United States General Accounting Office Testimony GAO DEFENSE INDUSTRIAL SECURITY For Release On Delivery Expected on Special Security 4greements Permit Wednesday Foreign-owned U.S. Firms March 21, 1990 to Perform Classified Defense Contracts Statement for the Record National Security and International qffairs Division For the Committee on Armed Services House of Representatives GAO/T-NSIAD-90-17 / rt ' 1 At-3 I Mr. Chairman, Members of the Committee: We are pleased to present the results of our work on the Defense Department's use of Special Security Agreements ( SSAs . These agreements, initiated in 1984, permit U.S. firms that have come under foreign ownership, control, or influence to con inue to work on classified defense contracts. Prior to 1984, those firms would have had to turn over management control to U.S. citizen trustees under a proxy or voting trust agreement or risk losing their U.S. security clearances. In practice, under an SSA, the foreign firm is permitted to retain a minority position on the U.S. firm's board of directors. In the view of some Defense Department security officials, this increases the potential for inadvertent disclosure of classified information or undue pressure by foreign officials on U.S. management or employees to divulge classified information. The Chairman of the Subcommittee on Research and Development, House Committee on Armed Services, expressed concern that there has been controversy among security professionals within the Defense Department on the adequacy of U.S. policy for protecting the nation's classified defense programs performed in foreign- owned U.S. facilities. Therefore, as he requested, we (1) reviewed the history of SSAs, (2) determined the extent to which classified defense contracts are being performed under these agreements, and (3) obtained the views of current and former 1 Defense Department officials on the adequacy of SSA policy and its implementation for protecting U.S. classified information. Security officials from the Office of the Secretary of Defense, the Defense Investigative Service, and the military services told us that they were not aware of any compromises of classified data under SSAs. However, our work ind icates that there are widely differing views within the defense security community on the adequacy of SSAs and that the services have implemented or plan to implement policies and procedures that appear more stringent than defense policy requires. Defense Department policy states that SSAs are a fully acceptable method to protect classified information. Office of the Secretary of Defense officials believe that SSAs provide flexibility in dealing with foreign parent firms that are not will ing to yield all management control and that they provide protection to classified information that is equal to t hat provided by alternative security arrangements. On the other hand, current and former Defense Investigative Service and military service security officials whom we interviewed generally believed that Department of Defense policy is inadequate to deal with the number of SSAs and the sensitivity of contract information that foreign-owned contractors are accessi ng. Furthermore, the Office of the Secretary of Defense and the military services have approved waivers and exceptions to 2 existing policies and procedures that, in the view of some current and former defense security officials, have increased the risks of compromise of classified data. They therefore suggested that the policy be clarified to specify the circumstances under which an SSA may be used, and they provided suggestions for tightening controls over SSAs. SSAs and other arrangements for negating or reducing risk from foreign ownership and influence have increased in number as foreign investment in U.S. firms with defense contracts has increased. Ten SSAs have been approved since the beginning of 1988. As of about November 1989, 20 foreign-owned U.S. firms had been cleared under SSAs and were working under about 325 classified contracts and subcontracts. One company had 100 contracts and a second had 84. As of mid-March 1990, the Office of the Secretary of Defense obtained for us information showing that SSA firms had classified contracts and subcontracts with an estimated value of almost $1.3 billion. Defense Department policy normally limits the classification level of contracts under an SSA to the Secret level, provided that the foreign control emanates from a country with which the United States has a bilateral industrial security arrangement.1 If the United States does not have such an arrangement, the lclassified information that is releasable to those governments can be released to contractors who are cleared by those governments. 3 policy limits contracts to the Confidential level. The Defense Department has approved waivers to this policy in some instances. Today, three SSAs allow contractors to access Top Secret information. Under three other SSAs, U.S. firms owned by parent firms from countries with which the United States does not have bilateral reciprocal clearance agreements are cleared to access Secret information. Under some of the SSAs, approvals have been granted to allow access to compartmented and special access information--such as communications security information (COMSEC) controlled by the Yational Security Agency--much of which is not releasable to governments or contractors in allied countries. Companies with SSAs are performing classified work on the stealth bomber, the Strategic Defense Initiative, and other sensitive programs. ORIGIiO AND EXTENT OF SSAS Foreign ownership