One way to reduce the problem would be to stop assigning security status to pedestrian matters of fact.
Dial back the sensitivity of the image, and just release the sat images if you are concerned about leaking the angular resolution.
Has anyone made any logistical improvements to SCIF in decades? I don't mean whizz bang tech, I mean actual changes of substance to information management on secure basis.
Current political incumbents aren't much bothered with nuance it seems.
A friend who has a security clearance initially didn't want to read The Atlantic's first report about Signalgate for this reason.
Of course it makes sense to prohibit making any statement that serves to confirm or deny whether any publicized information is accurate, but beyond that, once it's out, it's out. Any policy that pretends otherwise is absurd.
This has always been the policy. Unless the documents have been declassified, then access controls remain in effect, and maybe you've got a clearance, but maybe not access or need-to-know, so it would be unauthorized access, which is a security violation.
To the best of your understanding, what is the unambiguous, demonstrable way this policy benefits the nation? What are the gains that outweigh the cost of decades of doltish enforcement?
I am asking because of all the potential benefactors I can come up with, none of them are the American public. I'm hoping your experience can provide some unforeseen nuance.
I don't know for sure (not in that world) but wouldn't this make sense from a compartmentalisation perspective?
You have a person that knows X and a person that knows Y, but knowing both X and Y is vastly more valuable. To keep things secure you ban the X group from knowing about Y things regardless of how they found out.
It's going to produce absurdities sometimes, but the basic principle makes sense.
> Also if it's not real at all then you are allowed...
Kinda like if that wire labeled "Danger, 480V" is actually dead, then it is safe to touch. But with that approach to things, your career as an electrician could be kinda short.
So if you thought you were under surveillance by the CIA, would sprinkling leaked information throughout your communications, or even “this email contains leaked information” make your messages private?
Buried deep in the article is a quick nod to the relative ease of work-arounds, for org's actually aspiring to competence:
> I once asked a U.S. cybersecurity executive how his company handled the banned-documents problem in the context of securing the networks of their own clients. His answer: They would assign U.S. leaks to British analysts and leaked U.K. documents to American analysts.
But mostly the article is a simplistic attack on a simplistic policy, by a (claimed) John Hopkins professor in this area. Very heavy on how the current policy makes his life in academia more difficult. Minimal interest in what workable improvements (from the US Nat'l Security Establishment's PoV) would look like. And scarcely a mention that the whole problem would be far smaller if our Establishment was less shitty at preventing leaks of its secret documents.
EDIT/Responses:
(Dylan16807) Yes, small picture, the leaks are a different topic. But at the "professor of strategic studies" level, arguing for changes in national security policy - maybe he should pay more attention to the bigger picture? That could include mention of the degree to which "simplistic idiocy" security policies discourage and demotivate the young people who our Establishment needs as responsible clerks handling its secret documents.
(cowsandmilk) The "(claimed)" is a sarcastic dig - at the sophisticated worldview which he should bring to this subject, vs. the simplistic way he presents in the article.
> Minimal interest in what workable improvements (from the US Nat'l Security Establishment's PoV) would look like.
An obvious improvement would be to not prohibit people with a security clearance from looking at documents that are already publicly available.
If the concern is that the documents could be forgeries, train them to have a suitable skepticism about the authenticity of leaks rather than prohibiting them from reading it. What if they are already skeptical and want to view the documents for some other reason? What if the government has already conceded that they're authentic, or it's something that can be easily verified given the information, so the authenticity isn't in question? What if they're in a position to prove that it isn't authentic, which could be highly useful information to the government, but nobody ever finds out if they avoid reading it because of a senseless prohibition?
Why (claimed)? It’s pretty easy to verify this person is a professor at SAIS. And the Atlantic is a big enough publication that if someone was impersonating him, it would have been found out since publication.
Thank you(?) - but one response amounted to "oops, add /s", and the other to "a bigger picture looks appropriate for this topic". And from how my comments are usually voted here, I suspect that few other HN readers want to see more of 'em.
A couple issues with the "just declassify stuff" approach, for those unfamiliar:
- The actual declassification decisions would be made by career nat'l security people. Who know that nobody was ever disciplined for keeping "2 + 2 = 4" secret. Nor promoted for declassifying the (metaphorical) blueprints for George Washington's false teeth.
- I've not seen it articulated, but there's also the "never speak honestly around troubled children" nature of declassifying anything. Capitalist journalism promotes junior high school drama queens, and the internet is crawling with simpletons and nut jobs. If you declassified the fact that, in 1971, DoD Junior Analysts Joe & Alice suggested basing nuclear missiles on https://en.wikipedia.org/wiki/Rockall - it wouldn't matter if their idea was vetoed the next day by an O-4, or was physically impossible anyway. There would still be a giant "OMG AMERICAN NUCLEAR MISSILES WERE GOING TO BE LAUNCHED AGAINST INNOCENT BRITISH SEAGULLS!!!" shitstorm about it - because for a (seeming) majority of humankind, "truth" is whatever idea is pushing their buttons the hardest right now.
One way to reduce the problem would be to stop assigning security status to pedestrian matters of fact.
Dial back the sensitivity of the image, and just release the sat images if you are concerned about leaking the angular resolution.
Has anyone made any logistical improvements to SCIF in decades? I don't mean whizz bang tech, I mean actual changes of substance to information management on secure basis.
Current political incumbents aren't much bothered with nuance it seems.
A friend who has a security clearance initially didn't want to read The Atlantic's first report about Signalgate for this reason.
Of course it makes sense to prohibit making any statement that serves to confirm or deny whether any publicized information is accurate, but beyond that, once it's out, it's out. Any policy that pretends otherwise is absurd.
