One of the hardest problems in computer security — in all security, really — is the insider attack. It means pretty much what it sounds like: how do you prevent the illicit release of information by someone who is authorized to have access to the information? How do you limit the damage an insider can do?
Long before computer security became an issue, the basics were well understood. Before you give people access to anything you want to protect, you make as sure as you can that they’re trustworthy. You identify what you want to protect so no one can say they weren’t aware of its sensitivity. You physically control the information so it’s difficult to get out of your control. You limit what people can see to what they must have to do their job — this is called “need to know” in government parlance. And you establish penalties sufficient to make someone think twice, or three times, before revealing your secrets.
The hazards of an insider attack have been shown many times. Recently, the Snowden case was one where, because of specific computer security issues, Ed Snowden was able to capture a lot of sensitive information and smuggle it out to Wikileaks. In the process, he fled justice into the arms of the Russian FSB. (I wrote about this at some length in “Snowden and Computer Security” several years ago here at PJM.)
Of course, computers have made this much harder. Once upon a time, James Bond 007 had to have a Minox camera and take pictures of documents — 36 to a film roll. Now, for less than $20, you can buy a device that fits on a keychain that can store literally millions of pages of documents, days of audio, hours of video. And because of the digitalization of the world, those documents, audio, video, are racing around the Internet at half the speed of light through a network that was built from the first to not let silly little limits like atomic bombs prevent the data from getting through.
This makes for a good news/bad news joke: the bad news is that it’s a real bear to protect our data; the good news is that it’s hard for adversaries to protect their data.
The problem for regular folks is that they’re entitled under the Constitution to expect the government to leave their data alone, but they don’t have the technical skills and resources with which to protect themselves.
Well, where there’s no feasible technical solution, we try laws.
The Foreign Intelligence Surveillance Act (FISA) attempted to establish rules by law to protect citizens and residents — the technical terms are United States Persons or “U.S. Persons” — against unlimited spying by the government by requiring a special warrant in order to target U.S. Persons for interception, and by requiring the U.S. Government to handle anything that was collected “incidentally” to other surveillance with great care to prevent the U.S. Person’s information from being revealed.
Before FISA, there really were no limits on what could be intercepted by intelligence agencies. This was abused over and over again, usually by the FBI, which used national security as a reason to intercept phone conversations of pretty much anyone who was thought to present some kind of a threat.
Even at the time FISA passed, though, civil libertarians were warning that there was little real protection against the Government using the information they collect maliciously. The problem goes back to the basics: you need to make sure that the people with access to the collected data have been thoroughly checked and can be trusted.
In the United States, though, there’s a significant loophole, called “an election.”
Necessarily, when we elect a president, the president has complete access to any data — the president is the authority who decides what data is to be protected, and with what rigor. The president’s political appointees, just as necessarily, must have the same access. Our only real protection from illicit disclosure by these insiders is the degree to which they can be trusted. An unscrupulous political appointee on the president’s national security staff can obtain anything and leak anything.
In the Obama administration, scruples about information security were notably lacking. We saw it with the Clinton emails, where information security procedures were openly flouted, and where, frankly, multiple felonious violations of the Espionage Act went unpunished.
And we’re seeing it now: Susan Rice, and probably a number of others, violated the provisions of FISA, and certainly, with no reasonable doubt, violated the privacy of at least one U.S. Person.
FISA is coming up for renewal not too long from now, and FISA’s opponents have got a new and very strong argument that the government cannot be trusted with the power to intercept U.S. Persons’ communications.
If FISA were eliminated, the U.S. would lose a valuable tool — we really do need to be able to intercept communications within the U.S., for both state and non-state (read “terrorist”) actors. But for Americans to be able to trust their government with these surveillance powers, we have got to be able to trust that unscrupulous political appointees are deterred, and that illicit actions will be punished.
If Susan Rice, and the leakers if Rice wasn’t the one, go unpunished, we’ll have proven the wild-eyed civil libertarians right, and have given their arguments against continuing FISA much new strength.