
ACCESS TO CLASSIFIED INFORMATION – CONCEPTS OF VULNERABILITIES, THREATS, RISKS AND INCOMPATIBILITY

Florin BUȘTIUC

Abstract
An individual may be authorised to have access to classified information taking into account
characteristics such as loyalty, trustworthiness and reliability. There are criteria for assessing eligibility for a
personnel security clearance, which are introduced (mainly) as incompatibility elements in Government
Decision no. 585/2002 - The National Standards on the Protection of Classified Information in Romania, but
these have a shape that suggests a synthetic approach, and there are no detailed and / or explained correlations
with those characteristics and with factors such as vulnerabilities, threats and risks. Thus, it is appropriate to study
the international acts and US experience in the field, in order to build a comprehensive vision of human behavior
from a security perspective.
Keywords: vulnerabilities, threats, risks, personnel security, eligibility, elements of incompatibility

The general framework of information security


Security has a dual meaning, namely the "status / condition reached when information,
materials, personnel, activities and installations are protected against espionage, sabotage,
subversion, terrorism and other damages, as well as against unauthorized loss and disclosure"
(https://nso.nato.int/nso/zPublic/ap/aap6/AAP-6.pdf) and a system of measures to ensure
protection of the listed values. Information security is regulated at the legislative level (laws,
governmental decisions) and at the administrative level (regulations, internal rules), and involves physical and
technical measures to defend classified and critical information against clandestine intelligence
gathering (espionage, acts of destruction and theft, access of persons who do not have security
guarantees) (Baud, 1998, p. 513).
Thus, information security is an organized system of principles, procedures and rules, in
order to preserve the integrity of some values (usually the central value is information) against
adverse acts / influences, a system which has the following components: physical security,
documents security, communication and computer security, personnel security 1. When each of these
dimensions is analyzed, threats, vulnerabilities, and risks appear "instantly", and personnel security
involves a particular aspect - the elements of incompatibility. With regard to security, the most
vulnerable component is the individual, and for this reason, personnel security is vital to data
(secrets) protection (Hughes-Wilson, 2017, p. 381).
For institutions / organizations, it is important to have staff whose behaviors
reflect values in line with efficiency and integrity requirements. „Corporations/institutions,
whether large or small, need to make sure that the employees, contractors...any partners they
choose to work with are indeed the ones they say they are, they have the accreditations they pretend
to have, and they choose to behave with integrity....The decision to work with them, to trust them
and to allow them to have access to sensitive data is undoubtedly monumental” (Nixon&Kerr, 2008,
p.xxxi). So, when we talk about relevant information (classified, confidential, economic secret, bank
secret etc) which would have a negative impact economically or functionally speaking if it had
been transmitted / revealed in an unauthorized (and illegal) manner, then the person’s integrity
becomes much more important, reflected in responsibility, awareness and the fulfilment of objectives,
requirements and institutional regulations etc, and we have the following equation: security (of
values) = integrity + competence.

* PhD Student, “Mihai Viteazul” National Intelligence Academy

1 The issues were addressed in the article Security in organization - approaches, published in The Criminal Investigation Review,
Number 1/2016

So, states and organizations (companies) protect values such as information (decisions,
projects), financial resources, products, services, equipment, physical spaces etc, also by means
of a general process of selecting persons (for employment/promotion). If the values refer mainly to
classified information, then the standards imposed by the law apply; these define a field -
personnel security / protection - which generates a specific process, namely
security clearance.
By means of security clearance, which can be made by specialized structures within the state
(usually the intelligence/security services), competence can be approached (the presence of certain
abilities necessary for carrying out professional assignments, with the purpose of attaining
efficiency, as a quality of the results), combined with the factor of integrity (the existence of certain
acts/behaviors, or some psychological / social circumstances, by means of which one is assigned
different traits such as loyalty, correctness, trust, discretion, responsibility).

