Hillary’s Air Gap Problem


I imagine most of you have been following the Hillary Clinton email scandal, which has gotten more and more … interesting … since I last wrote about it. At that time, the inspectors general had only revealed emails that were properly classified CONFIDENTIAL, or marked SENSITIVE BUT UNCLASSIFIED, which is a special State Department marking for things that wouldn’t cause damage to our national security but would make things uncomfortable for someone State was working with.

Since then, of course, we know that at least two more emails have been identified as TOP SECRET, and that’s a whole ’nother kettle of fish. I went through the details of classification back in the Edward Snowden days, in a PJ article titled “L’affaire Snowden and (Computer) Security,” and John Schindler of the XX Committee has a nice worked example of just how classification works in practice that I recommend.

In the meantime, I’m going to tell you a little war story about the history of computer security.

Back in the late '70s when I actually started to work in the security community, “word processing” was done on a Selectric typewriter – I wrote my drafts on a typewriter, typing the markings carefully as I wrote; I put the drafts away in a safe, along with my typewriter ribbon, every night. We had a cleared typist, and she had an actual Wang word processing machine that had been installed in a case that prevented it from emitting readable radio waves. It was something like a twenty thousand dollar machine, in a twenty thousand dollar special case, and they couldn’t give one to everybody.

Then I went overseas, where there were secure communications, but it was using a 30-year-old teletype. When I came back, things had changed: there was email. Working on a classified project, I had an actual terminal at my desk, and could send email to my colleagues. But only the ones on that project, because the whole computer, network and all, was in a shielded Secure Compartmented Information Facility, a SCIF. The only connections to the outside world were telephones with push-to-talk buttons, and the power lines – which were specially isolated so that no signals could leak out.

The effect was an air gap – there were no electronic connections to the outside world, so there were no pathways for secrets to escape by electronic means. Someone would have to carry a document, or a disk drive, out of the room, and we had guards and such to see they didn’t.

About a year later, I went to graduate school. Cool things were starting to happen. On UNIX systems, you could get a great new kind of interface called a windowing interface. (Yes, kids, I’m that old.) Network-connected computers were coming – ARPANET was expanding, the Internet was just around the corner. And DOD agencies, primarily the NSA’s National Computer Security Center, were thinking about what it would take to let computers that were storing classified data be trusted to also connect to an unclassified world. The results of this process were a series of standards called the “Rainbow Books” because each standard had a brightly colored cover. The most important one was called the Orange Book (guess why) but was formally the Trusted Computer System Evaluation Criteria.

I spent years working out ways to make systems comply with the Orange Book, along with lots of other people, and the conclusion was that it simply wasn’t possible then and isn’t possible now to build a system that could both handle TOP SECRET and connect to an unclassified network. Or connect to a network that might connect to an unclassified network.

In other words, there must be an air gap. Period.

And now we get around to Hillary’s problem. At least two of the emails in her private stash turn out to have been classified

TOP SECRET//SI//TK//NOFORN

Here’s a translation.

  • “TOP SECRET” everyone knows about, but they may not know the exact definition: it means “information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.” (Emphasis mine.)
  • “SI” means it is “special compartmented intelligence.” It’s not true that it is “classified above TOP SECRET” as you’ll sometimes hear because there’s no such thing. Besides, information can be SECRET//SI or even CONFIDENTIAL//SI. But it means that there are both special need-to-know restrictions, and communications channel restrictions, above and beyond TS. It refers to “communications intelligence.”
  • “TK” stands for “Talent Keyhole,” which is intelligence collected by satellites instead of Earth-bound collection.
  • “NOFORN,” as is pretty obvious, means “no foreign distribution.” Not even Canada.

I’ve gone on at a little length there because I want to make it clear: this classification is pretty heavy stuff, with the potential to cause “exceptionally grave damage,” and containing information that can be identified as coming from both Earth-based and satellite-based collection, that shouldn’t be shared with any foreign national.

This information would always be air-gapped. There is no (legitimate) way that a computer system could be connected to TS//SI//TK//NOFORN data and to the outside world.
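As an added illustration (not part of the original post), here is a small Python model of the marking translated above and of the air-gap rule: it splits a banner line into level, compartments and dissemination control, decides whether a system with a given accreditation and connectivity may hold it, and scans outbound message text for such banners the way a data-loss-prevention filter on a mail gateway would. The level ordering, the system_level/system_sci parameters and the sample message are assumptions of the example.

```python
import re
# Hierarchical levels, lowest to highest; the ordering is the example's assumption.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
# From the post: SI and TK are compartments, NOFORN is a dissemination control.
SCI_CONTROLS = {"SI", "TK"}
DISSEM_CONTROLS = {"NOFORN"}

def parse_banner(banner):
    """Split 'TOP SECRET//SI//TK//NOFORN' into level, compartments, dissemination."""
    parts = [p.strip().upper() for p in banner.split("//")]
    level = parts[0]
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level!r}")
    sci, dissem = set(), set()
    for tok in parts[1:]:
        if tok in SCI_CONTROLS:
            sci.add(tok)
        elif tok in DISSEM_CONTROLS:
            dissem.add(tok)
        else:  # reject unknown markings rather than guess at them
            raise ValueError(f"unknown control marking: {tok!r}")
    return {"level": level, "sci": sci, "dissem": dissem}

def permitted_on_system(banner, system_level, system_sci=frozenset(),
                        connected_to_unclassified=False):
    """The post's air-gap rule: any path to an unclassified network means the system may
    hold nothing classified; otherwise level and compartments must fit the accreditation."""
    m = parse_banner(banner)
    rank = LEVELS.index(m["level"])
    if rank >= LEVELS.index("CONFIDENTIAL") and connected_to_unclassified:
        return False
    if rank > LEVELS.index(system_level):
        return False
    return m["sci"] <= set(system_sci)

# Banner lines are upper case, so the scan is deliberately case-sensitive.
BANNER_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL)(//[A-Z]+)*")

def find_markings(text):
    """DLP-style check on outbound mail: every banner line found in the text."""
    return [mt.group(0) for mt in BANNER_RE.finditer(text)]

def blocked_markings(text, system_level="UNCLASSIFIED"):
    """Markings that must not be on a system reachable from the unclassified world."""
    return [b for b in find_markings(text)
            if not permitted_on_system(b, system_level, connected_to_unclassified=True)]

SAMPLE_EMAIL = ("Subject: Fwd: talking points\nPasted from the other system:\n"  # constructed
                "TOP SECRET//SI//TK//NOFORN\n(summary of reporting would follow)\n")
```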

What can happen is that someone copies information onto a piece of paper or a thumb drive (actually, systems that can handle TS shouldn’t have thumb drives either, but it’s too easy to sneak one in or out) and then pastes it into an email on an uncontrolled system – a cell phone or a laptop or an iPad. The person doing it has to know that it’s coming from a secure system, and has to know how sensitive the data really is; they go through lots of training and repeated reminders, and come and go to the office through a freaking vault door that would do credit to a bank.

It has to be done on purpose, and it has to be done knowingly. There has to have been conscious intent to do it.

That, folks, is a violation of 18 U.S. Code § 793 - Gathering, transmitting or losing defense information, for which the prescribed punishment is to be “fined under this title or imprisoned not more than ten years, or both.” Which applies both to the sender, and to the recipient.
