Compartmented control system

From Citizendium
Jump to navigation Jump to search
This article may be deleted soon.
To oppose or discuss a nomination, please go to CZ:Proposed for deletion and follow the instructions.

For the monthly nomination lists, see
Category:Articles for deletion.


Above and beyond their regular classified information|security classification systems for military, diplomatic, and intelligence information that needs protection, the United States, as do several other nations with complex security needs, have implemented compartmented control systems. While various commissions have complained the classification system is too complex and results in unneeded costs, what has already been written will not be undone. While the Director of National Intelligence (DNI)) has tried for clarity in markings, there is no single U.S. authority concerned with consistency. The Department of Defense, United States intelligence community, and United States Department of Energy each are responsible for different compartmented systems. The very existence of some systems was highly classified for a number of years (e.g., see National Reconnaissance Office), and there is absolutely no reason to assume that every convention is known; the DNI guidance cited here has, for example, a number of "ECI" categories, the details of which are deleted.

One of the reasons for this article is to assist those who might see declassified primary documents, and at least have some idea of the marking conventions. It cannot be overemphasized that the classifiers themselves do not always follow their own rules, both in formatting and in the types of markings. The latter include things variously called code words, nicknames, code names,[1] pseudonyms, and cryptonyms, with overlapping usage.

Especially for the intelligence-related systems described below, there is significant sharing among Australia, Canada, New Zealand, the United Kingdom, and the United States. Intelligence sharing is more selective among other NATO nations and with friendly countries in other areas. In NATO, and especially the UK, there is some level of sharing nuclear weapons information.

In a less formalized way, such systems came into use during the Second World War. MAGIC and ULTRA, respectively, covered communications intelligence on Japan and Germany. A strange term, BIGOT, derived from the stamping of orders for officers going to Gibraltar to plan the North African invasions, "TO GIB". Spelling this backwards gave BIGOT, which was a compartment for information about the Normandy invasion. The term "BIGOT List" remains in U.S. intelligence use, as the list of people given access to a particular compartment. In WWII, it was convenient, in trying to find out if someone had access to NEPTUNE and OVERLORD planning information, to ask "are you bigoted?" An indignant answer of "no" ended that part of classified discussion.

Compartmented control systems fall into several broad categories:

  • Special access programs (SAP) for military plans, weapons, special procurement, and other matters of unusual sensitivity, under regulations promulgated by the United States Secretary of Defense,
    • Single Integrated Operational Plan (SIOP-ESI), the ESI designating "extremely sensitive information", for fighting a nuclear war,
  • Sensitive compartmented information (SCI) for intelligence material, with regulations promulgated by the Director of National Intelligence,
  • Restricted Data (RD) and other labels for nuclear weapons design, naval power reactors, and other information. Critical Nuclear Weapons Design Information, which may have other labels, is one such subcategory.

The compartmented control systems are used in addition to the regular classification markings and control procedures. These are the main categories, although there have been specific programs, such as the PSALM compartment established by the President during the Cuban Missile Crisis (see example [2]

Formally, the system of "code names" and "nicknames", in U.S. military usage, is defined by the Joint Chiefs of Staff, in CJCSM 3150.29A "Codename, Nickname, and Exercise Term Report (NICKA)"[3]. An implementing regulation from a major Air Force command, which essentially repeats the JCS document, may be useful. [4] See also Parsch's "Code Names for U.S. Military Projects and Operations"[1] and Arkin's book, Code Names: Deciphering U.S. Military Plans, Programs And Operations In The 9/11 attack World. [5]

Compartmented control systems are sometimes called "codeword" systems. A CIA document containing SCI might have its cover page marked "TS-CODEWORD", indicating TOP SECRET material in a compartment, the actual code word for which is itself classified.

Collateral information

The term collateral or collateral-level is used to describe material that is classified, but not under a compartmented control system.

Special Access Program

Special Access Programs (SAP) deal with United States Department of Defense, not United States Intelligence Community, information. [6].