The specific framework of personnel security within NATO, EU and Romania


The security clearance for granting access to classified information (state secrecy) is settled
in Romania through Law no. 182/2002 on the protection of classified information, Government
Decision no. 585/2002 - The National Standards on the Protection of Classified Information in
Romania, Government Decision no.353/2002 on Norms on the Protection of NATO Classified
Information in Romania, and Order No. 490/2005 of the National Registry Office for Classified
Information for access to EU classified information.
The objectives of the article reside in shaping a "philosophy of personnel protection" with
pragmatic implications for the decision to grant access to classified information (considering the
complexity of human nature and the different circumstances associated with acts / behaviors), by:
a) describing specific concepts from Romanian legislation that do not have unitary significance in all
contexts, b) introducing additional assessment elements, as critical analytic factors, conditions that
could mitigate security concerns.
So, it consists in clarifying certain concepts/principles existent in the Romanian legislation
regarding the protection of personnel – loyalty, correctness, discretion, vulnerabilities, risks, threats,
elements of incompatibility - by correlating them to indicators from C-M(55)15(Final) - Security
Within The North Atlantic Treaty Organization (NATO)/1955 (considering that the specific
Romanian legislation was built on the basis of this document), C-M(2002)49 - Security Within The
North Atlantic Treaty Organization 2 with the Directive AC/35-D/2000-REV7 / 2013 (which contains
Personnel Security), Decision of the EU Council 2013/488/EU referring to security rules for protection
of EU classified information.
Also, a fundamental milestone for understanding personnel security is US legislation -
Intelligence Community Policy Guidance Number 704.2, October 2008 - Personnel Security Adjudicative
Guidelines for Determining Eligibility for Access to Sensitive Compartmented Information and Other
Controlled Access Program Information (https://fas.org/irp/dni/icd/icpg704-2.pdf) and some works
of Defense Personnel and Security Research Center-PERSEREC.

2 which replaced document C-M(55)15(Final)

Concepts of integrity, vulnerabilities, threats, risk and elements of incompatibility

For a functional perspective within the article, regarding the personality traits relevant for
security, we propose the following conceptualisations¹:
- correctness – involves observing rules, efficiently carrying out social and professional duties
- honesty – is centered around maintaining sincere and correct relationships
- trustworthiness – is associated with keeping to what one said, observing verbal or written
commitments, and the steadiness of one’s behavior (emotional and rational)
- discretion – maintaining confidentiality (of the secret), avoiding the questioning of others
related to aspects which violate the rules of confidentiality
- loyalty – involves adopting the objectives of a large community / institution, observing
obligations and carrying out the activities that derive from this „contract”
- reliability – a trait which arises from the physical and mental capacity to exercise judgement,
to perceive/present reality as close as possible to the truth and to assume responsibility
- integrity – “the quality of being honest and having strong moral principles...It is generally a
personal choice to hold oneself to consistent moral and ethical standards”
(http://www.oxforddictionaries.com/definition/english/integrity).
We acknowledge that, given the simplicity of the security equation, it is suitable to associate
other concepts with the general idea of integrity (without the
limitations imposed by the ethical/moral field), noting that these have overlapping
meanings and influences. Moreover, the initial presentation has the
purpose of easing a comprehensive and complete understanding of the aspects of personality
relevant for security (Figure no. 1).

Figure no. 1 – The components of integrity3

[Figure: INTEGRITY at the centre, surrounded by loyalty, reliability, trustworthiness, honesty, correctness and discretion]

3 Currently, in the NATO/EU documents only 3 traits are mentioned - loyalty, trustworthiness and reliability. As a personal point of
view, 2 alternatives can be applied for a national legislation: a) their definitions to encompass also the meanings of the other traits, b)
all of the 6 traits to be operated as comprehensive components of integrity

