For decades, the US government has had systems in place for dealing with military secrets.
Information is classified as either "Confidential," "Secret," "Top Secret," or one of many compartments of information above "Top Secret."
Procedures for dealing with classified information used to be rigid: Classified topics could not be discussed on unencrypted phone lines, classified information could not be processed on insecure computers, classified documents had to be stored in locked safes, and so on. The procedures were extreme because the assumed adversary was highly motivated, well-funded and technically adept: the Soviet Union.
You might argue with the government's decision to classify this and not that, or with the length of time that information remained classified. But if you assume the information needed to remain secret, the procedures made sense.
In 1993, the US government created a new classification of information — Sensitive Security Information — that was exempt from the Freedom of Information Act. The information under this category, as defined by a Washington, D.C., court, was limited to information related to the safety of air passengers. This was greatly expanded in 2002, when Congress deleted two words — "air" and "passengers" — and changed "safety" to "security." Currently, there's a lot of information covered under this umbrella.
The rules for SSI information are much more relaxed than the rules for traditional classified information. Before someone can have access to classified information, he must get government clearance. Before someone can have access to SSI, he simply must sign a nondisclosure agreement, or NDA. If someone discloses classified information, he faces criminal penalties. If someone discloses SSI, he faces civil penalties.
SSI can be sent unencrypted in email; a simple password-protected file is enough. A person can take SSI home with him, read it on an airplane, and talk about it in public places. People entrusted with SSI information shouldn't disclose it to those unauthorised to know it, but it's really up to the individual to make sure that doesn't happen. It's really more like confidential corporate information than government military secrets.
The US government really had no choice but to establish this classification level, given the kind of information it needed to work with. For example, the terrorist watch list is SSI. If the list falls into the wrong hands, it would be bad for national security.
But think about the number of people who need access to the list. Every airline needs a copy, so they can determine if any of their passengers are on the list. That's not just domestic airlines, but foreign airlines as well — including foreign airlines that may not agree with American foreign policy. Police departments, both within this country and abroad, need access to the list. My guess is that more than 10,000 people have access to this list, and there's no possible way to give all of them a security clearance. Either the US government relaxes the rules about who can have access to the list, or the list doesn't get used in the way the government wants.
On the other hand, the threat is completely different. Military classification levels and procedures were developed during the Cold War and reflected the Soviet threat. The terrorist adversary is much more diffuse, much less well-funded and much less technologically advanced. SSI rules really make more sense in dealing with this kind of adversary than the military rules.
I'm impressed with the US government's SSI rules. You can always argue about whether a particular piece of information needs to be kept secret, and how classifications like SSI can be used to conduct government in secret. But if you take secrecy as an assumption, SSI defines a reasonable set of secrecy rules against a new threat.
Bruce Schneier is CTO of CounterPane Internet Security. He is one of the world's foremost security experts. His latest book is "Beyond Fear: Thinking Sensibly About Security in an Uncertain World."
