L'affaire Snowden and (Computer) Security


Everyone is at least faintly familiar with the normal terms of classification: UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP SECRET. They're defined by executive order, the most recent one being from 2009, but the standards have been more or less the same for many years:

  • TOP SECRET information is information that, if released, would cause "exceptionally grave" damage to national security;
  • SECRET information would cause "grave damage" to national security;
  • CONFIDENTIAL information would merely "damage" national security; and,
  • UNCLASSIFIED information, you guessed it, wouldn't damage national security if released. (Strictly, UNCLASSIFIED isn't a classification; it's not defined in the executive order. But something that isn't classified is marked (U), so it's a very pedantic distinction.)

But these classifications are so not the whole story. Understanding what really happened with Snowden and the NSA data requires looking a bit deeper.


There is a nicely elegant way to measure how critical a piece of information really is, in dollars. We simply define the risk of some bad thing happening as the product of the cost associated with that bad thing, technically called the hazard, and the probability of it happening.

Risk = Probability × Hazard

All the sensitivity categories and all the rules are based on trying to reduce the risk. When what you're trying to evaluate is classified under this U.S. government system, though, those risk numbers can get pretty astronomical. "Exceptionally grave" damage? The 9/11 attack cost the U.S. economy something like a trillion dollars. Let's work some examples, taking that trillion dollars as the hazard:

  • If there's one chance in a thousand of the bad thing happening, then the risk is a billion dollars.
  • If there's one chance in a million, then the risk is still a million dollars.
  • If there's one chance in a billion, the risk is still a thousand dollars.

And 9/11, as traumatic as it was, is relatively small compared to what might happen in the case of "exceptionally grave" damage. When you quantify the risk, it's easy to see why these secrets are worth all the effort.