Entries Tagged "secrecy"

Page 11 of 21

The Insecurity of Secrecy

Good essay—”The Staggering Cost of Playing it ‘Safe’“—about the political motivations for terrorist security policy.

Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by coal companies or utilities, but by the DHS. How could it possibly be a national security interest to cover up the location of material that’s “not toxic or anything?” It’s not. In fact, even if the ash turns out to be as bad as its worst critics fear, blocking the database is far more dangerous than revealing the location of these sites. Not only has there not been any threat against these sites by terrorists, and no workable scenario by which they might cause a problem, coal slurry impoundments are already failing with regularity, dousing parts of America with millions of gallons of this material. It doesn’t take terrorists to make this happen.

Blocking the release of this information doesn’t protect the citizens of the United States in any way. It’s just another example of the same creeping secrecy that makes cities more difficult to manage because of secrecy over facilities. The same creeping secrecy that “blurs” national monuments from images and puts intentional gaps in public information. The same creeping secrecy that increasingly elevates the most unlikely attack—the shoe bombers of the world—above our right to know what’s going on around us so that we can make informed decisions. The same secrecy that defends torturers.

Posted on July 3, 2009 at 7:18 AMView Comments

John Walker and the Fleet Broadcasting System

Ph.D. thesis from 2001:

An Analysis of the Systemic Security Weaknesses of the U.S. Navy Fleet Broadcasting System, 1967-1974, as exploited by CWO John Walker, by MAJ Laura J. Heath

Abstract: CWO John Walker led one of the most devastating spy rings ever unmasked in the US. Along with his brother, son, and friend, he compromised US Navy cryptographic systems and classified information from 1967 to 1985. This research focuses on just one of the systems compromised by John Walker himself: the Fleet Broadcasting System (FBS) during the period 1967-1975, which was used to transmit all US Navy operational orders to ships at sea. Why was the communications security (COMSEC) system so completely defenseless against one rogue sailor, acting alone? The evidence shows that FBS was designed in such a way that it was effectively impossible to detect or prevent rogue insiders from compromising the system. Personnel investigations were cursory, frequently delayed, and based more on hunches than hard scientific criteria. Far too many people had access to the keys and sensitive materials, and the auditing methods were incapable, even in theory, of detecting illicit copying of classified materials. Responsibility for the security of the system was distributed between many different organizations, allowing numerous security gaps to develop. This has immediate implications for the design of future classified communications systems.

EDITED TO ADD (9/23): I blogged about this in 2005. Apologies; I forgot.

Posted on June 23, 2009 at 1:30 PMView Comments

Secret Government Communications Cables Buried Around Washington, DC

Interesting:

This part happens all the time: A construction crew putting up an office building in the heart of Tysons Corner a few years ago hit a fiber optic cable no one knew was there.

This part doesn’t: Within moments, three black sport-utility vehicles drove up, a half-dozen men in suits jumped out and one said, “You just hit our line.”

Whose line, you may ask? The guys in suits didn’t say, recalled Aaron Georgelas, whose company, the Georgelas Group, was developing the Greensboro Corporate Center on Spring Hill Road. But Georgelas assumed that he was dealing with the federal government and that the cable in question was “black” wire—a secure communications line used for some of the nation’s most secretive intelligence-gathering operations.

Black wire is one of the looming perils of the massive construction that has come to Tysons, where miles and miles of secure lines are thought to serve such nearby agencies as the Office of the Director of National Intelligence, the National Counterterrorism Center and, a few miles away in McLean, the Central Intelligence Agency. After decades spent cutting through red tape to begin work on a Metrorail extension and the widening of the Capital Beltway, crews are now stirring up tons of dirt where the black lines are located.

“Yeah, we heard about the black SUVs,” said Paul Goguen, the engineer in charge of relocating electric, gas, water, sewer, cable, telephone and other communications lines to make way for Metro through Tysons. “We were warned that if they were hit, the company responsible would show up before you even had a chance to make a phone call.”

EDITED TO ADD (6/4): In comments, Angel one gives a great demonstration of the security mindset:

So if I want to stop a construction project in the DC area, all I need to do is drive up in a black SUV, wear a suit and sunglasses, and refuse to identify myself.

