A recent report by the Department of Homeland Security Inspector General (DHS IG) concludes that the Transportation Security Administration (TSA) is “abusing its stewardship of the SSI [Sensitive Security Information] program.” The SSI designation falls under the umbrella of Controlled Unclassified Information (CUI), something of a twilight zone where agencies can control the distribution of unclassified records—often with very little oversight.
Many agencies have their own proprietary CUI designation, and some agencies have multiple CUI labels—there are currently 23 categories and over 80 subcategories of CUI. These labels are designed to restrict dissemination of the documents bearing them. The labels also have the effect of blocking information sharing between agencies, since each designation has proprietary rules and one agency cannot trust that other agencies will handle the information in accordance with those rules. Essentially, once an agency marks something as CUI, they don’t share it with anyone.
This latest finding by the DHS IG comes after TSA arbitrarily designated portions of the IG’s draft report SSI. As a result, several portions of the publicly released report was redacted, despite the fact that the redacted material came from previous, unredacted IG reports.
In response to these redactions, the IG included a memo, which reads in part:
The redactions are unjustifiable and redact information that had been publicly disclosed in previous Office of Inspector General (OIG) reports…
I can only conclude that TSA is abusing its stewardship of the SSI program. None of these redactions will make us safer and simply highlight the inconsistent and arbitrary nature of decisions that TSA makes regarding SSI information. This episode is more evidence that TSA cannot be trusted to administer the program in a reasonable manner.
This problem is well-documented…
These blistering words are not an overreaction. There are many other examples of blatant abuse from just the past few years. Last year, TSA’s SSI office redacted portions of a different IG report. The IG strongly disagreed with the determination and wrote two letters to the Acting TSA Administrator, John Pistole. Administrator Pistole refused to answer, and after almost two months, the head of the SSI program office responded with a letter affirming the redactions. The IG has characterized the redacted portions as “generic, non-specific vulnerabilities…that would not be detrimental to transportation security.”
The case of Robert MacLean is another example of the TSA’s abuse of the SSI designation. In 2003, MacLean shared with the media unclassified information the agency had texted to his unsecured phone, blowing the whistle on (and ultimately preventing) a reduction of air-marshal coverage on high-risk flights despite intelligence reports noting increased risk of hijacking. Three years later, MacLean was fired for “Unauthorized Disclosure” of what the agency claimed was SSI. However, it was only four months after MacLean was fired—almost three and a half years after the incident—that the SSI office actually designated that text message as SSI. Despite the clear absurdity of the TSA’s position, MacLean spent the next nine years defending himself in court. In early 2015, the Supreme Court settled the case by ruling in his favor. The Project On Government Oversight (POGO) supported MacLean throughout his case, including the filing of an amicus brief on his behalf before the Supreme Court.
In early 2015, the National Review highlighted multiple examples of others who have been threatened by TSA for sharing SSI materials, including other Air Marshals, Representative Jason Chaffetz (R-UT), Chairman of the House committee responsible for overseeing TSA, and journalist Christopher Elliot—the latter two despite the fact that CUI rules apply only within the agency. While Chairman Chaffetz, the journalist, and (eventually) MacLean were able to stave off the overzealous attacks, most TSA employees have rarely been as fortunate. For instance, former air marshal Jose Lacson was fired in 2011 after posting in an online forum what he claims were made-up numbers regarding air marshal hiring and attrition rates, according to the National Review. He has been unable to get his job back, since the agency has broad leeway to designate whatever it wants as SSI. Elliot is quoted as saying that “pretty much anything that isn’t nailed down at the airport is considered SSI these days,” everything from “descriptions of scanners to screener test scores to unsolicited business proposals.”
The House Committee on Oversight and Government Reform has also noted the arbitrary nature of the TSA’s SSI program. In 2014, the Committee issued a bipartisan Joint Staff Report detailing how the TSA has on multiple occasions either withheld or released records over the objections of the SSI office, or even without consulting the SSI office at all. The investigation revealed “coordination challenges” and a “failure to follow proper procedures” within the TSA regarding the use of the SSI designation.
These are not isolated incidents, but indications of an institutionalized disregard for transparency and oversight. Unfortunately, TSA management has a history of covering up problems rather than confronting them, and SSI is only one tool that is used. Despite immense public pressure, Congressional hearings, and media coverage, TSA has not done enough to hold its leaders accountable. Only two of the most toxic managers have been removed in the past 5 years (one now works at Customs and Border Protection, while the other quit after being re-assigned). As shown in federal survey results, TSA has problems that extend far beyond the blatant abuse of SSI. Poor managers require oversight, not the unchecked ability to pseudo-classify anything that might reveal their mistakes to the public.
The IG also mentions in its latest report that, at the request of three committee and subcommittee Chairmen, the IG is in the process of reviewing TSA’s overall use and management of the SSI designation. They expect to issue the results this summer. POGO hopes this review will spur tangible reforms and hold TSA management accountable for attempting to evade oversight.
While the abuse of the pseudo-classification system may be especially clear in the TSA, it is a government-wide problem. Despite then-President Obama’s Executive Order back in 2010 requiring the National Archives and Records Administration (NARA) to work with agencies to create a registry of and guidelines for CUI labels, implementation has been incredibly slow. Although delayed by agency inaction, NARA was able to publish an online CUI registry in 2011, finalize a CUI regulation in September 2016, and publish guidance on how to mark CUI information in December 2016. However, it may still take years for agencies to fully implement the new regulation.
As POGO General Counsel Scott Amey recently testified before Congress, the CUI Executive Order needs to be implemented more quickly, and Congress needs to both clarify existing CUI legislation and more closely oversee the use of CUI in agencies. The DHS IG has done its job by bringing abuses of the program to our attention. The next step is for Congress to act.