As an expert in the DoD on classification, I felt compelled to write about the Clinton email fiasco. I sent this to several reporters in Washington DC only to get “Interesting points” as a response.
Classification Law and the Clinton Emails
The kangaroo courts being held on Facebook, in Congress, and the various internet and print media over the Clinton emails have all deliberately avoided any discussion about the law regarding classification. FBI Director, James Comey, got it right based solely on the law. For those who protect their beliefs with cognitive dissonance, you’ll probably skip reading this. For everyone else, this is an apolitical revelation of some facts pertaining to classification law.
The federal rules defining what can be classified, who can classify it, constraints and prohibitions, levels of classification and required markings are codified in 32 CFR 2001 pursuant to Executive Order 13526. Each successive President signs an E.O. shortly after assuming the office continuing the classification policies. The CFR specifies that the heads of federal agencies are appointed as having Original Classification Authority (OCA). This authority is limited to specific positions in the Federal government and can only be delegated in writing to very senior positions within each Federal agency. Staff members are not authorized by the law to make original classification determinations. These OCAs are required to subjectively assess risk (possible outcome plus probability of outcome) of documents, images, objects, etc. in their purview for their potential damage to US national security if exposed publicly and be able to articulate that specific risk if challenged. The law also specifies if there is doubt, the default determination is Unclassified. Unclassified only means the information does not meet the criteria for labeling it as Confidential, Secret, or Top Secret based on the risk assessment. The State Department names this category Sensitive But Unclassified while the Defense Department labels this category Unclassified/For Official Use Only. It’s important to note here that Unclassified does not mean publicly releasable which requires a separate determination. Clinton, as Secretary of State, had the authority conveyed by law to make her own determination about the classification of her emails.
The CFR is not a criminal statute. Therefore, prosecution for unauthorized disclosure of classified information falls under the Espionage Act of 1917 (18 USC 792+). This is where intent to damage the US national security is required to be proven to get a conviction. FBI Director Comey specifically stated that while Clinton’s email server did not meet security requirements to prevent infiltration or hacking, there was no evidence that hacking occurred.
Opinion: Clinton was certainly careless – no doubt about it, and deserves rebuke for that. However, based on the authorities conveyed by 32 CFR 2001 and the required elements for prosecution under 18 USC 792, the FBI had no choice other than to recommend no charges be filed. Neither CFR nor department policies address access controls in the modern information computing environment. As federal departments modernize IT systems to support information sharing between authorized users, they are continually hampered by antiquated security policies that barely recognize the existence of the internet. While the CFR is clear about who can make an original classification determination, staff members below each OCA in lower elements of the federal agencies continue to illegally label items classified without specifically delegated authority from their OCA or performing the legally required risk assessment.