主题:关于国防研究的拟议安全控制 WHITE PAPER
Enclosures:
(1) OSD Memorandum, "Research and Technology Protection Within the DoD," 25 March 2002
(2)DepSecdef备忘录,“技术保护”,2000年2月17日
(3) DoD Directive 5200.39, "Research and Technology Protection within the Department of Defense"
(4)国防部5200.39-r,“国防部内的研究和技术保护的强制性程序”
(5) ASD(C3I) Memorandum, "Research and Technology Protection within the Defense Department, 30 January 2002
(6)National Security Decision Directive 189, "National Policy on the Transfer of Scientific, Technical and Engineering Information," 21 September 1985背景Enclosure (1) underscores the strong role that technology plays in the nation's defense and economic competitiveness. The memorandum's three signatories (Hon. E.C. Aldridge, Hon. J.P. Stenbit, and Hon. T.P. Christie) therefore resolve to protect U.S. research and technology from America's military adversaries and industrial rivals, and agree to work together to accomplish that goal. OVERVIEW
简而言之,备忘录表示要保护对国家安全至关重要的承诺。因此,它加强了长期存在的国家政策,要求国防部(DOD)通过分类过程来保护研究(国防部),以保护研究,并通过多种手段来保护技术,其中之一就是分类。备忘录中的关键点是,在30天内,在30天内,在由反智能(CI)/安全社区赞助的两个指令中,要求国防部长办公室(OSD)和军事部门完成协调。与备忘录不同,这些文件主张与现有政策的急剧偏差。
As currently written the draft directives contradict national policy on scientific information stipulating the use of the classification process when national security requires it. They contradict existing DoD policy that specifically prohibits gathering counter-intelligence "lists" for Science and Technology (S&T) projects. They propose a CI/Security database that duplicates the functions of the Militarily Critical Technologies List, an existing database used extensively by the Defense Security Service's Counter-Intelligence Office to develop its annual threat assessments. And,they create the possibility for criminal sanctions to be brought against individuals publishing unclassified research。
This paper is intended to: (1) help meet the commitment of OSD's tripartite memorandum, (2) assist the CI/Security community in its legitimate and important role to target, collect, and disseminate relevant threat data to appropriate RDT&E facility personnel, (3) correct two misleading inaccuracies that are being used to justify changes in national policy, and (4) ensure that defense S&T will not be harmed by the very measures designed to protect it.
On 17 February 2000, the former Deputy Secretary of Defense (DEPSECDEF), Dr. John Hamre, issued a series of memoranda addressing security and counterintelligence (CI) in DoD's laboratories and Test & Evaluation centers. These memoranda conveyed a number of proposals for improving security procedures. An Overarching Integrated Process Team (OIPT), composed of executive-level officials1, developed the proposals. Dr. D. Etter, the former DUSD (S&T), chaired the group.
1Dr. A. Michael Andrews, II (HQ Army (SARD-ZT), Dr. William 0. Berry (ARFL/DC), RADM Paul G. Gaffney, II (Chief of Naval Research), W. John Gehrig (DOT&E(R&R)), Mr. Walter W. Hollis (DUSA Operations Research), Mr. David Crane (DODIG/OIR), Mr. Peter Batten (OUSD(P)PS), Mr. Ronald G. Garant (OUSD(C)), Mr. Peter Lennon (USD(AT&L)ARA), and Mr. Bill Leonard (DASD(S&IO)).