I was cleared for 40 years. Now I'm retired.
This has always been the policy. Unless the documents have been declassified, then access controls remain in effect, and maybe you've got a clearance, but maybe not access or need-to-know, so it would be unauthorized access, which is a security violation.
> This has always been the policy.
To the best of your understanding, what is the unambiguous, demonstrable way this policy benefits the nation? What are the gains that outweigh the cost of decades of doltish enforcement?
I am asking because of all the potential benefactors I can come up with, none of them are the American public. I'm hoping your experience can provide some unforeseen nuance.
I don't know for sure (not in that world) but wouldn't this make sense from a compartmentalisation perspective?
You have a person that knows X and a person that knows Y, but knowing both X and Y is vastly more valuable. To keep things secure you ban the X group from knowing about Y things regardless of how they found out.
It's going to produce absurdities sometimes, but the basic principle makes sense.
https://archive.md/26QQ5
Well luckily we're all protected by the paywall.
But only if your personal security policy forbids disabling js.
Thanks!
I'm not sure this is a major surprise. Since it's "leaked", it could be (and most likely is):
1. Missing important context, 2. Missing paragraphs, 3. Be edited or in fact, not real at all.
That doesn't seem like a reason to ban looking at it?
Also if it's not real at all then you are allowed to look at it.
It can influence your decision subconsciously or otherwise.
Any public information or misinformation can influence your decisions. Why is it so much worse in the case of failed classification?
> Also if it's not real at all then you are allowed...
Kinda like if that wire labeled "Danger, 480V" is actually dead, then it is safe to touch. But with that approach to things, your career as an electrician could be kinda short.
The policy applies to anyone holding a clearance, not just DoD employees.
So if you thought you were under surveillance by the CIA, would sprinkling leaked information throughout your communications, or even “this email contains leaked information” make your messages private?
No, you just need one of those stupid riders that says ‘if this wasn’t for you, it’s illegal to read it’.
No.
Buried deep in the article is a quick nod to the relative ease of work-arounds, for org's actually aspiring to competence:
> I once asked a U.S. cybersecurity executive how his company handled the banned-documents problem in the context of securing the networks of their own clients. His answer: They would assign U.S. leaks to British analysts and leaked U.K. documents to American analysts.
But mostly the article is a simplistic attack on a simplistic policy, by a (claimed) John Hopkins professor in this area. Very heavy on how the current policy makes his life in academia more difficult. Minimal interest in what workable improvements (from the US Nat'l Security Establishment's PoV) would look like. And scarcely a mention that the whole problem would be far smaller if our Establishment was less shitty at preventing leaks of its secret documents.
EDIT/Responses:
(Dylan16807) Yes, small picture, the leaks are a different topic. But at the "professor of strategic studies" level, arguing for changes in national security policy - maybe he should pay more attention to the bigger picture? That could include mention of the degree to which "simplistic idiocy" security policies discourage and demotivate the young people who our Establishment needs as responsible clerks handling its secret documents.
(cowsandmilk) The "(claimed)" is a sarcastic dig - at the sophisticated worldview which he should bring to this subject, vs. the simplistic way he presents in the article.
> Minimal interest in what workable improvements (from the US Nat'l Security Establishment's PoV) would look like.
An obvious improvement would be to not prohibit people with a security clearance from looking at documents that are already publicly available.
If the concern is that the documents could be forgeries, train them to have a suitable skepticism about the authenticity of leaks rather than prohibiting them from reading it. What if they are already skeptical and want to view the documents for some other reason? What if the government has already conceded that they're authentic, or it's something that can be easily verified given the information, so the authenticity isn't in question? What if they're in a position to prove that it isn't authentic, which could be highly useful information to the government, but nobody ever finds out if they avoid reading it because of a senseless prohibition?
> And scarcely a mention that the whole problem would be far smaller if our Establishment was less shitty at preventing leaks of its secret documents.
That's a very different topic, and even if it was perfectly fixed there's still so many existing documents causing constant hassle.
Why (claimed)? It’s pretty easy to verify this person is a professor at SAIS. And the Atlantic is a big enough publication that if someone was impersonating him, it would have been found out since publication.
> EDIT/Responses:
Your responses deserve their own comments, and by posting in this way, you circumvent the voting mechanism of other HN readers.
Thank you(?) - but one response amounted to "oops, add /s", and the other to "a bigger picture looks appropriate for this topic". And from how my comments are usually voted here, I suspect that few other HN readers want to see more of 'em.
A couple issues with the "just declassify stuff" approach, for those unfamiliar:
- The actual declassification decisions would be made by career nat'l security people. Who know that nobody was ever disciplined for keeping "2 + 2 = 4" secret. Nor promoted for declassifying the (metaphorical) blueprints for George Washington's false teeth.
- I've not seen it articulated, but there's also the "never speak honestly around troubled children" nature of declassifying anything. Capitalist journalism promotes junior high school drama queens, and the internet is crawling with simpletons and nut jobs. If you declassified the fact that, in 1971, DoD Junior Analysts Joe & Alice suggested basing nuclear missiles on https://en.wikipedia.org/wiki/Rockall - it wouldn't matter if their idea was vetoed the next day by an O-4, or was physically impossible anyway. There would still be a giant "OMG AMERICAN NUCLEAR MISSILES WERE GOING TO BE LAUNCHED AGAINST INNOCENT BRITISH SEAGULLS!!!" shitstorm about it - because for a (seeming) majority of humankind, "truth" is whatever idea is pushing their buttons the hardest right now.