Tuesday, April 25, 2023

Of MICE and Men



Those of you who have been with me for a while know that I spent my entire career working in the world of military intelligence, on active duty in the Air Force and later, after my military retirement, as a government contractor supporting Air Force programs ... a total of more than 40 years dealing with secret stuff. I think this gives me a certain amount of authority to talk about the related topics of (1) the need to protect government secrets, (2) how we protect those secrets, and (3) the attitude of some people toward the protection of those secrets.

The immediate impetus for me to write this post was the arrest of a young Air National Guard Airman for his cavalier sharing of classified material he downloaded from secure networks in the course of his job as an IT specialist. Here's a guy who, like many thousands of other clearance-holders, was investigated and adjudicated before being granted access to classified material. Unlike most of those others, he chose to ignore the security guidelines in place and recklessly share extraordinarily sensitive material. Why did he do that?

People who make a living catching those who leak classified material will tell you that there are four reasons most people engage in espionage: for money, for ideology, because they've been compromised (blackmailed), or as an ego trip - hence the acronym MICE. But in the case of the young airman now sitting in jail, none of these really seem to apply. His motivation appears to have been a muddled mixture of a need to show off to his online friends, mixed with a confused desire to show "the people" what is really happening in the world. He apparently believed that the vast experience he'd amassed as a 21-year-old Airman First Class gave him the expertise and the authority to expose information that could (and likely will) cost lives.

So, IMHO, he's both ignorant and traitorous, and he deserves to be in jail ... as does a certain former president who was also (and continues to be) blithely cavalier with sensitive material. Guess which one is in jail? Hint ... it's not the one who can hire reinforced battalions of lawyers and convince ignorant laymen that he's being unfairly picked on.

But the question in my mind is this: how was it that this 21-year-old Airman was able to access such extraordinarily sensitive information? In short, because of two things: networks and the traditional tension between the need to protect information and the need to make it easily available to those who need it (who have a need to know).

When I entered the world of military intelligence in 1973, back when dinosaurs roamed the earth, everything was on paper. It was stored in big, heavy safes which were kept in locked rooms which were often alarmed. If the contents were really sensitive, the safe would have two combination locks, and no single person was allowed to have both combinations. The most sensitive documents had unique control numbers and had to be signed in and out, and the records of their storage and access were audited at regular intervals. Most copy machines in secure areas needed a special key (which had to be signed for) to be operated, and had counters that recorded the number of copies made. Yes, things got leaked back then in the stone age, but it was a lot more cumbersome and dangerous to do so.

By the mid-80s or so, word processors started to become widespread, followed by standalone PCs, which begat networks and digital storage and transfer. This had both advantages and disadvantages. It reduced the amount of loose paper that needed to be stored in expensive, bulky safes and controlled with cumbersome handling measures, but it also introduced security vulnerabilities in storage and transfer. The IT specialists who set up, managed, and maintained the networks had to be authorized for access to the highest level of material on their networks - not because they had a need to know, but because the nature of their work gave them the opportunity to see everything that was there. This is what made the IT Airman in Massachusetts so dangerous.

Let's talk about the whole need to know issue. Need to know is supposedly one of the criteria for access to classified information ... it's not enough to be approved for access to information classified at a certain level - there must be an operational reason for you to have that access - a need to know. Some programs are considered so sensitive that the rule for access becomes "Must Know" - you cannot do your job unless you have access to that information. There's also another school of thought that says increased access to various sources and types of classified information leads to better analysis and improved decision-making ... this is the "Need to Share" camp. 

So, what does all this mean?

Classification is expensive and cumbersome. Safes rated to store paper files and removable electronic media are big (take up space), heavy (require buildings that can support their weight*), and very expensive. Networks become more expensive as the amount of digital protection increases, and increasing levels of protection often require multiple sets of equipment, independent connections, and separate access methods ... and wireless connectivity is dangerous in itself, being subject to interception en route. 

In my last job before retirement, I had three separate computers on my desk which allowed me to access four different networks at increasing levels of sensitivity. And the offices in which I worked, located in the already-heavily-defended Pentagon, were secured by combination locks and multiple alarms and access control policies and systems.

So, yeah, all this security is cumbersome and very, very expensive. Is it necessary? In some cases, certainly. In other cases, maybe. In still other cases, probably not. Who decides? Who makes the rules about what needs to be protected at what level, for how long, and from whom? Who watches the watchers? 

This is the hand-wringing discussion we have every time there's a major compromise of our intelligence and security. I don't profess to have the right answer ... I have suggestions that might help**, but it's no longer my problem. The people we pay to be security officers will have to figure it out. We will always have information that needs to be protected, we will always have people who want access to it that they shouldn't have, and no security system is perfect. As my dad used to say, locking all the doors and windows keeps the honest people out.

If you happen to be a person with access to sensitive information, remember that you don't get a vote on who you can share it with. Things are classified at a particular level for a particular reason. If you disagree, you can try to work it out with the person who originally classified it, or look for official channels through which you can appeal the classification.

The Internet ain't one of them. 

Have a good day. Thanks for letting me get this off my chest. More thoughts coming.

Bilbo

* Many years ago, my unit's offices were in rickety old two-story World War II-era open-bay wooden barracks (they've long since been torn down). The four-drawer safes on the upper floor (and there were a lot of them) had to be placed next to wooden support beams, otherwise they'd have a better-than-even chance of crashing down onto the heads of those of us on the ground floor. You can bet that we were attuned to every noise those buildings made.

** Starting with figuring out how to prevent IT people from accessing network content while doing network maintenance. Don't ask me how.

6 comments:

KathyA said...

All of those reasons, yes. But don't forget the most obvious: STUPID.

John A Hill said...

Thanks for sharing your well-weighted insight.
Unfortunately, in this world your experience is given equal value to the isolated red-neck with an armory full of weapons and a head full of conspiracies.

Mike said...

I would think that anything being transmitted, even interoffice from computer to computer, would be encrypted.

jenny_o said...

Fascinating - thanks for the bird's-eye view of the topic. (Just a thought - wanting to show off to online friends seems like ego to me, and isn't the desire to show "the people" what's really happening in the world a kind of ideology, albeit a highly personalized one? Maybe the acronym still fits.)

I worked in an office where, through the years, more and more filing cabinets filled with paper files were added. I seriously worried about them someday falling through the floor and taking me with them. I was told that the building was old and the joists were much bigger than current building codes require. It didn't make me feel any better.

Serena said...

I've been away from blogging for some time but am picking it back up and am glad to see you're still around! I think we all might shudder to think how much classified information does get out. The times being what they are, that's a scary thought. Love your DUMBCON Index. Could be a long, long time before it drops back to Level 5. :)

allenwoodhaven said...

I was hoping you'd post about this. I appreciate your informed opinion. Preventing IT from accessing network content while doing network maintenance sounds simple enough...