If we were to integrate the listed aspects at an abstract level of certain metaconcepts
(associated to integrity), according to the Adjudicative Desk Reference
(http://www.dhra.mil/perserec/products.html) we would have the following personality factors relevant for security:
Conscience / social responsibility - protection of classified data is ensured by means of
applying regulations, and social conscience means accepting authority, adequate interpersonal
relations, applying rules and regulations. In this context, the person may choose to apply „what is
correct”.
Self control - the ability to exert a responsible and rational control over certain behavioral
impulses, by means of taking on responsibility, setting realistic objectives, putting in effort and
developing plans for professional accomplishments. Security relates to a pro-active attitude, and
demotivation, dissatisfaction and superficiality can compromise information, whether intentionally
or unintentionally.
The ability to meet commitments – having access to classified information also involves a
confidentiality and protection undertaking, valid while working (but also after leaving). This trait is
reflected by observing personal or professional obligations over time, which involves the
existence of appropriate and long-lasting interpersonal relationships, professional stability, and taking on the
objectives of the organization (to choose what is right).
Thus, we consider the following concepts/principles from the Romanian legislation (under
the field of personnel security):
- loyalty, honesty, discretion (“The decision regarding the issuance of the security
clearance/access authorization shall be made on the basis of all available information and shall take
account of: a) undeniable loyalty of the person, b) character, habits, relations and discretion of the
person, which could offer guarantees…”; “Security vetting - all measures taken by the Designated
Security Authorities, according to their competences, in order to establish the honesty…”)
- security risks - (“Personnel protection - all vetting procedures and measures applied to
individuals who fulfil tasks related to classified information in order to prevent and deter security
risks for the protection of classified information”; “The vetting procedure for the granting of
access to state secret information is aimed at identifying security risks corresponding to the
management of state secret information”; “Revalidation may be done at the request of the unit
where the person is working, or of ORNISS, in any of the following situations…when there are
security risks regarding the eligibility for access to classified information”; “When requesting
revalidation, a new security clearance/access authorization shall not be issued in the following
situations…in case of security risks during the validity period of the security clearance/access
authorization”; “If during the vetting on any level, there is information that highlights security
risks, a supplementary vetting shall be conducted using methods and means specific to
organizations with competence in the national security field”)
- security vulnerabilities and risks - (“The main criteria for assessing eligibility when
granting the security approval for the issuance of the security clearance/access authorization take
into account both the character features and the situations or circumstances that may lead to
security vulnerabilities and risks”).
- risks and threats - (“Training activity shall be carried out according to a plan in order to
prevent, counteract and eliminate risks and threats of the security of classified information”)
- elements of incompatibility - (“Any of the following situations can be elements of
incompatibility for the petitioner's access to state secret information”).
After studying the foreign documents, it can be concluded that in C-M(55)15(Final)
the concepts of loyalty, honesty and discretion are presented in terms similar to those in the
Romanian legislation (naturally, since it was based on the NATO document), whereas in C-M(2002)49,
Directive AC/35-D/2000-REV7 / 2013 and the EU Council Decision 2013/488/EU
only three traits are mentioned, namely loyalty, trustworthiness and reliability:
- “Personnel security procedures shall be designed to assess whether an individual can,
taking into account his loyalty, trustworthiness and reliability, be authorised to have initial and
continued access to classified information without constituting an unacceptable risk to security
(C-M(2002)49, art.11)”4;
- “The following paragraphs contain the principal criteria for assessing the loyalty,
trustworthiness and reliability of an individual in order for him to be granted and to retain a PSC.
These paragraphs consider aspects of character and circumstances which may give rise to potential
security concerns (Directive AC/35-D/2000-REV7 / 2013, art.7)”;
- “Personnel security clearance procedures shall be designed to determine whether an
individual, taking into account his loyalty, trustworthiness and reliability, may be authorised to
access EUCI (EU, art.7)”
Moreover, a definition of security clearance can be derived from the NATO approach: it is a
process by means of which loyalty, trustworthiness and reliability are identified and evaluated, as
relevant behavioral/character indicators for the protection of information; by means of these traits
another condition was introduced, namely that the person may present an acceptable security risk
(US practice reasons that it is reasonable to assume that there is no „perfect individual” from
the point of view of security requirements).
At the moment, we consider that it is suitable to try to clarify (and connect) the terms
vulnerability, threat and risk; therefore we selected the following definitions:
- vulnerability - “a weakness, an attribute, or lack of control that would allow or facilitate a
threat actuation against classified information or supporting services and resources”
(C-M(2002)49);
- threat - “The potential for compromise, loss or theft of classified information or supporting
services and resources. A threat may be defined by its source, motivation or result, it may be
deliberate or accidental, violent or surreptitious, external or internal” (C-M(2002)49); “The
intention and capability of an adversary to undertake actions that would be detrimental to the
interests of the U.S.” (https://fas.org/irp/dni/icd/ics-700-1.pdf);
- risk - “the likelihood of a vulnerability being successfully exploited by a threat, leading to a
compromise of confidentiality, integrity and/or availability and damage being sustained”
(C-M(2002)49); “The probability of loss from an attack, or adverse incident. It is a function of threat
(adversaries' capabilities, intentions and opportunities) and vulnerability... Risk may be quantified
and expressed in terms such as cost in loss of life, dollars, resources, programmatic impact, etc” (ICS
700-1/2008).