One of the actions directed by Dr. Hamre in enclosure (2) was for the Assistant Secretary of Defense for Command, Control, Communications and Intelligence (ASD C3I) and the Under Secretary of Defense for Acquisition, Technology & Logistics (USD AT&L) to create a directive requiring the services to develop "site-specific lists of critical program information for non-Science and Technology (S&T) programs." Critical program information (CPI) is a designator used to control information in some acquisition category (ACAT) programs, therefore the effect of Dr. Hamre's memo was to expand its use into other ACAT programs and into non-ACAT RDT&E Programs,excepting S&T(i.e., 6.1, 6.2, and 6.3).简而言之,Hamre博士的备忘录(从标题到文本)仅与“技术”保护有关。ISSUE
The ASD(C3I) has formally submitted two Directives, enclosures (3) and (4), for coordination among the Military Departments and the Office of the Secretary of Defense. Contrary to the stated DEPSECDEF policy, they require that all acquisition programs identify CPI throughout all RDT&E budget categories--including S&T. All non-acquisition activities are required to use a CPI-like designator, called Critical Research Technology (CRT), and likewise apply it to "all seven subcategories of RDT&E" -- including S&T (Encl. 3, p.2). The stated objective is to "protect DoD-funded research and technology."An ASD(C3I) memo, provided as enclosure (5), specifically urges protection "beginning with the idea phase within DoD-funded basic research."
保护研究的拟议过程
Once a project is designated as CPI, or CRT, specific requirements and procedures become mandatory. For example:
这最后的要求并不是微不足道的,因为大学,工业,联邦资助的研发中心和非营利组织的所有DOD资助研究的64%(6.1和6.2)。2The actual figure is higher because the DoD laboratories outsource a significant amount of their work.
- 必须报告任何损失,折衷或盗窃的事件,必须报告已确定的CPI或CRT的任何事件(ENCL.3,p.4)。
- All CRT must be appropriately marked with the following warning (Encl. 4, p. 28):
"This material contains critical research technology as defined by DODD 5200.39. Unauthorized disclosure subject to administrative and/or刑事制裁(强调)。需要特定的正式authorization for foreign dissemination."
- Foreign travel of personnel with access to CPI or CRT must be reported to security and CI organizations (Encl. 3, p.4).
- The ASD(C3I) will maintain a "Horizontal Assessment and Protection Database" that identifies all CPI and CRT requiring protection. Horizontal assessment and protection refers to a process ensuring that research in more than one organization is protected to the same degree by all organizations (Encl. 3, p. 13).
- A Defense Research and Technology Protection Council will provide oversight for seamless integration of CPI and CRT protection within DoD (Encl.3, p.4).
- DoD Components are required to include appropriate requirements to protect research in external contracts and grants (Encl. 3, p.9), and the Defense Security Service must conduct periodic security assessments at contractor facilities (Encl. 3, p.7).
2AAAS Report XXVI: Research & Development FY2002
Finally, it should be noted that the CRT designation is applicable to unclassified information. Therefore,these procedures create the possibility for criminal sanctions to be brought against individuals publishing unclassified research, or failing to control it according to the measures prescribed.ANALYSIS AND FINDINGS
A. THE DIRECTIVES CONTRADICT NATIONAL AND DOD RESEARCH POLICY
外壳(6),National Security Decision Direclive (NSDD) 189,编码有关科学,技术和工程信息转移的国家政策。研究由16岁的政策定义为科学与工程学中的基础研究(6.1和6.2)。它规定了这一点,
“在国家安全需要控制的地方,控制学院,大学和实验室在科学,技术和工程领域的联邦资助基础研究中产生的信息的机制是分类。”
In other words, when research requires protection, classification is the only tool permitted by national policy. NSDD 189 endorsed this approach because the strength of American science requires "an environment in which the free exchange of ideas is a vital component."However, the Directives require that research be protected by means in addition to classification, i.e., the CPI and CRT control procedures. The Directives state that they "recognize the normally unrestricted nature of fundamental research, as identified in National Security Decision Directive 189" (Encl. 3, p.2), and have "implemented relevant portions" of it (Encl. 3, p.1).That claim is misleading because the Directives clearly violate national policy。
Another misleading claim is made by enclosure (5), an ASD(C3I) memo being circulated to justify the controls on research. It states that Dr. Hamre's memorandum (i.e., enclosure (2), "directed the ASD(C3I), with support from the USD(P) and the USD(AT&L), to revise or create a DoD directive and define a new process or discipline of integrating support for protecting research and technology... "(Encl. 5, p. 1).
