposed ``safeguards'' for CUI. I 
would like to acknowledge here the particularly constructive role 
played by the CICC Chair, Col. Bart Johnson of the New York State 
Police. Col Johnson is forthright in explaining what Federal policies 
would be most helpful in enabling state and local law enforcement to 
play their part in preventing terrorism, but he is also sophisticated 
in his understanding of the many other factors that must be taken into 
account.
    In our view there are three aspects of the current draft framework 
that are particularly important:
        1. Every marking that appears on any CUI document in the future 
        must have a clear and unambiguous meaning. There should be a 
        website--accessible over the Internet to everybody--on which 
        the approved markings are defined, and no markings should ever 
        be used that are not defined on this website. This will mean 
        that recipients of shared information who want to do the right 
        thing will easily be able to find out what protective measures 
        are expected of them. I believe that this change will both 
        increase sharing and decrease the risks of sharing.
        2. All CUI information must be marked with a standardized level 
        of safeguarding. For most CUI this safeguarding will be no more 
        than ordinary prudence and common sense--don't discuss CUI when 
        you can be overheard by people you don't intend to share it 
        with, store it in an access controlled environment, as needed 
        protect it with a password.
        3. All CUI information must be marked with appropriate 
        dissemination guidance so that recipients can easily understand 
        what further dissemination is permitted.
    All of us who have been part of this process wish we could have 
moved more quickly in reaching the point where we are today, but I 
believe the investment of time, the level of effort and the openness 
and commitment that has marked our dialog has done justice to the 
expectations of the American people.
    Thank you for time, I look forward to answering your questions.

    Ms. Harman. Thank you very much. We are impressed that 
there is a minute and a half left over. You win the prize, Mr. 
Murphy.
    [Laughter.]
    Well, I do apologize for rushing Ambassador McNamara. He 
has important things to tell us. But unless we adhere to this 
format, we don't give adequate time to ask questions and to 
respect the fact that we have a second panel of witnesses and 
also probably that we are going to have to recess for votes at 
some point during this hearing.
    Well, I thank you all for your testimony.
    And I will now recognize myself for 5 minutes of questions, 
and I will strictly adhere to the time.
    Dr. Morris, I was sending DHS a message through you about 
frustration with the lack of progress on the ITACG and the 
inclusion of state, local and tribal representatives in the 
preparing of analytic products that is hopefully going to give 
those state, local and tribal authorities information they need 
in a timely way to know what to look for and what to do.
    Every terror plot is not going to be hatched in Washington, 
D.C. where we might have adequate FBI and federal resources at 
the ready. I don't believe that for a minute, and I know no one 
on this panel does.
    So I am sending this message that it is absolutely critical 
for DHS to spend more time supporting the inclusion of numerous 
state, local and tribal representatives in the ITACG and to 
stand up the ITACG promptly. We don't understand any reason for 
delay. I am speaking for myself. I have a feeling that the 
chairman is going to speak for himself shortly on this same 
issue.
    And the way to do it right is the way Ambassador McNamara, 
working with you and state and local and tribal authorities, 
has come up with this proposal. So there is a positive example 
to learn from, and I hope that DHS, through you, is going to 
learn.
    Are you going to learn?
    Mr. Morris. I think that we are all committed to bringing 
state and locals into this activity. I can tell you personally 
it has always been my objective to do that. I have a meeting 
with my staff this afternoon on how we do this.
    I think the challenge has been, the delay is that, in a 
sense, establishing the infrastructure for doing this kind of 
thing is more challenging than we would all like to have, but 
there is no lack of commitment, and we will move forward 
aggressively. And that is what we are doing.
    Ms. Harman. Well, I hope that is true. Some of us thought 
that these folks could just be included in the NCTC itself, and 
then we were told we need a separate entity. Now you are saying 
setting up a separate entity has problems. I think the 
principle is the critical piece, and so let's not create 
problems with the second entity if it is a problem. Let's just 
move forward on the principle.
    Mr. Morris. We agree. No, absolutely.
    Ms. Harman. Sure. Okay.
    Ambassador McNamara, I did rush you and you really didn't 
get a chance to lay out how this is going to happen. We all get 
it that the White House hasn't approved your proposal. We are 
hopeful that it will be approved. Surely, the other two 
witnesses were saying positive things about it, and we have 
been briefed, the members of this committee, by you on it, and 
we are positive.
    Could you put on the record how this is going to happen, 
what the governance structure will look like, and could you 
address the issue of whether you need legislation to accomplish 
this?
    Obviously, it makes no sense to have a brilliant proposal 
that no one follows, so I am sure you have already--I know you 
have already thought about this, and I don't think we have 
testimony yet on the record about how this will get adopted 
across the federal government.
    Mr. McNamara. Yes, Madam Chairman. First of all, how: Right 
now the committee that I am chairing is putting in what I hope 
is final form a series of recommendations that will be a report 
to the president. He has asked for that report. It is known as 
guideline three, and we will be responding to that in, I 
expect, within a month or two, say, by the end of this quarter.
    We will send forward for review by the interagency 
process--that means deputies, principals and then sent to the 
president--a series of recommendations. It is not a study, it 
is not an investigation. What it is, is a series of policy 
recommendations for changing the current system and instituting 
a new regime called, CUI, as I mentioned.
    Second, you asked about the----
    Ms. Harman. The need for legislation.
    Mr. McNamara. For legislation.
    Ms. Harman. To make certain there is compliance.
    Mr. McNamara. Correct. There is in fact a group, a subgroup 
of this committee that has been looking at the legislative 
history of SBU and what might be necessary in the way of 
legislation for the implementation of a new regime.
    It is headed by the Department of Justice, and we expect, 
once we have given them the final version of this, that they 
will come back to us with recommendations, and we will include 
those recommendations with the other recommendations. But those 
recommendations can't be made until they look at the product 
that we are telling them that we want implemented. And then 
they will give us their opinion as to whether or not 
legislation is needed.
    On whether legislation is needed to get acceptance of this, 
the answer, I think, is, no. The president has asked for this, 
he wants it, and he will review it, I think, with dispatch.
    Ms. Harman. I thank you for your answers. My time has 
expired.
    I would just alert you and the public listening in that we 
are considering legislation here on the issue of over-
classification, which Dr. Morris spoke to briefly, as well as 
this issue. We think it is absolutely critical that we have 
understandable and clear rules for what information is 
protected and what information is shared. Otherwise, we think, 
we are not going to be able to get where we need to get, which 
is to block Al Qaida plots coming our way in real-time.
    I now recognize the ranking member of the subcommittee, the 
gentleman from Washington, for 5 minutes for questions.
    Mr. Reichert. Thank you, Madam Chair.
    Just to follow up on the chairwoman's last question, 
governance and legislation, I was taking notes during your 
testimony and didn't find it in your written testimony, but you 
mentioned 280 pieces of legislation or ordinances and then 
another 150--
    Mr. McNamara. Regulations.
    Mr. Reichert. --regulations.
    Is the group in DOJ, are part of their tasks to take a look 
at those 280 and 150 to see----
    Mr. McNamara. Yes, indeed. In fact, they were the ones who 
came up with those numbers.
    Mr. Reichert. Oh, okay.
    Mr. McNamara. They did a research project to find out what 
legislation created the current SBU system and what regulations 
were adopted subsequently after the legislation was passed to 
implement the requirements of the legislation. That is where 
that comes from, from that group.
    Mr. Reichert. Because I can see that maybe some of what we 
could do, Madam Chair, is pass a law eliminating some of these 
rules and regulations that might be inhibiting you in 
accomplishing that task.
    Mr. McNamara. Let me note that the vast majority, I 
believe, not having looked at all of them, but I have been told 
that the great majority of those simply require controls 
without going into detail as to what control mechanism should 
be put on specific kinds of information. The details of what 
controls were put on were determined by the regulations. And, 
therefore, it is the opinion of this group at this point that 
many of those legislative mandates require just a change of the 
implementing regulations rather than go back and change the 
legislation.
    But the definitive answer will only come when we have a 
final set of recommendations that we can hand to the lawyers.
    Mr. Reichert. Great. Good. The subcommittee would be happy 
to be working with you on those changes.
    I wanted to ask Dr. Morris, you mentioned as a part of the 
DHS mandate that you have, in that statement that you read, it 
talks about appropriate state and local personnel, which 
includes the private sector.
    How do you define ``appropriate''? Who does that include?
    Mr. Morris. That is an interesting question. As part of my 
talks, I have talked about that word exactly, because it was 
written in there. I think that is something we have to work 
with the state and locals. The program that we currently have 
is certainly focusing on the fusion centers that operate at the 
state level and at the local ones that have that.
    We believe that in the DHS program right now, that is where 
we are focusing our efforts and then working with the people in 
those fusion centers to understand where it needs to go beyond 
that.
    One of the things that I have actually talked to some 
people who worked for me for awhile is, how do we define, in 
working with the fusion centers, what are the other 
distribution methods that need to be there? Who else has to get 
the information in order to act?
    Mr. Reichert. Yes.
    Mr. Morris. I think that is the key thing. But right now 
our focus is through the fusion centers and working with the 
FBI and the activities that they do in the JTTF.
    Mr. Reichert. Good. Well, I think we all know from our 
experience that there are a lot of people who think they are 
appropriate, and that is the tough part is letting some people 
that they are not.
    Also, we talked a few days ago, Ambassador, about cultural 
change as it relates to gaining trust and training, and it is 
also something that Mr. Murphy mentioned.
    I kind of know where you are at on that, Ambassador, but I 
was hoping maybe Mr. Murphy might comment since you mentioned 
it in here, in your opening statement. The cultural change, in 
your opinion, is the need to know versus the need to share. So 
I think you nailed it when you said that. How would you say we 
are going to reach that goal?
    Mr. Murphy. I wish I could take credit for that.
    What really brought it home for me was when I was 
supporting a military operation as part of my responsibility at 
NSA, and afterwards we were doing a hot wash, and a Marine 
infantryman who was working as part of the front end 
operational activity told me, ``What makes you think that you 
have my perspective? What makes you think you can make 
judgments about what I need to know and don't need to know? You 
need to understand my environment better and work within my 
environment.''
    That has resonated with me, particularly after 9/11, and 
the decisions I had made that made good sense at the time but, 
frankly, were parochial and limiting. I think this moves toward 
exposing our customers to the information that we have and 
letting them help us shape the message and shape the way it is 
delivered so the people that they represent is absolutely 
critical.
    And so changing the mindset, at the end of the day, is more 
important than any process thing that we do, because if the 
mindsets change, the processes will really take care of 
themselves.
    Mr. Reichert. I appreciate that answer very much, and we 
are all three on the same page.
    Ms. Harman. The gentleman's time has expired. I appreciate 
that answer very much too.
    I now yield 5 minutes to the chairman of the full 
committee, Mr. Thompson of Mississippi.
    Mr. Thompson. Thank you very much, Madam Chairman.
    Good answer, Mr. Murphy.
    Dr. Morris, if we implement CUI framework, do you think we 
can get DHS to come along?
    Mr. Morris. Well, I don't think there is any problem with 
us coming along. I think that the only issue that I believe 
that we need to address in the end is going to be, how do we 
make sure with any new system we come up with that we build the 
trust in that system and the trust in the markings, the 
controls, the disseminations that are specified by that?
    One of the big challenges for us in DHS has been working 
with the private sector, particularly, in the sharing of threat 
information on our critical infrastructure. And what we are 
dedicated to do under the new system is to make sure that 
whatever it says on the top of the piece of paper along an 
electronic message that people trust that system. And we think 
that is so critical in working with the private sector.
    Mr. Thompson. And so do you think we can get our ICE, CBP, 
TSA to buy into it also?
    Mr. Morris. I didn't say it was going to be easy. Yes, I 
do. Actually, I do. I think that we have socialized the 
proposal within the department. We haven't gotten back major 
pushbacks on it. I think people are still wondering how they 
are going to implement it, but in principle, yes, we have 
gotten acceptance.
    Mr. Thompson. Ambassador, what participation have we gotten 
in the development of this new framework from the private 
sector? Did you have any discussions with any private sector 
stakeholders or anything?
    Mr. McNamara. Yes, we have. We have been in consultation 
with them. There is a committee that the Department of Homeland 
Security has formed with private sector partners to examine 
many issues related to homeland security, not just this issue 
of the SBU and CUI. And we have gone over with them in some 
detail various aspects of this proposed and this recommendation 
for CUI that would affect the private sector in particular.
    We have had telephone conferences, we have had meetings 
with them here in Washington. They are about, I think, within a 
few days or a week to send in some final comments on the CUI 
proposal as well as some other proposals that they have been 
looking at to, I think, the chair of that committee or that 
group, the assistant secretary for infrastructure protection at 
the Homeland Security Department, Bob Stephan.
    And my understanding, from phone conversations, et cetera, 
is that they will be favorably disposed. They believe that 
their needs will be met by this new proposal for CUI.
    Mr. Thompson. I yield back, Madam Chair.
    Ms. Harman. Thank you, Mr. Chairman. We have been so 
efficient that I would ask Sheriff Reichert if he has an 
additional question, maybe one, and then we will move to our 
second panel.
    Unless you do, Mr. Chairman.
    Mr. Thompson. I have no further questions.
    Mr. Reichert. I would like to just give Dr. Morris a chance 
to address the cultural change. I noticed you had your hand up 
and you might have a comment there.
    Thank you, Madam Chair.
    Mr. Morris. I was just going to make a comment. I was on 
another panel recently and we were talking about information 
sharing, and there was a representative from private industry 
who came to the panel and basically said that approaching 
information sharing the way we are doing it now is going to 
fail, because it doesn't address the issue of discovery. And 
that gets back to the key point that you were making is that we 
have to put in place a system that promotes discovery of 
information, find the people out there who need it.
    And then that is an area that we really need to start and 
continue. It struck a note with me, and I certainly agreed with 
what I heard.
    Mr. Reichert. Madam Chair, if I could just quickly follow 
up. The public disclosure issue, as you mentioned discovery, is 
also one that I think the FBI might have to handle and deal 
with, isn't that true, all three, nod your head?
    Thank you.
    Ms. Harman. Well, I thank the witnesses and do agree with 
the ranking member that building trust is the key to making all 
of this work. Without that, discovery won't happen, changing 
cultures won't happen and getting information, accurate and 
actionable information in real-time won't happen.
    This is, as far as I am concerned, the critical mission for 
this subcommittee to drive home.
    Ambassador McNamara, I hope when you leave this room you 
will call the White House and ask them what minute they are 
going to approve your guidelines so we can get on with this. 
Right? Good. I know the phone number.
    [Laughter.]
    All right. This panel is excused. Thank you very much.
    Thank you very much, all.
    Are we now set up? Yes, we are. Counsel can take a seat 
next to me.
    I welcome our second panel.
    Our witness, Mark Zadra, serves as assistant commissioner, 
Florida Department of Law Enforcement, and is a 29-year veteran 
who has served in many leadership positions. Among them was 
overseeing the development and implementation of various 
intelligence and information technology systems.
    He served as special agent supervisor of the Domestic 
Security Task Force prior to his appointment to chief of office 
of statewide intelligence in 2002 and subsequently to special 
agent in charge of domestic security and intelligence. And as 
we heard, he welcomed 600 people to Florida recently to have a 
conference on the critical subject of fusion centers.
    Without objection, Mr. Zadra's full statement will be 
inserted in the record.
    And I would now ask you to summarize in 5 minutes.

   STATEMENT OF MARK ZADRA, ASSISTANT COMMISSIONER, FLORIDA 
                 DEPARTMENT OF LAW ENFORCEMENT

    Mr. Zadra. Thank you, Madam Chair and distinguished members 
of the committee. I am pleased to speak to you today about the 
importance of common federal information sharing protocols and 
the impact that they have on the state, local and tribal 
governments.
    Prior to 9/11, law enforcement agencies at all levels had 
little need to share sensitive information with non-law 
enforcement agencies. We had a generally accepted practice for 
sharing with one another, but because local and state law 
enforcement had minor involvement in the counterterrorism 
arena, we had limited experience with classified information. 
Little consideration was also given to sharing information 
outside of law enforcement, and particularly with respect to 
the private sector, it was generally not done.
    The paradigm shifted after 9/11 when it became known that 
14 or more of the hijackers had lived, had traveled and trained 
in the state of Florida while planning their atrocities. One 
month later, Florida experienced the first of several 
nationwide deaths from anthrax, which once again terrorized our 
nation.
    In light of these grim realities, we recognized that local, 
state and tribal resources, together with a whole new set of 
non-law enforcement partners, including the private sector, 
represent the frontline of defense against terror and our best 
hope for prevention.
    Over the years, since 9/11, collectively, we have made 
great strides in overcoming the cultural barriers to 
information sharing. Despite many successes and a new cultural 
that encourages information sharing, barriers that impede the 
establishment of the desired national information sharing 
environment remain.
    Perhaps the single largest impediment is the lack of 
nationally accepted common definitions for document markings 
and standard policy procedures for handling, storing and 
disseminating non-classified information.
    Some states like Florida have open record laws, while other 
states impose very restrictive requirements and afford broad 
protections from release. Florida's reputation is that of an 
open record state, and it is widely known.
    Exemptions provided by Florida's public record law are 
insufficient to protect against public disclosure of all types 
of sensitive information. The fear that sensitive information 
may not be protected under state law has a chilling effect on 
the free flow of information from out-of-state agencies and 
non-governmental to and from Florida.
    We also believe that a lack of a standard definition 
results in federal agencies over-classifying information in an 
effort to protect it.
    Developing and implementing a nationally accepted 
designation will provide Florida and other states with the 
justification that they need to encourage modification of state 
laws so that sensitive information can be protected.
    Florida supports the implementation of the controls, 
unclassified information framework to replace the existing, 
sensitive but unclassified designation. Implementation of the 
new standard will involve varying degrees of physical and 
legislative impacts. However, it is my opinion that acceptance 
will be facilitated if the guidelines are straightforward and 
delivered in clear and concise language that there is a single, 
nationally accepted, encrypted communication standard and 
system, which can also be used by non-law enforcement homeland 
security partners and that that be designated.
    The fiscal impacts are mitigated through the use of grants 
for the training and awareness programs and reprogramming of 
systems to allow this new framework.
    And then implementation timelines need to consider the need 
to change policies and laws, purchase new equipment, do 
programmatic changes and to do the training that I referenced.
    Federal agencies are now providing state and local agencies 
with significant amounts of threat information. Much of the 
information that is still needed, however, is classified at the 
national level in order to protect methods, means and 
collection and national security interests. Under most 
circumstances, however, we do not need to know the identity of 
the federal sources, nor the means, nor the methods of 
intelligence collection, only whether the information is deemed 
to be credible and specifically what actions that they want 
state, local and tribal authorities to take.
    Florida believes the implementation of state regional 
fusion centers is the key to the establishment of the desired 
information sharing environment. These centers bring properly 
trained and equipped intelligence professionals with 
appropriate clearances to connect the puzzle pieces and 
disseminate actionable intelligence.
    The problem remains that, unfortunately, most of the 
operational components at the state and local level that may 
benefit from the information and would otherwise be available 
to report on indicators and warnings we observed in the field 
will never have access to this information because of the 
classification.
    Tear line reports forwarded to fusion centers can help 
address this particular concern. So state, local and tribal law 
enforcement, in addition to other discipline partners and the 
private sector, can receive information that they can act upon.
    Madam Chair and members of the subcommittee, thank you for 
the opportunity to appear and testify before you. I can assure 
you that the state of Florida is encouraged by your interest in 
facilitating an enhanced information sharing environment across 
the nation. It is my hope that the testimony and the 
understanding of Florida's desire to be a strong participant in 
the flow of critical, sensitive information and intelligence 
nationally will be help on your endeavor.
    And, ma'am, if I may take 15 more seconds. I want to, from 
a state perspective and probably on behalf of Colonel Johnson, 
to thank you for the recognition and the gratefulness on behalf 
of the nation for the agency's loss of their trooper, the New 
York state trooper, the New York state police and lost his 
family and agency. And thank you for recognizing the sacrifice 
of the state and local and tribal multidisciplinary partners 
that are also part of this fight on terror.
    Thank you.
    [The statement of Mr. Zadra follows:]

