Rand Corp. is suggesting a four-step test to classification that could significantly raise the bar on what information is kept secret.

In a 2010 report recently made public, Rand says four basic criteria should apply when assessing whether information merits classification:

• Does classification decrease the amount of information going to potential state and nonstate adversaries?
• Does the additional information adversaries would have if it is not classified affect what adversaries know (and are such changes meaningful and helpful in the sense that the additional information moves them closer to, rather than farther from, the truth)?
• How likely is this change in knowledge to affect possible adversary decisions (and again, does it do so in ways that help the adversary)?
• Would the decisions the adversary makes based on such knowledge damage U.S. national security?

Over classification is well known as a long-standing problem within federal government. The government spent $8.81 billion on security classification during fiscal 2009--not including the classification costs of the intelligence community--according to the National Archives and Records Administration's Information Security Oversight Office.

Perhaps more important are the indirect costs to over classification. "Classification hampers the ability to share information with people who need it (e.g., state and local officials, private firms) to do their jobs (counterterrorism)," the Rand report notes.

When applying the four criteria, all criteria should be satisfied before information is considered for classification, the report states.

The report gives a hypothetical example of a layout of a military base that is vulnerable to mortar attack. Such information would likely be today classified--but keeping the information somewhat safeguarded on the DoD Nonsecure Internet Protocol Router Network (the NIPRNet) rather than restricting it to the DoD's classified network (the Secret Internet Protocol Router Network, aka the SIPRNet) would be enough to neutralize the potential harm, the report argues.

The reasoning is as follows: The mortar attack vulnerability would be of interest to terrorists or state actors. While large states can penetrate the NIPRNET despite the gateways meant to prevent that, terrorists cannot and large states won't share that information with terrorists. Large states themselves aren't interested in launching mortar attacks against U.S. bases for fear of escalation. Thus, so long as the information is kept in unclassified form on the NIPRNET, classification is unwarranted, the report says.

For more:
- download the Rand report, "What Should Be Classified?" (.pdf)
- download the ISOO's most recent cost estimates for security classification activities report (.pdf)

Related Articles: 
Obama gets mixed secrecy review from watchdog 
OMB tells agencies to 'deter, detect and defend' against Wikileaks 
Chasm between expectation and reality in public-private cybersecurity info sharing