Sensitive Security Information (SSI)
For decades, the U.S. government has had systems in place for dealing with military secrets. Information is classified as either Confidential, Secret, Top Secret, or one of many "compartments" of information above Top Secret. Procedures for dealing with classified information were rigid: classified topics could not be discussed on unencrypted phone lines, classified information could not be processed on insecure computers, classified documents had to be stored in locked safes, and so on. The procedures were extreme because the assumed adversary was highly motivated, well-funded, and technically adept: the Soviet Union.
You might argue with the government's decision to classify this and not that, or the length of time information remained classified, but if you assume the information needed to remain secret, than the procedures made sense.
In 1993, the U.S. government created a new classification of information -- Sensitive Security Information -- that was exempt from the Freedom of Information Act. The information under this category, as defined by a D.C. court, was limited to information related to the safety of air passengers. This was greatly expanded in 2002, when Congress deleted two words, "air" and "passengers," and changed "safety" to "security." Currently, there's a lot of information covered under this umbrella.
The rules for SSI information are much more relaxed than the rules for traditional classified information. Before someone can have access to classified information, he must get a government clearance. Before someone can have access to SSI, he simply must sign an NDA. If someone discloses classified information, he faces criminal penalties. If someone discloses SSI, he faces civil penalties.
SSI can be sent unencrypted in e-mail; a simple password-protected file is enough. A person can take SSI home with him, read it on an airplane, and talk about it in public places. People entrusted with SSI information shouldn't disclose it to those unauthorized to know it, but it's really up to the individual to make sure that doesn't happen. It's really more like confidential corporate information than government military secrets.
The U.S. government really had no choice but to establish this classification level, given the kind of information they needed to work with. for example, the terrorist "watch" list is SSI. If the list falls into the wrong hands, it would be bad for national security. But think about the number of people who need access to the list. Every airline needs a copy, so they can determine if any of their passengers are on the list. That's not just domestic airlines, but foreign airlines as well -- including foreign airlines that may not agree with American foreign policy. Police departments, both within this country and abroad, need access to the list. My guess is that more than 10,000 people have access to this list, and there's no possible way to give all them a security clearance. Either the U.S. government relaxes the rules about who can have access to the list, or the list doesn't get used in the way the government wants.
On the other hand, the threat is completely different. Military classification levels and procedures were developed during the Cold War, and reflected the Soviet threat. The terrorist adversary is much more diffuse, much less well-funded, much less technologically advanced. SSI rules really make more sense in dealing with this kind of adversary than the military rules.
I'm impressed with the U.S. government SSI rules. You can always argue about whether a particular piece of information needs to be kept secret, and how classifications like SSI can be used to conduct government in secret. But if you take secrecy as an assumption, SSI defines a reasonable set of secrecy rules against a new threat.
Background on SSI
TSA's regulation on the protection of SSI
Controversies surrounding SSI
My essay explaining why secrecy is often bad for security
Posted on March 8, 2005 at 10:37 AM • 47 Comments