        Prepared Statement of Assistant Commissioner Mark Zadra

    Good morning Madam Chair and distinguished members of the 
Subcommittee.
    My name is Mark Zadra and I am a 29-year member of the Florida 
Department of Law Enforcement (FDLE). FDLE is a statewide law 
enforcement agency that offers a wide range of investigative, technical 
and informational services to criminal justice agencies through its 
seven Regional Operations Centers, fifteen Field Offices, and six full 
service Crime Laboratories. Our primary mission is to promote public 
safety and strengthen domestic security by providing services in 
partnership with local, state and federal criminal justice agencies to 
prevent, investigate, and solve crimes while protecting Florida's 
citizens and visitors. FDLE utilizes an investigative strategy that 
comprises five primary focus areas including Violent Crime, Major 
Drugs, Economic Crimes, Public Integrity and Domestic Security.
    I was recently appointed as FDLE's Assistant Commissioner of Public 
Safety Services however, prior to that appointment I served as the 
Special Agent in Charge of Domestic Security and Intelligence and the 
state's Homeland Security Advisor. In those roles I have overseen the 
development and implementation of various intelligence and information 
sharing programs and systems for FDLE and subsequently for the State of 
Florida. I have also overseen the development and implementation of the 
prevention component of Florida's Domestic Security Strategy and 
Florida's implementation of national information-sharing initiatives 
such as the Homeland Security Information Network (HSIN) and Florida's 
fusion center. I have further been an active participant on the Global 
Justice Information Sharing Initiative--Global Intelligence Working 
Group (GIWG). The goals of the GIWG include seamless sharing of 
intelligence information between systems, allowing for access to 
information throughout the law enforcement and public safety 
communities, creating an intelligence sharing plan, determining 
standards for intelligence sharing, developing model policies, 
determining training needs, and creating an outreach effort to inform 
law enforcement of the result of this effort. Over the last ten months 
I have been afforded an opportunity to provide input to the GIWG 
regarding the development of the recommended common protocols for 
sharing and protecting sensitive information and intelligence among 
multiple agencies with a role and responsibility in homeland security.
    I am pleased to speak to the Committee today about the importance 
of common federal information-sharing protocols and the impact they 
have on state, local and tribal governments.
    Prior to 9/11, law enforcement agencies at all levels had little 
need to share sensitive information with non law enforcement agencies. 
We had generally accepted practices for sharing information with one 
another but, because local and state law enforcement had minor 
involvement in the counterterrorism arena, we had limited experience 
with federally classified information. Little consideration was given 
to sharing sensitive information outside the law enforcement community, 
and sharing information with the private sector was generally not done.
    The paradigm shifted after 9/11 when it became known that fourteen 
or more of the hijackers had lived, worked, traveled and trained across 
Florida while planning the atrocities they would ultimately commit. In 
their daily activities they left many clues that, if viewed together, 
may have predicted the plan and given authorities an opportunity to 
avert the catastrophic consequences. One month after the horror of 9/
11, Florida experienced the first of several nationwide deaths from 
Anthrax which once again terrorized our nation. In light of these grim 
realities, we recognized that local, state and tribal resources--
together with a whole new set of non-law enforcement partners including 
the private sector- represent the front line defense against terror and 
our best hope for terror prevention. Appropriately shared information 
is the key weapon in moving from the role of first responder to that of 
first preventer.
    Sharing information with agencies such as health, fire, emergency 
managers, and even non-governmental entities with a role in the fight 
against terror presented new challenges, not just the inherent cultural 
ones, but those relating to law, policy/procedure, technology and 
logistics. Over the years since 9/11, collectively, we have made great 
strides in overcoming the cultural barriers to sharing information. In 
Florida, through our Domestic Security Strategy and governance 
structure, we routinely work with and share information across all 
entities that have a role in protecting the safety and security of our 
citizens.
    Despite these successes and a new culture that encourages 
information sharing, barriers that impede the establishment of the 
desired national Information Sharing Environment (ISE) remain.

Common Document Markings and Dissemination Protocols
    Perhaps the single largest impediment to an effective national ISE 
is the lack of nationally accepted common definitions for document 
markings and standard policy/procedure for handling, storing, and 
disseminating non-classified information. Sensitive but unclassified 
information, which is routinely received from federal and other state 
agencies, is needed by state, local, tribal and private sector partners 
that have a duty and responsibility to utilize it to provide for our 
safety and security. Consistency in definition and protocol is 
paramount to both fully sharing useful and actionable information, and 
protecting information that should not be shared.
    Some states, like Florida have open record laws that mandate 
revealing information compiled by governmental agencies unless a 
specific ``chapter and verse'' exemption or confidentiality provision 
applies. Other states impose very restrictive dissemination 
requirements and afford broad protections from release to those without 
a need to know. Florida's reputation as an open records state is widely 
known. While Florida law exempts certain information from public 
disclosure, the most likely exemptions applicable to the type of 
information that I am discussing are limited to criminal intelligence/
investigative information and information that pertains to a facility's 
physical security system plan or threat assessment. Exemptions provided 
by Florida's Public Records Law are insufficient to protect against 
public disclosure of all types of sensitive information needed by 
Florida's domestic security partners. For example, there is no specific 
exemption in Florida's public records law for information provided to 
Florida by a non-Florida agency unless it is intelligence or 
investigative information--both of which have fairly narrow definitions 
under Florida law. The fear that sensitive information may not be 
protected under state law has a ``chilling effect'' on the free flow of 
important information from out-of-state agencies and non governmental 
entities to and from Florida. We also believe that the lack of a 
standard designation results in federal agencies over-classifying their 
information in an effort to protect it. Information and intelligence 
sharing partners need to know, with certainty, that the information 
they share will be appropriately protected. At the same time, we 
understand there must be appropriate limits on what is removed from 
public scrutiny and review, and a balance achieved between properly 
informing the public and ensuring the safety and security of our state 
and nation.
    Developing and implementing a nationally accepted designation, with 
clear and appropriate handling and dissemination standards for 
sensitive information, will provide Florida and other states with the 
justification they need to encourage modification of state laws so that 
sensitive information can be protected in compliance with an accepted 
national standard.
    Fortunately, there appears to be a workable solution to the 
concerns I have identified. Florida supports the implementation of the 
Controlled Unclassified Information (CUI) framework to replace the 
existing Sensitive But Unclassifed (SBU) designation. The SBU 
designation contains numerous confusing designations used to mark 
unclassified information. The recommended CUI framework streamlines 
existing designations and provides handling requirements that 
facilitate wide distribution among law enforcement, homeland security, 
other government sectors and the private sector. We strongly believe 
that the information sharing environment mandated by Presidential 
Guideline 3 cannot be fully achieved without the implementation of a 
model such as the CUI framework. In the absence of common protocols, 
existing classification schemes will continue to be over utilized and/
or improperly utilized, resulting in the inability of persons who 
receive information to adequately distribute it to those with a duty 
and responsibility to take action to protect our citizens.
    We believe that the recommendations made by the Sensitive But 
Unclassified Working Group reflect workable solutions that could be 
accepted and replicated by most states. As a state representative I 
have been afforded an opportunity to review and comment on these 
recommendations during their formulation. I have also had the pleasure 
of personally meeting with Ambassador Thomas E. McNamara, Office of the 
Program Manager for the Information Sharing Environment and espousing 
Florida's views with respect to this and other information sharing 
topics.

Implementing CUI
    In the absence of federal guidance and standards, many states, 
including Florida, have already expended resources in building systems 
and programs to fill the information needs of their consumers. 
Implementation of the new standard will involve varying degrees of 
fiscal and legislative impacts, however it is my opinion that 
acceptance will be facilitated if:
        1. Guidelines are straight-forward and delivered in a clear, 
        concise language;
        2. A single, nationally accepted, encrypted communications 
        system and federal information sharing encryption standard that 
        can be used by non-law enforcement homeland security partners 
        is designated;
        3. Fiscal impacts are mitigated through grants for training and 
        awareness programs, as well as for new equipment and system re-
        programming; and
        4. Implementation timeline considers the potential need for 
        state, local, and tribal governments to:
                a. Change policy and/or rules to comply with new 
                information dissemination requirements;
                b. Purchase new equipment and/or system programming 
                changes; and
                c. Train appropriate personnel in markings, handling, 
                storage and dissemination requirements.

For Official Use Only Tear Line Reporting
    In response to post 9/11 criticism regarding failure to share 
information vertically and horizontally across the spectrum of homeland 
security partners, federal agencies are now providing state and local 
agencies with significant amounts of threat information. Much of the 
information that is still needed, however, is classified at the 
national level in order to protect sources, methods and means of 
collection and national security interests. State and local law 
enforcement fully understand and appreciate the need to protect certain 
information and restrict dissemination to only those with a need or 
right to know. Under most circumstances, however, we do not need to 
know the identity of federal sources or means and methods of 
intelligence collection--only whether or not the information has been 
deemed credible and specifically what actions that the state, local and 
tribal entities should take.
    Florida believes the implementation of state and regional fusion 
centers is key to the establishment of the desired Information Sharing 
Environment. These centers bring properly trained and equipped 
intelligence professionals with appropriate clearances to connect the 
pieces of the puzzle and disseminate actionable intelligence. The 
problem remains that once the classified material is fused with the 
non-classified information from which analysis is performed, the 
information takes on the restrictions with the classified information 
which significantly narrows to whom and how it can be shared. 
Unfortunately, most of the operational components at the state and 
local level that may be benefit from the information, and would be 
otherwise available to report on the indicators and warnings being 
observed within the field, will not ever have access to this 
information. Tear line reports forwarded to fusion centers can help 
address this particular concern so that state, local and tribal law 
enforcement in additional to other discipline partners and the private 
sector receive information that they can act upon.
    In conclusion, I would like to compliment our federal partners for 
recognizing the value of state, local and tribal representative's 
expertise and allowing input on such a critical initiative prior to its 
implementation. This has not always been the case, but is a testament 
to the positive change in the information sharing culture and 
established and improved partnerships. I have been honored to be a 
member of the Global Intelligence Working Group and would like to 
acknowledge the work done by those professionals under the guidance of 
their Chairman, New York State Police Deputy Superintendent, Bart 
Johnson.
    Lastly, Madam Chair and Members of the Sub Committee, thank you for 
the opportunity to have appeared and testified before you today. I can 
assure you the State of Florida is encouraged by your interest in 
facilitating an enhanced information sharing environment across the 
nation. It is my hope that this testimony and the understanding of 
Florida's desire to be a strong participant in the flow of critical 
sensitive information and intelligence nationally will be helpful in 
your endeavor.