Thus, starting with the main meanings, in relation to the field of personnel protection
we propose the following conceptualisations:
Vulnerabilities – they are negative subjective psychological and behavioral characteristics, on
the basis of which a person was/is/can be determined to get involved in
unauthorized/illegal/illegitimate acts of collecting, transmitting, destroying, altering information,
or can intentionally or unintentionally compromise information from the point of view of
confidentiality, integrity and/or availability5.
“…Vulnerabilities are a concern because of the threat which is constantly posed to national
security by foreign nations and by dishonest citizens” (Department of Defense, 2000, p. 24).

4 The idea according to which a person can be a security risk was also found in C-M(55)15(Final), where art. 14 mentioned - „Persons
who are considered to be security risks or those about whose loyalty or trustworthiness there is reasonable doubt, should be excluded
or removed from positions where they might endanger security”
5 According to Government Decision No. 585/2002, confidentiality means “to ensure access to classified information only based on
the security clearance, in compliance with the secrecy level of the information accessed and the permission resulted from the
enforcement of the need-to-know principle”; integrity derives from “interdiction to change - by deleting or adding - or to destroy
classified information without authorization”; availability is characterized by: “to ensure the conditions necessary to find and easily
use classified information, whenever necessary, with the strict observance of its confidentiality conditions and integrity”
Areas of potential vulnerability are: allegiance to the state, foreign influence, foreign
preference, sexual behavior, personal conduct, financial considerations, alcohol consumption, drug
involvement, psychological conditions, criminal conduct, handling protected information, outside
activities.
Threats – they are persons or entities (informative structures, organized crime groups,
terrorist groups etc) which, by means of intentions and capabilities (both current and future), reveal
the purpose of unauthorized/illegal/illegitimate accessing of classified information, or/and persons
who support the respective activities through actions/lack of actions, directly/indirectly,
intentionally/unintentionally. Considering the person, threats appear in their relational
environment, situations and circumstances.
Risk – considering the idea according to which „the person is to represent an acceptable
security risk”, we therefore define risk as the probability / potential consequence that, given
the existence of certain vulnerabilities or/and threats, the person may be involved in unauthorized /
illegal / illegitimate acts6 of collecting, transmitting, destroying, altering information, or that the
person may compromise classified information through actions/lack of actions, directly / indirectly,
intentionally / unintentionally, thus generating damage to national security and defense
(implicitly to the institution in question). The risk relates to the following principle which governs
security clearance – „May one reasonably assume that vulnerabilities and current / previous threats
and the conditions through which they manifest / manifested will negatively influence the protection of
classified information?”
In this point we might say that vulnerabilities and threats relevant for security are integrated
in elements of incompatibility / evaluation criteria of eligibility, which in fact represent concrete
situations to judge if a person is „an acceptable security risk” (Figure No. 2).
From a personal point of view, the act of evaluation does not involve a separate analysis to
establish whether there is integrity, vulnerabilities, threats, risks, elements of incompatibility.
Elements include vulnerabilities and / or threats which explain „the absence of integrity”, and the
fact that after evaluation one concludes that there are elements of incompatibility implicitly means
that there are security risks involved. Therefore evaluation is finally reduced to establishing the
application/non application of elements, the use of all these concepts having in fact the purpose of
defining a general theoretical/conceptual framework of personnel security.

