As this is likely to be a hot topic for the next few weeks – say, up to and possibly well beyond the DOJ’s near-inevitable attempt to indict President Donald Trump for something — I thought I’d throw what I learned about the classification system and the authorities pertinent to it into the pot. Mind you, I’m not in that world any longer. Some details might have changed. What I provide below is my best recollection of what I learned in my years in defense engineering.
First, the classification system has several degrees of severity. In the usual case, civilians not directly employed by the federal government will have access to one of the following three levels: the lowest levels of the classification pyramid:
- Confidential: This is the lowest level of information security, which pertains to information which, if revealed to unauthorized persons, would cause mild to moderate damage to American security interests.
- Secret: Information classified Secret, if revealed to unauthorized persons, would cause moderate damage to American security interests, which would be difficult to repair.
- Top Secret: Information classified Top Secret, if revealed to unauthorized persons, would cause severe damage to American security interests, from which it is doubtful that recovery would be possible.
The levels above Top Secret are not usually available to civilians not directly employed by the federal government. They usually involve compartmentation and codewords for extra security. Persons with access to those levels must undergo special vetting and training in the responsibilities involved. (NB: There’s no “Suicide After Reading” level, rumors to that effect notwithstanding.)
All media that contain any classified information, whether readable by eye or a form of analog or digital recording, when not in use must be kept in locked containers specifically authorized for the purpose and for their classification level. Violations of that particular requirement have cost several former colleagues their jobs.
You may have read or heard that all it takes to make a document classified is to type its classification level at the top of each page. That’s not quite correct. To create a classified document of any sort requires classification authority. There are two varieties:
- Original: One who holds this authority can create a classified document on the basis of his knowledge and judgment that the information in it should be classified. In the usual case, such authority is limited as to what level of classification the holder can declare an item to be. Also, it’s a violation to use it frivolously; a holder of Original authority can’t declare his grocery shopping list Top Secret.
- Derivative: One who holds this authority can create a classified document only if it contains classified information from an original document that’s already classified. (Note that the “original document” need not come from a source that holds Original authority. It can be one that was classified by Derivative authority. What matters is that some or all of the information in it was already classified.)
So the canard about “just typing TOP SECRET at the top” is simply false. The classifier must hold the correct authority and must use it correctly. Atop that, and perhaps most important of all, he must have a need to know the classified information he handles.
“Need to know” is central to the handling of classified information. One who seeks some item of classified data must have a need to know that item, deriving from his assigned responsibilities. Even the president of the United States must have a need to know any classified information he demands from the intelligence services. (In practice, the president’s need to know is rarely questioned.) Moreover, a person legitimately in possession of classified information must not disclose it to anyone until he has verified:
- The other’s access level as being equal to or higher than the classification level of the information;
- The other’s need to know;
…through the appropriate authorities.
For this reason, conferences in fields that deal with classified information can be complex, even unwieldy. There are a lot of steps involved in assuring that each attendee will have access only to information for which his level is adequate, and which he has a need to know. Special partitioning of meetings, special phones, special badges, and security coordinators abound in such venues.
What’s most likely to become a point of contention in the arguments over the FBI’s raid of President Trump’s Mar-a-Lago home is the president’s declassification authority. In theory, the sitting president has arbitrary authority to declassify whatever he pleases. In practice, he will normally consult subject matter experts from the military and the intelligence services before making such decisions. The bias of such experts tends to be toward keeping classified information classified. However, I have no personal knowledge of a case in which the president was on one side of such a matter while the subject matter experts were on the other.
Other persons in the federal government possess limited declassification authority, once again constrained by access level and need to know. However, they will seldom possess unilateral authority, and will always give great weight to the opinions of subject matter experts before proceeding.
Those are the “bare bones” of the classification and classified material handling rules. There are many others at the higher levels of classification. Fortunately, information classified above Top Secret is less voluminous. The two fundamental laws pertinent to information security, the National Security Act and the Espionage Act, only lay out the basic rules. The devil, as usual, is in the details, which are subject to change without much notice…if any.
Keep the above handy as the fur flies over the FBI raid on Mar-a-Lago.
