In the digital world it is very easy to create data, very difficult to get rid of it

Like us all, government agencies are creating huge amounts of information. Lots of it is classified either to protect privacy or for national security. This is what should happen, classification is an important aspect of information security.

What is data classification?

It is the process of assigning a business impact level to a piece of data or a system. This then governs how many resources are directly devoted to their protection. By classifying documents and systems an organisation makes risk managed decisions on how information is protected.

Graphic by Mark Smiciklas

Graphic by Mark Smiciklas, Flickr.com/photos/intersectionconsulting

Digital data wants to be free and it is expensive to ensure confidentiality if you also want to maintain data integrity and availability.

However over-classification of information can be as bad for an organisation as under classification. This is particularly true of large government organisations.

In addition, Government agencies tend to be risk averse places anyway – which on balance is a good thing!

So how could governments shift the classification balance, improve security and improve efficiency in agencies?

The problem is that the person who classifies data or systems does not have to pay for the cost of their actions in classifying. In fact, the individual avoids personal risk if a  piece of data is over-classified. However their agency has to wear the added expense.

Gentle readers, we have a problem of incentive imbalance!

Suppose it costs $100 to store a Secret document for its lifetime and $10 to store an everyday unclassified document. If governments placed a nominal value on document creation relative to the whole of life costs, it might be possible to stem the tide of increasing amounts of classified data.

If under this scheme a government employee wishes to create a secret classified document, they would need to find $100 in their budget to do so. In this case the employee might consider producing an unclassified document or one that was slightly classified. I argue that this market based approach to declassification would have far more effect than more rules.

A plan for implementation

So how might the plan be implemented in the tight fiscal environment that government agencies currently face, even though it is likely to save money long term?

  1. Survey government agencies to see how many classified pieces of data they produce each year by type. eg, there might be 500 top secret data pieces and 1000 secret.
  2. Assign a dollar value to each document according to the level of protection it receives. This bit would require a bit of research or possibly a pilot scheme.
  3. Based on the previous year’s classified information output, each agency is given a declassification budget. It might be considered that as this task was one that the agency should have been doing previously, that there is no requirement for central funding.
  4. Require each agency to report the numbers of classified data produced.
  5. Agencies that produced too many classified documents would need to pay the treasury a fine equivalent to the cost of storing the extra documents in archives.
  6. Agencies that produced fewer pieces of data than the previous year would receive a windfall.

That’s it in a nutshell. As governments produce more data, they will need to store it. Balancing the incentives to overclassify and underclassify data will help ensure that information is properly protected.

I’d love to hear your ideas, please make a comment

Alex