Hillary’s Air Gap Problem


I imagine most of you have been following the Hillary Clinton email scandal, which has gotten more and more … interesting … since I last wrote about it. At that time, the inspectors general had only revealed emails that were properly classified CONFIDENTIAL, or marked SENSITIVE BUT UNCLASSIFIED, which is a special State Department marking for things that wouldn’t cause damage to our national security but would make things uncomfortable for someone State was working with.

Since then, of course, we know that at least two more emails have been identified as TOP SECRET, and that’s a whole ’nother kettle of fish. I went through the details of classification back in the Edward Snowden days, in a PJ article titled “L’affaire Snowden and (Computer) Security,” and John Schindler of the XX Committee has a nice worked example of just how classification works in practice that I recommend.

In the meantime, I’m going to tell you a little war story about the history of computer security.

Back in the late '70s when I actually started to work in the security community, “word processing” was done on a Selectric typewriter – I wrote my drafts on a typewriter, typing the markings carefully as I wrote; I put the drafts away in a safe, along with my typewriter ribbon, every night. We had a cleared typist, and she had an actual Wang word processing machine that had been installed in a case that prevented it from emitting readable radio waves. It was something like a twenty thousand dollar machine, in a twenty thousand dollar special case, and they couldn’t give one to everybody.

Then I went overseas, where there were secure communications, but it was using a 30-year-old teletype. When I came back, things had changed: there was email. Working on a classified project, I had an actual terminal at my desk, and could send email to my colleagues. But only the ones on that project, because the whole computer, network and all, was in a shielded Secure Compartmented Information Facility, a SCIF. The only connections to the outside world were telephones with push-to-talk buttons, and the power lines – which were specially isolated so that no signals could leak out.

The effect was an air gap – there were no electronic connections to the outside world, so there were no pathways for secrets to escape by electronic means. Someone would have to carry a document, or a disk drive, out of the room, and we had guards and such to see they didn’t.

About a year later, I went to graduate school. Cool things were starting to happen. On UNIX systems, you could get a great new kind of interface called a windowing interface. (Yes, kids, I’m that old.) Network-connected computers were coming – ARPANET was expanding, the Internet was just around the corner. And DOD agencies, primarily the NSA’s National Computer Security Center, were thinking about what it would take to let computers that were storing classified data be trusted to also connect to an unclassified world. The results of this process were a series of standards called the “Rainbow Books” because each standard had a brightly colored cover. The most important one was called the Orange Book (guess why) but was formally the Trusted Computer System Evaluation Criteria.

I spent years working out ways to make systems comply with the Orange Book, along with lots of other people, and the conclusion was that it simply wasn’t possible then and isn’t possible now to build a system that could both handle TOP SECRET and connect to an unclassified network. Or connect to a network that might connect to an unclassified network.

In other words, there must be an air gap. Period.

And now we get around to Hillary’s problem. At least two of the emails in her private stash turn out to have been classified

TOP SECRET//SI//TK//NOFORN
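The Orange Book's mandatory access control rests on a dominance relation between labels: information may move from one place to another only when the destination's label dominates the source's (at least as high a level, and every compartment of the source). The following is an added example, not code from the original post, that parses a marking of the form shown above under a deliberately simplified grammar (an assumption: `LEVEL//COMPARTMENT//...//CONTROL`, with anything in a small control list treated as a dissemination control and everything else as a compartment) and applies the no-write-down rule to a proposed flow. An unclassified network is modelled as a destination labelled UNCLASSIFIED, which is why every flow from the marking above to it is refused.

```python
"""Simplified Bell-LaPadula style dominance check over classification markings.

Assumptions (not from the original post): marking grammar is
LEVEL//SEGMENT//...//SEGMENT, segments are split on '/', a token found in
DISSEMINATION_CONTROLS is a control and every other token is a compartment,
and a network or recipient is modelled as a destination label.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
DISSEMINATION_CONTROLS = {"NOFORN", "ORCON", "PROPIN"}  # assumed short list


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset
    controls: frozenset

    def dominates(self, other):
        """Lattice order: level at least as high, and a superset of compartments."""
        return self.level >= other.level and self.compartments >= other.compartments


def parse_marking(marking):
    """Turn 'TOP SECRET//SI//TK//NOFORN' into a Label (constructed grammar)."""
    parts = [p.strip() for p in marking.split("//")]
    level_name = parts[0].upper()
    if level_name not in LEVELS:
        raise ValueError(f"unknown classification level: {parts[0]!r}")
    compartments, controls = set(), set()
    for segment in parts[1:]:
        for token in segment.split("/"):
            token = token.strip().upper()
            if not token:
                continue
            (controls if token in DISSEMINATION_CONTROLS else compartments).add(token)
    return Label(LEVELS[level_name], frozenset(compartments), frozenset(controls))


def may_flow(source, destination, destination_is_foreign=False):
    """Decide whether data labelled `source` may be written to `destination`.

    Returns (allowed, reason). The *-property forbids writing down: the
    destination label must dominate the source. NOFORN on the source
    additionally forbids release to a foreign destination.
    """
    src, dst = parse_marking(source), parse_marking(destination)
    if not dst.dominates(src):
        return False, "destination does not dominate source (write-down refused)"
    if "NOFORN" in src.controls and destination_is_foreign:
        return False, "NOFORN forbids release to foreign recipients"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenarios; the first models an email leaving a SCIF for
    # an unclassified network, which the dominance rule refuses outright.
    for src, dst, foreign in [
        ("TOP SECRET//SI//TK//NOFORN", "UNCLASSIFIED", False),
        ("TOP SECRET//SI//TK//NOFORN", "TOP SECRET//SI", False),
        ("TOP SECRET//SI//TK//NOFORN", "TOP SECRET//SI//TK//NOFORN", True),
        ("CONFIDENTIAL", "TOP SECRET//SI//TK", False),
    ]:
        allowed, reason = may_flow(src, dst, foreign)
        print(f"{src:28} -> {dst:28} {'ALLOW' if allowed else 'DENY '} ({reason})")
```

Note that the check is purely on labels: it is the model the Orange Book asks a trusted system to enforce, and the post's point is that no system connected to the unclassified side has ever been trusted to enforce it well enough for TOP SECRET, hence the air gap.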