SAPs are subdivided into three further groups [6]There is no public reference to whether SCI is divided in the same manner, but news reports reflecting that only the "Big 8" Members are briefed on certain intelligence activities, it may be assumed that similar rules apply for SCI. The groups are

  • Acknowledged: appears as a line item as "classified project" or the equivalent in the US budget, although details of its content are not revealed. The budget element will associate the SAP with an organization or major command, such as the Navy or Strategic Command
  • Unacknowledged: no reference in the published budget; its funding is hidden in another entry, often called the "black budget". The appropriate Congressional committees, however, are briefed on the nature of the SAP and approve it.
  • Waived: no mention in the budget, and briefed only to the "Big 8" members of Congress: Speaker of the House, House Minority Leader, Senate Majority and Minority Leaders, and the Chairman and Ranking Minority Members of the appropriate committees.

Codeword designations should not have any relationship to the information they protect, else they do not provide security. By renaming operations with a name that affects public perception, the resulting term does not really correspond for an operation, but becomes a non-neutral slogan. As one example, GEN Tommy Franks, commanding United States Central Command, designated the plans for the 2003 invasion of Iraq as POLO STEP, [7] although the name announced to the public was Operation IRAQI FREEDOM. Very briefly, the public name was Operation IRAQI LIBERATION, until a public relations person realized the unfortunate connotations of its abbreviation.

Single Integrated Operational Plan

Much of the detail of the master U.S. plans for nuclear warfare, until recently called the Single Integrated Operational Plan (SIOP), was in a Special Access Program compartment called Extremely Sensitive Information, written SIOP/ESI. SIOP/ESI dealt with military operations; other sensitive areas, such as Critical Nuclear Weapons Design Information (CNWDI), had their own compartments. While a bomber crew needed to know how to handle, arm, and drop a nuclear weapon, they had no need to know the physics of how the internals of the bomb worked. Some targeting staff did need such information, and thus needed to be indoctrinated both into SIOP/ESI and CNWDI (and other #Restricted Data|RESTRICTED DATA compartments of the SIGMA series).

Personnel Reliability Program

For more information, see: Personnel Reliability Program.

Sometimes called a SAP, but not an information security program as such, is the Personnel Reliability Program (PRP). All personnel that have physical access to nuclear weapons, or command and control systems for nuclear weapons, must have current PRP approval. While anyone on PRP status has already been granted a high-level security clearance, PRP is focused not on the information, but on the people. If, for example, a person in a PRP-designated position is receiving prescription medication that might cloud judgment, his or her PRP status is temporarily suspended and the person is assigned to a non-PRP job, or put on medical leave. In like manner, severe life stresses, such as divorce, bereavement, etc., can result in temporary suspension of PRP status. Suspension of PRP status is not a reflection on one's trustworthiness, but on one's decisionmaking under stress. In many respects, it is a generalization of rules already applied to aircrews; a pilot is not allowed to fly when taking a prescribed but sedating medication for allergy.

Sensitive Compartmented Information

For the most sensitive operations, there is essentially are systems parallel to, or perhaps above the regular security clearance system, of "Sensitive Compartmented Information" (SCI) [8]

To achieve selective separation of program information while still allowing full access to those working on the program, a separate "compartment," identified by a unique codeword (itself sometimes classified), is created for the information.

Sensitive Compartmented Information Facility

This entails establishing communication channels, data storage, and work locations Sensitive Compartmented Information Facility (SCIF), which are physically and logically separated not only from the unclassified world, but from general Department of Defense classified channels as well.

Facilities comparable to SCIFs may be required for Special Access Programs. SIOP-ESI material, for example, is handled in such shielded rooms. Since SIOP-ESI deals with nuclear warfare, it is subject to the supplemental "no lone zone"; it must always be in the sight of two cleared individuals.

