Schneier on Security
A blog covering security and security technology.
January 27, 2011
U.S. Strategy to Prevent Leaks is Leaked
As the article says, it doesn't get any more ironic than that.
More importantly, it demonstrates how hard it is to keep secrets in the age of the Internet.
I think the government is learning what the music and movie industries were forced to learn years ago: it's easy to copy and distribute digital files. That's what's different between the 1970s and today. Amassing and releasing that many documents was hard in the paper and photocopier era; it's trivial in the Internet era. And just as the music and movie industries are going to have to change their business models for the Internet era, governments are going to have to change their secrecy models. I don't know what those new models will be, but they will be different.
The more I think about it, the more I see this as yet another example of the Internet making information available. It's done that to the music and movie industry. It's done that to corporations and other organizations. And it's doing that to government as well. This is the world we live in; the sooner the U.S. government realizes its secrecy paradigm has irrevocably changed, the sooner it will figure out how to thrive in this new paradigm.
Shutting WikiLeaks down won't stop government secrets from leaking any more than shutting Napster down stopped illegal filesharing.
EDITED TO ADD (1/27): The story turned out to be too good to be true; it's been retracted.
Posted on January 27, 2011 at 6:22 AM
The Russian and Chinese governments already know these things.
Our government is trying to hide them from us, the voters.
A war they can never win, because they lack the willpower to look at the root cause rather than at the event itself and its consequences.
Genuinely. Those at the top of the chain will always want improvements to their systems that are, fundamentally, security risks.
For example, the misguided policy of having every secret document shared across many agencies, because they misguidedly believe it will magically help people spot terrorists. As if government employees are just sitting there, twiddling their thumbs, bored enough to go and join up dots across terabytes of information.
The one thing you can guarantee is that whatever you need to do to secure things, it'll be scuppered by someone's agenda somewhere.
The main difference between file sharing and leaks is that in file sharing, the owners of the information weren't also the main distributors and consumers of the information.
That's important to note, because many file sharers would say that the reason they use file sharing is that the increasingly controlling manner of IP owners left them with few alternatives to find the music/films/books that they wanted. ("If it's not in the top ten, it's a PITA to find and follow.")
In effect, the greater control made people look for alternatives, legal or not.
I suspect we'll see the same thing played out here. Each security improvement put in place to stop leaks will prevent people from working as they used to, which will lead them to actively seek workarounds, which will actually reduce security and increase the possibility of both accidental and premeditated leaks.
And of course, in both the government's and IP owners' cases, the best answer - stop behaving in a way which makes your customers/employees react so badly - will escape those at the top. They can only focus on the effect, not the cause.
If there's one thing that humans can always do, it's apply their superior intelligence to finding new ways of behaving stupidly.
I suspect we'll see a lot of that shortly.
"using psychiatrists and sociologists to assess their trustworthiness. ... require all their employees to report any contacts with members of the news media."
Voight-Kampff and brain scans a coming.
Interesting that they now want to apply the same control (contact reporting) that's been used for years with foreign agents. Hey Media, you're now an enemy of the people! (we suspected)
Don't know how this works for wikileaks since many, while calling for his execution, deny Assange status as a 'journalist'. By that rubric we have to report interviews that end up on air but not our submissions to wikileaks.
Of course in this instance 'leaked' is a strongish word since OMB published it on the White House's website.
Clever, ironic, factually incorrect.
This was a crap article that was already retracted on Jan 7th.
Let's not add to the circus folks. The intertubes already has enough clowns.
If Swiss banks are not able to keep secrets, how can any other institution even think for a second that they could? The 21st century marks the end of secrecy and privacy.
While they keep hacking insiders off it will happen. "The more they tighten their grip the more systems will fall through their fingers." Leopard, spots.
When they introduced laws and techniques to eavesdrop on communications one of the funny arguments has been: "If you are a law abiding citizen, there is nothing to be afraid of." Considering the majority of the leaks of recent years, something similar could be said about governments. Leaked government secrets simply hurt more, if the government is a totalitarian one or hides dark secrets. (Other ones who are hurt by secrets are diplomats with a rather loose mouth, but that's probably only funny, not dangerous.)
Information wants to be free, as far as some bits and bytes are able to want something.
The M-11-08 memorandum to the heads of executive departments and agencies is an unclassified document, so I'm not sure what the fuss is all about.
This said, I agree with Bruce that Wikileaks et al, if nothing else, have shown that data classification, distribution and access models for governments are up for a serious revision.
Off-topic: apparently a military base in Utah that tests chemical and biological weapons has been locked down over "a serious concern". See http://edition.cnn.com/2011/US/01/27/... . Maybe an experiment with gas to incapacitate theatre patrons and terrorists gone wrong 8-)
today's NYT covering the protests in egypt
gives the full name of at least one protester, and the mukhabarat should thank them.
