Image courtesy of Flikr user Purple Slog.
By Captain John Goodwin
The value of information lies in its power to guide human action and, like anything of value, merits protection. Since the beginning of civilization, nation states sought to control information in the interest of security. Information as power manifests most clearly in the domain of military competition wherein knowledge of an adversary enables adventitious decision-making. Succinctly aphorized by Sun Zu (孫子) “know self know other, hundred battles, no peril” (知己知彼, 百戰不殆), the ancient military theorist recognized information as fundamental to military success. However, information security policy in the United States progressed haphazardly. Historical information security practices developed from various sources, and often lagged behind other nations. Prior to its era of global engagement, the United States faced a much lower risk from information compromise than it does today. This paper presents a brief history of American information security development to revel tendencies of belated implementation. As an ever evolving discipline, this reflection also highlights the adaptive character information security policy must maintain to remain effective.
On June 12, 1776, the Continental Congress formed “A Board of War and Ordnance” and with it an oath of secrecy. New government employees took the following oath:
I do solemnly swear, that I will not directly or indirectly divulge any manner or thing which shall come to my knowledge as (clerk, secretary) of the board of War and Ordnance for the United Colonies. . . So help me God.”[i]
Thus formed the origins of information security in what would become the government of the United States of America. The founding members of the United States recognized the need to secure sensitive government information in the seventh paragraph of Article IX of the Articles of Confederation. The article excludes information “relating to treaties, alliances or military operations, as in their judgment require secrecy” from public disclosure.[ii] However, the mandate for official government secrecy would not become the institutionalized program familiar to modern government employees are familiar with until the twentieth century.
Harold Relyea introduces American information security as originating with General George Washington during the Revolutionary War. Drawing on British practices, commanders marked communications with handwritten headings of “secret” or “confidential”. This precedent formed the basis of the new Federal Government’s information security program well into the 19th century. Early classification markings reflected crude control measures, designating information as sensitive or restricting circulation. Administrative guidance at the time provided statutory provisions for different types of information. Yet policy did not include the breadth of information control required, evident by the use of “administratively created” markings.[iii]
In a 1972 paper, Dallas Irvine rejects this claim, arguing information security practices were not institutionalized until much later. Irvine makes a distinction between official defense information and information with specific protective measures accorded to it. Prior to WWII, the Army “did not effectively distinguish between these two kinds of information,” he writes. Irvine characterizes the use of classification markings Relyea describes as “arbitrary,” contending that while the words secret and confidential have general English-language meaning, at the time there existed no “prescribed meaning” for these words. . Furthermore, he distinguishes the practice of marking information exclusive to wartime in which espionage, treason or spying by civilians against military operations remained punishable under legislation enacted in 1776. The specification implies attempts by military forces to collect sensitive military information on an opposing force were jus in bello, part of the normal course of conduct expected of warring armies. Thus early classification markings employed by the American Army were, Irvine contends, outside of the normal peacetime conduct of the U.S. government, which “ordinary law and regulations” did not govern.[iv]
In the 19th century, American government drew on the European model of controlling government related information by housing the documents in national archives to withhold them from public circulation. Timothy L. Erickson compares early American government information management to the French during the same time. By French established their national archives, less than a year after forming a new government and while the country was still in turmoil. The United States, by contrast, would dally for over 150 years, until finally establishing the National Archives in 1934.[v] In 1810, Congress appointed Representative Josiah Quincy of Massachusetts to investigate the storage of national records. Quincy’s investigation found sensitive documents from the State Department, War Department, and Navy Department piled in disarray “in the attic of a public building” housing a public post office. Quincy’s report warned that the documents “are much exposed both to fire and to robbery; the dangers of which are also greatly augmented by the total want of watchmen for that building.” Despite Representative Quincy’s findings, Congress took no action to secure the information.[vi] This disregard for information management practices struck French visitor Alex de Tocqueville as peculiar. American indifference to protecting the sensitive information he observed shaped Monsieur Tocqueville’s opinion on the Administrative Instability of the United States. In his book Democracy in America, Tocqueville notes “no archives are formed” and concludes the lack of “administrative education” contributed to the “instability” of American democracy.[vii] Tocqueville’s critique on the poor state of American information management proved a prescient warning that poor information security practices would lead to a breakup of the union; precisely what temporarily occurred fifteen years after its publication.
Institutionalization of information security policy during peacetime saw greater development in the United States after the Civil War. Owing to the industrial revolution in warfare, protection of industrial production methods and military became a concern. This was evident as European nations began adopting military technology developed by the United States during the Civil War such as telegraphy, observation balloons, and electrically fired explosives.[viii] In response, the Army issued General Order No. 35 of 1896 prohibiting surveillance of military sites and classifying such information as confidential.[ix] The Army’s Chief of Artillery, however, revealed in a letter to the Adjutant General in 1907 the term was applied inconsistently, noting, “there is great difference of opinion” and “considerable confusion,” over how to treat confidential information.[x] The letter brought to the War Department’s attention the need for policy to define what Irvine identifies as prescribed meaning. While Irvine argues the matter was not resolved until 1917, Quist notes the discussion did succeed in generating regulations that expanded the scope of information control. In 1912 the War Department required inventories of confidential documents and in 1913 issued a memorandum prescribing how such information should be stored and packaged for transmission.[xi]
At the beginning of the 20th Century, the United States was emerging as a global power, and information security policy developed through military cooperation with European allies and in response to the growing threat of foreign espionage. In 1911 Representative Ruben Moon of Pennsylvania submitted a report with House Resolution 26656 calling for a bill “to prevent the disclosure of national defense secrets.” In what would become the Defense Secrets act of 1911, Rep. Moon relates how a British subject in Calcutta, India found detailed notes on American defensive works on Corregidor Island, “the main stronghold of the United States in the Philippines,” and reported the find to the State Department. At the time, the United States was fighting the Moro Rebellion in the Philippines but the fact that this information made its way to India implied more powerful foreign adversaries could make use of it as well. In contrast to other nations with “any developed system of national defense,” Rep. Moon points out the United States is unique in that it “has no such law and our national defense secrets as a consequence have no protection against spies” noting how spies caught in America have evaded harsh punishments normally meted out in other nations for espionage.[xii] The Defense Secrets Act was the first piece of American legislation criminalizing the disclosure of defense related information.