    Ms. Harman. I thank the witness for your testimony and now 
yield myself 5 minutes for questions.
    Let me say, first, Mr. Zadra, that I think we need to 
bottle you. I am not sure what that process could involve, but 
I would like to a bottle of you to sit on Charlie Allen's desk 
and I would like a bottle of you to sit on the desk of the 
appropriate people at the CIA who have a great role to play in 
our present classification system.
    And I definitely want a big bottle of you to be sitting on 
Fran Townsend's desk in the White House, as we move forward. 
Because it is absolutely critical, as you said, that you have 
timely information. And we have both classification and pseudo-
classification systems that are making that more difficult than 
it should be.
    No one is arguing about the need to protect sensitive 
sources and methods. I served for 8 years in the House 
Intelligence Committee, and I think I get it, but I haven't 
found a defender, and I would disagree with such a person if I 
found one, who says that our present system works well. It 
doesn't, it is broken, and this is hearing is about how to fix 
at least a portion of it, and this subcommittee will focus on 
trying to fix as much of it as we can get our arms around.
    I want to ask you about a specific situation. I don't think 
anyone in the country and most people around the world missed 
the tragic events at Virginia Tech last week where 32 students 
and faculty lost their lives. Initially, it was not known who 
the shooter was. It turned out to be, we think, a mentally ill 
student acting alone.
    But I want to ask you, from your perspective, what were you 
thinking about when that information came over the wire? For 
example, were you thinking, is this a terrorist plot, is this 
the first phase, is this going to roll out in some of my 
universities in Florida?
    And what information were you able to get in real-time as 
you had those thoughts, and from whom?
    Mr. Zadra. Madam Chair, I can assure you that the state of 
Florida, there is not an incident that happens within our 
state, whether it is an accident of hazardous materials on a 
roadway or anything across the country, our mindset initially 
is first to determine whether or not it has a potential nexus 
to terrorism. I think we all learned a lesson after 9/11.
    Certainly, when this happened our immediate thought, the 
Florida Department of Law Enforcement has protective operations 
detail for our governor and also for our legislature and 
cabinet. And we, of course, when we first heard the news, were 
concerned, did we have a nexus to anything within our state and 
our particular universities and colleges that we needed to also 
be concerned with.
    Fortunately, because of the fusion center concept now, we 
have an embedded Department of Homeland Security analyst within 
our state fusion center. Very immediately two things happened. 
We reached out immediately, through our DH analyst, to the 
national operations center, and we were advised very quickly 
that there was no known nexus to terrorism. Of course, it was 
still unfolding at that time, but there were no initial 
indicators.
    The second thing that happened, which I think is proof 
positive about the fusion center concept is that the Virginia 
fusion center began putting out information that was made 
available to the other state fusion centers. And that was 
extremely critical and beneficial to us.
    I know the last thing that we would want to do as a state 
is to call and begin impacting the local law enforcement 
agencies that were responding to that tragic incident. They had 
their hands full. To have a state, a thousand or more miles 
away, calling and wanting to check to know the status of 
everything, it would be understandable that that could be an 
impediment to them.
    But because of the fusion center there and to be able to 
reach out to them directly and with them providing updates to 
us, and I know the last I saw was update number six, I know at 
least six updates were provided from that fusion center to all 
fusion centers across the nation.
    Ms. Harman. Well, that is a good news report. That is not a 
report you could have given a year or two ago, am I right?
    Mr. Zadra. Yes, ma'am, that is correct.
    Ms. Harman. Fusion centers, which have been the subject of 
other hearings, are beginning to work. DHS does have personnel 
embedded in 12 of them. You are obviously one of 12. We are 
trying to help move more DHS people there, and I am just 
assuming that the products you saw also reflected, for example, 
FBI input, since they are typically a part of the fusion 
center. Is that correct?
    Mr. Zadra. Yes, ma'am, that was my understanding, that 
there was a cooperative effort. And let me add, too, that we 
are awaiting our FBI analyst. We will have an FBI analyst also 
embedded in our state fusion center. The member has just not 
arrived yet, but we are expecting that soon.
    Ms. Harman. Well, I hope that does happen. I mean, the 
goal, again, is to get the right people and right information 
to the right places in real-time. Do you agree?
    Mr. Zadra. Absolutely.
    Ms. Harman. I thank you very much, Mr. Zadra, and now yield 
5 minutes to the ranking member for questions.
    Mr. Reichert. Good morning.
    Thank you, Madam Chair.
    First of all, you mentioned open record laws. I am from 
Washington state, was the sheriff there for a while. In 33 
years of law enforcement, one of the frustrating things in 
working with the federal government, and you touched on, was 
sharing that information and as they shared it with the local 
sheriff's office in Seattle, it became subject to the public 
disclosure laws of the state of Washington.
    Can you talk a little bit about that, how that discussion 
occurred within the framework of your involvement in discussing 
where one had the future of sharing information?
    Mr. Zadra. Yes, sir. In the state of Florida, we have some 
exemptions from public disclosure, and from our perspective 
there are usually three that we point to. One is active 
criminal investigation, the other is active criminal 
intelligence, and then the other deals with security plans, 
which include photographs, floor plans and things like that, of 
critical infrastructure.
    While those are good, there is a hole, so to speak, with 
sensitive information, because now, after 9/11, we have a lot 
of different partners that we need to share with--health, fire, 
emergency managers. So a lot of the information that we get is 
not active criminal investigation, it is not active criminal 
intelligence, and it is not a floor plan, it is not a 
photograph.
    For example, if we have mass prophylaxis from dealing with 
health issues and where that is stored and how it is 
transported, as we have hazardous materials come through our 
state, we want to alert our Florida highway patrol, we want to 
alert our motor carrier compliance, our Department of 
Agriculture, their weigh and inspection stations, of the flow 
of this.
    Under our current public records exemptions, that 
information is not criminal investigative, it is not criminal 
intelligence, and it is not a security plan. We attempt to 
protect it under those type things, and we have been pretty 
much successful.
    But to have a national framework that we--and I have talked 
to both our house and our senate in our state, and if we had a 
national framework that we could point to, to say, this is a 
nationally accepted, controlled, unclassified information that 
we could amend our state laws to provide those protections so 
that when we need to share with other states, they have 
confidence that the state of Florida, despite being an open 
records law state, that we can protect the information they 
share with us.
    Mr. Reichert. Very good. The last part of my question was 
going to address the last part of your answer.
    I was also wondering what your opinion might be in this 
whole area of governance, because local law enforcement has 
difficulty at the state level, the sheriff's level and the 
police chief. Who is going to be in control of the information? 
The governance issue is a big one, as you know. It is always a 
huge issue.
    How did that discussion play out in your discussion of SBU 
and all the players around the table? That governance issue is 
always touchy.
    Mr. Zadra. The state of Florida is a participant in the 
Global Intelligence Working Group under the global justice 
initiative, and so the state of Florida has been able to 
provide input. I personally have been able to review the 
recommendations and provide input to those.
    I also served as homeland security advisor until most 
recently, and we have seven regional domestic security task 
forces that all have intelligence operations and components. So 
we have had discussions with those, and everyone agrees that 
this is a difficult, and we need a national standard.
    We have awaited, of course, understanding the formal 
adoption of these before we have done a lot of pushing out to 
our state, because one thing that happens, while you want to 
have the input from your local state, one thing that has 
happened to us that encouraged our federal partners, it really 
needs to be done and it needs to be done right, so when we take 
it and share it, we can share it once, and it doesn't move, and 
it doesn't change.
    One of the most detrimental things that has happened to us 
in the past is the rollout of new programs, and I have heard 
them described as, well, we were building this airplane on the 
fly.
    To be honest with you, sir, I don't want to fly on an 
airplane that is being built while I am on it, as we are 
flying.
    And so what happens is you push these things out to the 
states, the locals. The federal government begins to lose 
credibility because it continues to change and morph.
    So, truthfully, from the state's perspective, what we have 
done is we would like to know that there are recommendations, 
we have provided input, and once we believe that they are close 
to being finalized, to be able then to really push that through 
our state framework.
    Mr. Reichert. Great. Thank you so much.
    I yield. Thank you, Madam Chair.
    Ms. Harman. Thank you, Mr. Reichert.
    We have votes coming up shortly, but I do have another 
question or two, and so I hope you will join me in a second 
round of questions until we can adjourn the hearing for voting.
    First of all, it is Mr. ``Zadra''? Is that correct?
    Mr. Zadra. Yes, ma'am, but anything is fine.
    [Laughter.]
    Ms. Harman. Well, you are very flexible, but this is my 
second goof of the morning here, besides recognizing another 
witness out of order. I apologize to you, and we will now 
produce Zadra pills, which we are going to put in every federal 
office.
    I surely agree with you, in answer to your last question, 
that it needs to be done right. But it also needs to be done 
now. Do you agree with that?
    Mr. Zadra. Yes, ma'am.
    Ms. Harman. Okay.
    Mr. Zadra. If not, the state and locals, like we have done 
on many things in the past, we have implemented our own 
methodologies and that continues to lead to the confusion and 
interoperability between states. So you are correct. It needs 
to be right, and it needs to be done as soon as possible.
    Ms. Harman. So we have the ambassador calling the White 
House today, and we will have approval later today. That would 
be nice, obviously. Then we need a forcing mechanism across the 
federal government.
    My question to you is, would some funds for training help 
push this concept into the states? I know there are some other 
issues that you were just discussing with Mr. Reichert, but 
would training money be of use to you?
    Mr. Zadra. Madam Chair, absolutely, and the recommendation 
for Florida that we have made, particularly through the 
Department of Homeland Security, deals with the federal grant 
funding programs, and I know that you are highly aware of those 
different ones.
    We would ask, because currently we fund our fusion center 
efforts through the Law Enforcement Terrorism Prevention 
Program, we would ask, because the fusion centers are so 
critical to this entire effort, that there be thoughts, just as 
there are designated port grants or transit grants, that we 
designate fusion center grants. And I believe that the money in 
a fusion center grant is so tied to what we are talking about 
that we would use those funds in conjunction with the fusion 
centers to deal with how we would train how to use CUI.
    Ms. Harman. Well, we are working right now on several 
proposals to push more money into fusion centers to help with 
local training, local involvement, also to get DHS people in 
every fusion center. I was confused about your answer before, 
probably my fault, about the Virginia Tech information. Your 
fusion center does or does not presently have a DHS person in 
it?
    Mr. Zadra. It does.
    Ms. Harman. It does.
    Mr. Zadra. It has since January.
    Ms. Harman. And that fusion center was what you contacted, 
and it got in touch with the Virginia fusion center; is that 
what happened?
    Mr. Zadra. Our state Florida fusion center made contact 
with the Virginia fusion center. Our Department of Homeland 
Security analyst made direct contact to the national operations 
center, which is the Department of Homeland Security. We went 
both ways.
    Ms. Harman. So we had a real live example of information 
sharing, horizontally at the local level and vertically with 
the federal intelligence community; is that correct?
    Mr. Zadra. Yes, ma'am. That is not the first time. I think 
we continually see progress and movement. And, again, the 
creation of state and the regional fusion centers and then 
having our federal components embedded in those, I think, are 
the best things that we could be doing.
    Ms. Harman. Well, we totally agree. We think that is one of 
the best things. We think another of the best things is to 
change the way we protect information so that we only protect 
what we need to protect and we share the rest of it, both on 
the classified side and the pseudo-classified or non-classified 
side. And that is why we are having this hearing. And I think 
you are on the same page; am I right?
    Mr. Zadra. Absolutely. I couldn't agree more.
    Ms. Harman. I thank you again for your very valuable 
testimony, Mr. Zadra, and now yield for additional questions to 
the ranking member.
    Mr. Reichert. I just have two or three follow-ups. Thank 
you, Madam Chair.
    How much of your budget is dedicated to homeland security 
efforts? Would you know the answer to that?
    Mr. Zadra. How much of our state budget or federal grant?
    Mr. Reichert. Your agency's budget.
    Mr. Zadra. Our agency budget? Not a tremendous amount, and 
the reason why is because our state legislature, and I can 
forward it to you later, if you would like, sir, our state 
statute that designates our domestic security efforts in 
Florida indicate that we are to maximize federal funding.
    I believe that Florida has placed approximately $25 million 
of state revenue into this. Florida, fortunately, because of 
the critical infrastructure landscape that we have, we have 
been treated very well from the national level. I mean, we 
would always want more, but Florida has been a recipient and 
last year was the third largest amount of federal funding from 
the Department of Homeland Security.
    Mr. Reichert. What is your agency's training budget? What 
percentage of your budget goes to training?
    Mr. Zadra. Sir, I don't know the answer to that. I don't 
have that with me today. I can certainly provide that as a 
follow-up to you. I do note that we also maximize our federal 
homeland security funds to deal with our training.
    Mr. Reichert. And to further follow up on the chair's 
question regarding funding, would it be helpful to you to have 
additional funds that would pay for backfill as you send people 
to training?
    Mr. Zadra. Yes, sir. To be honest with you, I am sure it 
would be greatly appreciated. I think I can say on behalf of 
the state of Florida, particularly from the law enforcement 
component, is that this is our mission. It is clear to us. This 
is just as important as responding to any burglary, rape, 
robbery, and we would do it if you didn't give us backfill.
    I will say this from the fire side: The fire, we do provide 
backfill and overtime for them. Because when you take a 
hazardous material truck and you send them all to training, 
that is loss. So if you take one member and they don't have 
enough to have that team, so they have to backfill that. Law 
enforcement, we are a little bit different.
    So I guess the best way to answer that, we would be happy 
to receive it and it would be a benefit, but I will assure you 
the state of Florida is going to do what is necessary, even if 
we did not have it.
    Mr. Reichert. Well, one of the things we talked about--this 
is the last question I have--is creating an environment of 
trust. And I just have to smile, still being probably new here 
in my second term, beginning my third year at the federal 
acronyms, so just today SBU, CUI, ISE, PCI, ICC. So when you 
talk about building trust and user friendly, the local cops 
really would like language they can understand, don't you 
agree?
    Mr. Zadra. Sir, interesting that you bring that up, as 
Governor Crist, our newly elected governor, his very first 
executive order was a plain language initiative in the state of 
Florida.
    Mr. Reichert. Yes. I think it is a great idea.
    Mr. Zadra. We concur wholeheartedly. It needs to be very 
plain, it needs to be simple. And no disrespect to our law 
enforcement officers who are obviously very confident, but it 
makes sense that whatever we do has to be simple so that we can 
assure it is done properly and that it will be utilized. If it 
is too complicated, it is not going to be utilized and we won't 
effect what we are after.
    Mr. Reichert. Well, certainly appreciate your time, and 
thank you for your service to your community.
    And I yield back.
    Ms. Harman. I thank the gentleman for yielding back.
    The time for questions has expired.
    I would just note to Mr. Zadra that I often say the 
dirtiest four-letter word in government is not an acronym; it 
is spelled T-U-R-F, and it has a lot to do with the subject we 
are discussing today.
    The hearing is adjourned.
    [Whereupon, at 11:22 a.m., the subcommittee was adjourned.]


 MAKING DHS THE GOLD STANDARD FOR DESIGNATING CLASSIFIED AND SENSITIVE 
                     HOMELAND SECURITY INFORMATION



                                PART III

                              ----------                              


                        Thursday, June 28, 2007

             U.S. House of Representatives,
                            Committee on Homeland Security,
    Subcommittee on Intelligence, Information Sharing, and 
                                 Terrorism Risk Assessment,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:08 a.m., in 
Room 311, Cannon House Office Building, Hon. Jane Harman 
[chairwoman of the subcommittee] presiding.
    Present: Representatives Harman, Langevin, Carney, Reichert 
and Dent.
    Ms. Harman. The hearing will come to order.
    I apologize to my colleagues and our witnesses for needing 
to be in two places at the same time, but the Energy and 
Commerce Committee is marking up the energy bill, and that 
includes things like plug-in hybrids, which are a huge issue 
for California. So I will, as soon as my BlackBerry goes off, 
have to go out; and Mr. Langevin will chair the hearing for a 
period.
    But I would like to welcome our witnesses and welcome our 
panel and take a deep breath and launch. Good morning.
    According to last Sunday's Washington Post, the Vice 
President is inventing his own classified and unclassified 
designations to keep his work products secret. My personal 
favorite--and I have never heard of this designation in my 8 
years on the House Intelligence Committee--is, quote, treated 
as Top Secret SCI, unquote.
    According to the Post, experts in and out of Government 
said Cheney's office appears to have invented that designation, 
which alludes to Sensitive Compartmented Information, the most 
closely guarded category of Government secrets. By adding the 
words ``treated as'', the Post noted, the Vice President seems 
to be seeking to protect his unclassified work as though its 
disclosure would cause exceptionally grave damage to national 
security.
    The problem is that the Vice President and some other law 
enforcement and security agencies believe that they should 
decide which information they can keep secret, regardless of 
the law, rules or what the needs are of our local law 
enforcement community.
    In my view, this is bad policy. But, not only that, it 
poses huge obstacles to our need to connect the dots in time to 
protect, to prevent or to disrupt the next terrorist attack 
against us.
    I ask the question, what hope is there for the controlled 
unclassified information regime being developed by the program 
manager of the Information Sharing Environment at the DNI's 
office if we have agencies and parts of our White House that 
are going to continue to make their own decisions on what 
information they keep secret?
    One of our witnesses today is a player, a participant, in 
the controversy involving the Vice President's office. Bill 
Leonard of the Information Security Oversight Office testified 
before this subcommittee this past March, and we welcome him 
back. At the prior hearing, he and other witnesses helped paint 
a picture of the consequences of abusing the classification 
regime and its outrageous costs to both taxpayers and our 
information-sharing efforts.
    I am aware, Mr. Leonard, that the Justice Department is 
currently trying to resolve the issue between your office and 
the Vice President, and I anticipate that you may not be able 
to comment on the issue, but surely I personally admire your 
courage, and I think you are on the right side.
    Mr. Leonard appears today to testify about what he believes 
the Department of Homeland Security should do to reduce the 
problems from overclassification and pseudo-classification.
    And our other witnesses, each of our other witnesses, 
brings enormous expertise to this. Several of you have been 
witnesses before us before. All of you are people whom I talk 
to on a regular basis about what this committee should be doing 
to get the problem right.
    Let me just state a few other tentative conclusions that we 
have reached after exploring this issue for some time.
    Number one, the only way to insure that relevant homeland 
security information is shared between the Federal Government 
and its State, local, tribal and private sector partners is to 
create a classification and pseudo-classification system that 
is enforceable, understandable and applicable to everyone.
    Number two, almost 6 years after 9/11, we should be 
treating far less information as classified.
    Number three, fixing this should be a top priority.
    Number four, classified markings are not--repeat not--to be 
used to protect political turf or hide embarrassing facts from 
public view. They should only be used to properly hide--if that 
is a good word--or protect sources and methods from public view 
because if those sources and methods are disclosed, people die 
and information dries up.
    Indeed, a recurrent theme throughout the 9/11 Commission's 
report was the need to address the problems of over--and 
pseudo--classification to clear up a major stumbling block to 
dealing with terrorist threats.
    While I hope that Congress will fashion a Government-wide 
solution, this committee, the Homeland Security Department and 
this subcommittee is a good place to start. We can try to 
figure out what Homeland Security should be doing, and we can 
hope that what we propose for the Homeland Security Department 
can become the best practices Government-wide.
    As I mentioned, we have phenomenally good witnesses before 
us today; and I look forward to working with them, continuing 
to work with them, and to working on a bipartisan basis with 
Sheriff Reichert getting this right.
    I would like to extend a warm welcome to everyone and would 
now yield to the ranking member for his opening comments.
    Mr. Reichert. Thank you, Madam Chair; and welcome to all of 
you.
    I have a couple of pages of prepared comments, but I am 
just going to read one paragraph, and then I am going to 
comment from more of a local perspective.
    This subcommittee is to focus on the Department of Homeland 
Security and actions that they can do better in terms of 
overclassification, pseudo-classification. However, in crafting 
legislation, we must not lose sight of the fact that 
overclassification is a Government-wide problem, and that 
requires Government-wide solutions. I think really that kind of 
boils the whole thing down.
    I just want to again comment from a local perspective. It 
has only been a little over 2 years since I came from the 
Sheriff's Office in Seattle. I had 33 years experience there, 
some working with the Federal officials, the FBI, Secret 
Service and DEA and ATF and you name it, from a detective's 
perspective in sharing information and working as partners in 
investigating crimes.
    One of those crimes, as I mentioned in earlier hearings, is 
a well-known case called the Green River Murder Investigations, 
where we had nearly 50 to 60 Federal agents assigned to the 
task force. I operated there as the lead investigator from the 
middle 1980s into the early 1990s. We had difficulty obtaining 
information from the Federal agencies and agents that worked 
there with us, right alongside, side by side.
    My partner, FBI agent Special Agent Bob Agnew, shared 
information with me because we built a relationship. We had a 
friendship where we trusted each other. But the agency itself 
classified the documents that were associated with our case at 
a level where I had no access to the documents in our own case. 
So this is back in the 1980s.
    So when we finally come to make an arrest years later, 19 
years later, while I then served as the first elected sheriff 
in 30 years in Seattle, I had the opportunity once again to 
oversee for 2 years the investigation of this serial murder 
case that solved 50 murders. Part of that investigation then 
required that we go back to the Federal agency, the FBI, and 
acquire the documents that they had produced during that 
investigation for discovery so that we could pursue charges 
against the suspect. They refused to give them to us. That is 
ridiculous, and it touches on the level that the Chair 
mentioned at a local level.
    Really, it boils down to, look, cops on the street, the 
local cops, the local sheriff's deputies, the State Patrol, you 
know, the State agencies, and all the other Federal agencies, 
the guys and gals on the street do not care one iota about the 
Vice President and the politics of this stuff. What they want 
is a system in place where we can share information, where we 
can build that trust, that sort of friendship that Bob Agnew 
and Dave Reichert had back in the mid-1980s, where we could 
share the information vital to investigating a local crime.
    Now, in today's world, after September 11th, vital to the 
security of this Nation, because, as we have all said over and 
over again in this subcommittee and in our full committee, the 
involvement of local law enforcement is critical in the 
protection of our country. And if we don't share information 
with our local agencies and we can't trust each other and build 
trust between local agencies and Federal agencies, this 
country's safety is at great risk.
    So I know all of you are working hard to overcome this 
problem, but I wanted to share with you just one of my 
experiences in my 33-year career working with one Federal 
agency. I have other stories I could share with you that would 
illustrate this point, but I won't take the time this morning.
    So I appreciate you being here this morning and look 
forward to your testimony.
    Madam Chair, I yield.
    Ms. Harman. I thank the gentleman for his comments and 
would note that other members of the subcommittee are reminded 
that, under committee rules, opening statements may be 
submitted for the record.
    Ms. Harman. As mentioned, I welcome our four witnesses.
    Our first witness, Mr. William Leonard, is the Director of 
the Information Security Oversight Office. The ISOO reports to 
the President and is responsible for policy and oversight of 
the Federal Government-wide security classification system and 
the National Industrial Security Program.
    Mr. Leonard has testified several times before Congress 
about the need to break down the classification impediments to 
information sharing. Some of them were just graphically 
mentioned by Mr. Reichert.
    Our second witness, and a very long-standing friend of 
mine, is Scott Armstrong, who is the Executive Director of the 
Information Trust, a nonprofit group that works toward opening 
access to Government information. He has been inducted into the 
Freedom of Information Act, FOIA, Hall of Fame--that is 
impressive; I hope you are wearing the medal--and was awarded 
the James Madison Award by the American Library Association.
    Mr. Armstrong has been a Washington Post reporter, a member 
of the board of several nonprofits, is the founder of the 
National Security Archive of the George Washington University 
and co-author of a major book on the Supreme Court.
    Our third witness, Suzanne Spaulding, is an authority on 
national security issues, including terrorism, homeland 
security, critical infrastructure protection, cybersecurity, 
intelligence, law enforcement, crisis management and issues 
relating to the threats of chemical, biological, nuclear and 
radiological weapons. She just knows everything.
    She started working on national security issues on Capitol 
Hill over 20 years ago. More recently, she was the Executive 
Director of two congressionally mandated commissions, the 
National Commission on Terrorism, on which I was a member and 
where I met her, and the Commission to Assess the Organization 
of the Federal Government to Combat Proliferation of Weapons of 
Mass Destruction, which was chaired by former CIA Director John 
Deutch; and she also was the chief of staff to the then 
minority on the House Intelligence Committee when I was the 
ranking member.
    Welcome back, Suzanne.
    Ms. Spaulding. Thank you.
    Ms. Harman. Our fourth witness, Mark Agrast, is a Senior 
Fellow at the Center for American Progress, where he focuses on 
the Constitution, separation of powers, terrorism, civil 
liberties, and the rule of law.
    Prior to joining the Center for American Progress, Mr. 
Agrast was counsel and legislative director to Congressman 
Delahunt of Massachusetts. He serves on the 37-member Board of 
Governors at the American Bar Association, past Chair of ABA's 
section on Individual Rights and Responsibilities, and a former 
colleague of mine in law practice. Very, very knowledgeable 
about this subject.
    Without objection, all the witnesses' full statements will 
be inserted in the record; and I would now urge you each to 
summarize, in 5 minutes or less, your principal points.
    We do have a timer. You will see it. It will start blinking 
at you. But it will be much more productive if we can have a 
conversation here, not just having you read from a prepared 
text. And all of us are very eager to learn from you today.

