Tuesday, December 7, 2010

HSIN and Wikileaks

Bob Radvanovsky at SCADASEC List published an email from the people that manage the Homeland Security Information Network (HSIN) reminding folks that potentially have legitimate access to classified information that the Wikileaks publication of classified documents does not make them unclassified. Specifically, the email notes:
“Executive Order 13526, Classified National Security Information (December 29, 2009), Section 1.1.(c), states ‘Classified Information shall not be declassified automatically as a result of any unauthorized disclosure of identical or similar information.’”
They also remind HSIN users that “if any classified material that has not been declassified by proper authority is uploaded in HSIN, it is considered a security incident as serious as any other and will be treated as such”. It wouldn’t matter if the information was obtained from an unclassified source (Wikileaks); it would still be a violation of the rules since HSIN is not cleared for the discussion of classified information.

The Rules are Rules

Those of us who are familiar with the standards for handling and declassifying classified information know these rules well. In part those rules were designed to protect classified information that was published in limited release from being further publicized, particularly if the released information was not identified as being classified.

Additionally, the current rules are designed to prevent an open dialog that would confirm that an isolated document purporting to be a classified document was really and truly what it purported to be. Keeping the in-government discussion of the document classified would allow the government to deny the legitimacy of the document by ignoring it.

The current classified document rules have procedures in place for a review of a compromised document to determine if the classification should be reduced or removed. As one might expect the review procedure is a tad bit bureaucratic. It will be a long time before all of the Wikileaks documents have been so reviewed.

Obviously these rules were never designed to deal with a security breach the size of the Wikileaks fiasco. Unfortunately, just because the rules were not designed for this problem, which will probably be repeated, does not mean that they can be ignored. The rules will almost certainly have to be revised for this type of security breach, but until they are, the rule enforcers will still have to enforce those rules.

Unenforceable Rule

There is a more controversial part of the same email that requires some thought. The email states:

“HSIN contractors and users must not knowingly access, download or attempt to download, from any unclassified system, any information from a public web-site that is believed to be classified, nor should they comment [on] or confirm the degree of sensitivity of such information, or, discuss the content in a potentially classified document with persons who would not otherwise be authorized access.”
There are three distinct portions of this legalistic sentence. The last two parts are the easiest to understand. The reason for prohibiting ‘commenting on or confirming the degree of sensitivity’ goes along with the standard reasoning that without this type of confirmation, the ‘enemy’ will never really be sure that it is a legitimate document, providing some small measure of information protection. The prohibition on discussing the content with unauthorized personnel is easy to understand.

If you understand the last two parts, you can begin to understand why the first part, the controversial part, of the paragraph came into being. If someone with routine access to unclassified government communications networks, like HSIN, were to access the Wikileaks cables, there might be some confusion in that person’s mind as to their security classification status. That confusion could lead to the type of problems identified as being prohibited in the last two parts of the sentence.

Now, I certainly understand the intention of this complex directive from HSIN and I even agree to a certain degree with its intent. Unfortunately, from a practical viewpoint it is unenforceable (I’ll leave the issue of legal enforceability to the lawyers; I AM NOT A LAWYER). There are just too many devices with which one could conduct such a search or download for the government ever to have the opportunity to ensure that such searches were not done, particularly considering that so many of the documents have been reposted on so many different sites.

Now, one of the first leadership lessons that I learned as a young NCO was that you should never give an order that you know will be disobeyed; it makes you look stupid and undermines your authority. This is especially true when, as in this case, there are so many legitimate reasons for ignoring the prohibition. For example, many HSIN users will have a real interest in determining if one or more of the projects that they might be working on may have become compromised by one or more of the leaked documents.

Now I am not going to advocate ignoring this directive. I understand the reason for it being issued, and if it is followed there will be less chance of an inadvertent disclosure or discussion of the classified information in an inappropriate setting. I also understand the reasons and motivations for ignoring the rule. I will warn my readers though, if you do violate it, you are going to have to take some precautions to ensure that you can still identify the information as being classified. Otherwise you will inevitably make a mistake that could result in your losing access to classified information; a very negative mark on one’s career in the security industry.