of U.S. companies that perform classified defense contracts is not new but has become more of a concern as foreign companies increasingly buy into U.S. firms. Officials of the Office of the Secretary of Defense stated that from the 1950s until SSAs were instituted in 1984, a military command could permit a foreign-owned U.S. firm that would rather give up its clearance than yield management control to continue working on classified contracts in some instances. This was permitted 4 only if the cornman certified that it needed the product and would assume full responsibility for security of all classified material involved. We were told that this exception was made infrequently-- perhaps only 12 times during a 30-year period. This method was discontinued and replaced by SSAs because the Office of the Secretary of Defense believed that SSAs offered more control over classified material. The methods currently used to keep foreign owners from accessing classified information on defense contracts performed by their U.S. subsidiaries include SSAs, voting trust agreements, and proxy agreements. Under the voting trust agreement, voting shares of the U.S. company's stock are transferred to U.S. citizen voting trustees who acquire the same rights and authority as stockholders. As of November 1989, eight voting trust agreements were in effect. Under proxy agreements, foreign owners appoint U.S. citizen proxy holders, who have the same authority as the voting trustees. As of November 1989, there were 20 active proxy agreements. Proxy holders and trustees can be removed by the foreign parent firm only for gross negligence or willful misconduct. These two arrangements are designed to isolate the cleared U.S. facility from the foreign owners. Due to foreign-owned U.S. firms' criticism of the voting trust and proxy agreements and internal agency concern, the Defense Department formed a panel in the early 1980s to review its policy 5 on how to deal with foreign ownership, control, and influence over U.S. defense contractors. It was concerned that its policy was not flexible enough to satisfy defense needs under unusual circumstances. In November 1983, the panel developed the SSA as a new type of agreement and viewed it as a fully acceptable means to protect classified information when U.S. firms performing classified contracts came under foreign influence, control, or ownership. In March 1984, the Defense Department approved its first SSA, after a Hritish parent company had rejected voting trust and proxy arrangements as imposing unacceptable impediments to operations. Unlike the voting trust and proxy agreements, an SSA allows the foreign parent company to have representation on the board of directors of the U.S. firm and to maintain a degree of control over the business operations of the U.S. firm. However, in practice, the chairman and a legal quorum of the board of directors must be resident U.S. citizens. To justify an SSA, Defense Department policy requires that the Army, Navy, Air Force, or other user agency and the Office of the Secretary of Defense determine that retaining the foreign owned firm's services will "serve the national interest." In exchange, the firm agrees to certain controls: disinterested U.S. citizens are appointed as outside directors of the firm and serve on a security committee as Defense Department watchdogs to ensure that U.S. classified information is not provided to representatives of 6 the foreign parent firm. Visits to or from the parent firm must be approved in advance and recorded by the security committee, and the facility is subject to security inspections. As with U.S.-owned facilities, all management officials and employees who access classified information must be U.S. citizens with a security clearance. Table 1 summarizes data furnished by the Defense Department on the 20 active SSAs, the number and classification of contracts involved, and the country of the parent firm. 7 Table 1: Numbers of Contracts Being Performed by SSA firms, as of Novenber 1989 Number of contracts Country of Top Special parenta Secret Secret Confidential Total Accessb Canada 4 94 2 100 (64) Canada 5 0 0 5 (4) Qnadac 0 0 0 2 (0) France 0 0 1 1 (0) United Kingdom 0 6 6 12 United Kingdom 0 64 20 84 19"; United Kingdom 0 4 0 4 (0) United Kingdom 0 7 0 370 (7) United Kingdom 0 18 12 (12) United Kingdom 0 98 00 98 2, United Kingdom 0 29 3 32 (0) United Kingdom 0 0 6 6 (3) United Kirqdcxnc 0 1 0 2 (1) Israel 0 1 0 1 (0) MultiMtionale 0 1 0 1 (0) MultinatioMlf 0 1 0 1 (1) Netherlands 3 7 0 10 (0) Switzerland 0 8 3 11 (1) Switzerland -0 - 0 -1 - 1 (0) Total g 258 = 54 = 327 = (107) aCountries shown represent majority foreign mnership. bcontracts involving special access programs are part of the total. cClassification was not provided for three contracts: therefore, the three classification columns do not add. dInformation not available. eFtance, Great Britain, West Germany, Italy. flrance, Great Britain, West Germany. 8 CRITICISMS OF SSA P3LICY The general consensus of current and former military service and Defense Investigative Service security officials we interviewed and who have had responsibility for administering SSAs is that the Industrial Security Regulation does not provide adequate guidance. For example, although policy contained in the Defense Department's Industrial Security Regulation requires the defense user agency and the Office of the Secretary of Defense to make a determination with supporting documentation that the issuance of a facility clearance will "sewe the national interest," these officials believe that the policy does not adequately define "the national interest" as it relates to the approval of an SSA. In a March 1984 Industrial Security Bulletin, the Defense Department determined that the national interest criterion would be met if there was,a critical need to use a contractor under foreign ownership when cleared or clearable U.S.