STATEMENT OF J. WILLIAM LEONARD, DIRECTOR, INFORMATION SECURITY 
 OVERSIGHT OFFICE, NATIONAL ARCHIVES AND RECORD ADMINISTRATION

    Ms. Harman. Please start, Mr. Leonard.
    Mr. Leonard. Thank you, Madam Chair, Mr. Reichert, members 
of the subcommittee. I want to thank you for holding this 
hearing today and giving me the opportunity to appear.
    Obviously, the ability and the authority to classify 
national security information is a critical tool at the 
disposal of the Government and its leaders to protect our 
Nation and its citizens.
    As with any tool, the classification system is subject to 
misuse and misapplication. When information is improperly 
declassified or not classified in the first place, although 
clearly warranted, our citizens, our democratic institutions, 
our homeland security, and our interactions with foreign 
nations can be subject to potential harm.
    Conversely, too much classification, the failure to 
declassify information as long as it no longer satisfies the 
standards for continued classification, or inappropriate 
reclassification unnecessarily obstructs effective information 
sharing and impedes an informed citizenry, the hallmark of our 
democratic form of Government.
    In this time of constant and unique challenges to our 
national security, it is the duty of all of us engaged in 
public service to do everything possible to enhance the 
effectiveness of this tool. To be effective, the classification 
tool is a process that must be wielded with precision.
    Last year, I wrote to all agency heads and made a number of 
recommendations for their consideration. Collectively, these 
recommendations help preserve the integrity of the 
classification system, while at the same time reduce 
inefficiencies and cost. They included things such as 
emphasizing to all authorized holders of classified information 
the affirmative responsibility they have under the order to 
challenge the classification status of information they believe 
is improperly classified.
    I also suggested requiring the review of agency procedures 
to ensure that they facilitate classification challenges. In 
this regard, agencies were encouraged to consider the 
appointment of impartial officials ombudsmen, if you will, 
whose sole purpose is to seek out inappropriate instances of 
classification and to encourage others to adhere to their 
individual responsibility to challenge classification as 
appropriate.
    Also, I suggested ensuring that quality classification 
guides of adequate specificity and clarity are absolutely 
necessary in order to insure accurate and consistent derivative 
classification decisions.
    In this letter, I also suggested ensuring the routine 
sampling of recently classified products to determine the 
propriety of classification and the application of proper and 
full markings. Agency inspector generals, for example, could be 
involved in this process.
    Consideration should also be given to reporting the results 
of these reviews to agency personnel as well as to officials 
designated who would be responsible to track trends and assess 
the overall effectiveness of the agencies' efforts and make 
adjustments as appropriate.
    Finally, I suggested that agencies need to ensure that 
information is declassified as soon as it no longer meets the 
standards for continued classification.
    Again, thank you for inviting me here today, Madam Chair; 
and I would be happy to answer any questions you or the 
subcommittee may have.
    Ms. Harman. Thank you, Mr. Leonard.
    [The statement of Mr. Leonard follows:]
    Ms. Harman. I just want to announce to all that I have to 
leave to return to this markup. I will try to get back. Mr. 
Carney will assume the Chair, because Mr. Langevin has to 
depart shortly. But we will hear testimony from all four of 
you, and then we will ask questions of all four of you.
    Again, I would like to thank you all, but I would like to 
say to you particularly, Mr. Leonard, that you are in a tough 
fight, and your courage and integrity are very impressive. 
Thank you very much.
    Mr. Leonard. Thank you.
    Ms. Harman. Without objection, I will now turn the Chair 
over to Mr. Carney.
    Mr. Carney. [Presiding.] Thank you, Mr. Leonard, for your 
testimony.
    Mr. Armstrong. Thank you.
    Mr. Armstrong. I was intending to wish our chairwoman, Mrs. 
Harman, a happy birthday, as today is her birthday, but we can 
sing to her when she returns.
    Mr. Carney. Not me. I want to get re-elected.

    STATEMENT OF SCOTT ARMSTRONG, FOUNDER, INFORMATION TRUST

    Mr. Armstrong. I appreciate the opportunity to address 
these issues of classification and pseudo-classification at the 
Department of Homeland Security.
    My views are my own, but I should note I have been working 
closely within the Aspen Institute to sustain a 6-year dialogue 
between senior journalists, editors and publishers and high-
level Government officials from various national security 
agencies, including senior members of Congress and their 
staffs. We met from time to time with the Director of Central 
Intelligence and the Attorney General and ranking members of 
the various intelligence bureaucracies. The product of those 
meetings I think is an agreement that the goal is to have a 
well-informed citizenry that is assured of its safety, without 
sacrificing its liberty.
    The lessons of 9/11 were focused on sharing more 
information within Government agencies, laterally across 
Government agency barriers, and among Federal, State, and local 
governments and with critical private industries, community 
first responders and the public at large.
    The challenge for the Department of Homeland Security is 
not so much how to withhold information or secrets from the 
public but how to share information so as to promote our 
security. For once, the Government's first mission is not to 
silence leaks but to effectively share official information 
outside of its usual constraints.
    The discipline of controlling information needs to give way 
to the creative task of selectively selecting previously 
withheld information and pushing it rapidly and articulately 
out to the extraordinarily varied organizations that protect 
us, from local law enforcement, first responders, medical and 
emergency response teams, community leaders, utility industry 
managers with nuclear facilities, or farms of chemical and 
electrical storage tanks, mass transportation, and on and on.
    Homeland security requires the vigilance of the many, 
rather than the control of the few. Awareness, prevention, 
protection, response and recovery are not hierarchical tasks 
delegated or dictated from the top.
    The National Intelligence Reform Act of 2004 allowed--in 
that Congress took a major step to address these needs. It 
authorized broad central power for the new Director of National 
Intelligence and urged the DNI to create a tear-line report 
system, in which intelligence gathering by agencies is prepared 
so that information relating to intelligence sources and 
methods is easily severable within multi-layered products to 
allow wide sharing, while still protecting truly sensitive 
sources and methods from unauthorized disclosure.
    The benefit of the protection to our communities lies on 
the other side of that tear-line. By concentrating on 
classification guidelines for protecting well-defined sources 
and methods and making refined decisions to protect that which 
really, truly require protection, more of the remaining 
information will be available for sharing with the public.
    Your attention today follows a series of extraordinary 
efforts by this administration to control information with such 
severity and vengeance that it has blinded its constitutional 
partners here and in the judiciary. Most startling, this 
administration has used the information controls to institute 
policy and decision-making layers which have deemed even senior 
departmental officials from working--have doomed them to 
working in the sort of isolated stovepipes that are repeated 
again and again in the lessons of 9/11.
    The practices that I have outlined in my prepared statement 
of DHS that have frustrated this effort can be read there. But 
I emphasize that it is DHS that is the place to start. By 
adopting legislative features, you can directly address your 
interests. Give DHS near-term objectives and extra resources to 
achieve results. Hold the Secretary of Homeland Security 
accountable for the mandates already contained in the law which 
dispensed such sweeping power.
    The DNI has the authority to mandate DHS as a test-bed and 
to direct other departments and agencies to cooperate in 
changing the range of intelligence information controls. Hold 
the DNI accountable for regularly measuring achievements within 
the organizations under his control. Provide built-in 
monitoring by independent and experienced observers, such as 
Bill Leonard and the Information Security Oversight Office and 
Public Interest Declassification Board.
    The tear-line system defined by Congress 4 years ago is the 
right standard. It is the place to start. It needs major 
attention to standardize guidance materials which can be 
applied with precision. Training and performance evaluation is 
necessary throughout.
    But, most of all, demand and reward less information 
control in order to maximize communication. Translate the 
classification guides that Mr. Leonard referred to into action 
directives about what and how Congress--what and how should be 
communicated, rather than simply whether information might be 
classified and decontrolled. Hold Government officials and 
employees accountable for their decisions. When mistakes come 
to light, reeducate and retrain and emphasize the importance of 
the supervisors in that process.
    Lastly, encourage the Office of the DNI and the full range 
of agencies under the DNI authority. This includes, not limited 
to DHS, to take careful cognizance of the well-established 
tradition of background briefings in which national security 
officials and the news media communicate informally in a manner 
meant to inform the public, including Congress and others in 
the executive, and provide a degree of confidence that secrecy 
is not being used to erode or impede civil liberties and free 
expression.
    We would all do well to recall that our freedom has been 
protected and our homes have been secure because we as a people 
have understood how to best share information and how to best 
respond together to mutual threats. We look forward to 
cooperating with you in that effort.
    Thank you.
    Mr. Carney. Thank you, Mr. Armstrong.
    [The statement of Mr. Armstrong follows:]

                 Prepared Statement of Scott Armstrong

                             June 28, 2007

    Chairwoman Harman, Ranking Member Reichert, and members of the 
Committee, thank you for this opportunity to address the issues of 
classification and pseudo-classification at the Department of Homeland 
Security.
    My views today are my own, but I should note that I have been 
working closely with the Aspen Institute to sustain a six-year Dialogue 
between senior journalists, editors and publishers and high level US 
government officials from various national security and intelligence 
agencies, including senior members of congress and their staffs. The 
Dialogue on Journalism and National Security has attempted to address 
recurring concerns about the handling of sensitive national security 
information by government officials and representatives of the news 
media. The discussions have included the Attorney General, the Director 
of the Central Intelligence Agency and ranking officials from the 
National Security Council, the Department of Defense, the National 
Security Agency, the FBI as well as the CIA and the Department of 
Justice.
    The Dialogue grew out of mutual concerns that legislation passed by 
both Houses of Congress in 2000 was, in effect, America's first 
Official Secrets Act. Although vetoed by President Clinton, the bill 
was reintroduced in 2001. In the wake of 9/11, high ranking officials 
of the national security community and the leadership of national press 
organizations recognized that the disclosure of sensitive national 
security information was a reason for concern. We found considerable 
agreement that legislation which inhibited virtually all exchanges of 
sensitive information--even responsible exchanges designed to increase 
public appreciation of national security issues--was not likely to make 
America more secure.
    The goal, we seemed to agree, has been to have a well-informed 
citizenry that is assured of its safety without sacrificing its 
liberty. The lessons of 9/11 focused on sharing more information within 
government agencies, laterally across federal agency barriers and among 
federal, state, local governments and with critical private industries, 
community first responders and the public at large.
    The Homeland Security Information Sharing Act, first passed by the 
House in 2002 and incorporated into the Homeland Security Act of 
2004,\1\ mandated the creation of a unique category of information 
known as ``sensitive homeland security information.'' This category of 
SHSI information--as we have transliterated the acronym--was designed 
to permit the sharing of certain critical information with state and 
local authorities without having to classify it and require its 
recipients to hold clearances thus creating new barriers to 
communication. At the same time, SHSI designates information deemed 
necessary to withhold briefly from the general public while appropriate 
measures are taken to protect our communities.
---------------------------------------------------------------------------
    \1\ PL.107-296
---------------------------------------------------------------------------
    The challenge for the Department of Homeland Security is not so 
much how to WITHHOLD secrets from the public and its local governmental 
representatives. The challenge is how to SHARE information so as to 
promote our security. For once government's first mission is not to 
silence ``leaks,'' but to effectively share official information 
outside its usual restraints.
    The discipline of controlling information needs to give way to the 
creative task of selecting previously withheld information and pushing 
it rapidly and articulately out to the extraordinarily varied 
organizations that protect us: local law enforcement; first responders; 
medical and emergency response teams; community leaders; utility 
industry managers with nuclear facilities or farms of chemical and 
energy storage tanks; mass transportation operators, and so forth.
    Homeland security requires the vigilance of the many rather than 
the control of the few. Awareness, prevention, protection, response and 
recovery are not hierarchical tasks dictated from the top. Secrecy must 
yield to communication. This is no trivial task. The mission of 
information sharing is difficult enough within the cumbersome and 
slumbering giant newly merged from dozens of agencies and populated 
more than 180,000 employees. But that job is only the beginning since 
DHS is the focal point for leveraging some 87,000 different 
governmental jurisdictions at the federal, state, and local level which 
have homeland security responsibilities involving tens of millions of 
Americans whose responsibilities cannot be choreographed from afar, but 
must be inspired by shared information.
    In the National Intelligence Reform Act of 2004, the Congress took 
another major step to address this phenomenon. It authorized broad 
centralized power for the new Director of National Intelligence and 
urged the new DNI to create a tear-line report system by which 
intelligence gathered by an agency is prepared so that the information 
relating to intelligence sources and methods is easily severable within 
multiple layered products to allow wide sharing while protecting truly 
sensitive sources and methods from unauthorized disclosure.
    The benefit to the protection of our communities lies on the other 
side of that ``tear-line'' system. By concentrating on the 
classification guidelines for protecting well-defined sources and 
methods and making refined decisions to protect that which truly 
requires protection, more of the remaining information should be 
available for sharing within the intelligence community as well as 
within the diversified and distributed elements of the colossus of 
those charged with Homeland Security responsibilities. The public 
benefits from these designations within internally published 
intelligence requiring protection because it makes majority of fact and 
analysis available for expedited release--not just to homeland security 
organizations--but also to the media and the public.
    Your attention today follows a series of extraordinary efforts by 
this administration to control information with such severity and 
vengeance that it has blinded its constitutional partners here and in 
the judiciary. Most startling, this administration has used these 
information controls to institute policy and decision making layers 
which have doomed even senior departmental officials to work in the 
sort of isolated stovepipes described in the repetitious texts of 9/11 
failures.
    This is no longer a question of issues of over-classification but 
one of wholesale compartmentalized control and institutionalized 
intimidation through the use of draconian Non-Disclosure Agreements. It 
appears designed more to inhibit and constipate internal communications 
in the federal government than to protect the national security.
    Not surprisingly, the Department of Homeland Security wasted no 
time in replicating the move to Non-Disclosure Agreements (NDA's). But 
it combined it with an effort to side-step the congressional mandate to 
foster information sharing. Rather than educate the rest of the 
government on how to effectively communicate information, DHS dispersed 
new information control authority across the full spectrum of executive 
agencies. The uncoordinated proliferation of Sensitive But Unclassified 
designations--of the sort you address today--already includes some 
remarkable missteps.
    In one instance, the Department of Homeland Security drafted a 
draconian Non-Disclosure Agreement (NDA) designed to impose 
restrictions on tens of thousand federal employees and hundreds of 
thousands of state and local first responders. This NDA \2\ for 
unclassified information more severe than the NDA's covering Sensitive 
Compartmented Information and even more sensitive information under the 
government's control.
---------------------------------------------------------------------------
    \2\ DHS Form 11000-6 (08-04) ``NON-DISCLOSURE AGREEMENT''.
---------------------------------------------------------------------------
    This NDA required officials, employees, consultants and 
subcontractors to protect such ``sensitive but unclassified 
information,'' which is defined as ``an over-arching term that covers 
any information. . . which the loss of, misuse of, or unauthorized 
access to or modification of could adversely affect the national 
interest or the conduct of Federal programs, or the privacy [of] 
individuals . . . but which has not been specifically authorized under 
criteria established by an Executive Order or an Act of Congress to be 
kept secret in the interest of national defense or foreign policy. This 
includes information categorized by DHS or other government agencies 
as: For Official Use Only (FOUO); Official Use Only (OUO); Sensitive 
Homeland Security Information (SHSI); Limited Official Use (LOU); Law 
Enforcement Sensitive (LES); Safeguarding Information (SGI); 
Unclassified Controlled Nuclear Information (UCNI); and any other 
identifier used by other Government agencies to categorize information 
as sensitive but unclassified.''
    This overbroad--but legally binding requirement--was implemented as 
a condition of access to certain unclassified information. Such an NDA 
represented a vast increase in government secrecy. It left control in 
the hands of an undefined and virtually unlimited number of 
supervisors. Those who signed the agreement were bound perpetually 
until it was explicitly removed. The NDA had no statutory authority and 
thus no defined criteria, rules, limitations or effective oversight. 
Although it did not provide an explicit rationale for withholding 
``Sensitive But Unclassified'' information under the Freedom of 
Information Act, it surely provided an incentive to err in favor of 
using other exemptions to deny release.\3\
---------------------------------------------------------------------------
    \3\ See also DHS directive (MD 11042) on ``Safeguarding Sensitive 
But Unclassified (For Official Use Only) Information,'' dated May 11, 
2004.
---------------------------------------------------------------------------
    Although this NDA was withdrawn by DHS in January 2005, it was used 
last year at the Department to silence private Wackenhut guards who 
were speaking to the press about security breakdowns at the 
Department's Nebraska Avenue headquarters. Other instances of SBU 
constraints by government agencies, contractors and utilities appear to 
be used most often to discourage and prevent the public from 
participating in its government. Provisions similar to the DHS NDA have 
since appeared in other employee and contractor agreements both within 
DHS and within other departments.\4\
---------------------------------------------------------------------------
    \4\ See CRS Report RL33303, ``Sensitive But Unclassified'' 
Information and Other Controls: Policy and Options for Scientific and 
Technical Information, February 15, 2006 Genevieve J. Knezo, Specialist 
in Science and Technology Policy, Resources, Science, and Industry 
Division.
---------------------------------------------------------------------------
    I repeat the details of DHS's failed practices to underline the 
suggestion that DHS is dramatically out of synch with its mandate to 
increase our security at home by aggressively--and yet carefully--
sharing information in order to frustrate terrorists through prepared 
and coordinated responses of the most sophisticated intelligence 
capabilities on one hand, and our most formidable first line of 
defense--local law enforcement and first responders, on the other hand.

                         The Necessary Response

Adopt into legislation features which directly address your intentions.
    1. DHS is the right place to begin. The current classification 
system within government is out of control and likely uncontrollable. 
Someone needs to start over with a new test-bed. DHS, with its 
critically mission of communicating effectively across the federal 
government and with all other layers of state and local institutionsm 
has the greatest incentive for change.
    2. Give DHS near-term objectives and extra resources to achieve 
concrete results. Hold the Secretary of Homeland Security accountable 
for the mandates contained in the law which dispensed such sweeping 
power.
    3. The DNI has the authority to mandate DHS as a test-bed and to 
direct other departments and agencies to cooperate in changing the 
range of intelligence and information control systems. Hold the DNI 
accountable by regularly measuring achievements within organizations 
under his control.
    4. Provide built-in monitoring by independent and experienced 
observers such as the Information Security Oversight Office and the 
Public Interest Declassification Board and provide the monitors with 
the resources to do their job.
    5. The tear-line system designated by Congress four years ago is 
the right standard. It needs major attention to standardize guidance 
materials which can be applied with precision. All intelligence 
publication and sharing should be premised on carefully and formally 
defining sources and methods which require protection by isolating the 
smallest number of critical details. Information which requires less 
protection will receives greater circulation and earlier decontrol.
    6. Provide training and performance evaluation incentives 
throughout all levels of DHS, in order to assure that the information 
which needs tight sources and methods control--and only that 
information--receives the ultimate protection.
    7. Create an electronic metadata tagging system which requires that 
rigorous classification decision making will follow established 
guidance. Use it to assure that all levels understand they must conform 
with established practice and their effectiveness can and will be 
calibrated. Such a tagging system not only improves accountability, but 
also allows corrections and the protection of information improperly 
handled.
    8. Demand and reward less information control in order to maximize 
communication.
        Changing goals require reinforcement that professionalizes 
        every level and every aspect of the information control 
        process.
         Translate Information Control Guides (Classification 
        Guides) into action directives about what and how to 
        communicate rather than simply what and when information might 
        be declassified or decontrolled.
         Provide opportunities for training and conceptual 
        exercise which insist on communication up and down the line as 
        well as lateral reviews and find mechanisms to make sure that 
        the communication runs to, as well as from, all intended 
        recipients.
    9. Hold government officials and employees accountable for their 
decisions.
         When mistakes come to light, reeducate and retrain.
         Rethink the scope and purpose of both past practices 
        and contemporary innovations by insisting managers manage the 
        process with a willingness to keep changing procedures until 
        they truly work.
         Remove authority from those who abuse it.
         Hold supervisors responsible by requiring them to 
        assume additional monitoring and training responsibilities if 
        those reporting to them fail to perform well-defined and 
        specifically designated responsibilities. Similarly reward them 
        when their aides perform their communication roles well.
         End the incentive to classify simply because over 
        classifying has no consequences to individuals but information 
        released can be career ending.
         Institute pro-active audits and correlated retraining.
         Allow government employees and motivated citizens--
        such as users of the FOIA--to bring mistakes to light. Follow-
        up in a transparent manner to demonstrate that improved 
        communication and improved information controls are not 
        necessarily on separate planes but are integrated concerns of 
        all stakeholders in a democracy.
    10. Encourage the Office of the DNI and full range of Agencies 
under DNI authority--including but not limited to DHS--to take careful 
cognizance of the well established tradition of background briefings in 
which national security officials and the media communicate informally 
in a manner meant to inform the public (including the Congress and 
others in the Executive) and provide a degree of confidence that 
secrecy is not being used to erode or impede civil liberties and free 
expression.
         Include training for national security officials on 
        responsible interaction with the news media by including the 
        news media in the training
         Offer the media opportunities to learn about the laws, 
        regulations and practices which involve secrecy and other 
        national security protocols.
    We would all do well to recall that our freedom has been protected 
and our homes have been secure because--as a people--we have understood 
how to best to share information and how best to respond together to 
mutual threats.