Figure No. 2 – Relationship between integrity – vulnerabilities/threats – incompatibility – risk – access

[Figure labels: INTEGRITY; threats; vulnerabilities; elements of incompatibility; acceptable security risk; ACCESS]

6 As characteristics of specific activities such as espionage, fraud, theft, sabotage, facilitation of third party access, unauthorised
disclosure of sensitive information

We acknowledge that there is an interest also in a definition of (security)
evaluation, such as the analysis and evaluation of all the available information through
the point of view of integrity, taking into account subjective psychological and behavioral
traits, relational environment, situations and circumstances for the identification of
vulnerabilities and threats which materialised (singularly or in association) into
incompatibility elements, so that one may conclude that the person represents an
acceptable security risk, any susceptibilities / doubts / uncertainties regarding the
person’s integrity being solved in the favor of (national) security interests.
In this context, simplifying the definition of security clearance by referring to the
identification and evaluation of loyalty, trustworthiness and reliability represents, in fact, an
indirect reference to elements of incompatibility, because in practice the following question arises –
„What are the concrete situations which indicate the fact that these traits are affected / don’t exist”?
So, if we were to propose an extended definition, then security clearance is the process by
means of which all the available information filled in the security forms about a person in a specific
period in time is searched and verified, targeting the identification of vulnerabilities and threats
which are emphasized as being relevant for security through the situations corresponding to
incompatibility elements; the final objective is to ensure the existence of loyalty, trustworthiness and
reliability. “It is not the purpose of…security vetting processes to penalize applicants for existing
conditions or mistakes they may have made in the past; the purpose is to attempt to predict future
conduct based on past and present conduct and conditions” (Henderson, 2007, p. 75).
The idea of identifying whether the person is „an acceptable security risk” reveals the
following three situations:
- no incompatibility elements are identified and applied, and implicitly the person is „an
acceptable security risk” (according to the insider’s theory which points out that it is likely for a
person to become a future risk, although things were normal at the time of the verification; that is
why the necessity to evaluate a person throughout the entire period during which they have access
to classified information is also regulated);
- incompatibility elements are identified and applied, and implicitly the person is not an
acceptable security risk;
- specific situations described by elements of incompatibility are identified, but these don’t
apply.
The NATO and EU documents don’t reveal the procedure for this position; however, the US
legislation and practice (ICD 704.2 / 2008) provide additional items, namely critical analysis
factors (“the nature, extent, and seriousness of the conduct; the circumstances surrounding the
conduct, to include knowledgeable participation; the frequency and recency of the conduct; the
individual's age and maturity at the time of the conduct; the extent to which participation is
voluntary; the presence or absence of rehabilitation and other permanent behavioral changes; the
motivation for the conduct; the potential for pressure, coercion, exploitation, or duress; the
likelihood of continuation or recurrence”) and conditions that could mitigate security concerns.
In the case where the incompatibility element does not apply, it is implicitly concluded that
the person is „an acceptable security risk” (there is a minimum probability for the person to get
involved in acts of compromising information). In US practice, “if the adjudicator decides that the
adverse suitability information is not serious enough to recommend denial or revocation, the
clearance may be granted or continued with a warning that future incidents of a similar nature may
result in revocation” (Henderson, 2011, p. 42).
Therefore, it is not necessary to have one argumentation for the existence and application of
incompatibility elements and a separate / additional one for the security risk – simply identifying
the situation described by the incompatibility element and deciding whether this element applies or
not, by means of critical factors and mitigating conditions, also establishes the existence / non-existence
of risk (at most, a synthetic phrasing such as „the person presents an unacceptable
security risk” may appear in the context of arguing the existence of an element).

Conclusion
For personnel security, it is necessary to describe concepts such as vulnerability, threat and
risk, so that theoretical and practical tools characterized by an integrative vision are available to
the specialists, with positive effects in understanding, interpreting and evaluating human acts and
behaviors from a security perspective. So, the incompatibility elements involve vulnerabilities,
threats, risks and are logically developed out of the primary requirements of security, namely the
existence of traits such as loyalty, trustworthiness and reliability (integrity), and for this
reason we can consider them „the personality’s hard core” from the point of view of security.
Moreover, by referring to these, we also mention that a logical possibility (as a „back-up” plan) can be
created: in case a new situation appears in daily practice which is not at all described
by the incompatibility elements, one is able to take the pragmatic decision not to grant access to
classified information in order to protect (national) security.