The Defense Secrets Act proved short-lived, however, as the threat from domestic terrorism and America’s entry into the First World War required a more robust information security policy. Signed into law on June 15, the Espionage Act of 1917 became the definitive piece of legislation governing American information security in the 20th century. The act included an expanded range of activities that constituted espionage and made the crime a capital offense, which remains in effect today. The act also identifies loss of sensitive information “through gross negligence” or failing to report its loss as punishable.[xiii] Later that year, American Expeditionary Forces in France refined military information security policy with the implementation of General Order No. 64 which adopted British classification markings of “Confidential,” “Secret,” and “For Official Use Only,” becoming the first institutionalized classification system of the U.S. government. The order even identified the problem of, “carelessness in the indiscriminate use of the terms,” and provided precise definitions and handling instructions appropriate to each classification marking. When General Order No. 64 made its way back to the United States, The War Department immediately adopted its guidance as regulation on December 14, 1917. The new regulation was unique in that it invoked the punitive authority of the Espionage Act for violations.[xiv] For the first time, failure to implement information security procedures as specified by Army regulation were punishable under a national statue, one that included the death penalty for a much broader range of activities than what the regulation named.
At the outset of the WWII, information security policy reached a new era, one that came to characterize the implementation of security policy to the present day. The Roosevelt Administration expanded executive power through the use of the executive order which successive administrations have employed to update and expand information security policies. Executive Orders enable the president to quickly issue guidance and update policy in response to emerging situations that require immediate action and remain the primary tool of the executive to refine information security policy.
The preeminence of the United States at present rests on the knowledge it has developed and protected. It would not be disingenuous to claim the United States is only as secure as its information. Yet a comprehensive information security policy only came about relatively recently. America’s early history carries both precedent for reforming information security practices from myriad sources and warning that the information age will be less forgiving to the intransigence that characterized the better half of our nation’s history.
Captain John Goodwin is a West Point graduate and U.S. Army officer currently forward stationed in Korea.
[i] Central Intelligence Agency, Intelligence Techniques, last updated September 05 2013, https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/intelligence/intelltech.html (accessed October 10, 2014).
[ii] Articles of Confederation, Paragraph 7, Article IX. Available at http://avalon.law.yale.edu/18th_century/artconf.asp#art9 (accessed October 10, 2014).
[iii] Harold C Relyea, “Security Classified and Controlled Information: History, Status, and Emerging Management Issues,” CRS Report for Congress June 26, 2006, 1. http://www.law.umaryland.edu/marshall/crsreports/crsdocuments/RL33494_06262006.pdf (accessed October 10, 2014).
[iv] Dallas D. Irvine “Origin of Defense-Information Markings in the Army and Former War Department,” The National Archives November 1972. 2. http://fas.org/sgp/library/irvine.pdf (accessed October 10, 2014)
[v] U.S. National Archives and Records Administration, “About the National Archives of the United States,” General Information Leaflet, Number 1, 2007. Available from http://www.archives.gov/publications/general-info-leaflets/1-about-archives.pdf
[vi] Timothy L. Erickson, “Building our own “Iron Curtain”: The Emergence of Secrecy in American Government,” The American Archivist, Vol. 68, Spring/Summer 2005: 28. http://archivists.metapress.com/content/9m260j244177p553/fulltext.pdf (accessed October 10, 2014).
[vii] Alex de Tocqueville, Democracy in America. Translated by Henry Reeve. available at http://xroads.virginia.edu/~HYPER/DETOC/1_ch13.htm (accessed October 10, 2014).
[viii] Arvin S Quist, “Security Classification of Information,” Vol I: Introduction, History and Adverse Impacts, Oak Ridge Classification Associates, LLC. September 20, 2002, 14. http://fas.org/sgp/library/quist/chap_2.pdf (accessed October 10, 2014).
[ix] Irvine, 3.
[x] Quist, 20.
[xi] Irvine, 16; Quist, 21
[xii] House Committee on the Judiciary, To Prevent the Disclosure of National Defense Secrets, 61st Cong. 3rd Sess. 1911, H. Doc. 1942, 1-3. http://books.google.com/books?id=ENpGAQAAIAAJ&pg=PA151&source=gbs_toc_r&cad=4#v=onepage&q=defense&f=false (accessed October 10, 2014.)
[xiii] United States Code, Title 18, § 793 “Gathering, transmitting or losing defense information,” Cornell University Law School, http://www.law.cornell.edu/uscode/text/18/793 (accessed October 10, 2014).
[xiv] Quist, 23-25.