Newsletter 22/2012 - From Brussels angle
ARTICLE by Giuseppe Benassi, Deputy Director of the NATO Office of Security
Protection and exchange of classified information, important aspect of cooperation in the security field in South East Europe
The concept of “Classified Information” stems from the principle that a Community recognizes the need to conceal information from others. Such a principle – whose fundamentals could even be found in anthropology and sociology – has become one of the essential features of a state, and one of the main responsibilities of Governments.
Classified Information can therefore be defined as a categorization applied to information that a government claims is sensitive information. Classification formalizes what constitutes a “state secret” and accords different levels of protection based on the expected damage the information might cause in the wrong hands. The purpose of classification is ultimately to protect information from being used to damage or endanger national security.
As a result, a Security System/Structure is usually established, based on laws and specific regulations, which covers all aspects of security: Physical, Personnel, Administration, IT. Some specific regulations are dedicated to Industry. In this respect, it must be pointed out that the Security System does not apply to what is called “Corporate Security”, that is, the Security System established by Companies or other entities to protect their own commercial information.
Nations have developed their own legal, administrative and operational systems, and although laws and regulations largely abide by the same basic principles, differences – sometimes significant – can be found in their implementing procedures. The pivotal role is played by what is normally called the “National Security Authority”, a designation that indicates the body legally entrusted to apply the above-mentioned laws and regulations.
Exchange of classified information is the other side of the coin: while tightly protecting information at national level, a government MUST be ready to release it to other Entities and to protect the information it receives from them.
Such a need derives from:
- Membership in a larger community (NATO, EU, Organisation for Joint Armament Cooperation-OCCAR, etc.);
- Participation in operations (International Security Assistance Force-ISAF, Ocean Shield, etc.);
- International industrial activities (Projects, Contracts, etc.);
- Bilateral cooperative activities.
In case of membership in a larger community, nations normally are bound by a number of formal acts, one of which is invariably related to security. Since nations have in place their own systems, they adhere to a set of common criteria and minimum standards. In case of participation in multinational activities, they have to comply with the rules governing them, while in bilateral cooperative activities, rules will have to be developed and agreed by the Parties.
Security in South East Europe (SEE)
Coming to South East Europe, there are some peculiar features that are worth highlighting. Firstly, most of the nations come from a common context where security was deeply embedded in the state-system, and they can certainly bring in and share some of the characteristics of that system, whose value – in technical terms – is still recognized today. Secondly, the SEE nations now have different status and play different roles in the international arena: some of them are NATO members, some others are in the Membership Action Plan (MAP) of NATO, some are EU members, others are neither. As a result, their security systems reflect such status, with some in the process of being changed (in the case of MAP, for instance). Thirdly, they constitute what is called a “Regional Entity” which could play an active role within the International Community.
It may be worth elaborating a bit on the “Regional Entity” issue.
It is a concept that is emerging and gaining momentum, not only within International Organisations, but also as a spontaneous gathering of Nations sharing common interests, geographic and historical proximity, even similar language. A typical example is the so-called “Visegrad Group”, whose activity is becoming more and more structured. They are developing a consolidated and coordinated approach in supporting the NATO Office of Security in its activities toward Partner Nations.
Similarly, the SEE nations could use the RCC/South East European National Security Authorities (SEENSA) Forum to establish an RCC/SEE Regional Entity. The initial steps in this direction would be:
- Analyze the respective national laws and regulations, in order to streamline/harmonize them. This would allow a smooth exchange of national classified information in South East Europe and facilitate common activities.
- Complete the establishment of bilateral Security Agreements within the SEE nations. This would allow the development of agreed arrangements at a lower level (for example, the so-called “Traffic Light protocol – TLP” could be introduced as a way to encourage greater sharing of sensitive information).
- Examine the possibility of adopting common processes in terms of Security Accreditation of IT Systems, with the final aim of achieving mutual acceptance of such processes.
- Adopt a common approach in offering support to International Organisations.
- Explore the possibility of developing a joint policy on industrial security, since the possibility of obtaining classified contracts at international level is becoming more and more realistic.
Security, far from being a static discipline in a static world, must be proactive, not reactive, in a rapidly changing environment. Information security is no different and – like any form of security – must be put in the context of what it protects.
As a conclusion, take for example the security derived from the brakes of your car. The specific purpose of the brakes is to slow you down and to stop the car. But in reality, the brakes also do something else: they give you the confidence to drive fast.
In the 21st century we shifted into a world where information has become paramount. But just as you cannot drive an automobile fast without brakes, nothing can grow and flourish without information security.
Giuseppe Benassi took the present post of Head of the Policy Oversight Branch and Deputy to the Director of the NATO Office of Security in 2006, after retirement from the Italian National Security Authority (NSA), where he served from 1988. Before that (1977-1988) Benassi was with the Air Force Intelligence and Security Services as Head of Military Police Section, first as Staff Officer and finally with the rank of Lt. Colonel, with a four-year break (1981-1984), when he served as U.N. Military Observer in the Middle East (Syria, Israel, Lebanon). He holds a Master's Degree in Political Sciences from the University of Rome, Italy.
 The opinions expressed in this article belong solely to the author and must not be attributed to the North Atlantic Treaty Organization.