Bibliography

1. Baud, Jacques (1998). Encyclopedie du Renseignement et des Services Secrets, France,
Charles – Lavauzelle
2. Buștiuc, Florin. (2016). Securitatea în organizație – repere, in Revista de investigare a
criminalității, Year IX / Number 1/2016 (Conferința Științifică a Școlilor Doctorale
Noi provocări la adresa securității interne în Uniunea Europeană, 15 June 2016),
Academia de Poliție “Alexandru Ioan Cuza”, București
3. Hughes-Wilson, John (2017). The Secret State: A History of Intelligence and Espionage,
London, Pegasus Books
4. Nixon, W. Barry, Kerr, Kim (2008). Background Screening and Investigations.
Managing Hiring Risk from the HR and Security Perspectives, USA, Elsevier
5. William, H. Henderson (2007). Federal Suitability and Security Clearances. Issue
Mitigation Handbook, California, Last Post Publishing

6. William, H. Henderson (2011). Security Clearance Manual. How to reduce the time it
takes to get your government clearance, California, Last Post Publishing
7. Department of Defense-USA (2000). Personnel Security Program. Lessons (material
owned by the author)
8. LAW no. 182 of 12th April 2002 on the protection of classified information,
http://www.orniss.ro/ro/legislatie_1.html, accessed: July 2016
9. GOVERNMENT DECISION no. 353/2002 on Norms on the Protection of NATO Classified
Information in Romania, available at http://www.orniss.ro/ro/legislatie_1.html,
accessed: July 2016
10. GOVERNMENT DECISION no. 585/2002 - The National Standards on the Protection of Classified
Information in Romania, available at http://www.orniss.ro/ro/legislatie_1.html,
accessed: July 2016
11. Official Journal of the European Union L 274/1 of 15.10.2013 - DECISIONS COUNCIL
DECISION of 23 September 2013 on the security rules for protecting EU classified
information (2013/488/EU),
http://www.consilium.europa.eu/en/general-secretariat/corporate-policies/classified-information/,
accessed: August 2016
12. C-M(55)15(Final) - SECURITY WITHIN THE NORTH ATLANTIC TREATY ORGANIZATION
(NATO), 1955,
https://www.utanrikisraduneyti.is/media/Varnarmal/Security_Regulations_-_C-M_55_15_Final.pdf.pdf,
accessed: May 2016
13. DOCUMENT C-M(2002)49 SECURITY WITHIN THE NORTH ATLANTIC TREATY
ORGANIZATION (NATO), 2002, http://cryptome.org/nato-cm2002-49.htm, accessed:
April 2016
14. AC/35-D/2000-REV7-DIRECTIVE on PERSONNEL SECURITY (7 January 2013),
http://www.jftc.nato.int/images/stories/PDFs/AC-35-D-2000-REV7%20Directive%20on%20Personal%20Security.pdf,
accessed: April 2016
15. AAP-6 NATO Glossary of Terms and Definitions,
https://nso.nato.int/nso/zPublic/ap/aap6/AAP-6.pdf, accessed: April 2016
16. USA-Intelligence Community Policy Guidance Number 704.2, October 2008 - Personnel
Security Adjudicative Guidelines for Determining Eligibility for Access to Sensitive
Compartmented Information and Other Controlled Access Program Information,
https://fas.org/irp/dni/icd/icpg704-2.pdf, accessed: April 2016
17. USA-Intelligence Community Standard number 700-1/2008. Glossary of Security
Terms, Definitions, and Acronyms, https://fas.org/irp/dni/icd/ics-700-1.pdf, accessed:
July 2016
18. Adjudicative Desk Reference (editions 1999, 2014),
http://www.dhra.mil/perserec/products.html, accessed: July 2016
19. http://www.oxforddictionaries.com/definition/english/integrity, accessed: July 2016
