L'affaire Snowden and (Computer) Security
UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP SECRET: So not the whole story.
July 11, 2013 - 7:21 am
Edward Snowden, Remember Him?
This finally takes us back to Snowden, the heroic traitorous whistleblower spy. It’s a lot easier to understand what happened now that we understand just what the context of all this really is. In Snowden’s case, it’s not just the talk about the NSA leaks, but the question of how a mere contractor got cleared for this stuff and how he got access to whatever information he actually has.
So what do we know of his history? He enlisted in the Army, apparently intending to go for the Special Forces, but was discharged after breaking both legs. (It’s been widely reported he enlisted in the Special Forces, but it doesn’t work like that. Four months in, he was in his initial training for whatever military specialty he was looking for.) However, by the time he’s been in the Army that long, he had at least a CONFIDENTIAL and probably a SECRET clearance, those being about as exclusive as a thunderstorm.
This undoubtedly helped him get work as a security guard at the Center for Advanced Study of Language of the University of Maryland. NSA does quite a lot of research in teaching and acquiring languages, because the people they listen to stubbornly refuse to speak English, but this is a very open organization. Still, I imagine it was while he was working there that he got started in the process to get the extended clearance, which took me a year back in the ’70s. Then he was hired by CIA to “work in Computer Security.”
Now we get to one of the things that a lot of people have said: “how did a guy with no college degree and just a GED get hired to work in IT security?” But there’s a basic misunderstanding there: not everyone “working in IT security” is doing research. CIA has a bunch of computers, and they need a bunch of systems administrators.
Would CIA hire someone with a clearance and some computer skills, but no degree? You bet your ass they would. Especially for a sysadmin job. But it’s also the sysadmin job that explains what Snowden may have been able to get access to (and what he probably didn’t really have access to). To explain that we’re going to have to do a little more exposition, this time on computer security in this world.
Like everything in computer science, there’s some math involved, but I promise I won’t go into it much. Here’s the basic idea. When you examine all the rules for sensitivity levels and classifications, it turns out that the real classification of some chunk of data is composed of three parts:
(sensitivity, channel, codeword)
So one file on a computer might be marked “UNCLASSIFIED, carrier pigeon only, alpha” and another file might be “SECRET, regular channels, none.” All of these lists of three things, “triples,” exist in a relationship technically called dominates — if one triple is “more classified” that another triple, the first triple “dominates” the second.
There is an example of this in the NSA slides Snowden released; the Washington Post has published some of them. This one is marked “Top Secret, SI, NOFORN,” where SI is the channel.
These form a partial order which just means that we can’t always compare two elements and see which dominates the other. That Wikipedia article has a good example in street addresses: you know that 300 Pike Street is a higher address that 100 Pike Street, but you don’t necessarily know where 300 Pike Street is compared to 300 Walnut Street.
What’s important, though, is that in general, to have access to information marked (X,Y,Z) you have to be cleared for X, have access to special channel Y, and you have to be individually “read into” information for codeword Z. But it turns out to be convenient to define two special markings, system high and system low. System high is simply defined to be higher than everything else, it dominates anything; system low is dominated by anything. UNIX geeks will recognize system high as being just like root or “superuser” access.
In a real system implementing this scheme, what’s called a multilevel secure system, in theory you control the access to each marking, each compartment, separately. So you restrict the access privileges for even the system administrators so they can only deal with certain information.
This quickly runs into the PITA problem, though, as you get more markings and time goes on. The sysadmin for (A,B,C) goes on maternity leave, and someone has to take up the slack; a new compartment is added, so someone has to get access, which normally means being “read into” the particular program or codeword, which takes paperwork; the ambassador forgets his password, and doesn’t have time to go through the secure process so someone has to be able to set the password for his account for him. Bit by bit, as people get sloppy over time, it turns out that there’s usually someone who has system-high access, “root” access. (One of the few commercial systems that supports this completely is Oracle’s Solaris operating system. I’ve set up a number of systems with the full access control, which means there’s not even a root account; I don’t think that has lasted a day on any system I’ve seen.)
I’m willing to bet that Snowden ended up — possibly with some quiet pushing on his part — with access to a system-high account, from which he could see anything on the system.