Marking information to indicate compartment(s)

Thus established, all information generated within the compartment is classified according to the general rules above. However, to emphasize that the information is compartmented, all documents are marked with both the classification level and one or more special markings. The markings are not consistent. They may be a single word or set of letters such as UMBRA or SI.

Periodically, there is an attempt to make the system somewhat more coherent. The most recent, with several subsequent updates, and a fairly small amount of redactions in the released document, is [9]

Code words and nicknames

Technically, a single word, the meaning of which is classified, is a nickname and a two-word designator, the meaning of which may or may not be classified, is a code word (often written codeword). It also may be written as a short phrase such as caveat "Handle via <compartment name> Channels Only", which may be abbreviated CCO.

For example, the NSA domestic telephone surveillance program is almost certainly designated "Handle through COMINT Channels Only", so its documentation would read, at least, TOP SECRET-CCO, probably with a special compartment within CCO, which, hypothetically, would be an arbitrary word such as ORWELL. It is presumably SCI, which does not appear in the markings.

Examples of compartmented topics are sensitive intelligence activities (SCI), nuclear secrets (Restricted Data), and stealth technology (SAP).

Special Access Required

SAP's are to be written in full, "SPECIAL ACCESS REQUIRED-[program identifier][10]

Subcompartments

One or more compartments may be created for each area, and each of these compartments may contain multiple programs or projects (e.g., a specific reconnaissance satellite, ICBM, or stealth aircraft), themselves with their own codenames or nicknames.

So, it is a reasonable assumption that the NSA telephone surveillance program might be a designated a Waived SCI program, with documentation stamped TS-CCO-ORWELL.

Cryptonyms and pseudonyms

The Central Intelligence Agency has yet other sets of markings, called cryptonyms and pseudonyms. [11] A cryptonym is a combination of a two-letter digraph, which are either free-standing (e.g., ECFLUTTER is a digraph for counterintelligence and FLUTTER refers to a polygraph).[12] It is considered especially elegant if the digraph is part of the word, so if the digraph for "Eastasia"[13] were EA, EASTWOOD would be a perfectly acceptable cryptonym.

When the cryptonym refers to the leader of a clandestine human-source intelligence cell, the cryptonym for the first subagent might be EASTWOOD-1. See clandestine cell system.

Pseudonyms sound like perfectly acceptable names, but are fake and backed up with cover documentation; the pseudonym, such as "Nancy Drew", might have a real name of "Mychelle Holmes".

Actual marking of documents

The basic rule on how to mark documents, intended for people authorized to do so and cleared for the contents, really deserves to be reproduced so that all the nuances of its clarity may be appreciated:

The first value in the banner line (classification) should be followed by a double

forward slash if additional categories are used. US classified documents must always have a classification marking. Non-US or JOINT documents must always have the US classification left blank and the banner line start with a double forward slash followed by the Non-US or JOINT classification marking. In the Marking Title column, items that are indented are subsets of the immediately preceding non-indented items. SCI Control systems and their subsets should be kept together, separated by a hyphen.

SCI Control Systems should be separated from each other by a single forward slash. Foreign Government Information markings, if any, should follow, preceded by a double forward slash. Multiple FGI countries should be separated by a single space. Dissemination controls, if any, should follow, preceded by a double forward slash. A single forward slash with no space interjected should be used to separate multiple dissemination controls. Dissemination controls and their subsets should be kept together, separated

by a hyphen. The hierarchy for markings must follow the order in which they appear in the above Register. The banner line must always have the classification spelled out, but the caveats may be abbreviated.[14]

Some examples, with random words substituted for redactions, include:

  • (U) Basic Example: CONFIDENTIAL//NOFORN
  • (U) Multiple SCI Examples: TOP SECRET//CCO-GAMMA/TALENT KEYHOLE-RUFF/ORIGINATOR CONTROLLED, abbreviated as TOP SECRET//CCO-G/TK-RUFF//ORCON
  • (U) Multiple SCI and SAP Examples:TOP SECRET//HCS/TALENT KEYHOLE//SPECIAL ACCESS REQUIRED-BUTTER POPCORN//NOT RELEASABLE TO FOREIGN NATIONALS abbreviated as: TOP SECRET//HCS/TK//SAR-BP//NOFORN
  • (U) ECI Examples, some of which are US only and some releasable to selected countries, include:
    • TOP SECRET//CCO-ECI-XYZ//NOFORN
    • TOP SECRET//CCO-ECI-ABC//REL TO USA, AUS, GBR
    • TOP SECRET//CCO-ECI-LMN
    • TOP SECRET//CCO-ECI QRS//REL TO USA, AUS, CAN, GBR, NZL[15]
  • (U) Multiple ECI Example: TOP SECRET//CCO-ECI-ABC CCO-ECI-EFG CCO-ECI-XYZ
  • (U) Multiple COMINT Sub-Control Systems Example:TOP SECRET///CCO-G CCO-ECI-ABC//ORCON

Major control systems

The major compartmented control systems, whose names, and even the classification of the name, have changed over time, all have subcompartments. In any event, the major SCI systems are:

Type of information Protected Representative Marking
Human-source intelligence Humint Control System (HCS)
Imagery intelligence TALENT-KEYHOLE (TK)
Signals intelligence, including communications intelligence and electronic intelligence HANDLE THROUGH COMINT CHANNELS ONLY (CCO), but still sometimes SI (Special Intelligence)
Designs and operations of National Reconnaissance Office airborne and space reconnaissance programs BYEMAN (B), no longer used

No coherent explanation has ever been published on why the compartment CCO isn't SIGINT channels only, given that ELINT and COMINT are both subsets of SIGINT. CRYPTO, incidentally, is a special handling and channel, but isn't necessarily SAP/SCI unless the cryptosystem is authorized for those channels.

Restricted Data

Sensitive information about nuclear weapons is under a control system called RESTRICTED DATA,[16]

The especially sensitive compartments dealing with design also bearing CRITICAL NUCLEAR WEAPONS DESIGN INFORMATION, or SIGMA-xx (where xx is a number).Cite error: Invalid <ref> tag; invalid names, e.g. too many There is also a category of FORMERLY RESTRICTED DATA that does not have detailed design information, but puts a tighter control on data about specific nuclear weapons. CRITICAL NUCLEAR WEAPONS DESIGN INFORMATION includes some SIGMA compartments. [17] for more fine-grained control than RESTRICTED DATA.

The Atomic Energy Act of 1954 sets requirements for protection of information about nuclear weapons and special nuclear materials (i.e., materials capable of bomb-grade fission of fusion). Such information is "born secret|classified from birth," unlike all other sensitive information, which must be classified by some authorized individual. However, authorized classifiers still must determine whether documents or material are classified or restricted.[18]

Substantial information has been published, by the Department of Eneergy, on the history of decisions to compartment, or remove compartmentation, from specific types of information. [19]

FORMERLY RESTRICTED DATA

Certain material, originally designated as RESTRICTED DATA, have been determined not to contain any nuclear-specific material that would keep it in RD. Typically, these are specific to the military application of nuclear weapons, but revealing no details of the weapons themselves.

This material is labeled FORMERLY RESTRICTED DATA, which, as a marking, does not seem to have terribly specific requirements for handling. It appears to continue to have a NO FOREIGN NATIONALS restriction, but may simply be considered to be an example of the relabeling of "born classified" data.

Critical Nuclear Weapon Design Information

Critical Nuclear Weapon Design Information (CNWDI) (colloquially pronounced "Seen-Windy") reveals the theory of operation or design of the components of a nuclear weapon.[20] As such, it would be SIGMA 1 or SIGMA 2 material, assuming laser fusion is not involved in the information.

Access to CNWDI is supposed to be kept to the minimum number of individuals needed. In written documents, paragraphs containing the material, assuming it is TOP SECRET, would be marked (TS)(RD)(N), where (N) is a shorter way of writing CNWDI. SIGMA information of especial sensitivity may be handled much like SAP or SCI material.