Posted on June 4, 2009 at 1:07 PMView Comments

The Terrorism Arrests that Weren't

Remember those terrorism arrests that the UK government conducted, after a secret document was accidentally photographed? No one was charged:

The Crown Prosecution Service said there was insufficient evidence to press charges or hold them any longer.

The Muslim Council of Britain said the government behaved “very dishonourably” over the treatment of the men should admit it had made a mistake.

Of the 12 men arrested in the raids, 11 were Pakistani nationals, 10 held student visas and one was from Britain.

Posted on April 24, 2009 at 1:27 PMView Comments

How Not to Carry Around Secret Documents

Here’s a tip: when walking around in public with secret government documents, put them in an envelope.

A huge MI5 and police counterterrorist operation against al-Qaeda suspects had to be brought forward at short notice last night after Scotland Yard’s counter-terrorism chief accidentally revealed a briefing document.

[…]

The operation was nearly blown when Assistant Commissioner Bob Quick walked up Downing Street holding a document marked “secret” with highly sensitive operational details visible to photographers.

The document, carried under his arm, revealed how many terrorist suspects were to be arrested, in which cities across the North West. It revealed that armed members of the Greater Manchester Police would force entry into a number of homes. The operation’s secret code headed the list of action that was to take place.

Now the debate begins about whether he was just stupid, or very very stupid:

Opposition MPs criticised Mr Quick, with the Liberal Democrats describing him as “accident prone” and the Conservatives condemning his “very alarming” lapse of judgement.

But former Labour Mayor of London Ken Livingstone said it would be wrong for such an experienced officer to resign “for holding a piece of paper the wrong way”.

It wasn’t just a piece of paper. It was a secret piece of paper. (Here’s the best blow-up of the picture. And surely these people have procedures for transporting classified material. That’s what the mistake was: not following proper procedure.

He resigned.

Posted on April 10, 2009 at 7:06 AMView Comments

Who Should be in Charge of U.S. Cybersecurity?

U.S. government cybersecurity is an insecure mess, and fixing it is going to take considerable attention and resources. Trying to make sense of this, President Barack Obama ordered a 60-day review of government cybersecurity initiatives. Meanwhile, the U.S. House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology is holding hearings on the same topic.

One of the areas of contention is who should be in charge. The FBI, DHS and DoD—specifically, the NSA—all have interests here. Earlier this month, Rod Beckström resigned from his position as director of the DHS’s National Cybersecurity Center, warning of a power grab by the NSA.

Putting national cybersecurity in the hands of the NSA is an incredibly bad idea. An entire parade of people, ranging from former FBI director Louis Freeh to Microsoft’s Trusted Computing Group Vice President and former Justice Department computer crime chief Scott Charney, have told Congress the same thing at this month’s hearings.

Cybersecurity isn’t a military problem, or even a government problem—it’s a universal problem. All networks, military, government, civilian and commercial, use the same computers, the same networking hardware, the same Internet protocols and the same software packages. We all are the targets of the same attack tools and tactics. It’s not even that government targets are somehow more important; these days, most of our nation’s critical IT infrastructure is in commercial hands. Government-sponsored Chinese hackers go after both military and civilian targets.

Some have said that the NSA should be in charge because it has specialized knowledge. Earlier this month, Director of National Intelligence Admiral Dennis Blair made this point, saying “There are some wizards out there at Ft. Meade who can do stuff.” That’s probably not true, but if it is, we’d better get them out of Ft. Meade as soon as possible—they’re doing the nation little good where they are now.

Not that government cybersecurity failings require any specialized wizardry to fix. GAO reports indicate that government problems include insufficient access controls, a lack of encryption where necessary, poor network management, failure to install patches, inadequate audit procedures, and incomplete or ineffective information security programs. These aren’t super-secret NSA-level security issues; these are the same managerial problems that every corporate CIO wrestles with.

We’ve all got the same problems, so solutions must be shared. If the government has any clever ideas to solve its cybersecurity problems, certainly a lot of us could benefit from those solutions. If it has an idea for improving network security, it should tell everyone. The best thing the government can do for cybersecurity world-wide is to use its buying power to improve the security of the IT products everyone uses. If it imposes significant security requirements on its IT vendors, those vendors will modify their products to meet those requirements. And those same products, now with improved security, will become available to all of us as the new standard.

