A new memo from the White House Office of Management and Budget (OMB) details a new requirement for all federal agencies to assess aspects of their information security in the wake of a series of embarrassing disclosures by WikiLeaks. The memo directs agencies to consider 11 pages of questions relating to information security procedures, including whether employees are required to report contacts with journalists. Transparency advocates have criticized some aspects of OMB's strategy as potentially damaging to open government.

The memo comes in the context of other government actions to investigate and prosecute those involved with the WikiLeaks disclosures. Bradley Manning, an Army intelligence analyst suspected of leaking documents to the site, was arrested in June 2010 and has yet to stand trial. In December 2010, the Justice Department subpoenaed information from several Twitter accounts associated with WikiLeaks. In addition, in December 2010, OMB directed federal employees not to view the leaked classified documents, and the Air Force blocked access to sites that published the documents, including The New York Times.

The memo, issued Jan. 3, contains more than 100 questions developed by the National Archives and Records Administration's Information Security Oversight Office (ISOO) and the Director of National Intelligence (DNI). The memo builds upon a Nov. 28, 2010, OMB memo asking agencies to begin evaluating their procedures for safeguarding classified information. Agencies are directed to complete their initial assessments by Jan. 28. The memo indicates that ISOO and DNI may also conduct on-site inspections of agency compliance.

The questions ask agencies that handle classified information to describe their information security practices, including oversight, counterintelligence, training, personnel security, and technical measures. For instance, many of the questions relate to the use of removable media with classified systems; Manning is reported to have copied classified documents onto a rewritable CD.

Other questions, however, are more controversial. Agencies are asked to describe their efforts to detect "insider threats," including using psychiatrists to measure employees’ happiness and grumpiness as a means to gauge their "trustworthiness." The Federation of American Scientists' Steven Aftergood called the memo "paranoia, not security." Aftergood also criticized the question relating to contact with journalists:

This question seems out of place since there is no existing government-wide security requirement to report "contacts with the media." Rather, this is a security policy that is unique to some intelligence agencies, and is not to be found in any other military or civilian agencies. Its presence here seems to reflect the new "evolutionary pressure" on the government to adopt the stricter security policies of intelligence.

Such a requirement could be viewed as at odds with the administration's December 2010 scientific integrity memo, which called for freer communication between government scientists and the media, as well as the Open Government Directive that calls for more transparency throughout the executive branch.

Missing the Point?

Other transparency advocates criticized the administration's effort for focusing on the wrong issues. The National Security Archive's Tom Blanton said the review should address overclassification, noting, "I really don't see the kind of systemic reform that would protect the real secrets and push everything out into the public domain."

None of the questions attached to the memo explore the issue of overclassification or the possibility of improving information security by reducing the amount of information requiring stronger protections. Overclassification has long been an acknowledged problem for government, and even during the George W. Bush administration, which utilized government secrecy more than most administrations, officials estimated that as much as half the information being classified did not justify the marking.

Congress has also started to respond to the WikiLeaks issue. House Oversight and Government Reform Committee Chairman Darrell Issa (R-CA) is expected to investigate the administration's response to WikiLeaks. During the lame-duck session of the previous Congress, Sen. Joe Lieberman (I-CT) introduced the Securing Human Intelligence and Enforcing Lawful Dissemination Act (SHIELD Act) that would make it a federal crime for anyone to publish the name of a U.S. intelligence source. The bill was introduced so late in the session (Dec. 2, 2010) that no action beyond referring it to the Judiciary Committee occurred. The bill has not yet been reintroduced in the 112th Congress.

It is unclear whether the internal agency assessments will be combined and used to craft a unified, government-wide policy response to the WikiLeaks issue or if agencies will be given responsibility to improve those areas deemed to need attention.

Image in teaser by Wikipedia user Wikileaks, used under a Creative Commons license