    Mr. Carney. Ms. Spaulding for 5 minutes, please.

     STATEMENT OF SUZANNE E. SPAULDING, PRINCIPAL, BINGHAM 
                      CONSULTING GROUP LLC

    Ms. Spaulding. Thank you, Chair, ranking member and members 
of the committee. I very much appreciate this opportunity to be 
here today to testify about classification issues at the 
Department of Homeland Security. It is a very important issue, 
and I commend the committee for making it a priority.
    In my 20 years working national security issues for the 
Government, I have seen firsthand how important it is to get 
this classification issue right. It may seem counterintuitive 
to some, but avoiding overclassification is essential to 
protecting vital national security secrets. Those handling 
classified documents will have greater respect for that Top 
Secret stamp if they know that things are only classified when 
they their disclosure will truly harm national security.
    When things are classified that clearly would not harm 
national security, it tempts some individuals to believe that 
they can decide what is really sensitive and what is not. Now 
let me be clear that, in making that observation, I am in no 
way trying to excuse the disclosure of classified information, 
merely to note that the risk of leaks I believe is heightened 
by overclassification.
    A similar phenomenon follows the increasingly common 
practice of selective declassification by Government officials. 
Strategic and carefully considered decisions to make previously 
classified information available to the public can be important 
in increasing transparency. But when the disclosures appear to 
be designed to advance a particular political agenda or to gain 
an advantage in a policy dispute, it again undermines the 
respect for and confidence in the classification system. And 
this risk is heightened when the declassification is done 
selectively, so as to reveal only intelligence that supports 
one side of the issue, leaving contrary intelligence 
classified.
    It is equally essential for our national security that 
information that can be shared without jeopardizing national 
security is not prevented by overclassification from getting to 
those who need it and could make use of it.
    It is appropriate that the committee has decided to begin 
with an effort to make the Department of Homeland Security the 
gold standard for reducing overclassification, because it is 
DHS that faces the most significant imperative to provide 
relevant information to a wide range of users, including those 
at the State and local level, the private sector, and even 
within DHS who are not traditional members of the national 
security community and are unlikely to hold security 
clearances. If information is unnecessarily restricted, it 
threatens homeland security by hampering the ability of these 
key players to contribute to the mission.
    I know the committee is considering a number of ideas, a 
number of which have already been articulated here today, and I 
think these are very sound suggestions. There are additional 
near-term and longer-term steps that the committee might also 
consider.
    One, require that intelligence documents be written in an 
unclassified version first to the maximum extent possible. 
Rather than creating a tear-line of unclassified or less 
sensitive information at the bottom of a document, why not set 
up the system so that no classified document can be prepared 
without first entering information into the unclassified 
section at the top of the document? This exercise could prompt 
a more careful effort to distinguish between truly classified 
information and that which can be shared more broadly and 
provide a visual reinforcement of the importance of writing in 
an unclassified form.
    Two, enforce portion marking. This used to be the standard 
practice, where each paragraph was determined to be whether it 
was classified or unclassified. We have drifted away from that, 
and I think we should go back to really enforcing that 
requirement.
    Three, use technology to tag information as it moves 
through the system. This provides even greater granularity than 
the paragraph portion marking, indicating which precise bits of 
information are classified. And then these tags, perhaps 
embedded in metadata, can move through the system with that 
information, facilitating the production of less classified 
documents.
    Reverse the incentive to overclassify. This will not change 
until performance evaluations consider classification issues. 
It should be a specific factor when employees are evaluated for 
moving up or for raises. Employees who routinely overclassify 
should be held accountable and receive additional training, and 
employees should be rewarded for producing reports that can be 
widely disseminated.
    Five, identify key Federal, State and local officials who 
can receive relevant classified information by virtue of their 
office, rather than by having to get a clearance. This is how 
we have always handled it for Members of Congress. More 
recently, we have included Governors; and DHS should consider 
extending it to other key officials.
    And, six, develop innovative ways of sharing information 
without handing over documents; and I have got some specifics 
on that in my prepared testimony.
    In conclusion, these are just a few ideas, based on 
practical experience working in the classified environments for 
nearly 2 decades. I know the committee is aware of the 
outstanding work of the Markle Foundation and others, and I 
recommend those to your consideration as well.
    The problem of overclassification is an enduring one and 
presents a daunting challenge. The committee is to be commended 
for taking up that challenge and endeavoring to set a new 
standard at DHS, and I appreciate the opportunity to contribute 
to that effort.
    Thank you.
    Mr. Carney. Thank you, Ms. Spaulding.
    [The statement of Ms. Spaulding follows:]

               Prepared Statement of Suzanne E. Spaulding

                             June 28, 2007

    Chairwoman Harman, Ranking Member Reichert, and members of the 
Committee, thank you for this opportunity to testify today about 
classification issues at the Department of Homeland Security. This is 
an important issue and I commend the committee for making it a 
priority.
    I was fortunate enough to spend 20 years working national security 
issues for the government, including 6 years at CIA and time at both 
the Senate and House Intelligence Committees. I have seen first hand 
how important it is to get the classification issue right.
    It may seem counterintuitive to some, but avoiding over-
classification is essential to protecting vital national security 
secrets. Those handling classified documents will have greater respect 
for that ``Top Secret'' stamp if they know that things are only 
classified when their disclosure would truly harm national security. 
When things are classified whose disclosure clearly would not harm 
national security, it tempts some individuals to believe that they can 
decide what is really sensitive and what is not. This could apply to 
employees in the intelligence community or others, such as members of 
the media, who receive classified documents. In making this 
observation, I certainly do not mean in any way to excuse the 
disclosure of classified information, merely to note that the risk of 
leaks is heightened by over-classification.
    A similar phenomenon follows the increasingly common practice of 
``selective declassification'' by government officials. This selective 
declassification can be accomplished either by unofficial leaks to the 
media or by official decisions to declassify material. Strategic and 
carefully considered decisions to make previously classified 
information available to the public can be an important and effective 
way of increasing the transparency that is so vital for a functioning 
democracy. However, when the disclosures appear to be designed to 
advance a particular political agenda or to gain advantage in a policy 
dispute, it again undermines the respect for and confidence in the 
classification system. An employee or reporter who sees senior 
officials deciding that classification isn't as important as their 
particular agenda may be emboldened to make similar decisions. This 
risk is heightened when the classification is done selectively so as to 
reveal only intelligence that supports one side of the issue, while 
leaving contrary intelligence classified.
    Just as getting the classification process right is vital for 
protecting true secrets, it is essential that information that can be 
shared without jeopardizing national security is not prevented by over-
classification from getting to those who could make use of it. As the 
9/11 Commission Report made clear, this is particularly urgent for our 
counterterrorism efforts.
    It is appropriate that the Committee has decided to begin with an 
effort to make the Department of Homeland Security the ``Gold 
Standard'' for reducing over-classification, since DHS faces the most 
significant imperative to provide relevant information to, and receive 
and analyze information from, a wide range of users who are not 
traditional members of the national security community. Key players at 
the state and local level, in the private sector, and within DHS? own 
entities, are unlikely to have clearances. Yet they serve vital roles 
in protecting the homeland and can provide, benefit from, and help 
analysts to better understand, information that is gathered overseas 
and in the US. If this information is unnecessarily restricted, it 
threatens homeland security by hampering the ability of these key 
players to contribute to the mission.
    I know that the committee is considering a number of ideas, 
including a certification process to ensure that those who have 
authority to classify documents are properly trained to recognize when 
information is truly sensitive and regular audits of existing 
classified documents to assess the scope and nature of any over-
classification. I think these are sound suggestions. There are 
additional near-term and longer-term steps that the Committee might 
also consider.
    1. Require that documents be written in unclassified version first, 
to the maximum extent possible. Traditional practice in the 
intelligence community has been to prepare a classified document 
reflecting the intelligence and then, if dissemination to non-cleared 
individuals was required, to prepare an unclassified version at the 
bottom of the document after a ``tear line.'' These are known as ``tear 
sheets;'' the recipient would tear off the bottom portion to provide to 
the un-cleared recipient. Instead, to facilitate the admonition to move 
from a ``need to know'' to a ``need to share'' culture--what the Markle 
Foundation called a ``culture of distribution''--why not set up the 
system so that no classified document can be prepared without first 
entering information in the unclassified section at the top of the 
document. There may be times when almost nothing can be put it the 
unclassified portion, but the exercise could prompt more careful effort 
to distinguish between truly classified information and that which can 
be shared more broadly. And putting the unclassified version at the top 
visually reinforces the shift in priorities.
    2. Enforce ``portion marking.'' It used to be standard practice 
that each paragraph of a document had to be individually determined and 
marked as classified or unclassified. This requires more careful 
consideration of what information is actually sensitive and assists in 
any later efforts to provide an unclassified version of the document. 
My sense is that, over time, documents are increasingly classified in 
their entirety, with no portion marking, making it far more difficult 
and cumbersome to ``sanitize'' the information for wider dissemination. 
A simple immediate step would be to enforce the requirement for portion 
marking for every classified document.
    3. Use technology to tag information as it moves through the 
system. The optimum system would provide even greater granularity than 
the paragraph portion marking, indicating what precise bits of 
information are classified. These classification ``tags''--perhaps 
imbedded in metadata--would then move with the information as it flows 
through the system and facilitate the preparation of unclassified 
versions of documents. The more precisely we can isolate truly 
sensitive information, the easier it will be to identify and 
disseminate unclassified information.
    4. Reverse the ``default'' incentive to over-classify. Virtually 
all of the incentives today are in favor of over-classification. The 
danger of not classifying information that is indeed damaging to 
national security is well understood. What is not as widely appreciated 
in the national security risk of over-classification. Thus, there are 
effectively no penalties in the system for an individual decision to 
classify unnecessarily. This will not change until performance 
evaluations consider classification issues. Regular audits can provide 
insight into individual patterns as well as overall agency performance, 
for example. Employees who routinely over--classify should be held 
accountable and receive additional training. And employees should be 
rewarded for producing reports that can be widely disseminated. In 
addition, the system should make it easy to produce unclassified 
documents and require a bit more effort to classify something. 
Requiring that unclassified documents be written first and enforcing 
the requirement for portion marking are some examples. Requiring that 
the specific harm to national security be articulated in each case 
might be another possibility, although it is important not too make the 
system so cumbersome that it undermines the ability to be quick and 
agile when necessary. Ultimately, you want a process that makes it 
harder to go around the system that to use it.
    5. Identify key federal, state, and local officials who can receive 
relevant classified information by virtue of their office rather than 
having to get a clearance. This is how it has always worked with 
Members of Congress. More recently, this was adopted as the policy for 
governors. DHS should consider extending this to other key officials.
    6. Develop innovative ways of sharing information without handing 
over documents. Ultimately, the key is to enhance understanding and 
knowledge. Too much emphasis is sometimes placed on sharing documents, 
rather than on sharing ideas, questions, and insights gleaned from 
those documents. This can often be done without revealing the sensitive 
information in the documents. In addition, when dealing with 
unclassified but sensitive information, such as business proprietary 
information, DHS could consider ``partnership panels'' where the 
government and business would come together in a neutral space, share 
information such as vulnerability assessments and threat information, 
so as to enhance mutual understanding and benefit from each others 
insights, but then leave the space without having handed over the 
documents.
    These are just a few ideas based on practical experience working in 
classified environments for nearly two decades. I know that the 
Committee is aware of the outstanding work by the Markle Foundation and 
others in developing recommendations for improving information sharing 
and will take those under consideration as well.
    The problem of over-classification is an enduring one and presents 
a daunting challenge. This Committee is to be commended for taking up 
that challenge and endeavoring to set a new standard at DHS. I 
appreciate the opportunity to contribute to that important effort.

    Mr. Carney. Mr. Agrast, please summarize for 5 minutes.

 STATEMENT OF MARK AGRAST, SENIOR FELLOW, CENTER FOR AMERICAN 
                            PROGRESS

    Mr. Agrast. Thank you, Mr. Carney.
    My name is Mark Agrast. I am a Senior Fellow at the Center 
for American Progress, where I focus on civil liberties and 
national security concerns; and I previously spent a decade on 
Capitol Hill.
    Most Americans understand and accept the need to protect 
Government information whose disclosure would endanger the 
Nation's security. But as the 9/11 Commission found, too much 
secrecy can put our Nation at greater risk, hindering 
oversight, accountability and information sharing, concealing 
vulnerabilities until it is too late to correct them, and 
undermining the credibility of the classification system 
itself.
    Ten years ago, the Moynihan Commission concluded secrets 
could be protected more effectively if secrecy is reduced 
overall. Unfortunately, while the Clinton Administration made 
much headway in reducing unnecessary secrecy, today we are 
moving in the opposite direction. There were nearly three times 
as many classification actions in 2004 as in the last year of 
the Clinton Presidency; and while President Clinton 
declassified nearly a billion pages of historical material, the 
pace has slowed to a trickle in the last 6&ars.
    Today's epidemic of overclassification stems in part from 
rules that resolve all doubts in favor of nondisclosure and in 
part from standards so hard to administer that even skilled 
classifiers often get it wrong. Sometimes material is 
classified only to suppress embarrassing information.
    Take the decision to classify the Taguba Report on prisoner 
abuse at Abu Ghraib. A reporter who had seen a copy of that 
report asked Secretary Rumsfeld why it was marked Secret. You 
would have to ask the classifier, Rumsfeld said. Or the 
decision to reclassify a 1950 intelligence estimate written 
only 12 days before Chinese forces entered Korea, predicting 
Chinese entry in the conflict was not probable.
    Still, despite such failures, at least there are rules what 
can be classified, for how long and by whom. The same cannot be 
said for the designations used by Federal agencies to deny 
access to sensitive but unclassified information. Few of these 
pseudo-classifications have ever been authorized by Congress. 
They allow virtually any employee, and even private 
contractors, to withhold information that wouldn't even rate a 
Confidential stamp, with few standards or safeguards to prevent 
error and abuse.
    As the Chair noted, last Sunday's Washington Post described 
a pseudo-classification scheme invented by the Vice President 
himself. His office has been giving reporters documents labeled 
treat as Top Secret/SCI, an apparent attempt to treat 
unclassified material as though it were Sensitive Compartmented 
Information, a special access designation reserved for secrets 
whose disclosure would cause exceptionally grave damage to 
national security.
    I commend the committee, the subcommittee for its 
commitment to doing the oversight that is so long overdue; and 
I hope you won't stop at oversight. It has been 10 years since 
the Moynihan Commission urged Congress to legislate the rules 
that protect national security information, rather than leaving 
it up to the executive branch to police itself. It is time for 
Congress to take up that challenge.
    In some cases, this will require Government-wide solutions. 
For example, Congress could and should reinstate the 
presumption against classification in cases of significant 
doubt, the Clinton era policy which the Moynihan Commission 
urged Congress to codify.
    Congress should also rein in the use of pseudo-
classification, at a minimum prohibiting agencies from adopting 
unclassified designations that are not expressly authorized and 
mandating strict standards for any designations it does 
authorize to minimize their impact on public access.
    Better still, Congress could refrain from authorizing 
unclassified designations in the first place. Such powers are 
all too easily given; and, once they are in place, it is 
virtually impossible to get rid of them.
    Finally, Congress can take steps to reform the system one 
agency at a time by initiating reforms at the Department of 
Homeland Security. By making DHS the gold standard, Congress 
can promote best practices throughout the system.
    My full statement includes recommendations to improve 
oversight of the classification system at DHS and to reduce the 
harmful effects of pseudo-classification as well. I would just 
review a couple of those in the half a minute or so that I have 
left.
    I would recommend that Congress establish an independent 
DHS Classification Review Board to ensure that information is 
declassified as soon as it no longer meets the criteria for 
classification. Congress should establish an independent ombuds 
office within DHS to assist with declassification challenges 
and requests for declassification. It should require the DHS 
Inspector General to conduct periodic audits of the DHS 
classification program and report to Congress on the 
appropriateness of classification decisions. And it should 
require DHS to implement a system of certification for DHS 
officials with classification authority and to provide them 
with training and proper classification practices.
    I would refer you to my testimony for recommendations 
regarding sensitive information controls.
    I do think that by helping to ensure that the Government 
keeps secret only what needs to be kept secret, these measures 
and others would enhance both openness and security at DHS and 
throughout the Government.
    Thank you.
    [The statement of Mr. Agrast follows:]

                  Prepared Statement of Mark D. Agrast

                             June 28, 2007

    Madame Chair, Ranking Member Reichert, and members of the 
subcommittee, thank you for conducting this hearing and inviting me to 
testify.
    My name is Mark Agrast. I am a Senior Fellow at the Center for 
American Progress, where I work on issues related to the Constitution, 
separation of powers, terrorism and civil liberties, and the rule of 
law.
    Before joining the Center, I was an attorney in private practice 
and spent over a decade on Capitol Hill, most recently as Counsel and 
Legislative Director to Congressman William D. Delahunt of 
Massachusetts. A biographical statement is appended to my testimony.
    In an address to the Oklahoma Press Association in February 1992, 
former Director of Central Intelligence, Robert M. Gates, now the 
Secretary of Defense, noted that the phrase ``CIA openness'' can seem 
as much an oxymoron as ``government frugality'' and ``bureaucratic 
efficiency.'
    That seeming contradiction in terms illustrates the anomalous role 
that secrecy plays in a democracy that depends so profoundly on an 
informed and engaged citizenry.
    At the same time, most Americans understand and accept the need to 
withhold from public view certain national security information whose 
disclosure poses a genuine risk of harm to the security of the nation.
    But the events of 9/11 taught us how dangerously naive it would be 
to equate secrecy with security. As the 9/11 Commission conclude, too 
much secrecy can put our nation at greater risk, hindering oversight, 
accountability, and information sharing.
    Too much secrecy--whether through over-classification or through 
pseudo-classification--conceals our vulnerabilities until it is too 
late to correct them.
    It slows the development of the scientific and technical knowledge 
we need to understand threats to our security and respond to them 
effectively.
    It short-circuits public debate, eroding confidence in the actions 
of the government.
    And finally, it undermines the credibility of the classification 
system itself, encouraging leaks and breeding cynicism about legitimate 
restrictions. As Associate Justice Potter Stewart famously cautioned in 
the Pentagon Papers case:
    I should suppose that moral, political, and practical 
considerations would dictate that a very first principle of that wisdom 
would be an insistence upon avoiding secrecy for its own sake. For when 
everything is classified, then nothing is classified, and the system 
becomes one to be disregarded by the cynical or the careless, and to be 
manipulated by those intent on self-protection or self-promotion. I 
should suppose, in short, that the hallmark of a truly effective 
internal security system would be the maximum possible disclosure, 
recognizing that secrecy can best be preserved only when credibility is 
truly maintained.\1\
---------------------------------------------------------------------------
    \1\ N.Y. Times Co. v. U.S., 403 U.S. 713, 729 (1971) (Stewart, J., 
concurring).
---------------------------------------------------------------------------
    The Commission on Protecting and Reducing Government Secrecy, 
chaired by Sen. Daniel Patrick Moynihan, reached a similar conclusion 
in its 1997 report: ``The best way to ensure that secrecy is respected, 
and that the most important secrets remain secret, is for secrecy to be 
returned to its limited but necessary role. Secrets can be protected 
more effectively if secrecy is reduced overall.'' \2\
---------------------------------------------------------------------------
    \2\ Report of the Comm'n on Protecting & Reducing Gov't Secrecy 
(1997) at xxi [hereinafter Moynihan Commission Report].