But the former DEPSECDEF's statements are very different from those offered by the ASD(C3I) memo.Hamre博士不仅从未使用过“研究”一词,而且他特别将S&T排除在任何控件之外。Hamre博士从ASD(C3I)备忘录引用的同一来源引用:
"I direct action on the following initiatives designed to improvetechnology(添加了强调)对习得计划的保护...实施一个新的综合支持计划为裁缝technology(emphasis added) protection for individual RDT&E sites, including development of site-specific lists of critical program information fornon-S&T(emphasis added) programs."
B. THE PROPOSED ASD(C3I) DATABASE DUPLICATES FUNCTIONS OF THE MILITARILY CRITICAL TECHNOLOGIES LIST建议1。Delete the requirement to protect research outside of the classification process (e.g., eliminate CRT), and reorient the Directives' focus toward protecting critical technologies (as required by enclosure (2)). This would ensure that the Directives are in conformance with national and DoD policy, as well as avoid the possibility of criminal sanctions being brought against individuals publishing unclassified research. This reorientation also raises the option of using the Militarily Critical Technologies List (MCTL) as a vehicle to accomplish the goals of the CI/Security community (see following section).
The MCTL identifies emerging militarily critical technologies. In fact, the MCTL process reviewed over 6,000 technologies and identified 2,O60 militarily significant technologies that were then entered into the MCTL database. A total of 656 were selected as Militarily Critical. In short, the MCTL process appears to identify the very technologies that the CI/Security community seeks to protect from compromise.
Example.MCTL标识“自动目标识别(ATR) Algorithms" as an emerging militarily critical technology. Two pages in the manual are devoted to explaining the technology, its applications, and why it is important. A worldwide technology assessment is included, which shows the U.S., United Kingdom, Sweden, and France to be leaders, with China and Russia engaging in limited R&D. Finally, a list of countries and their respective organizations conducting this work are identified. The U.S. sites engaged in ATR algorithms include the Massachusetts Institute of Technology, Boeing, Air Force Research Laboratory, Washington University, Naval Research Laboratory, Raytheon, University of Missouri, SRI, Carnegie Mellon University, Lockheed Martin, etc.
The general features of the MCTL process are as follows.3基于这些特性,MCTL过程出现了to be a cost-effective alternative to the proposed database. In fact, the Defense Security Service (DSS) Counter-Intelligence Office uses the MCTL to compile its annual report, "Technology Collection Trends in the U.S. Defense Industry." Its 2000 report stated that the "DSS documents and reviews foreign interest in U.S. defense technology in categories described by the MCTL."4 Its use by the DSS CI office indicates that the MCTL can likely satisfy the CI/Security community's need to target, collect, and disseminate relevant threat data to appropriate RDT&E facility personnel.
- The process is a systematic and ongoing assessment of technologies to determine which technologies are militarily critical.
- 技术由政府,工业和学术界的技术专家组成的工作组选择。
- Domestic performers of the work are identified, including government laboratories, industrial firms, and universities.
- Other countries performing work in the same area are identified and the extent of their work is assessed.
3http://www.dtic.mil/mctl/
4Defense Security Service, "2000 Technology Collection Trends in the U.S. Defense Industry," p.4.
但是,如果MCTL的不足会导致对其功效的怀疑,那么也许DOD的资源可以更好地修改MCTL过程,而不是创建新的且重复的过程。而且,the avoidance of unnecessary investment costs would meet an objective of the USD (AT&L) Business Initiative Council (BIC), which is to identify and implement business reforms that allow the reallocation of savings to higher priorities.建议2。Consider the MCTL as a cost-effective alternative to the proposed ASD(C3I) Horizontal Assessment and Protection Database (HAPD). If the HAPD is already in existence, then evaluate the merits of pursuing its elimination as a cost-reduction initiative under the auspices of the USD(AT&L) BIC.
