Security policy and procedures need further examination.
In Case of Emergency, Break Glass. That phrase calls to mind the image of a firefighter’s axe in a glass box on a wall. It also is an appropriate analogy for the U.S. Defense Department’s approach to information operations, wherein powerful capabilities often are locked away from the hands of the warfighter. But unlike the firefighter, who is trained in the use of the axe, warfighters have virtually no opportunity to train with U.S. information operations capabilities or to factor them into their plans. Tight security controls that are designed to ensure the protection of many capabilities are, as an unintended consequence, locking the armed forces out of opportunities to learn to use them effectively. This, in a nutshell, is the problem of overprotection.
Information operations capabilities offer the National Command Authorities and joint force commanders a powerful means of shaping the environment and dominating the battlespace. Information operations incorporate capabilities such as psychological operations, deception, electronic warfare and computer network attack to affect adversaries’ information and information systems. The Defense Department is making a significant investment in developing these capabilities to augment its existing strengths. However, to be effective, the department must have properly trained people in position to execute information operations under proper authority, and there must be a clear chain of command and clear rules of engagement. While U.S. information operations capabilities must be protected from misuse or inappropriate disclosure, that protection must not prevent them from reaching the hands of the warfighter.
Overprotection is the result of applying overly stringent controls on access to programs and information. It is accepting the process of compartmentalization as a sufficient reason to limit access to information, regardless of the overall context, circumstances and operational requirements. Overprotection is a symptom of a culture that emphasizes security first and foremost, and the balancing of operational needs second.
One of the most common forms of overprotection is the general reluctance to share information. Most information operations capabilities are classified at some level. Good security practice encourages limiting access to information to the fewest number of people possible, and the Defense Department’s classification system provides guidelines for doing so. While this approach ensures that U.S. secrets remain secure, it also leads to a mindset that holds information close by instinct rather than one that seeks out where it can be most useful. The end result is an environment where information operations capabilities remain hidden from the very people who will be expected to use them. Overprotection prevents the warfighter from engaging in the experimentation, training and planning required to turn an information operations capability into an information operations weapon ready to be employed.
In many cases, overprotection stems from the overly stringent application of the existing policy for the protection of information about sensitive programs. Program managers are required under Department of Defense Directive 5200.39 to identify critical program information early in the program’s life cycle. If compromised, this data could negatively impact the direction and longevity of the program or could require additional work to counter its release. The identification of critical program information allows the Defense Department to take appropriate measures to protect it, whether with collateral classification or special access procedures.
An overprotection problem arises when the critical program information is defined too broadly or too ambiguously. Given the potential for damage from any compromise of critical information on information operations programs, managers may err on the side of caution by applying special access procedures to entire programs. Occasionally, as capabilities are fielded to the commanders in chief (CINCs), they continue to be handled with the same classification and protection levels as their parent development program. Consequently, a capability that was produced under an acquisition special access program (SAP) transitions to an operational SAP. Unfortunately, when this occurs, it locks out warfighters because very few people on their staff will have access to it.
Overclassification is a common manifestation of overprotection. There is a strong tendency in some segments of the information operations community to place almost any technical capability behind “the green door.” Even programs using commercial technology and well-known concepts have been classified as special access required. More importantly, the effects and operational concepts for these capabilities also are frequently restricted at the same levels. With the technology, the effects and the operational concepts visible only to a limited distribution list, it is very difficult to turn these capabilities into effective weapons.
The primary impact of overprotection on the planning and execution of information operations is that the military cannot properly prepare to use information operations. Simply put, military forces are not allowed to train as they fight. The few planners who have access to SAPs are unfamiliar with the capabilities, their effects and the support requirements and, thus, cannot effectively integrate them into their plans. This may be further complicated if the use of a capability requires the approval of the National Command Authorities.