Israel likes mubarak, hates the idea of a free egyptian populace.
who owns ya?
the airports and theaters could put hescos out in front and spotted all over inside to break up lines of force when some chechen brings his hobby in.
If I lived in the middle east and I was ever foolish enough to get cornered by a reporter, my name would be "Abdul Abdul". If they were smart, there would be 300 million Abdul Abdul's over there ...
The 'leaked' document is OMB M-11-08, a publicly released document. There was a similar article saying it was leaked and after I pointed out the mistake they retracted.
As Philip Storry notes above about Governments (of supposedly democratic nations),
"[It] will escape those at the top. They can only focus on the effect, not the cause."
That is they appear only concerned about the "loss of secrets" not "why we have secrets" in the first place.
The "why we have secrets" is an important question and needs answering because it critically affects the way Government behaves and how it is treated by those it seeks to govern and those who govern others in other states.
Put simply there are only two things of importance to mankind as a whole "resources" and "knowledge". Resources are those things constrained by the physical laws of our tangible universe and boil down to "matter" and its flip side "energy". Knowledge is information about information or resources.
Due to the issues of "mating privilege" controlling resources brings benefit to humans. There are two basic ways you can control a resource, the first is by having possession of the resource and preventing others accessing it, the second is to hide the resource, or more correctly hiding the knowledge about a resource from others. In general it requires no energy to hide knowledge, whereas it can take considerable energy and other resources to protect the control of a resource.
Thus there is some considerable advantage in hiding knowledge and/or "keeping secrets" and the main reason for doing it is sometimes known as "competitive advantage".
One of the reasons we have the concept of "ownership" as opposed to just "possession" is that knowledge will always become known to others at some point, be it by chance, disclosure or that it is discernible that somebody has knowledge that is unknown and thus they seek it out.
Put simply if you discover where a bees nest is then you have a considerable advantage in that in effect the honey belongs to you. You can choose to disclose the source of the honey to those you trust or you can keep it secret. However if you keep it secret the honey is only of limited use to you as to effectively maintain the secret others must not know you have honey therefore you cannot use it to trade etc. However once an untrusted party knows you have access to honey they can devote effort to following you around etc to discover the source.
Thus for a resource to improve its utility to you or to others by way of trade you need the concept of "ownership" and the ability to transfer it for some reason.
However honey has little value at certain times of the year and considerably more at other times of the year, thus it is to your advantage to keep secret the knowledge of your honey source until that time.
The concept of "ownership" thus has a persistence over and above simple immediate possession. However it only works if you can trust others to respect your assumed right of ownership over mere possession.
There are a number of ways you can bring about trust, the first is by having a codified system of punishment for transgression (ie the law) or by establishing "self interest" of another.
Now you can view people obeying the law as another form of self interest.
Thus to maintain a secret you have to be able to keep the self interest of all those that know it in alignment with them not revealing the secret to others. And as we know from long experience to do that you have to offer something in return.
The problem with the threat of punitive action after the revealing of a secret is that it is only effective if you can actually do it. Thus even though a country might have the death sentence for revealing state secrets it is of little worth if the person defects to another country where they are effectively protected from such a punishment. Which is why in some parts of the world they go after family and friends in lieu of the actual person.
This would suggest that in many respects you keep the number of secrets down to a minimum and the number privy to them to a minimum as well. However as noted by others some Governments don't appear to have caught on to this, thus the question is why?
And the answer is the "utility of the knowledge", knowledge that is unknown is information or if it is stored in some manner data.
By far the majority of Government "secrets" are neither "unknown" nor actually "hidden", because the data they are based on is widely available.
In the past the UK Government under the direction of Maggie Thatcher actually tried to prosecute under the Official Secrets Act a journalist who had aggregated publicly available information into a coherent whole (a book). The case ended up as a bit of a fiasco and embarrassment to the UK Govt.
One of the major changes which ICT has enabled is the aggregation of vast data sets that are almost freely available to be searched.
As private industry appears to be able to analyse the data considerably better than the various government agencies it becomes possible to envisage a time when it will not be possible for a Government to maintain any substantive secret.
The question then arises will anybody be able to maintain anything more than trivial secrets in the near future and what will that do to society in general...
@ BF Skinner
" ... require all their employees to report any contacts with members of the news media ..."
They're actually stepping that up. Last week, NATO invited over to Brussels several security cleared people I know "to be briefed on strategic communication", i.e. blogs, tweets and other media contacts, social or otherwise.
If Wikileaks is putting governments in the same place as music publishers were by Napster et al, I'm left wondering who their Durwood Pickle is going to be.
