Commentary--For decades, the U.S. government has had systems in place for dealing with military secrets.
Information is classified as either "Confidential," "Secret," "Top Secret," or one of many compartments of information above "Top Secret."
Procedures for dealing with classified information used to be rigid: Classified topics could not be discussed on unencrypted phone lines,
You might argue with the government's decision to classify this and not that, or with the length of time that information remained classified. But if you assume the information needed to remain secret, the procedures made sense.
In 1993, the U.S. government created a new classification of information--Sensitive Security Information--that was exempt from the Freedom of Information Act. The information under this category, as defined by a Washington, D.C., court, was limited to information related to the safety of air passengers. This was greatly expanded in 2002, when Congress deleted two words--"air" and "passengers"--and changed "safety" to "security." Currently, there's a lot of information covered under this umbrella.
The rules for SSI information are much more relaxed than the rules for traditional classified information. Before someone can have access to classified information, he must get government clearance. Before someone can have access to SSI, he simply must sign a nondisclosure agreement, or NDA. If someone discloses classified information, he faces criminal penalties. If someone discloses SSI, he faces civil penalties.
SSI can be sent unencrypted in e-mail; a simple password-protected file is enough. A person can take SSI home with him, read it on an airplane, and talk about it in public places. People entrusted with SSI information shouldn't disclose it to those unauthorized to know it, but it's really up to the individual to make sure that doesn't happen. It's really more like confidential corporate information than government military secrets.
The U.S. government really had no choice but to establish this classification level, given the kind of information it needed to work with. For example, the terrorist watch list is SSI. If the list falls into the wrong hands, it would be bad for national security.
But think about the number of people who need access to the list. Every airline needs a copy, so they can determine if any of their
On the other hand, the threat is completely different. Military classification levels and procedures were developed during the Cold War and reflected the Soviet threat. The terrorist adversary is much more diffuse, much less well-funded and much less technologically advanced. SSI rules really make more sense in dealing with this kind of adversary than the military rules.
I'm impressed with the U.S. government's SSI rules. You can always argue about whether a particular piece of information needs to be kept secret, and how classifications like SSI can be used to conduct government in secret. But if you take secrecy as an assumption, SSI defines a reasonable set of secrecy rules against a new threat.
Bruce Schneier is CTO of CounterPane Internet Security. He is one of the world's foremost security experts. His latest book is "Beyond Fear: Thinking Sensibly About Security in an Uncertain World."