The impact of overprotection is most obvious when a crisis erupts and U.S. forces are about to be engaged. Crises offer opportunities to put new capabilities into action. Information and capabilities that were kept away from CINCs and warfighters suddenly appear at the eleventh hour of a crisis with a program advocate describing the targets they can affect or attack. Unfortunately, at that point it is too late to integrate new capabilities into operational plans. The combatant commander and staff have no direct experience with these capabilities nor have the deployed forces trained in their use. Frequently, combatant commanders choose to ignore these last-minute offerings because they have no practical means to incorporate them into their plans.
The reluctance of commanders to use capabilities that appear just before a mission highlights the manner in which overprotection hampers the process of turning information operations capabilities into information operations weapons. Overprotection limits warfighter access to these information operations capabilities, preventing them from experimenting with how best to use them individually or in conjunction with other weapons. Without experimentation, it is difficult to develop sound doctrine or identify the skill sets required to use the capability. Without doctrine, the services cannot train or organize their personnel to use the capability.
CINC planning staffs do not have access to the full range of information operations capabilities and so have no means of assessing how information operations could or would contribute to mission success. The services have not clearly designated their personnel and units for information operations execution, creating confusion over the chain of command. Most CINC staffs and units lack regular exposure to information operations and do not understand how they relate to their missions and functions. Above all, the different elements of information operations still function within their own stovepipes—psychological operations, electronic warfare, computer network operations—such that even experienced personnel may not understand how to integrate the different pieces.
Information operations provide a set of very powerful tools and capabilities to help CINCs accomplish their tasks of shaping their environment, preparing for a mission and responding in a crisis. There must be another approach that will enable the U.S. military to make better use of information operations in support of national security objectives.
An initial step toward solving the problem would be to push for less restricted access to data associated with information operations capabilities. The Defense Department’s information security program describes in detail the standards for each level of classification. It defines information as Secret when its unauthorized disclosure could be reasonably expected to cause serious damage to national security. For Top Secret information, the risk is exceptionally grave damage. Designation as a SAP is necessary when normal need-to-know criteria offer inadequate protection. By definition, SAPs may be created or continued based on a determination that the vulnerability of, or threat to, the specific protected information is exceptional and that the normal classification criteria are insufficient. There are some instances when establishment of a SAP may be required by statute.
In response to the trend toward overprotection, the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence (OASD C3I) has begun a review of SAP programs. When these programs do not meet the necessary criteria, OASD C3I will push for reductions in special protection measures. Substantial amounts of information relating to information operations programs could be reduced to the Secret collateral level, greatly enhancing information sharing in the Defense Department without harming national security. Furthermore, once the appropriate level of protection for a given program’s critical program information is determined, that same level should be utilized for similar critical program information across the services. Properly balanced application of existing directives can allow the information sharing necessary to turn information operations capabilities into information operations weapons, without any degradation in security.
While these measures will go a long way toward improving the situation, solving the overprotection problem ultimately involves a cultural shift. Personnel in every part of the information operations community—from program developers to intelligence analysts to warfighters—must commit to sharing information about technology, capabilities and operational concepts. Information exchange is a prerequisite for the transformation of information operations capabilities into information operations weapons. No policy or directive can make that a reality. Success depends on the involved individuals’ determination to create a new culture of information sharing to replace the culture of overprotection.
U.S. warfighters are asked to do a great deal under the terms of shape, respond and prepare. Information operations capabilities offer a myriad of means to help achieve those objectives across the full spectrum of Defense Department operations—from peace to crisis to conflict and back to peace. Toward that end, the Defense Department must adopt a process under which information operations capabilities are appropriately protected and accessible to those who need to plan for their use. Keeping these capabilities out of the hands of those who need them simply does not make sense. Information operations have become essential to success in modern conflict. The Defense Department must allow its forces to make full and appropriate use of developing information operations capabilities and protect them at the same time. It cannot afford to do otherwise.
Capt. Philip Ray, USN, is the director, information operations integration and strategy, Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.