-owned companies were unavailable or could not meet the Department's needs. Security officials from the military services told us that their contracting officers are often reluctant to terminate ongoing contracts and therefore tend to propose National Interest Determinations to retain the contractor's sewices, without always attempting to find other U.S.-owned suppliers. Service security officials told us that more specific guidance on when a determination would be justified and what documentation would be required to support a determination would help them to evaluate procurement offices' proposals. As of February 1990, only the Army had issued formal policy an3 procedures on SSAs. The Navy is operating under informal written procedures, an3 the Air Force is developing procedures. Generally, officials of the three military services and the Defense Investigative Service that we interviewed stated that because of the lack of a clear, unified, an3 adequate policy on SSAs, contractors can play off one user agency against another. For example, in a recent case for which an SSA was being considered, Air Force acquisition officials and several Navy an3 Army commands stated that they would not be able to perform some missions if they had to seek new suppliers for the contracts being performed by the U.S. contractor. The Air Force sponsored a Top Secret SSA with this contractor. During its consideration of an SSA, several Navy commands raised serious concerns about using an SSA for the same contractor due to the highly classified nature of some of their contracts. Army and Navy officials stated that the Air Force action restricted their ability to seek a more stringent agreement, such as a proxy or voting trust agreement. The Army and Navy later agreed to the SSA but limited the contractor's access to the Secret level and for up to 5 years; at that time the need for the SSA will be reviewed. The Air Force's participation under the SSA was approved for 10 years at the Top Secret level. Officials of the Office of the 10 Secretary of Defense noted that SSA sponsorship by one user agency does not obligate other user agencies to award classified work to the firm involved. Some military service and Defense Investigative Service officials do not agree that an SSA is a fully acceptable alternative to a proxy or voting trust agreement because under the SSA (1) the foreign owners retain some control of the U.S. subsidiary through membership on the board of directors and (2) the U.S. directors and company employees owe their positions to the foreign owners and may therefore be subject to pressure. Each service has indicated that SSAs are the least desirable method and should be used only as a last resort. For example, an Army policy memorandum issued in 1989 states that "... under an SSA, FOCI2 is not negated, but rather accepted as a risk/hazard due to the lack of alternative cleared sources for a critical product, service, or technology. Because an SSA does not negate FOCI it can only be used when all other means fail." Officials from the Office of the Secretary of Defense do not share these views and believe that SSAs provide adequate protection for classified material. They explained that current Defense Department policy neither encourages nor discourages foreign investment. But they believed that unreasonably stringent security restrictions could, in some cases, lessen U.S. 2Foreign ownership, control, or influence. 11 access to foreign technology and resources that are needed to strengthen the U.S. defense industrial base. Officials from the Office of the Secretary of Defense also told us that they have phased in a number of policy and procedural adjustments to strengthen SSAs since 1984. For example, they indicated that a foreign parent firm is now required to provide advance notice to the Defense Department if it plans to remove a U.S. firm's director and that termination of SSA safeguards requires advance approval. They also indicated that SSAs currently place oversight responsibility for export of unclassified but controlled technical data with cleared resident U.S. citizens and that the military services have the opportunity to review proposed SSA safeguards and may require additional controls. They said that the Department of Defense is continuously evaluating its policy and may consider additional changes to clarify or strengthen its practices. Recognizing the controversy and trade-offs involved in SSAs, some current and former defense security officials we interviewed suggested that the Department of Defense clarify the circumstances under which an SSA is acceptable or appropriate, particularly for protecting highly classified material. In their view, foreign companies usually prefer an SSA over a voting trust or proxy agreement because they retain some control over the U.S. firm, They believe that, once approved, a contractor 12 under an SSA may tend to become entrenched and treated like any other cleared U.S. contractor. These security officials expressed concern that although an SSA was originally intended for use only un3er exceptional circumstances an3 for a particular, critical need, those foreign owners today are, in their view, routinely rejecting the voting trust or proxy agreement in favor of an SSA. They stated that foreign-owned