
L'affaire Snowden and (Computer) Security

UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP SECRET: So not the whole story.

by Charlie Martin


July 11, 2013 - 7:21 am


Rules of the Game

Dealing with classified information has a lot of rules associated with it, of course. (The Federation of American Scientists has a nice set of slides on the rules on the web here, and there’s another good page here.) There are standards for how it’s stored, how it’s transmitted, and how — and where — it can be used, all based on trying to protect sensitive information according to its level of sensitivity. Those rules are based around some basic assumptions: the fewer people who know the information the better; the better we understand who has had access to information, the more likely we are to be able to protect it; and at any moment, there is some individual responsible for any piece of classified information.

Because of these rules, managing sensitive information is difficult, and things that are difficult are hard. And expensive. So there are tradeoffs between the cost and difficulty of managing the information and the desire to protect it.

So what are these rules?

First of all, you need to try to make sure that the people you make responsible for sensitive information are trustworthy. So you do more and more extensive checks of the background of people who get that responsibility. More on that shortly.

Second, you reduce the number of people who have access to any particular piece of information. There is a lot of information classified TOP SECRET, and even more at lower sensitivity levels. I don’t think I’ve ever seen real numbers, but based on my experience I’d guess that there is ten times as much SECRET information as TOP SECRET, and ten times as much CONFIDENTIAL as there is SECRET.

But that doesn’t tell the whole story either, for several reasons. First, classification is “catching” — documents are classified on a paragraph by paragraph basis. If there’s one piece of TOP SECRET in a paragraph, that whole paragraph is classified TOP SECRET, marked by putting a (TS) at the beginning of the paragraph. If there’s a paragraph, or part of a paragraph, marked (TS) on a page, the whole page is marked TOP SECRET at the top. If there’s a page of TOP SECRET in a document, the whole thing is marked TOP SECRET.

Add to that, no one was ever fired for classifying something too highly. Oh, there are counter-pressures, the biggest one being that something that’s highly classified is what is known in the trade as “a pain in the ass” or PITA. But still, it’s better to err on the side of caution.

Of course, these two things mean that there’s a lot of material out there classified (TS) that isn’t particularly sensitive, but it requires a process, with forms and signatures and such, to reduce the classification of a document. (Which, just so you can sound knowledgeable for your friends, is called “downgrading” the document. Preparing a new document with the sensitive stuff removed or blocked out is known as “sanitizing” the document.)
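The "catching" rule above is mechanical enough to write down. The following Python is an added illustration, not code from the article or from any government system: it reads the portion mark at the head of each paragraph, lifts the highest mark to the page and then to the document, and counts how many paragraphs sit below the document's banner, which is the material that would need downgrading or sanitizing before release. The four levels are the ones the article names; the sample document is constructed for this example and contains no real classified material.

```python
"""Derive page and document banner markings from per-paragraph portion marks.

Added illustration of the "classification is catching" rule: the highest
portion mark on a page becomes the page's mark, and the highest page mark
becomes the document's mark.  SAMPLE_DOCUMENT is constructed for this example.
"""
import re

# Least to most sensitive; the list index is the comparison key.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
PORTION_MARKS = {"U": "UNCLASSIFIED", "C": "CONFIDENTIAL",
                 "S": "SECRET", "TS": "TOP SECRET"}

# A portion mark is a parenthesised abbreviation at the start of a paragraph.
_MARK_RE = re.compile(r"^\((U|C|S|TS)\)(?:\s|$)")


def portion_level(paragraph: str) -> str:
    """Return the classification level named by a paragraph's portion mark.

    An unmarked paragraph is reported as an error rather than silently read
    as UNCLASSIFIED: a missing mark is a marking defect, not a decision.
    """
    match = _MARK_RE.match(paragraph.lstrip())
    if match is None:
        raise ValueError(f"paragraph lacks a portion mark: {paragraph[:40]!r}")
    return PORTION_MARKS[match.group(1)]


def highest(levels) -> str:
    """Most sensitive level among those given (the high-water mark)."""
    return max(levels, key=LEVELS.index)


def page_banner(paragraphs) -> str:
    """A page is marked at the level of its most sensitive paragraph."""
    return highest(portion_level(p) for p in paragraphs)


def document_banner(pages) -> str:
    """A document is marked at the level of its most sensitive page."""
    return highest(page_banner(page) for page in pages)


def marking_summary(pages) -> dict:
    """Count portions per level and how many sit below the document banner.

    'below_banner' is the material the article says accumulates: paragraphs
    individually less sensitive than the document's mark, releasable only
    after downgrading or sanitizing.
    """
    banner = document_banner(pages)
    counts = {level: 0 for level in LEVELS}
    for page in pages:
        for paragraph in page:
            counts[portion_level(paragraph)] += 1
    total = sum(counts.values())
    return {"banner": banner, "portions": counts,
            "total": total, "below_banner": total - counts[banner]}


# Constructed sample: two pages, each a list of portion-marked paragraphs.
SAMPLE_DOCUMENT = [
    [   # page 1: nothing above CONFIDENTIAL
        "(U) Weekly status summary for the logistics working group.",
        "(C) The second-quarter delivery schedule has slipped two weeks.",
        "(U) The next meeting is on Thursday.",
    ],
    [   # page 2: one TOP SECRET paragraph drags the page and the document up
        "(U) Background on the vendor selection process.",
        "(TS) One sentence here cites a sensitive source, so the paragraph is TS.",
        "(S) Assessment of supplier reliability.",
    ],
]

if __name__ == "__main__":
    for number, page in enumerate(SAMPLE_DOCUMENT, start=1):
        print(f"page {number}: {page_banner(page)}")
    print("document:", document_banner(SAMPLE_DOCUMENT))
    print(marking_summary(SAMPLE_DOCUMENT))
```

Run as a script it prints CONFIDENTIAL for page 1, TOP SECRET for page 2 and for the document, and a summary showing that five of the six paragraphs are marked below the document banner, which is the over-marking effect the text describes.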

The second major issue, though, is something known as the aggregation problem. Simply put, the problem is this: the more information you have, the more likely you are to be able to deduce something really sensitive from it.

If you’re a bad guy, a Black Hat, and you know that a particular person works for the Department of Defense, that’s not particularly interesting. There are a lot of people in the DC area who work for the Department of Defense. But if you find out that this same person works at Fort George Meade in Maryland, it becomes more interesting: basically, they’re either working at NSA, or at the DoD side of the intelligence world, the Defense Intelligence Agency, or they’re in the Army Band.

If you then find out they’re tone-deaf, you’ve got something.
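The aggregation problem can be measured rather than just described: treat each released fact as a filter over a population and watch the set of people who still match shrink. The Python below is an added example, not from the article, using the article's own three attributes (employer, duty station, tone-deafness) over a constructed roster of fictional people. It goes one step past the text: a release reviewer can run the same arithmetic before publication and flag a combination of facts that is individually harmless but jointly identifying (an anonymity set smaller than a threshold k).

```python
"""Anonymity-set analysis for the aggregation problem.

Added example: each fact about a person is a predicate over a population, and
the "aggregation problem" is that facts harmless on their own can, combined,
leave a single candidate.  ROSTER is a constructed population; every name
and attribute is fictional.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Person:
    name: str
    employer: str
    site: str
    tone_deaf: bool


# Constructed roster following the article's illustration.
ROSTER = [
    Person("Alice", "DoD", "Pentagon", False),
    Person("Bob", "DoD", "Fort Meade", False),
    Person("Carol", "DoD", "Fort Meade", False),
    Person("Dave", "DoD", "Fort Meade", True),
    Person("Erin", "State", "Foggy Bottom", True),
    Person("Frank", "DoD", "Pentagon", True),
    Person("Grace", "Commerce", "Downtown DC", False),
    Person("Hal", "DoD", "Fort Meade", False),
]

# A fact is a label plus a predicate over Person.
Fact = Tuple[str, Callable[[Person], bool]]

FACTS: List[Fact] = [
    ("works for DoD", lambda p: p.employer == "DoD"),
    ("works at Fort Meade", lambda p: p.site == "Fort Meade"),
    ("is tone-deaf", lambda p: p.tone_deaf),
]


def anonymity_set(population: Iterable[Person], facts: Iterable[Fact]) -> List[Person]:
    """People consistent with every released fact."""
    remaining = list(population)
    for _, holds in facts:
        remaining = [p for p in remaining if holds(p)]
    return remaining


def release_trace(population: List[Person], facts: List[Fact]) -> List[Tuple[str, int]]:
    """Size of the anonymity set after each successive fact is released."""
    return [(facts[i - 1][0], len(anonymity_set(population, facts[:i])))
            for i in range(1, len(facts) + 1)]


def aggregation_risk(population: List[Person], facts: List[Fact], k: int = 2) -> dict:
    """Compare each fact's own anonymity set with the combined one.

    Flags the case the article warns about: no single fact narrows the
    population below k, yet all of them together do.
    """
    singles = {label: len(anonymity_set(population, [(label, holds)]))
               for label, holds in facts}
    combined = len(anonymity_set(population, facts))
    return {
        "singles": singles,
        "combined": combined,
        "any_single_identifying": any(n < k for n in singles.values()),
        "aggregate_identifying": combined < k,
    }


if __name__ == "__main__":
    for label, size in release_trace(ROSTER, FACTS):
        print(f"after '{label}': {size} candidates remain")
    print(aggregation_risk(ROSTER, FACTS))
```

On the constructed roster the trace runs 6, 4, 1: each fact alone leaves at least three candidates, so none of them would trip a reviewer looking at facts one at a time, but the three together name one person. That gap between the per-fact and combined figures is what "aggregation" means in practice, and it is why release decisions have to consider what is already public, not just the item on the desk.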

All Comments (28)
"If you then find out they’re tone-deaf, you’ve got something."

The Drummer?

I don't know when you last worked on that side of things, but today (or at least as of November, when I was supposed to have been read out of a TS/SCI job) they don't call it "code words" any more, and what you call a channel is, for some stuff, called a "compartment" and the last bit is the distribution.

So you might have something marked SECRET//CI//Twelve Nations where CI is the Compartment Initials, and Twelve Nations is a pre-specified group of nations/partners. For the record I made the CI and Twelve Nations up because the names of compartments are classified and I don't remember if the distributions specifically are.

As to how someone w/out a degree got a job at the CIA, I do not have a degree in anything related to the technical side of computers--I have a degree from a fine arts college, but I had 10 years of experience in the industry and got a TS clearance while in the reserves.

In the days of easy drugs and loose morality it's not easy to find folks who can pass a TS background check, and the contractor companies don't care how good you are as long as you're good enough that the customer doesn't complain. Heck, for them your inadequacies are extra money--the more work you don't do the more justification there is for another body, which they get paid for.

I know plenty of people at the various jobs I worked that flat out would get fired in any small to medium sized company, and a few who should have been sued for fraud when they claimed to be computer techs.

And once you're hired the intelligence agencies largely use the same computer systems everyone else does. Once you have access to the LDAP store (be it Active Directory or "real" LDAP) you can manipulate your access at will. And if you're in an older environment that hasn't upgraded to role based ACLs it's even easier. Most people in the government--like most people everywhere--have NFC about computers.
40 weeks ago
While watching the shiny objects (Zimmerman trial, Egypt, etc.), we get this quietly signed by our POS POTUS... EO 12472 Gives Obama Power to Seize All Communication Systems

http://www.independentsentinel.com/executive-order-12472-assignment-of-national-security-and-emergency-preparedness-telecommunications-functions/
40 weeks ago
Hey dips*, that EO was originally written in 1984 by Reagan and amended twice by Bush.

Obama's a foxtrotting twit but it really doesn't help the team when lackwits like you get your facts wrong and make all of us look like tinfoil hat wearing goofballs.

Unless you're *trying* to make us look bad so the "democrats" will win. Which is always possible.
40 weeks ago
Yes, that EO was originally written in 84, but it has been expanded with each re-writing. The version that our current POTUS signed is the most expansive, and with the least controls, of any of them.
37 weeks ago
Well written article, thanks for hashing out some of the details for us.
40 weeks ago
Excellent job explaining the classification labyrinth and some points of failure in less than book length! The system is built by humans and so subject to human failures. (no one is on guard 24/7/365 no matter how important it is that they should be) There are systems defined but, as with nearly all security measures, they are ignored or bypassed for ease of use. As always no one thinks it will ever happen to them and it's okay "just this once".

The biggest take away from all this mess, something we should not ever forget: "digital exhaust" (thank you Dan Geer for the excellent visual reference) is often times far more important than content when gathering intelligence information.

Whether it's the NSA gathering metadata on cell networks or a slide show publicized by Snowden of methods used, it is very likely far more damaging than wiretapping the President's phone.
40 weeks ago
Your explanation of classification levels and compartmentalized information matches my experience when working in a SCIF for many years.

For what it's worth, the "NOFORN" in “Top Secret, SI, NOFORN” is not a code word; it's a further description of the channel. NOFORN means No Foreign Nationals may see the document/information. So it is information that would not be shared even with our allies (e.g., British intelligence), even if our ally was otherwise cleared, but rather is for use only by and in the USA.
40 weeks ago
Yeah, I was kinda hoping no one would notice that I sort of blurred that over -- it seemed hairy enough as it was. Thanks for explaining it.
40 weeks ago
Nice job, Charlie, contextualizing the world Snowden worked in. You confirmed a fuzzy suspicion when you pointed out that his world boiled down to theoretically water tight Unix permission structures, and the whole thing begins to turn to mush when someone goes on maternity leave and five personnel changes later it's porridge. I remember a guy who was a radio operator in the Naval Air Transport in the 50s and the Russkie radio operators on the trawlers always, always knew the names of everyone on the plane because they had the crew lists. He gave as good as he got in the inevitable banter (they still used Morse then) but was always frustrated because all he could call them was Ivan because he didn't have their crew lists.

I also hear your self recognition that you had a lot less judgement yourself when you were 29, which as a 70 year old I can confirm is equally true of myself. I remember seeing a billboard put up by the Indonesian religion Subud when I was in my 30s. It said "If you want to change the world, first change yourself." That was a memorable moment for me. ;-)
40 weeks ago
While all rational folks know - at least they should - that certain national secrets should NEVER be revealed - this in no way leads to Obama Inc's conclusion that ALL Americans have to be spied on to keep them safe!

Moreover, the balderdash is revealed when the rest of the equation is known - http://adinakutnicki.com/2013/06/18/the-purging-an-omerta-re-islam-terror-within-americas-power-centers-eviscerates-nsas-domestic-spying-say-what-commentary-by-adina-kutnicki/

Case closed.

Adina Kutnicki, Israel http://adinakutnicki.com/about/
40 weeks ago
2 small questions
A. Adina's expertise in security/intelligence is?
(All opinions are not necessarily equal)

B. What Do You Want To Do? Problems are meant to be solved....not just ranted about.
40 weeks ago
Reading Martin's account here of these onion-skin layered complexities, inside the compartmentalization of the individually separate levels of three divisions of each classification, do y'all see where I'm going?, of "classified" stuff was itself dizzying. I'd guess that there's even more to it than this, depending on the........uh oh, here we go again down yet another path.

The conclusion seems to me to be that this is one helluva humongous organizational Catch-22, very damned if we do, even more damned if we don't.

Frankly, Snowden should be skinned alive, slowly, along with this whole Greenwald/Guardian outfit. WikiLeaks/Assange/New York Times/Washington Post each in their separately designated compartmentalized Circles of Hell are, of course a separate subject.

Unmentioned so far is the stark tragedy of how many American lives have now been put in jeopardy.......all because of an individual's smug certitude.
40 weeks ago
"The conclusion seems to me to be that this is one helluva humongous organizational Catch-22, very damned if we do, even more damned if we don't."

You are one of the few people I've seen on the Net that gets this.
I keep asking people...What do You Want To Do?...no answer...at least no real answer.

"Frankly, Snowden should be skinned alive"


If I find a downside, I'll let you know. :-)
40 weeks ago
"This quickly runs into the PITA problem, though, as you get more markings and time goes on. The sysadmin for (A,B,C) goes on maternity leave, and someone has to take up the slack; a new compartment is added, so someone has to get access, which normally means being “read into” the particular program or codeword, which takes paperwork; the ambassador forgets his password, and doesn’t have time to go through the secure process so someone has to be able to set the password for his account for him. "

One of the things I have learned from reading history is...Something Always Goes Wrong.

Also something needs to be done over this...
"Add to that, no one was ever fired for classifying something too highly."

It appears, looking from the outside in, that many times something is classified not so much because it might endanger the nation, but because it would endanger someone's career.

As always I reserve my God given Constitutional right to be Wrong
40 weeks ago
It appears, looking from the outside in, that many times something is classified not so much because it might endanger the nation, but because it would endanger someone's career.

Oh hell yes. Or because it's easier to classify something than to decide what really should be classified. Or you get a Major Major who would classify used toilet paper if the smell didn't get to him.
40 weeks ago
"Bureaucracy defends the status quo long past the time when the quo has lost its status."
Laurence J. Peter
40 weeks ago
As far as compartmentalized, when I was in the Service I was a radio tech. This required a secret clearance. With that, I could repair just about any radio we had. At one time I was sent on a wargame to Australia. We didn't have enough crypto people to spare so they called some of us in to learn how to operate the crypto equipment. The key word there is operate. While in the field one of our crypto units broke down. I was told to fix it by my Lt. I told him I didn't have the clearance to go inside it. I had to repeat this until I got to the Battalion Commander, who had the authority to bump my clearance up so that I could open the equipment. The fun part was that the problem wasn't on my side; my equipment was working perfectly.
At another time I was working a radio relay site in Vietnam. While doing a comm check I happened on a conversation between the Battalion CO and the Regimental CO about a patrol we had out and giving their coordinates in the clear over the phone. Funny how at just that moment they lost their comm. I didn't go back to see if they got the hint after I opened the channel up again but the patrol came back safe.
40 weeks ago
The "Crypto for Use" Access is a distinct, separate club. You should have been sprinkled with that flavor of pixie dust if you were called on for that duty.
40 weeks ago
Yes indeed, and there's an excellent example of privilege elevation for PITA. Thanks.
40 weeks ago