The New Executive Order on Information Security: Managing the Balance between Sharing and Safeguarding

On Friday, October 7, the White House released a new Executive Order, “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information.” This order, signed by the president and carrying the force of law, seeks to improve the governance of classified systems and reduce network vulnerabilities to ensure that the sharing of information between departments and agencies, vital to national security, continues.

Q1: What is the current state of information sharing?

A1: The 9/11 Commission Report identified the inability or unwillingness of agencies to share intelligence with one another as a major weakness in U.S. government efforts to combat threats such as terrorism. Since 9/11, U.S. intelligence, law enforcement, and security agencies have rapidly expanded national security intelligence and information sharing and have embraced a “need to share” model. As James Clapper, director of national intelligence, has noted, these communities have made great progress in building a culture that encourages sharing and have come together to eliminate many of the technological and bureaucratic barriers that had inhibited sharing between agencies.

Such efforts have better equipped the United States to address threats such as terrorism and have proven vital in foiling a number of plots. Yet despite its successes, the “need to share” model has created vulnerabilities that should be addressed by policymakers. The WikiLeaks scandal, in which a U.S. Army soldier stationed in Iraq is accused of leaking thousands of classified State Department cables, highlighted the inherent risks in this model. This new Executive Order seeks to address these critical security gaps and provide the guidance required to ensure that agencies continue to share information while simultaneously protecting it.

Q2: How does this Executive Order seek to overcome some of the security challenges currently facing the future of information sharing?

A2: By establishing a body to set standards on how classified networks operate, the Executive Order addresses some of the least secure elements of information sharing. Given the multitude of agencies and departments involved, information currently must be shared across a patchwork of different systems. The varying levels of security applied to these information systems present an opportunity for an intruder to access classified information through a weak point.

To address these concerns, the Executive Order calls for the creation of a Senior Information Sharing and Safeguarding Steering Committee and tasks it with driving the process of implementing standards for information sharing and safeguarding. These standards will then be applied across agencies in order to ensure that systems are uniform, both in how they operate and in the level of protection they provide. While standards for information sharing have previously been put forward, they have not yet been implemented consistently across the various agencies. A governing body such as the steering committee is necessary for directing and driving this process, as well as providing guidance to address future challenges. Cochaired by representatives from the National Security Staff and the Office of Management and Budget, the steering committee is well positioned to tie policy to budget authority. The efforts of the committee to improve information security will be vital for information sharing to continue at the appropriate rate.

Q3: How does this Executive Order address the potential for decreased information sharing as a reaction to the WikiLeaks release?

A3: The Executive Order protects the “need to share” information culture by addressing a critical vulnerability of information security—the insider threat. In the rush to share information over the past decade, some security risks to classified networks, especially those posed by individuals who already have access, have been underappreciated. However, the WikiLeaks scandal has made clear that threats from insiders cannot be ignored. Future breaches could be increasingly detrimental and dangerous, as ease of access to highly classified information has increased under previous information-sharing guidelines. An insider providing a hostile government or organization with highly classified or extremely sensitive information would almost certainly be more damaging to the U.S. government than the WikiLeaks scandal.

To prepare for and combat this threat, the Executive Order establishes an Insider Threat Task Force designed to deter, detect, and mitigate the exploitation of security networks by insiders. The order calls for the task force to develop policies to incorporate increased security, counterintelligence, user audits and monitoring, and perhaps most importantly, a model for sharing based on context. Until now, there has been little consideration of what information a given individual does or does not need access to within a system. However, there is likely no need to grant a soldier in Iraq access to thousands of State Department cables covering issues outside of the scope of his analytic or operational portfolio, as the information is unlikely to pertain to his duties. Under a context-based model, the soldier’s access to such information would be limited. By establishing this task force and seeking to implement a context-based model for sharing, the administration is taking important steps to ensure that the very real threat of a devastating insider breach is minimized.

Q4: What does this Executive Order mean for the future of information sharing?

A4: This Executive Order is necessary to influence and shape continued information sharing. To this end, it both recognizes remaining challenges and, most importantly, directs initiatives to address them. Without such an effort, the “need to share” model is placed at risk, and information sharing could precipitously decrease due to a fear of security breaches. By providing guidance to establish standards and safeguards, especially against insider threats, this Executive Order takes vital action to help ensure that we continue forward in our information-sharing efforts and do not revert to an ineffective, pre-9/11 model.

Rick “Ozzie” Nelson is director of the Homeland Security and Counterterrorism Program at the Center for Strategic and International Studies in Washington, D.C.

Critical Questions is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2011 by the Center for Strategic and International Studies. All rights reserved.