C. CRT'S DEFINITION IS BROAD ENOUGH TO INCLUDE ALL DEFENSE RDT&ECRT5is defined as "RDT&E information identified and prioritized by site directors and managers thatmay(emphasis added) be important to maintaining the U.S. warfighters' operational advantage when the resulting capability becomes part of a future DoD acquisition program or system." (Encl. 3, p. 12)
5Before the CI/Security community decided to call it Critical Research Technology, the designator went through many evolutions: Critical Research Information (12 July 00), RDT&E Information (26 July 00), Critical Technology (6 September 00), and Critical Research Information and Technology (23 October 00). The almost interchangeable manner in which the terms research and technology are used here, in the Directives, and in the ASD(C3I) memo, suggest the possibility that the CI/Security community does not fully understand what it seeks to control.
This definition is expansive enough to apply to all DoD-funded work. Hopefully all DoD-funded RDT&E "may be important to maintaining the U.S. warfighters operational advantage." Logically, the definition is worded in a way that excludes only RDT&E thatwill notbe important. Moreover, in a competitive budget environment, there will be a strong propensity for managers to designate their projects as critical. To manage work that is not critical is to risk having your funding cut for work that is.For these reasons the CRT data gathered for the HAPD would likely be much less discriminating than that derived from the MCTL's systematic, expert-driven process.
Recommendation #3.Use the MCTL to identify candidate CPI and expand use of CPI only to non-S&T projects at 6.4 and above (per DEPSECDEF guidance in enclosure (2)).
D.改变当前研究保护政策的案例缺乏信誉也许关键问题是 -发生了哪些事件,比冷战期间使用的安全措施更严格控制科学信息?Enclosure (5), an ASD(C3I) memo, bases the CI/Security community's argument for more stringent research protections on:
But in all five cases the stated concern is technology, not research.The CI/Security community has clearly not made a credible argument to support strict new measures beyond existing national policy codified in NSDD 189-- which is to use the classification process when a need arises for protecting scientific information.
- Three classified reports in 1994 detailing the loss of技术(emphasis added) in the RDT&E community (Encl. 5, p.2).
- A November 2001 GAO letter to the SECDEF citing a Congressional tasking to evaluate, "U.S. efforts to restrict foreign national access tosensitive echnologies(强调)。。。" (Encl. 5, p.3)
- Executive Order 13222 that stated, "the unrestricted access of foreign parties to U.S.goods and technology(重点添加)...对国家安全,外交政策和美国经济构成了异常和非凡的威胁”(第5,第3页)
- The Defense Production Act of 1950, as amended, Section 310, states "the Secretary of Defense shall identifycritical components and critical technology items(emphasis added) for each item on the Critical Items list of the Commanders-in-Chief... " (Encl. 5, p.3)
- CI inspections that identified practices at RDT&E sites that would improve DoD's ability to protect dual-use and leading edge军事技术(强调)。。。"(Encl. 5, p.2)
AN OLD DEBATE
The question of how far to go in protecting research was debated throughout the Cold War. In an article published in theWall Street Journal1982年,国防部长C. Weinberger表示,苏联“组织了一项巨大的,系统的努力,以从西方获得先进的技术”。当时的中央情报局副董事Adm B. Inman Adm B. Inman遵循该文章,建议向美国科学进步协会(AAAS)会议提出,科学依赖性应该通过自愿提交研究结果来更加合作,以向适当出版的政府机构进行预公开审查。
In the wake of those remarks, a study sponsored by the DoD, National Science Foundation, AAAS, and National Academy of Sciences, was conducted to examine the relationship between scientific communication and national security in light of the growing concern that foreign nations were gaining military advantage from such research.6Two central conclusions of the "Corson Study" were as follows.
"The technological leadership of the U.S. is based in no small part on a scientific foundation whose vitality in turn depends on effective communication among scientists and between scientists and engineers. Thus, the short-term security achieved by restricting the flow of information is purchased at a price."
Another DoD report voiced similar findings."In the view of the Panel, security by accomplishment may have more to offer as a general national strategy. The long-term security of the U.S. depends in large part on its economic, technical, scientific and intellectual vitality, which in turn depends on the vigorous research and development effort that openness helps to nurture."