Yes, much easier to distribute digital documents. I'm listening to a book right now about the cold war that talks about having to sneak TONS (as in weight) of documents from the USSR that related to rocketry. Like, you needed a railcar to steal the documents.
"yet another example of the Internet making information available"
or another example of technology.... you could say the same about telephones when they were introduced. non-written/audible leaks count too.
I wish someone would leak my observation to a federal judge.
You don't need to create any new surveys, assessments and such, just reformat this as a questionnaire and have your people respond.
Everyone with Twitter is in the media these days.
some jokes just write themselves
It's nice to watch Washington get a taste of its own medicine every once in a while. Until they stop archiving and mining the personal correspondence of their own private citizens, I don't think the US government deserves a lick of empathy for any of these leaks, or a lick of privacy for that matter.
Hypocrisy at its finest ladies and gentlemen.
There have been several insightful comments and articles regarding the future of secrecy and privacy, especially in government and corporations. Many seem to think that the real answer to the problem is to a) not do so many things one would want to keep secret, resulting in b) keep less secrets. I see several problems with this. One does need to maintain some secrets, and regardless of how many secrets one has, there will be those that will think that some of those secrets need to be made public and attempt to do so. Keeping less secrets reduces the advantage that being the "only one or only people" with certain knowledge provides. Also keeping less secrets makes those special few secrets a much more valuable and interesting prize, and therefore more prone to attack (attempts to reveal or gain those secrets). There's a school of thought concerning encryption that if one only encrypts that which one is truly afraid to disclose, it draws attention to that content. Therefore to avoid pointing to the most important data, encrypt everything...make it all a secret.
However in the case of governments, there is the issue that more transparent government (not completely transparent) is in the interest of the people...if people want more transparent governments, they need to gain that transparency by truly working in concert with governments and not appear to be an adversary against which additional protection and secrecy is required.
I always tend to think of secrecy in terms of the number of copies that can be made of a document before the authority guarding the secret is likely to find out what's going on. If there is no document, then you may have a true secret. If the document exists as a single piece of paper, then you may pretend you have a secret. If the document is digital or has been copied onto many pieces of paper, you're not dealing with a secret at all, but with a ritual in which the people in charge are prepared to act shocked when word gets out.
"it doesn't get any more ironic than that."
How about the leaked cable in which a diplomat scoffs at German concerns that the US does not have effective data protection measures?
I believed it at first cuz something similar already happened. Remember when the govt hatched a plan to defeat wikileaks, which then appeared on wikileaks? I was like "good luck" lol. I think that trumps the recent claim in humiliation.
It is a human failing to act stupid. In this country, we treat it as a constitutional right. If you're a politician or part of the Government it is a protected right.
Leaking documents is one fundamental way of robbing the innate power of information from those that would hold it close, consolidating their power.
This is not to belittle the efforts of those brave souls that would be harmed by the release of this type of information, it is merely to point out that those that hold the power can twist meanings at whim.
The answer may be to try to raise the level of empathy that we can possess as a society to the point where we don't have anything to fear. This I fear is an impossible task.
Question: If your adversary/competitor is better able to maintain secrets than you are, do they have an advantage?
Question: If your adversary/competitor is better able to share information within their organization, at the risk of less security, do they have an advantage?
> EDITED TO ADD (3/27):
After the irony of the leak-prevention manual being leaked, my brain struggles with the editorial popping back and forth between now and the future.
I look forward to the redaction of next March's revision, and hope Bruce's edits of the space-time continuum lead into a nice future for the rest of us.
From the Times
"It was important to know that much of the communication between Washington and its outposts is given even more restrictive classification — top secret or higher — and was thus missing from this trove. We searched in vain, for example, for military or diplomatic reports on the fate of Pat Tillman, the former football star and Army Ranger who was killed by friendly fire in Afghanistan. We found no reports on how Osama bin Laden eluded American forces in the mountains of Tora Bora. (In fact, we found nothing but second- and thirdhand rumors about bin Laden.) If such cables exist, they were presumably classified top secret or higher."
The argument could be made that multilevel classification here worked. Because only Secret and below had been compromised the more valuable information had remained protected.
Did I say? This is a really good article.
Should prove interesting when and if the net is taken down in the US, how quickly wireless mesh networks pop up, or will those be illegal?
"Question: If your adversary/competitor is better able to maintain secrets than you are, do they have an advantage?"
The simple answer is in many things it depends on your viewpoint and its drivers.
First off the organisation should ask "why are we keeping secrets?" and then "to what advantage?"
If the answer to both those questions makes a legal, rational and compelling case, then the organisation should have a rational and cost effective policy for dealing with secrets.
Importantly though the same questions should be asked of each and every potential secret, prior to evaluating the complex benefit/cost/risk/time surface involved with it.