Classification, Declassification and Reclassification
    The Moynihan Commission was created by Congress to consider whether 
it was time to rethink the vast system of secrecy that had been brought 
into being during the Cold War. The Commission recommended a series of 
statutory reforms to the classification system that were widely praised 
but never implemented.
    The spirit of the Moynihan recommendations can certainly be 
discerned in the contemporaneous amendments to the classification 
system that were instituted by President Clinton under Exec. Order No. 
12958. The order established a presumption of access, directing that 
``If there is significant doubt about the need to classify information, 
it shall not be classified.'' Similarly, the order provided that ``If 
there is significant doubt about the appropriate level of 
classification, it shall be classified at the lower level.'' The 
Clinton order also: .
         Limited the duration of classification, providing that 
        where the classifier cannot establish a specific point at which 
        declassification should occur, the material will be 
        declassified after 10 years unless the classification is 
        extended for successive 10-year periods under prescribed 
        procedures.
         Provided for automatic declassification of government 
        records that are more than two years old and have been 
        determined by the Archivist of the United States to have 
        permanent historical value, allowing for the continued 
        classification of certain materials under specified procedures.
         Established a balancing test for declassification 
        decisions in ``exceptional cases,'' permitting senior agency 
        officials to exercise discretion to declassify information 
        where ``the need to protect such information may be outweighed 
        by the public interest in disclosure of the information.''
         Prohibited reclassification of material that had been 
        declassified and released to the public under proper authority.
         Authorized agency employees to bring challenges to the 
        classification status of information they believe to be 
        improperly classified.
         Created an Interagency Security Classification Appeals 
        Panel (ISCAP) to adjudicate challenges to classification and 
        requests for mandatory declassification, and to review 
        decisions to exempt information from automatic 
        declassification.
    The changes instituted by President Clinton were largely erased by 
his successor, who issued a revised executive order in 2003. Exec. 
Order No. 13292 eliminated the presumption of access, leaving officials 
free to classify information in cases of ``significant doubt.'' It 
also:
         Relaxed the limitations on the duration of 
        classification, and made it easier for the period to be 
        extended for unlimited periods.
         Postponed the automatic declassification of protected 
        records 25 or more years old from April 2003 to December 2006, 
        and reduced the showing that agencies must make to exempt 
        historical records from automatic declassification.
         Revived the ability of agency heads to reclassify 
        previously declassified information if the information ``may 
        reasonably be recovered.''
         Allowed the Director of Central Intelligence to 
        override decisions by ISCAP, subject only to presidential 
        review.
    The results of this shift in policy are reflected in the annual 
classification statistics published by the Information Security 
Oversight Office (ISOO). The number of classification actions by the 
government hit an all-time high of 15.6 million in 2004, with only 
slightly fewer (14.2 million) reported in 2005. This was nearly twice 
the number of classification actions (8.6 million) taken in 2001, the 
first year of the Bush administration, and three times the number (5.8 
million) taken in 1996, the last year of President Clinton's second 
term.\3\
---------------------------------------------------------------------------
    \3\ Info. Sec. Oversight Office, Nat'l Archives & Records Admin., 
Report to the President 2005 at 13.
---------------------------------------------------------------------------
    As classification actions have soared, declassification actions 
have plummeted. President Clinton oversaw the declassification of more 
historic materials than all previous presidents combined. During his 
last six years in office, 864 million pages were declassified, hitting 
an all-time high of 204 million pages in 1997 alone. Under the Bush 
administration, the numbers have fallen precipitously. Only 245 million 
pages were declassified from 2001--2005, with fewer than 30 million 
pages were declassified in 2005.\4\
---------------------------------------------------------------------------
    \4\ Id. at 15.
---------------------------------------------------------------------------
    Apart from its costs to both openness and security, all this 
classifying and declassifying comes at a heavy financial cost as well. 
In 2005, the cost of securing classified information was $7.7 billion, 
of which only $57 million was spent on declassification. In all, for 
every dollar the federal government spent to release old secrets, it 
spent $134 to create new ones.\5\
---------------------------------------------------------------------------
    \5\ OpenTheGovernment.org, Secrecy Report Card 2006 at 4.
---------------------------------------------------------------------------
    What the numbers cannot reveal is whether classification decisions 
are lawful and appropriate. Estimates of the extent of over-
classification vary, but I was particularly struck by Mr. Leonard's 
testimony before this subcommittee last March, in which he said that an 
audit conducted by the Information Security Oversight Office found that 
even trained classifiers, armed with the most up-to-date guidance, 
``got it clearly right only 64 percent of the time.'' \6\
---------------------------------------------------------------------------
    \6\ Overclassification and Pseudo-classification: The Impact on 
Information Sharing: Hearing Before the Subcomm. on Intelligence, 
Information Sharing and Terrorism Risk Assessment of the House Comm. on 
Homeland Sec., 110th Cong. (2007) (statement of J. William Leonard).
---------------------------------------------------------------------------
    There are also instances in which over-classification is the 
result, not of honest error, but of a desire to conceal. Both the 
Clinton and Bush executive orders prohibit the use of the 
classification system to ``conceal violations of law, inefficiency, or 
administrative error'' or prevent embarrassment to a person, 
organization, or agency.'' Yet at least some recent classification 
decisions could have had little purpose other than to suppress 
information that might be embarrassing to the government.
    A particularly troubling example is the decision by the Department 
of Defense to classify in its entirety the March 2004 report of the 
investigation by Maj. Gen. Antonio M. Taguba of alleged abuse of 
prisoners by members of the 800th Military Police Brigade at Baghdad's 
Abu Ghraib Prison. According to an investigation by the Minority Staff 
of the House Committee on Government Reform:
        One reporter who had reviewed a widely disseminated copy of the 
        report raised the issue in a Defense Department briefing with 
        General Peter Pace, the Vice Chairman of the Joint Chiefs of 
        Staff, and Secretary Rumsfeld. The reporter noted that `there's 
        clearly nothing in there that's inherently secret, such as 
        intelligence sources and methods or troop movements' and asked: 
        `Was this kept secret because it would be embarrassing to the 
        world, particularly the Arab world?' General Pace responded 
        that he did not know why the document was marked secret. When 
        asked whether he could say why the report was classified, 
        Secretary Rumsfeld answered: `No, you'd have to ask the 
        classifier.' \7\
---------------------------------------------------------------------------
    \7\ Minority Staff of House Comm. On the Judiciary, 10TH Cong., 
Report on Secrecy in the Bush Administration (2004) at 50.
---------------------------------------------------------------------------
    The desire to prevent embarrassment seems also to have played a 
role in the Bush administration's aggressive reclassification campaign. 
According to a February 2006 report by the National Security Archive, 
the administration has reclassified and withdrawn from public access 
9,500 documents totaling 55,500 pages, including some that are over 50 
years old. For example:
         complaint from the Director of Central Intelligence to 
        the State Department about the bad publicity the CIA was 
        receiving after its failure to predict anti-American riots in 
        Colombia in 1948.
         A document regarding an unsanctioned CIA psychological 
        warfare program to drop propaganda leaflets into Eastern Europe 
        by hot air balloon that was canceled after the State Department 
        objected to the program.
         A document from spring 1949, revealing that the U.S. 
        intelligence community's knowledge of Soviet nuclear weapons 
        research and development activities was so poor that America 
        and Britain were completely surprised when the Russians 
        exploded their first atomic bomb six months later.
         A 1950 intelligence estimate, written only 12 days 
        before Chinese forces entered Korea, predicting that Chinese 
        intervention in the conflict was ``not probable.'' \8\
---------------------------------------------------------------------------
    \8\ Matthew M. Aid, Nat'l Sec. Archive, Declassification in 
Reverse: The U.S. Intelligence Cmty's Secret Historical Document 
Reclassification Program (2006).
---------------------------------------------------------------------------
    These reclassification actions call to mind the observations of the 
late Erwin N. Griswold, former Solicitor General of the United States 
and Dean of Harvard Law School, who argued the Pentagon Papers case 
before the Supreme Court in 1971. Presenting the case for the 
government, he had argued that the release of the Pentagon Papers would 
gravely damage the national security. Nearly two decades later, 
Griswold reflected on the lessons of that case:
        It quickly becomes apparent to any person who has considerable 
        experience with classified material that there is massive 
        overclassification and that the principal concern of the 
        classifiers is not with national security, but rather with 
        governmental embarrassment of one sort or another. There may be 
        some basis for short-term classification while plans are being 
        made, or negotiations are going on, but apart from details of 
        weapons systems, there is very rarely any real risk to current 
        national security from the publication of facts relating to 
        transactions in the past, even the fairly recent past. This is 
        the lesson of the Pentagon Papers experience, and it may be 
        relevant now.\9\
---------------------------------------------------------------------------
    \9\ Erwin N. Griswold, Secrets Not Worth Keeping: The Courts and 
Classified Information, Wash. Post, Feb. 15, 1989, at A25.

Pseudo-Classification
    For all its faults, the classification system has many virtues as 
well. Classification actions are subject to uniform legal standards 
pursuant to executive order. These actions can be taken by a limited 
number of officials who receive training in the standards to be 
applied; they are of limited duration and extent; they are monitored by 
a federal oversight office; they can be challenged; and they can be 
appealed.
    The same cannot be said for the potpourri of unclassified control 
markings used by federal agencies to manage access to sensitive 
government information, most of which are defined by neither statute 
nor executive order, and which collectively have come to be known 
pejoratively as the ``pseudo-classification'' system.
    Among the better known are Sensitive But Unclassified (SBU), 
Sensitive Security Information (SSI), Sensitive Homeland Security 
Information (SHSI), Critical Infrastructure Information (CII), Law 
Enforcement Sensitive (LES), and For Official Use Only (FOUO).
    While some of these control markings are authorized by statute,\10\ 
others have been conjured out of thin air. Some of these pseudo-
classification regimes allow virtually any agency employee (and often 
private contractors) to withhold information without justification or 
review, without any time limit, and with few, if any, internal controls 
to ensure that the markings are not misapplied.
---------------------------------------------------------------------------
    \10\ See, e.g., Aviation and Transp. Sec. Act, Pub. L. No. 107-71; 
Fed. Info. Sec. Act, Pub. L. No. 107-347; Homeland Sec. Act, Pub. L. 
No. 107-296; Critical Infrastructure Info. Act, Pub. L. No. 107-296.
---------------------------------------------------------------------------
    A March 2006 report by the Government Accountability Office (GAO) 
found that the 26 federal agencies surveyed use 56 different 
information control markings (16 of which belong to one agency) to 
protect sensitive unclassified national security information. The GAO 
also found that the agencies use widely divergent definitions of the 
same controls.\11\
---------------------------------------------------------------------------
    \11\ U.S. Gov't Accountability Office, Rep. No. GAO-06-385, 
Information Sharing: The Federal Government Needs to Establish Policies 
and Processes for Sharing Terrorism-Related and Sensitive but 
Unclassified Information (2006).
---------------------------------------------------------------------------
    According to the GAO report, the Department of Homeland Security 
(DHS) employs five of these control markings: For Official Use Only 
(FOUO) (agency-wide); Law Enforcement Sensitive (LES) (agency-wide); 
Limited Official Use (LOU) (U.S. Secret Service); Protected Critical 
Infrastructure Information (PCII) (Directorate for Preparedness); and 
Sensitive Security Information (SSI) (Transportation Security 
Administration and U.S. Coast Guard).
    The department's approach to the use of these designations is set 
forth in a DHS management directive regarding the treatment of 
sensitive but unclassified information originating within the 
agency.\12\ The directive is chiefly concerned with the For Official 
Use Only designation, which it says will be used ``to identify 
sensitive but unclassified information within the DHS community that is 
not otherwise specifically described and governed by statute or 
regulation.'' The directive identifies 11 categories of SBU information 
that can be designated as FOUO, and provides that the designation can 
be made by any DHS employee, detailee, or contractor and will remain in 
effect indefinitely until the originator or a management official 
determines otherwise.
---------------------------------------------------------------------------
    \12\ Safeguarding Sensitive But Unclassified (For Official Use 
Only) Information, Mgt. Dir. No. 11042 (2004), at http://www.fas.org/
sgp/othergov/dhs-sbu.html, revised by Mgt. Dir. No. 11042.1, (2005), at 
http://www.fas.org/sgp/othergov/dhs-sbu-rev.pdf [hereinafter 
Safeguarding].
---------------------------------------------------------------------------
    For good measure, the directive notes that where other agencies and 
international organizations use similar terminology but apply different 
requirements to the safeguarding of the information, the information 
should be treated in accordance with whichever requirements are the 
more restrictive.
    A 2004 report by the JASON Program Office at MITRE Corporation 
suggests that the designation authorities at DHS are not atypical: 
``'Sensitive but unclassified' data is increasingly defined by the eye 
of the beholder. Lacking in definition, it is correspondingly lacking 
in policies and procedures for protecting (or not protecting) it, and 
regarding how and by whom it is generated and used.'' \13\
---------------------------------------------------------------------------
    \13\ JASON Program Office MITRE Corporation, Horizontal 
Integration: Broader Access Models for Realizing Information Dominance 
5 (2004).
---------------------------------------------------------------------------
    As in the case of classification and reclassification actions, 
these designations have at times been used not to protect legitimate 
national security secrets, but to spare the government from 
embarrassment. In a March 2005 letter to Rep. Christopher Shays, then 
the Chairman of the House Committee on Government Reform, Rep. Henry 
Waxman cited examples in which:
         The State Department withheld unclassified conclusions 
        by the agency's Inspector General that the CIA was involved in 
        preparing a grossly inaccurate global terrorism report.
         The State Department concealed unclassified 
        information about the role of John Bolton, Under Secretary of 
        State for Arms Control, in the creation of a fact sheet that 
        falsely claimed that Iraq sought uranium from Niger.
         The Department of Homeland Security concealed the 
        unclassified identity and contact information of a newly 
        appointed TSA ombudsman whose responsibility it was to interact 
        daily with members of the public regarding airport security 
        measures.
         The CIA intervened to block the chief U.S. weapons 
        inspector Charles A. Duelfer, from revealing the unclassified 
        identities of U.S. companies that conducted business with 
        Saddam Hussein under the Oil for Food program.
         The Nuclear Regulatory Commission sought to prevent a 
        nongovernmental watchdog group from making public criticisms of 
        its nuclear power plant security efforts based on unclassified 
        sources.\14\
---------------------------------------------------------------------------
    \14\H.R. Rep. No. 109-8, at 16 (2005) (letter from Henry Waxman to 
Christopher Shays).
---------------------------------------------------------------------------
    In another case, currently in litigation, a federal air marshal 
blew the whistle when TSA attempted to reduce security on ``high risk'' 
flights, and the agency allegedly retaliated by retroactively 
designating the material he had disclosed as Sensitive Security 
Information (SSI).\15\
---------------------------------------------------------------------------
    \15\ Project on Gov't Oversight, Alert: Robert MacLean v. DHS 
(2007), at http://pogo.org/p/government/rmaclean-dhs.html
---------------------------------------------------------------------------
    Another concern arises out of the interplay between unclassified 
control markings and the Freedom of Information Act (FOIA). Certain 
unclassified control markings, including Sensitive Security Information 
(SSI) and Critical Infrastructure Information (CII), are specifically 
exempt by statute from release under FOIA. But some agencies have 
claimed that other unclassified control markings constitute an 
independent legal basis for exempting information from public 
disclosure under FOIA--even in the absence of an express statutory 
exemption and even where the information does not fit within an 
existing exemption.
    Such claims prompted the American Bar Association's House of 
Delegates to adopt a resolution in February 2006 urging the Attorney 
General to clarify that such designations should not be used to 
withhold from the public information that is not authorized to be 
withheld by statute or executive order.
    As it happens, the DHS directive meets the ABA standard. It 
provides that FOUO information is not automatically exempt from 
disclosure under FOIA and that FOUO information may be shared with 
other agencies and government entities ``provided a specific need-to-
know has been established and the information is shared in furtherance 
of a coordinated and official governmental activity.'' \16\
---------------------------------------------------------------------------
    \16\ Safeguarding, supra note 11.
---------------------------------------------------------------------------
    But whether or not an agency has a legal basis for withholding 
pseudo-classified information not otherwise exempt under FOIA is almost 
beside the point. The designation is itself sufficient to exert a 
chilling effect on FOIA disclosures. As Thomas S. Blanton of the 
National Security Archive testified before a subcommittee of the House 
Committee on Government Reform in March 2005, ``the new secrecy stamps 
tell government bureaucrats `don't risk it'; in every case, the new 
labels signal `find a reason to withhold.' '' \17\
---------------------------------------------------------------------------
    \17\ Emerging Threats: Over-classification and Pseudo-
classification: Hearing Before the Subcomm. on Nat'l Sec., Emerging 
Threats and Int'l Relations of the House Comm. on Gov't Reform, 109th 
Cong. (2005) (statement of Thomas S. Blanton).
---------------------------------------------------------------------------
    An article published in the Washington Post on June 24, 2007, 
brought to light a pseudo-classification scheme apparently invented by 
the Vice President of the United States. His office has been giving 
reporters documents labeled: ``Treated As: Top Secret/SCI''--an 
apparent attempt to treat unclassified material as though it were 
Sensitive Compartmented Information (SCI)--a special access designation 
reserved for secrets whose disclosure would cause `exceptionally grave 
damage to national security.'' '\18\
---------------------------------------------------------------------------
    \18\ Barton Gellman & Jo Becker, A Different Understanding with the 
President, Wash. Post, June 24, 2007, at A1.
---------------------------------------------------------------------------
    Unlike the Cheney innovation, Special Access Programs (SAPs), which 
limit access above and beyond the three-tiered classification system, 
are authorized by law, and are confined to a relatively limited circle 
of senior officials. Exec. Order No. 12859, as amended, provides that 
unless otherwise authorized by the President, only certain named 
officials are authorized to establish such programs. The list includes 
the Secretaries of State, Defense, and Energy, and the DCI, or the 
principal deputy of each. Interestingly, the list does not include the 
Vice President--perhaps in anticipation of his novel assertion that the 
Office of the Vice President is not an agency of the Executive Branch 
and need not comply with the requirement under Exec. Order 12859 that 
such agencies file an annual report with ISOO.\19\
---------------------------------------------------------------------------
    \19\ Peter Baker, Cheney Defiant on Classified Material: Executive 
Order Ignored Since 2003, Wash. Post, June 22, 2007, at A1.
---------------------------------------------------------------------------
    The fact that SAPs are authorized by executive order does not mean 
they are immune from the deficiencies of pseudo-classifications. The 
Moynihan Commission noted a ``lack of standardized security 
procedures'' that ``contributes to high costs and other difficulties,'' 
and recommended the establishment of a single set of security standards 
for Special Access Programs--another of its sensible recommendations 
which, as far as is known, has not been carried out.\20\
---------------------------------------------------------------------------
    \20\ Moynihan Commission Report at 28.