6National Academy of Sciences, "Scientific Communication and National Security" (1982), p. ix. Study members included Dale Corson, Chairman, (at that time President Emeritus, Cornell), James Killian (former Presidential Science Advisor), Wolfgang Panofsky (former member President's Science Advisory Committee), William Perry (former SECDEF), and Samuel Phillips (former Director, NSA).
“所有国家的科学家都在进行大量而越来越多的重要工作。这对我们的技术工厂来说是磨碎的,我们可以通过出版和亲自获得自由思想的自由交流来实现。我们也不能忽略这样一个事实,即维持与包括俄罗斯在内的其他国家的研究发现的沟通可能对进步科学知识非常有益(强调)。"7
第二份报告强劲的倡导的科学openness, in particular with Russia, sounds like post-Cold War policy. Instead, the above quote is from a briefing given before the National Security Council (NSC) on 31 May 1956--苏联首次成功测试了飞机排出的氢弹,不到七个月不到七个月。7Office of the Assistant Secretary of Defense (Research and Development), "Maintenance of Technological Superiority: Presentation Before the National Security Council," (31 May 1956).
有趣的是,这两种冷战报告与ASD(C3i)备忘录的语气进行了对比:ReportsReports
"based on their ongoing open exchange relationships and shared methodologies with foreign scientists, the RDT&E community may be reluctant to be accountable for actions / inactions to protect leading edge military research... (Encl. 5, p.3)"
SUMMARYBoth the 1982 Corson Study and the 1956 NSC briefing were conducted when there was a clear and present danger. Even in an atmosphere of urgency, defense experts found no reason to abandon America's reliance on "security by accomplishment" as a strategy for the S&T environment. Therefore, a strong case can be made that national security is best served by maintaining a balance betweensecurity by accomplishmentand通过控制安全性。The former is the appropriate strategy for the DoD's S&T process, and the latter is effective for the subsequent stages of systems development, acquisition, and commercial production.
With this balance in mind, the three recommendations offered by this paper are intended to:
By incorporating this paper's recommendations, the Directives would meet the above objectives by: protecting research in an appropriate manner by conforming to national policy codified in NSDD 189; implementing former DEPSECDEF Hamre's directive to expand the use of CPI into non-S&T programs; and by considering the MCTL (already used extensively by the CI/Security community) as a cost-effective alternative to the proposed ASD(C3I) database. Moreover, if the ASD(C3I) database is found to be as duplicative as it appears, then the USD(AT&L) BIC might explore it as an area for cost savings.
- Support the commitment of the USD(AT&L), ASD(C3I), and DOT&E, to protect research and technology critical to national security, and achieve coordination of the Directives within 30 days,
- 帮助满足CI/安全社区的合法和重要需求,以针对适当的RDT&E设施人员进行针对,收集和传播相关威胁数据,
- 探索现有的满足CI/安全社区需求的手段,并
- Ensure that defense S&T will not be harmed by measures designed to protect it.
By contrast-- as currently written-- the ASD(C3I) Directives: contradict national policy stipulating the use of the classification process when there is a need to protect research; contradict existing DEPSECDEF policy that specifically prohibits control "lists"8for S&T projects; propose a database that appears to duplicate the functions of the existing MCTL, which is used extensively by the CI/Security community; and create the possibility for criminal sanctions to be brought against individuals publishing unclassified research.
8Discussions with the OIPT's membership and staff confirmed that the DEPSECDEF's prohibition extended to any lists. At the time of the DEPSECDEF memo, CPI was a designator in use for ACAT programs;CRTwas developed by the CI/Security community well after the DEPSECDEF policy was established on 17 February 2000.
If approved in their present form, the Directives can be expected to have a chilling effect on the defense research conducted by the nation's universities, industrial centers, and military laboratories.
Don J. DeYoung
U.S. Naval Research Laboratory
Washington, D.C.
2 April 2002