Naval Nuclear Propulsion Information

While most Naval Nuclear Propulsion Information is sensitive, it may or may not also bear RESTRICTED DATA and certain SIGMA caveats.[21] Since naval reactors normally run with highly enriched fuel and, as opposed to most other reactors, possibly could be driven into an uncontrolled fission reaction, however, design details will almost certainly be classified.

Sharing of classified information with other countries

In cases where the United States wishes to share classified information bilaterally (or multilaterally) with a country that has a sharing agreement, the information is marked "REL" (release) and the three-letter country code.

For example, if the U.S. wanted to release classified information to the governments of France, UK, and Canada, it would mark the document "REL TO CAN, FRA and GBR." There are also group releases, such as NATO or UKUSA. Those countries would have to maintain the classification of the document at the level originally classified (TOP-SECRET, SECRET, etc.).

In practice, documents may be marked NOFORN EXCEPT (Country or countries).

Criticism

At least in the U.S. government, questions have been raised about the true utility of compartmented security and its contribution to stovepiping. [22]

References

  1. 1.0 1.1 Parsch, Andreas, "Code Names for U.S. Military Projects and Operations", Designation-systems.net
  2. SNIE [Special National Intelligence Estimate 11-18-62: Soviet Reactions to Certain US Courses of Action on Cuba], 19 October 1962, SNIE 11-18-62
  3. Joint Chiefs of Staff, Codename, Nickname, and Exercise Term Report (NICKA), CJCSM 3150.29A
  4. Headquarters, North American Air Defense Command (NORAD) (25 August 1989), Administrative Practices: CODE WORDS, NICKNAMES, AND EXERCISE TERMS, NORAD REGULATION 11-3
  5. Arkin, William M. (2005), Code Names: Deciphering U.S. Military Plans, Programs And Operations In The 9/11 attack World, Random House
  6. 6.0 6.1 Department of Defense Overprint to the National Industrial Security Program, February 1995
  7. Tommy, Franks (2004), American Soldier, Reganbooks p. 396
  8. Director of Central Intelligence Directive 1/7: Security Controls on the Dissemination of Intelligence Information (June 1998). Retrieved on 2000-09-30.
  9. (U) Director of National Intelligence (DNI) Special Security Center(SSC), Controlled Access Program Coordination Office (CAPCO) (12 May 2008), (U) Authorized Classification and Control Markings Register, vol. Volume 1, Edition 2 (Version 1.2)
  10. DNI-SSC, p. 9
  11. Stockwell, John (1978), Excerpts from the book, In Search of Enemies, W.W. Norton
  12. Agee, Philip (1975), excerpt from the book, Inside the Company: CIA Diary, Penguin Note: this excerpt contains examples of cryptonyms, but not the actual syntax discussed in the hard-copy book
  13. One of the always-warring nations in George Orwell's 1984
  14. DNI-SSC, p. 24
  15. Apparently a classified compartment, proably dealing with communications intelligence because it bears CCO, the basic COMINT compartments
  16. Los Alamos National Laboratory, Guide to Portion Marking Documents and Material, Appendix B, Definitions}}
  17. [no title, apparent extract from University of California laboratory security briefing]. University of California (n.d.).
  18. , Chapter 9. Special Requirements: Section 1. Restricted Data and Formerly Restricted Data, National Industrial Security Program Operating Manual, DOD 5220.22M
  19. Restricted Data Declassification Decisions, 1946 to the Present, U.S. Department of Energy, 1 January 2002, RDD-8
  20. U.S. Deparment of Defense (12 January 1978), Access to and Dissemination of Restricted Data, DoD Directive 5210.2
  21. Naval Nuclear Propulsion Program Classification Review, October 1995
  22. Critique of the Codeword Compartment in the CIA, Center for the Study of Intelligence, Central Intelligence Agency, March 1977