U.S. firms are competing for an3 performing contracts involving access to highly classified and sensitive materials that usually are not releasable even to the governments of our closest allies. They therefore believed that the SSA policy needs to be reassessed and that the Office of the Secretary of Defense needs to provide additional specific guidance. We noted that some SSAs have cleared contractors to compete for any contracts in one or more broad program areas and that lo-year SSA terms may allow those contractors to become permanently incorporated into the U.S. industrial base. Officials of the Office of the Secretary of Defense noted that access to Top Secret an3 special access material by a U.S. subsidiary must always be justified on a case-by-case basis and that, if release is approved, the information is routinely denied to the foreign parent company. During our work, defense security officials provided a number of suggestions on how the Defense Department% policies and 13 procedures for SSAs coclld be improved to strengthen security controls, including (1) requiring the procuring command to submit a separate National Interest Determination for each classified contract to be performed by a foreign-owned company and document that the contract is critical to performing its mission, (2) placing time limits on SSAs and requiring the procuring activity to seek other U.S. sources so as to ultimate lY replace the foreign-owned or influenced contractor, and (3) requiring procuring activities to document the specific steps they took to identify U.S.-owned suppliers. PROCEDURAL WEAKNESSES Following are examples of procedural weaknesses that we found during our work: -- The Defense Investigative Service developed interim security measures to provide some control over management of a company from the time a U.S. contractor is acquired by a foreign owner until safeguards of an SSA or other security arrangements are in place. The interim measures were to cover only existing contracts and last for 120 days. The interim measures have been extended for up to 1 year or more, however , and waivers have been processed and new contracts awarded in this interim period. Defense Investigative Service officials indicated that extending the interim measures and approving new contracts reduce the 14 Defense Department's leverage in negotiating the terms of a security clearance agreement. -- The serv ices' implementing policies and procedures for National Interest Determinations require procurement activities to justify a need for a product or service that is mission-critical, cannot be obtained in sufficient quantity from U.S .-owned sources, and involves a unique product or technology. Military service security officials we interviewed indicated that supporting justification for these determinations is sometimes incomplete or inadequate. For one recent SSA, several commands had requested the retention of almost every existing contract with the contractor without documenting the need in each case. In some cases, contracting officers did not indicate what steps, if any, were taken to identify U.S.- owned suppliers. In another case, the service's files indicated that several U.S. firms could fill the user’s requirements, but an SSA was requested and approved. In another case, the foreign company requested approval of an SSA before it bought out a U.S. firm. The SSA was approved by the takeover date. -- The Industrial Security Regulation permits a foreign-owned U.S. facility to be issued a security clearance if the risks from foreign ownership, control, or influence can be negated or reduced to an acceptable level. It does not specifically 15 require that the user agencies determine whether the foreign company is doing business with our adversaries. According to an Army counterintelligence specialist, in a specific case of concern to the Subcommittee, the foreign parent company was doing business with the Eastern bloc, but the extent of that business was not known. The official told us that this information would be useful to evaluate a request for an SSA but that it is not normal Army procedure to check for this type of information. -- The Defense Department requires outside directors who serve as Defense's watchdogs on the security committee to be cleared U.S. citizens who have certified that they have no prior financial or employment relationship with the U.S. firm. Financial disclosure statements are not required. During our review of the SSA files, we noted several instances in which individuals appointed as outside directors had prior dealings with the U.S. subsidiary that appeared to be contrary to established Defense Department policy. ------------------- We interviewed current and former security officials from the Defense Investigative Service, the Office of the Secretary of Defense, and the three military services responsible for administering the Defense Department's Industrial Security Program. We also reviewed selected SSA files at the Defense Investigative Service and the three military services and 16 analyzed about half of the 20 SSAs existing as of November 1989. We discussed this statement with officials of the Office of the Secretary of Defense and the Defense Investigative Service and incorporated their comments, as appropriate. This concludes our statement for the record. 17
Defense Industrial Security: Special Security Agreements Permit Foreign-owned U.S. Firms to Perform Classified Defense Contracts
Published by the Government Accountability Office on 1990-03-21.
Below is a raw (and likely hideous) rendition of the original report. (PDF)