Moreover, the NSA’s dual mission of providing security and conducting surveillance means it has an inherent conflict of interest in cybersecurity. Inside the NSA, this is called the “equities issue.” During the Cold War, it was easy; the NSA used its expertise to protect American military information and communications, and eavesdropped on Soviet information and communications. But what happens when both the good guys the NSA wants to protect, and the bad guys the NSA wants to eavesdrop on, use the same systems? They all use Microsoft Windows, Oracle databases, Internet email, and Skype. When the NSA finds a vulnerability in one of those systems, does it alert the manufacturer and fix it—making both the good guys and the bad guys more secure? Or does it keep quiet about the vulnerability and not tell anyone—making it easier to spy on the bad guys but also keeping the good guys insecure? Programs like the NSA’s warrantless wiretapping program have created additional vulnerabilities in our domestic telephone networks.

Testifying before Congress earlier this month, former DHS National Cyber Security division head Amit Yoran said “the intelligence community has always and will always prioritize its own collection efforts over the defensive and protection mission of our government’s and nation’s digital systems.”

Maybe the NSA could convince us that it’s putting cybersecurity first, but its culture of secrecy will mean that any decisions it makes will be suspect. Under current law, extended by the Bush administration’s extravagant invocation of the “state secrets” privilege when charged with statutory and constitutional violations, the NSA’s activities are not subject to any meaningful public oversight. And the NSA’s tradition of military secrecy makes it harder for it to coordinate with other government IT departments, most of which don’t have clearances, let alone coordinate with local law enforcement or the commercial sector.

We need transparent and accountable government processes, using commercial security products. We need government cybersecurity programs that improve security for everyone. The NSA certainly has an advisory and a coordination role in national cybersecurity, and perhaps a more supervisory role in DoD cybersecurity—both offensive and defensive—but it should not be in charge.

A version of this essay appeared on The Wall Street Journal website.

Posted on April 2, 2009 at 6:09 AMView Comments

Hiding Behind Terrorism Law

The Bayer company is refusing to talk about a fatal accident at a West Virginia plant, citing a 2002 terrorism law.

CSB had intended to hear community concerns, gather more information on the accident, and inform residents of the status of its investigation. However, Bayer attorneys contacted CSB Chairman John Bresland and set up a Feb. 12 conference at the board’s Washington, D.C., headquarters. There, they warned CSB not to reveal details of the accident or the facility’s layout at the community meeting.

“This is where it gets a little strange,” Bresland tells C&EN. To justify their request, Bayer attorneys cited the Maritime Transportation Security Act of 2002, an antiterrorism law that requires companies with plants on waterways to develop security plans to minimize the threat of a terrorist attack. Part of the plans can be designated as “sensitive security information” that can be disseminated only on a “need-to-know basis.” Enforcement of the act is overseen by the Coast Guard and covers some 3,200 facilities, including 320 chemical and petrochemical facilities. Among those facilities is the Bayer plant.

Bayer argued that CSB’s planned public meeting could reveal sensitive plant-specific security information, Bresland says, and therefore would be a violation of the maritime transportation law. The board got cold feet and canceled the meeting.

Bresland contends that CSB wasn’t agreeing with Bayer, but says it was better to put off the meeting than to hold it and be unable to answer questions posed by the public.

The board then met with Coast Guard officials, Bresland says, and formally canceled the community meeting. The outcome of the Coast Guard meeting remains murky. It is unclear what role the Coast Guard might have in editing or restricting release of future CSB reports of accidents at covered facilities, the board says. “This could really cause difficulties for us,” Bresland says. “We could find ourselves hemming and hawing about what actually happened in an accident.”

This isn’t the first time that the specter of terrorism has been used to keep embarrassing information secret.

EDITED TO ADD (3/20): The meeting has been rescheduled. No word on how forthcoming Bayer will be.

Posted on March 18, 2009 at 12:45 PMView Comments

1 9 10 11 12 13 21

Sidebar photo of Bruce Schneier by Joe MacInnis.