Recommendations for Congress
    Madame Chair, you and the subcommittee should be commended for 
exercising your oversight authority over the treatment of national 
security information--both classified and unclassified--at the 
Department of Homeland Security. Such scrutiny is essential, and it is 
long overdue.
    I would also respectfully suggest that the time has come for the 
committee, and for Congress, to exercise its legislative authority over 
these matters. For 67 years, Congress has largely ceded that authority 
to the president, and as I hope I have explained, the results have been 
decidedly mixed.
    It has been ten years since the Moynihan Commission urged Congress 
to legislate the rules that protect national security information, 
rather than leaving it up to the executive branch to police itself. It 
is time for Congress to take up that challenge.

A. Systemic solutions
    Many of the problems facing the classification system are systemic, 
and they require comprehensive, government-wide solutions. Among other 
things, Congress should reinstate the provisions of Exec. Order No. 
12958 which (a) established a presumption against classification in 
cases of significant doubt (a policy which the Moynihan Commission 
urged Congress to codify); (b) permitted senior agency officials to 
exercise discretion to declassify information in exceptional cases 
where the need to protect the information is outweighed by the public 
interest in disclosure; and (c) prohibited reclassification of material 
that had been declassified and released to the public under proper 
authority.
    Congress also should undertake a thorough and comprehensive 
examination of the growing use of agency control markings to restrict 
access to unclassified information. Much has been said, and rightly so, 
about the importance of information sharing among government agencies. 
But what is the justification for a system that entrusts low-level 
employees and private contractors with the non-reviewable discretion to 
determine whether an unclassified document--a document that doesn't 
even rate a ``Confidential'' stamp--a document that may not even 
qualify for a FOIA exemption--is too sensitive for public view?
    Before Congress acquiesces in the further proliferation of these 
designations, it should consider whether those that already exist place 
an unwarranted burden on the free exchange of information, not only 
among government officials, but between the government and the people 
who elect it.
    At a minimum, Congress should prohibit agencies from adopting 
unclassified controls that are not expressly authorized by statute (or 
executive order), and should mandate strict standards for any controls 
it does authorize to minimize their impact on public access.
    H.R. 5112, the Executive Branch Reform Act, which was reported by 
the House Government Reform Committee during the 109th Congress, 
directs the Archivist of the United States to promulgate regulations 
banning the use of information control designations not defined by 
statute or executive order. If the Archivist determines that there is a 
need for some agencies to use such designations ``to safeguard 
information prior to review for disclosure,'' the regulations shall 
establish standards designed to minimize restrictions on public access 
to information. The regulations shall be the sole authority for the use 
of such designations, other than authority granted by statute or 
executive order.
    This approach would ameliorate some of the worst features of what 
is today an unregulated wilderness of inconsistent standards and 
insufficient checks. But it begs the question of whether Congress 
should be authorizing agency officials to withhold unclassified 
information in the first place. Such powers are all too easily given, 
and once they are in place, it is virtually impossible to get rid of 
them.
    I hope that Congress will consider codifying standards that 
incorporate these policies. But there are also many steps that can be 
taken to reform the management of national security information one 
department at a time. By undertaking such reforms at the Department of 
Homeland Security--by making DHS the ``gold standard''--Congress can 
create a model for best practices that other agencies can adopt.

B. The Classification System at DHS
        (1) Congress should establish an Information Security Oversight 
        Office, modeled after the Information Security Oversight Office 
        at the National Archives and Records Administration, to oversee 
        security classification programs at DHS. Its responsibilities 
        would include development of implementing directives and 
        instructions; maintenance of liaison with ISOO and agency 
        counterparts; monitoring of agency compliance and preparation 
        of reports to Congress; and development of security 
        classification education and training programs.
        (2) Congress should establish an independent DHS Classification 
        Review Board to ensure that information is declassified as soon 
        as it no longer meets the criteria for classification. Among 
        the responsibilities of the board would be to facilitate and 
        review requests for declassification and classification 
        challenges, and to conduct an independent ongoing review of 
        classified materials to determine whether they are properly 
        classified.
        (3) Congress should establish an independent ombuds office 
        within DHS to provide assistance with classification challenges 
        and requests for declassification.
        (4) Congress should require the DHS Inspector General to 
        conduct periodic audits of the DHS classification program and 
        report to Congress on the appropriateness of classification 
        decisions.
        (5) Congress should require DHS to implement a system of 
        certification for DHS officials with classification authority 
        and to provide them with training in proper classification 
        practices.

C. Sensitive Information Controls at DHS
    As noted above, I hope that Congress will reconsider the question 
of whether agency employees and private contractors should be given a 
license to withhold unclassified, non-FOIA exempt information from the 
public. But short of curtailing the use of unclassified control 
markings, there are steps that can be taken by DHS to minimize error 
and abuse, and reduce the impact of pseudo-classification on public 
access to information.
        (1) Congress should require DHS to place strict limits on the 
        number of agency officials authorized to designate FOUO and 
        other unclassified information as controlled, to implement a 
        system of certification for DHS officials with designation 
        authority, and to provide authorized officials with training in 
        proper designation practices.
        (2) Congress should require DHS to limit the duration of 
        controls on unclassified information and provide procedures by 
        which such controls can be removed.
        (3) Congress should require DHS to develop procedures by which 
        members of the public can challenge unclassified designations.
        (4) Congress should require the DHS Inspector General to 
        conduct periodic audits of the use of controls on unclassified 
        information and report to Congress on the appropriateness of 
        designations.
        (5) The Homeland Security Committee should oversee DHS 
        implementation of--
                a. The directives regarding the use of the SSI 
                designation by TSA which Congress included in the DHS 
                Appropriations Bill for FY 2007 (Pub. L. 109-295). 
                Those directives require review of any document 
                designated SSI whose release is requested and require 
                release of certain documents designated SSI after three 
                years unless the DHS Secretary provides an explanation 
                as to why it should not be released.
                b. The recommendations included in the GAO report of 
                June 2005 evaluating the use of the SSI designation by 
                TSA.\21\ The GAO found significant deficiencies in 
                TSA's management of SSI, and recommended that the 
                Secretary of DHS direct the TSA Administrator to:
---------------------------------------------------------------------------
    \21\ U.S. Gov't Accountability Office, Rep. No. GAO-05-677 
Transportation Security Administration: Clear Policies and Oversight 
Needed for Designation of Sensitive Security information (2005).
---------------------------------------------------------------------------
                        i. Establish clear guidance and procedures for 
                        using the TSA regulations to determine what 
                        constitutes SSI.
                        ii. Establish clear responsibility for the 
                        identification and designation of information 
                        that warrants SSI protection.
                        iii. Establish internal controls that clearly 
                        define responsibility for monitoring compliance 
                        with regulations, policies, and procedures 
                        governing the SSI designation process and 
                        communicate that responsibility throughout TSA.
                        iv. Establish policies and procedures within 
                        TSA for providing specialized training to those 
                        making SSI designations on how information is 
                        to be identified and evaluated for protected 
                        status.

Conclusion
    By helping to ensure that the government keeps secret only the 
information that needs to be secret, these measures would enhance both 
openness and security--at DHS and throughout the government.
Thank you.