For instance let's assume you are a jet engine manufacturer, and you have discovered a way to make turbo prop blades 5% stronger and 10% lighter than other "known" existing processes.
The value to the company is clear as it makes the engines designed using the capabilities of this new process considerably more efficient (~14% decrease in engine loss) in use which would have a significant market advantage for the airlines using such engines in their airframes.
Thus the sole knowledge of the process gives a competitive advantage to the company that would not be there if the process was known to all engine manufacturers.
So there is a clear rationale for keeping the process secret.
However you then need to establish the benefit/risk/cost, not just now but in the near and long-term future.
On analysis it might become clear that the process is such that it involves other organisations etc over which maintaining control would be difficult. Thus consideration might be given to bringing critical parts of the process "in house", but this may entail a cost that could remove any short term benefit.
This sort of analysis should provide some indication of where the best points in the process are to be kept secret and for how long the secret will give a competitive advantage, thus a series of rational choices can be made.
Part of the analysis should rightly look into your point of,
"Question: If your adversary/competitor is better able to share information within their organization, at the risk of less security, do they have an advantage?"
The answer to this can be found by looking at "lead times".
If it takes say five years to incorporate the benefits of a new production process into a new product or range of products then you can estimate what the advantage is of keeping the secret to a very limited subset of people for that period of time.
However as I noted above (about trading honey) once it is known you have an improved engine design your competitors are going to analyse it in depth to find out where the improvements are and if possible how the improvements are gained. You can estimate what the lead times are for this and work out various time windows and what can be achieved within them.
It is thus a trade off, a competitive advantage that is not used or used ineffectively through overly restrictive secrecy loses a lot of its advantage against the competition.
The hard point is working out the "sweet spot" for maintaining the advantage to best effect and usually most people will overestimate the advantage of secrecy and the time for which it should be used.
It is usually called "erring on the side of caution" and is counter balanced by "nothing ventured nothing gained"
In many modern non manufacturing organisations the management view point is very short term and based almost entirely on "share holder value". A main driver for "share holder value" is to give projections of growth based on information that gets disclosed. Thus the management of such organisations do not see lead times giving viable windows of opportunity, thus the "nothing ventured..." viewpoint is overplayed and secrecy is thus seen as an inhibitor to "shareholder value" except in certain small areas such as planning prior to announcement or implementation of the plan.
Which is one of the reasons we have irrational markets, they sacrifice long term substantial gains for short term at best marginal advantage.
The reason being is that unless an organisation has significant investment in its own stock, share value is of little or no consequence to the strength of the business (the investment cycle ended when the stock was initially sold). However shareholders want to see immediate returns due to their "butterfly nature" and unfortunately for the business they have a say in who runs the business and how...
Which might account for why some of the more successfully run private businesses use mortgages on assets to raise capital rather than giving away control of the company via shares.
the reason that bin Laden's escape from tora bora is highly classified, is because if it got out, al Qaeda would find out about it.
Your last sentence, to the effect that government secrets would continue to leak, should be qualified. Wikileaks is almost a "one trick pony" in a certain sense, in that PFC Manning apparently provided all of the huge downloads from SIPRNet. That classified network erred in its security planning, with too much focus on an external threat (they were apparently hacked recently thru a flash drive inserting malware into a classified laptop connected to SIPRNet) and little or no focus on the internal threat. Their Host-Based Security System reportedly had security features like port monitoring & bulk download alarms but these were not implemented at the time Manning was active. SIPRNet supports the operational side of the military, & by necessity allows for open USB & other i/o ports, as classified data frequently needs to be pushed to locations off the network. This is not the case with JWICS, the TS/SCI network supporting DOD & the IC, where open i/o ports are very rare & (as far as I know) closely monitored. I'm sure SIPRNet will be locked down on the inside to a much greater extent in the future.
It's not ironic.
If the policy actually caused leaks to increase - that would be ironic.
There is no indication to believe the purpose of the document is to stop itself from being leaked, so its release is not ironic.
"There is no indication to believe the purpose of the document is to stop itself from being leaked, so its release is not ironic."
The document was purportedly about preventing leaks of private or classified information. The document was private or classified. It leaked. That's irony. Thanks for your insightful, trolling post.
@ A Reader
Thanks for bringing it to my attention. A disturbing situation... Guess what they've turned to people? Good... old fashion... dialup. It's alive and there's an entire country dying to sign up. Never thought I'd see that day...
Brings up a good point ... information security should involve any media that holds your information: paper, microform, electronics, your head. My fear is that organizations may concentrate all their efforts on electronics and leave gaping holes in security around the other media. The bad guy doesn't always want huge volumes of data (as is easier in electronics), sometimes it's just a wee bit of critical data!