    Mr. Carney. Well, I thank the witnesses for their 
testimony; and I remind each member he or she will have 5 
minutes to question the panel.
    I now recognize myself for 5 minutes, and this is for all 
the witnesses. If you could do one thing to overcome the 
overclassification or pseudo-classification problem at DHS, 
what reform initiative or best practice would you adopt? I know 
Mr. Agrast, you just mentioned a few, but Mr. Leonard and Mr. 
Armstrong, Ms. Spaulding?
    Mr. Leonard. One that I would recommend, some agencies, 
such as State and CIA, as a best practice have independent 
advisory commissions comprised of historians that advise those 
agencies on the effectiveness of their agencies' 
declassification program. There is no reason why such an 
advisory committee could not be established on the front end of 
the process. An advisory committee may be of the principal 
consumers, State and local officials with appropriate 
clearances who could provide advice back to the Department as 
to the effectiveness of what they are classifying and its 
impact on their information needs.
    Mr. Armstrong. Mr. Carney, I would emphasize--I think Ms. 
Spaulding made reference to the same phenomenon--in the tear--
line system, or something like the tear-line system, emphasize 
the communication of important information in the least--
controlled manner necessary. Remember that the purpose of all 
communication in Government, whether it is the most sensitive 
intelligence or not, is to influence someone somewhere to take 
cognizance of it and to change their behavior or focus their 
analytical skills. In doing so, put the emphasis on 
communication and then minimize and restrict the sources and 
methods portion of the communication to protect it. But put the 
emphasis on communicating, not withholding.
    Ms. Spaulding. I think the most important thing is to do 
something to begin to change the culture and the mindset, and I 
think that is set at the top. That is a tone and an emphasis 
that is set at the top.
    So I would consider issuing, maybe even from the President, 
an Executive Order, for example, that would direct the 
agencies, Department of Homeland Security to begin with, to 
include in their performance evaluations the issue of 
overclassification and underclassification, how employees do in 
terms of getting the classification right, that that would be a 
factor in how they are evaluated. I think that would go a long 
way in setting the right tone.
    Mr. Carney. Are the evaluators in your opinion able to do 
that? Don't they have a vested interest in kind of keeping the 
system as it is?
    Ms. Spaulding. Well, I think it would be combined with the 
kinds of recommendations that have been made at this table, 
including regular audits of documents that have been 
classified; and that would help to inform those kinds of 
performance appraisals as to whether this employee regularly is 
found to have overclassified documents, for example, or whether 
this employee has written a great number of unclassified 
reports that have been able to be widely disseminated.
    Those performance appraisals are fairly standardized 
actions; and if those forms have a specific thing that you have 
to fill in that relates to how this employee does in terms of 
their classification decisions, I think that would provide an 
appropriate incentive.
    Mr. Leonard. If I could add to that, as a follow-on, 
another best practice that is very closely related to that, the 
CIA, even though it is not required at the national level, 
requires a personal identifier on every product they produced 
as to who was responsible for the classification decision; and 
something like that facilitates a follow-up and holding people 
accountable.
    Mr. Agrast. If I could also add, I completely agree with 
the recommendations, particularly with the remarks of Ms. 
Spaulding.
    Mr. Reichert opened his portion of the hearing by talking 
about his experience as a law enforcement officer at the State 
and local level. I think there are two kind of prosecutors. 
There are two kinds of law enforcement officers. There is the 
kind that says my job is to convict as many people as possible, 
and there is the other kind who says my job is to get the 
truth, and I will be satisfied that I have done my job if I 
convict the people who are guilty and don't convict the people 
who are not guilty.
    I think that is the cultural change that has to happen at 
these agencies so the premium is set not solely on the number 
of documents you have successfully kept from the public but 
using discernment and using fine judgment in determining when 
and whether classification decisions should be made.
    Mr. Carney. Thank you.
    Mr. Leonard, I know your office is responsible for 
regulating classification by agencies within the executive 
branch; and you consistently stated that the Government 
classifies too much information. Why is this happening, in your 
opinion? What is the reason?
    Mr. Leonard. Reasons are varied, but I would agree more 
than anything else with Ms. Spaulding's assessment that it is 
really one of culture. We are very effective in terms of 
holding people accountable for the inappropriate disclosure of 
information, either administratively or criminally. Very 
rarely, if ever, have I ever seen anyone held accountable for 
inappropriately withholding or hoarding information.
    Mr. Carney. Too many people have classification power?
    Mr. Leonard. Yes.
    Another best practice--and Mr. Agrast mentioned this--is 
DOE follows it. They actually require people to be trained and 
certified before they can affix classification controls on the 
product, as opposed to just having clearance and having access 
to it.
    So something along those lines would facilitate 
accountability, because you could have something to take away 
from them now if they abuse it, and it restricts the universe 
of people that you have to make sure are appropriately trained. 
So there is a lot of benefits to it all around.
    Mr. Carney. Thank you.
    I now recognize the ranking member, my good friend from 
Washington, Mr. Reichert.
    Mr. Reichert. Thank you, Mr. Chairman.
    I just wanted to go back to Mr. Carney's original question, 
which was if you do one thing. I want to ask it in just a 
little bit of a different way.
    What is the biggest hurdle--I have an answer in my mind, in 
my experience, but what is the biggest hurdle to overcome in 
this whole issue of not sharing information and 
overclassifying?
    Okay, I will give you a hint at least where I am going with 
this. Somebody mentioned the stovepipe thing. And, to me, 
really to get more specific, governance, who has control over 
the information? Who is the lead person? At the local level in 
the sheriff's office, with 38 police departments and the 
sheriffs in the county, you know, the battle is over who 
controls the server that has the information. And you are 
running into that sort of an issue at the Federal level. I am 
sure you are.
    Mr. Armstrong. I think what we have seen, Mr. Reichert, is 
that the leadership of the various departments--that we had the 
merger into the Department of Homeland Security and specific 
incentives given--direction given to the DNI to begin to break 
down the barriers, break down the stovepipes. But it requires 
the leadership to do that.
    The drift in the bureaucracy is toward safety, is toward 
the norm, is toward withholding, is toward not exposing oneself 
to criticism. Until and unless someone initiates a test-bed of 
a new direction and puts the incentive on making sure that 
everyone knows what they need to know, but all of what they 
need to know, this will not happen. Things will not change. It 
will default back to the old system. I think that is the 
problem we are faced with.
    Mr. Reichert. Certainly the difficulty is highlighted as 
you bring the 22 departments under the one Homeland Security 
umbrella. But it even gets more complicated then as you reach 
outside to the other agencies that don't report to the homeland 
security effort. So I mean it is a huge issue to overcome. Does 
anyone have any suggestions?
    Mr. Leonard. I would suggest, Mr. Reichert, another major 
hurdle is the myriad of information protection regimes that 
exist within the Federal Government. There is no individual who 
can comprehend and understand all of them, even know of all of 
them. While there are efforts under way within the executive 
branch to streamline that and what have you, there are still 
contributing issues, many of them statutorily based, in terms 
of establishing requirements for protecting critical 
infrastructure information and things along those lines. What 
that results in is it is incomprehensible to me how an 
operator, who has decisions to make on a day-to-day basis and 
getting information from multiple sources, how they can even 
begin to understand what they can and what they can't disclose. 
And it can result in paralysis.
    Mr. Reichert. It almost seems as though the local agencies 
take the lead in this arena. As we in Seattle took a look at 
the LInX System spearheaded by the U.S. attorney's office, the 
FBI choosing not to participate in that information-sharing 
experiment and the U.S. Naval Intelligence then taking the lead 
with the U.S. attorney's office, finally after a few years we 
have a system in Seattle now that we have partners.
    I think one team at a time, one maybe part of the country 
at a time coming together, being able to showcase a success, 
would you not agree that might be a way to address this issue? 
Mr. Agrast?
    Mr. Agrast. Yes, I very strongly agree. I think pilot 
programs and State experimentation is really a very useful tool 
here. When people, as you have heard, are reluctant to change, 
I think they need to see success stories. They need to see that 
it can work and that there is a better way to do these things.
    Mr. Reichert. Ms. Spaulding, you mentioned along the same 
lines this cultural change, and several of you have. I really 
see that as really the biggest issue, and it is a leadership 
concern, you know, from protecting to sharing. Do you have any 
ideas on how to really jump-start that?
    Ms. Spaulding. Well, the Markle Foundation talks about 
creating a culture of distribution. But I think you are right. 
That is the most important thing. And, as I said, I think there 
are some suggestions in terms of creating--there is already, as 
Mr. Leonard pointed out, a huge incentive for classifying 
documents. It is career ending if you fail to classify 
something that is then disclosed and causes harm to national 
security. So there is a huge incentive to classify. It is much 
easier to classify a document. It is just a safe bet. And we 
have to create incentives for being more careful about that 
decision and incentives for creating unclassified documents. 
You know, as I said, I have got a number of suggestions for 
that in my testimony.
    But I do think there are legitimate concerns that present a 
stumbling block. You asked about what are some of the major 
stumbling blocks. Having the trust that an agency isn't going 
to take your information and somehow disrupt your operational 
activity, and I am sure you understand exactly what I am 
talking about.
    Mr. Reichert. Yes, I do.
    Ms. Spaulding. And it is a legitimate concern, but it is 
also one of the major reasons why we find problems sharing 
information, particularly among law enforcement and, you know, 
agencies that have the ability to take action or are 
undertaking operations. And I saw this in spades when I was at 
the intelligence, when I was at CIA, and their relationships 
with the other agencies, FBI, Customs, whatever, the concerns 
on both sides of that that one or the other would take the 
information and run an operation that would mess up what the 
other agency had going.
    So the challenge there, the solution there it seems to me 
has got to be operational coordination. It can't be that you 
are allowed to withhold that information, and there I think is 
a place where particularly State and locals can provide 
excellent models.
    Mr. Reichert. Those agencies that have ongoing 
investigations, especially with CIs, are very concerned about 
sharing information.
    My time has expired. Mr. Chairman, I yield back.
    Mr. Carney. Thank you, Mr. Reichert.
    I will now recognize Mr. Dent from Pennsylvania for 5 
minutes, and we will probably do another round. Okay.
    Mr. Dent. Thank you, Mr. Chairman.
    Ms. Spaulding, you just brought up an issue that I find 
interesting, and I wonder if we could talk about this issue. 
There are incentives to overclassify right now, but the only 
real control over information resides in the classification 
realm. Isn't overclassification a natural reaction to 
unauthorized disclosure of sensitive but unclassified 
materials? There is no punishment for--serious punishment for 
releasing sensitive material.
    Ms. Spaulding. As I said in my testimony, I think that 
overclassification actually contributes to a lack of respect 
for the classification mark and therefore actually makes it 
harder to protect true national security secrets.
    I think overclassification is a detriment to protecting 
truly secret information. So I do think that that is also part 
of the incentive structure in terms of when you are looking at 
leaks is that overclassification does contribute to that kind 
of culture as well.
    I think in addition to clearly trying to find ways to 
identify people who disclose classified information and take 
action, firm action against people who disclose classified 
information, I think it is important also at all levels of 
Government to reinforce the respect for classification 
markings.
    Mr. Dent. Well, I guess as a follow-up, how can the Federal 
Government really balance the need? You know, how do we balance 
this need I guess to share information on the one hand, and at 
this unclassified level, with the knowledge that somebody 
somewhere continues to leak sensitive but unclassified 
information? I think that is really the crux of the problem 
here.
    Ms. Spaulding. My sense is that trying to hold more tightly 
to that information within those stovepipes has not been an 
effective way of preventing those disclosures. And therefore, I 
think, as I said, in addition to trying to use technology to 
help us with audit trails to keep track of who is accessing 
information, who is printing information, who has access to the 
information that might be disclosed and trying to identify 
those people and hold them accountable, that it really is 
important that we indicate that we have taken more care in 
labeling things. So that when they are labeled, whether it is 
classified or sensitive, law enforcement sensitive, that in 
fact there has been a reasoned determination that could be 
upheld as we look at it after the fact that this would harm 
national security or homeland security or law enforcement 
interests.
    Mr. Armstrong. Mr. Dent?
    Mr. Dent. Yes.
    Mr. Armstrong. After three decades as a journalist in this 
town, I have to recognize that there is an information economy, 
there is an information currency within secrecy, that every 
major agency at every senior level leaks classified 
information, controls and manipulates classified information, 
and in parallel at other levels, either in other agencies or in 
the same agencies, other people speak candidly, but they speak 
in terms of things that aren't genuinely secret.
    When everything is secret, as Potter Stewart said, nothing 
is secret. No one knows what to respect. Most senior officials 
have some criteria, make judgments every day, several times a 
day, about how to share information that is technically 
classified but to get it out in some form that it believes the 
public needs to know or their colleagues need to know, without 
filing all the forms. It has caused problems from time to time, 
but there is an ongoing communication about what those 
standards are. And it is possible, particularly in the form 
that we are talking about today, to emphasize how to 
communicate without damaging the national security. Better to 
do it within the system than have it done without the system.
    Mr. Dent. I guess you are addressing it, but the question I 
have, how do we balance this need to share this information at 
the unclassified level with the knowledge that somebody 
somewhere continues to leak sensitive but unclassified 
information? I guess that is the question. How do you balance 
this?
    Mr. Agrast. Mr. Dent, one thing I guess I would hope we 
would do is have these unclassified markings regulated by 
Congress. They have taken on a life of their own. They are so 
numerous and so varied, there are so few standards and 
safeguards. You know, the classification system, with all its 
problems, looks pretty good compared to the pseudo-
classification nonsystem.
    So rather than have agencies making ad hoc decisions and 
bringing the entire system of controlled information into 
disrepute, shouldn't Congress take a look at this 
comprehensively and decide whether such categories should exist 
at all? Or whether, instead, if information is truly in need of 
safeguarding, it ought not to be classified in the first place?
    Mr. Dent. Yield back.
    Mr. Carney. Thank you, Mr. Dent.
    We will start a second round of questions here.
    Mr. Armstrong, in your estimation, how effective has DHS 
been in producing reports and products at the unclassified 
level?
    Mr. Armstrong. Well, we read unclassified material when it 
is presented by DHS. But, more often, we read the relevant 
information when it is put in unclassified form when it is 
leaked to DHS because of the form of controls that have been 
established that effectively discourage and inhibit candid 
communication. The number of inappropriate things that have 
happened to try and block contractors or the employees of 
contractors in using information in labor disputes, for 
example, does not increase respect for the system; and the 
difficulty we have had is the difficulty of accountability.
    Mr. Leonard administers some degree of accountability 
within a classified system, but it is very difficult to do 
when, effectively, a department has authority to create all 
sorts of constraints on communication that are not necessarily 
constraints designed to protect national security; and the 
farther we move away from those for the original purpose to 
protect sources and methods, to protect short-term objectives 
that need to be accomplished, to coordinate at different levels 
of our government, and we move into areas where political 
control and sensitivity--it seems to us on the outside that the 
Secretary of Homeland Security has been virtually unaccountable 
to Congress, unaccountable to other agencies and ineffective in 
the administration of his mandates.
    Mr. Carney. What is the solution to that?
    Mr. Armstrong. Well, I don't know what you need to do to 
get him here to talk with you, but I think there are issues 
that can be addressed about in a public executive session. He 
has unbelievably large sets of responsibilities, but at various 
levels throughout the Department there are professionals who 
would like to do their job properly. I don't believe that they 
are getting the leadership. The leadership sometimes emerges 
when it is variegated by questions.
    The truth--the most important purpose, Woodrow Wilson said, 
for Congress is not to pass legislation but to inquire into how 
government is effectively being done; and it is that process 
that needs to occur and occur more publicly.
    Mr. Carney. Thank you.
    Mr. Agrast, in your estimation, how much information is 
being withheld by DHS and its private contractors that is 
unclassified and non-FOIA exempt?
    Mr. Agrast. I actually have no idea how much is being 
withheld. We have indications that, to the extent there are 
standards, they aren't being followed. I will give you one 
example, if I may, from my prepared testimony.
    The GAO, the Government Accountability Office, issued a 
report in June of 2005 evaluating the use of the SSI 
designation by the TSA, which is of course a unit of the 
Department; and they found significant deficiencies in TSA's 
management of SSI information and recommended that the 
Secretary direct the Administrator to take a number of remedial 
actions.
    One is to establish clear guidance and procedures for using 
the regulations to determine what constitutes SSI. The second 
is to establish clear responsibility for the identification and 
designation of information that warrants SSI protection. The 
third was to establish internal controls that clearly define 
responsibility for monitoring compliance with regulations, 
policies and procedures governing the designation process and 
to communicate that responsibility throughout TSA. And, 
finally, to establish policies and procedures within TSA for 
providing specialized training to those making SSI designations 
on how information is to be identified and evaluated for 
protected status.
    Clearly, those recommendations have yet to be implemented 
in a proper way; and it is surely within the purview of this 
subcommittee to inquire as to the progress that is or is not 
being made.
    Mr. Carney. How should DHS implement the new control of 
unclassified information originating from CUI that Ambassador 
McNamara developed? Mr. Agrast, sorry to interrupt your drink 
there.
    Mr. Agrast. You know, I would have to give more 
consideration to how they ought to go about it on an agency 
basis. Certainly there are some of these areas that are 
interdepartmental in nature, and some of these kinds of 
policies and practices require coordination. I am not sure that 
a single agency can do it.
    Mr. Carney. So you don't think it is something that DHS 
could do quickly or necessarily?
    Mr. Agrast. Not sure.
    Mr. Carney. Ms. Spaulding, do you have any idea?
    Ms. Spaulding. Certainly one thing to consider, and 
particularly when you are talking about these pseudo-
classifications, is requiring that they be done at a fairly 
senior level. Mr. Leonard touched on this both with respect to 
classification and pseudo-classification, having people well-
trained and certified with the authority to, you know, put that 
stamp on the document. But particularly in this area I think it 
would be helpful to move those decisions to a more senior 
level.
    Mr. Carney. Thank you.
    Mr. Reichert, any more questions?
    Mr. Reichert. Thank you. I will just make mine pretty quick 
here.
    Last year, we passed a bill that directed some cooperation 
in fighting terrorism, cooperating at the international level, 
mostly through technology, those countries like Israel and 
Canada and the U.K. and others who have been--Australia--who 
have been kind of dealing with this a little longer than we 
have, a lot longer in some cases. They have developed some 
technologies and some systems. Would you consider that we 
should consult these countries who have had this experience in 
classifying and unclassifying and overclassification and 
pseudo--classification? Should we be looking for leadership 
from those other countries? And do you have any information or 
knowledge about that occurring now? Anybody.
    Mr. Leonard. I don't have any knowledge, direct knowledge 
in terms of whether it is occurring or not, Mr. Reichert. But 
something along those lines, that definitely has merit, if only 
from the perspective of ensuring that we have congruous 
systems. Because I know that we do that on the classification 
level where we routinely, especially with our close allies and 
friendly nations, work to ensure that we have congruous systems 
that facilitate the sharing of classified information, 
especially when we are in a coalition environment and things 
along those lines. So those types of efforts clearly could bear 
fruit on the unclassified level.
    Now to the extent of whether they are occurring or not, I 
really don't know.
    Mr. Reichert. Anyone else have--
    Mr. Armstrong. Most of the technologies that I think to 
which you are referring that would be helpful here are employed 
in the business realm already and for different reasons and 
with different levels, obviously, of security and devotion to 
principles. But we are talking about techniques. The notion of 
embedding metadata begins to track intellectual product and the 
ability to not only determine where it has gone or how it has 
been used or whether it has been appropriately dealt with but 
also to automatically begin to alert people to the fact that it 
is no longer controlled or it requires additional controls for 
an additional reason.
    All of those things are present at high levels in certain 
business environments, but they are expensive, and the 
incentives have to be high. Capitalism tends to find some 
degree of incentives. One would think that homeland security 
and anti-terrorism measures could find at least as high a 
level.
    Mr. Reichert. Mr. Agrast, did you have--
    Mr. Agrast. Congressman, I think it is an extraordinarily 
thoughtful question. There has been a tendency not to look 
abroad for answers, and I think that has demonstrated itself to 
be a mistake. We don't have to do what other countries do, but 
we should at least learn what we can from them.
    Mr. Reichert. Yes. Thank you.
    One last thought. With this new world of technology and our 
soldiers fighting around the world and their access to various 
communication devices, cell phones and cameras in their cell 
phones and computers, they are communicating back to their 
families and friends real-time info on battles occurring or 
briefings that are occurring. How do you see that issue being 
addressed in the sharing of information that could be critical 
to our operations in fighting terrorism?
    Mr. Leonard. Well, what I see that is emblematic of a 
challenge we always have, and that is we are playing catch-up 
to technology all the time, especially from the point of, A, 
leveraging it but, B, understanding the ramifications from a 
security or vulnerability point of view as well. And then when 
we attempt to address it, we usually do it in a hand-fisted 
way, which is sometimes analogous to trying to repeal gravity.
    So the challenge is to somehow, some way get in front of 
that curve all the time and fully understand the capabilities 
and the limitations of the technology and try to keep our 
policies abreast of it, rather than being in that proverbial 
catch-up mode which we seem to be in.
    Ms. Spaulding. I don't think there is a technological 
solution, whether it is some new technology or shutting down 
some of those technology outlets, because you will never get 
them all. I think the only solution to that particular issue is 
training. I mean, you have simply got to sensitize, you know, 
those folks to what they can and should not be sharing and 
disclosing publicly. And you will never have perfect success 
with that, but it seems to me that trying to attack that, the 
basis of technology, is not going to be very successful.
    Mr. Reichert. Yeah. You know--one of the experiences I will 
share real quick--in the Green River investigation in 1987, the 
search warrant to be served on the suspect who we finally 
arrested years, years later--we had a meeting on the service of 
the search warrant. I was the detective in charge of the search 
of this subject's house; and, as I arrived, standing on the 
front porch was a reporter from our local newspaper to greet 
me. So someone within the meeting immediately shared the 
information.
    That is really one of the frustrations I think in this 
whole thing. You talked about building trust and in those local 
agencies and within those agencies within the Federal 
Government, too, in having the knowledge that their information 
is protected as the investigation is ongoing. The firewalls 
that can be built in a system to protect that information is a 
huge hurdle I think to overcome and also plays into the 
cultural change.
    So I appreciate you being here this morning, and thank you 
so much for your testimony.
    Mr. Carney. Well, I want to thank the witnesses as well for 
their invaluable testimony. This truly is an issue that we have 
to further explore to shed light on the classification issue. 
It is absolutely essential.
    The members of the subcommittee will probably have 
additional questions for the witnesses, and we ask that you 
respond expeditiously in writing.
    Hearing no further business, the subcommittee stands 
adjourned.
    [Whereupon, at 11:15 a.m., the subcommittee was adjourned.]

                             For the Record

  Prepared Opening Statement of the Honorable Jane Harman, Chairman, 
 Subcommittee on Intelligence, Information sharing, and Terrorism Risk 
                               Assessment

                             March 22, 2007

     Good morning. I'd like to welcome you all to this hearing 
on the increasing problems of over-classification and pseudo-
classification and their impact on what is the lifeblood of our 
homeland security: effective information sharing with our State, local, 
and tribal law enforcement officers.
     The United States has had a classification regime in place 
for decades: information and intelligence typically falls into one of 
three categories: Top Secret, Secret, or Confidential.
     Our nation adopted this regime for one reason: to protect 
sensitive sources and methods.
     Contrary to the practice of some in the federal 
Intelligence Community, classified markings are NOT to be used to 
protect political turf or to hide embarrassing facts from public view.
     Indeed, a recurrent theme throughout the 9/11 Commission's 
report was the need to prevent widespread over-classification by the 
Federal government. The Commission found that over-classification 
interferes with sharing critical information and impedes efficient 
responses to threats.
     The numbers tell us that we are still not heeding the 
Commission's warning.
     Eight million new classification actions in 2001 jumped to 
14 million new actions in 2005, while the quantity of declassified 
pages dropped from 100 million in 2001 to 29 million in 2005.
     In fact, some agencies were recently discovered to be 
withdrawing archived records from public access and reclassifying them!
     Expense is also a problem: $4.5 billion spent on 
classification in 2001 increased to $7.1 billion in 2004, while 
declassification costs fell from $232 million in 2001 to $48.3 million 
in 2004.
     In addition, an increasing number of policies to protect 
sensitive but unclassified information from a range of Federal agencies 
and departments has begun to have a dramatic impact.
     At the Federal level, over 28 distinct policies for the 
protection of this information exist.
     Unlike classified records, moreover, there is no 
monitoring of or reporting on the use or impact of protective sensitive 
unclassified information markings.
     The proliferation of these pseudo-classifications is 
interfering with interagency information sharing, increasing the cost 
of information security and limiting public access.
     Case in point: this document from the Department of 
Homeland Security (HOLD UP RADICALIZATION IN THE STATE OF CALIFORNIA 
SURVEY).
     In a few weeks, I will be leading a field hearing to 
Torrance, California, to examine the issues of domestic radicalization 
and ``home grown'' terrorism.
     This DHS document--a survey on radicalization in the State 
of California--is marked ``Unclassified/For Official Use Only.''
     On Page 1 in a footnote, the survey states that it cannot 
be released ``to the public, the media, or other personnel who do not 
have a valid ?need to know' without prior approval of an authorized DHS 
official.''
     Staff requested and was denied that approval.
     Staff also asked for a redacted version of the document so 
we could use at least some of its contents at the coming California 
hearing. DHS was unable to provide one.
     Let me be clear: I'm not denying that there may be 
sensitive information included in this survey, but it illustrates my 
point: what good is unclassified information about threats to the 
homeland if we can't discuss at least some of it at a hearing?
     How can we expect DHS and others to engage the public on 
important issues like domestic radicalization if we hide the ball?
     Unfortunately, this is nothing new. In 1997, the Moynihan 
Commission stated that the proliferation of these new designations are 
often mistaken for a fourth classification level, causing unclassified 
information with these markings to be treated like classified 
information.
     These continuing trends are an obstacle to information 
sharing across the Federal government and with State, local, and tribal 
partners--including most especially with our partners in the law 
enforcement community.
     Unless and until we have a robust intelligence and 
information sharing system in place in this country, with a clear and 
understandable system of classification, we will be unable to prevent a 
terrorist attack on the scale of 9/11 or greater.
     That is why this Subcommittee will focus its efforts in 
the 110th Congress on improving information sharing with our first 
preventers--the men and women of State, local, and tribal law 
enforcement who are the ``eyes and ears'' on our front lines.
     And it's why we will pay particular attention to the 
issues of over-classification and pseudo-classification of 
intelligence--and what we can do to ensure that we err on the side of 
sharing information.
     We'll do this work in the right way--partnering with our 
friends in the privacy and civil liberties community who want to 
protect America while preserving our cherished rights.
     I would like to extend a warm welcome to our witnesses who 
will be talking about these issues.
     On our first panel, we have assembled an array of experts 
who will be testifying about the extent of these problems and where 
things are trending.
     Our second panel of law enforcement leaders will talk 
about how over-classification and pseudo-classification are impacting 
their ability to keep our communities safe.
     In addition, I hope the witnesses will provide the 
Subcommittee with a sense of how we might solve the challenges ahead of 
us, with the goal of ensuring the flow of information between the 
Federal government and State, local and tribal governments.
     Welcome to you all.

   Prepared Statement of the Honorable Bennie G. Thompson, Chairman, 
                     Committee on Homeland Security

                             March 22, 2008

     Thank you, Madame Chair, and I join you in welcoming our 
distinguished witnesses today to this important hearing on the problem 
of over- and pseudo-classification of intelligence.
     Information sharing between the Federal government and its 
State, local and tribal partners is critical to making America safer.
     But we won't get there if all we have is more and more 
classification, and more and more security clearances for people who 
need access to that classified information.
     The focus should be different.
     The Federal government instead must do all it can to 
produce intelligence products that are unclassified.
     Unclassified intelligence information is what our nation's 
police officers, first responders, and private sector partners--need 
most.
     They have told me time and time again that what they DON'T 
need is information about intelligence sources and methods.
     An officer on patrol in Jackson, Mississippi, or Des 
Moines, Iowa, has no use for the name of the person in Afghanistan, 
Africa, or elsewhere who provided the information or whether it was 
obtained from an intercepted communication.
     What he or she wants to know is if the information is 
accurate, reliable and timely.
     If so, police chiefs and sheriffs can use it to drive 
their daily operations--especially when it comes to deciding where to 
put their people to help prevent attacks.
     That's what intelligence is all about: if it can't tell an 
officer on the beat what to prepare for and how, what good is it?
     Over-classification and pseudo-classification are nothing 
new, but 9/11 has made these problems worse.
     It's my understanding that security concerns after the 
September 11th attacks prompted some agencies and departments to shield 
whole new categories of information with Confidential, Secret or Top 
Secret markings.
     What might have started as a noble intention to protect 
the homeland has broken down into a system of often excessive, abusive 
and/or politically motivated classification decisions.
     It's time to fix things.
     This hearing will be the first of several on over- and 
pseudo-classification and will help us get a handle on the scope of the 
problem.
     I hope each of the witnesses will be forthcoming in their 
assessments of these issues and how we can help.
     Welcome to you all. I look forward to your testimony.

                                 
