pharos at gmail.com
Thu Dec 9 14:44:40 UTC 2010
On Thu, Dec 9, 2010 at 1:43 PM, David Lubkin wrote:
> There are two aspects, which both need to be safeguarded. Can you access
> secure information and can you remove it from the secure location? There
> needs to be both technical and human monitoring, appropriate to the
> information being protected.
> Safeguarding against this was already old tech thirty years ago. Limit what
> people have access to. Log what they do access. Raise a flag if they're
> trying to do more than they should be.
> In this case, the bare fact of the leaks means that someone (presumably PFC
> Manning) *did* access enough material that, even if it was part of his job,
> a security event should have triggered that mandated prompt alerting of and
> then review by a security officer. He did get it out from his secure
> workspace, whether by removable media or by network. And he did slip
> through the safeguards that are supposed to weed out people who will pass
> along classified information.
The problem is that in the internet age security is actually a very
All large organisations are struggling to solve this problem.
And organisations don't come much larger than the US government.
Manning accessed SIPRNet.
A 1993 GAO report estimated more than 3 million US military and
civilian personnel had clearance, and access is also available to a
"...small pool of trusted allies, including Australia, Canada, the
United Kingdom and New Zealand...".
So, try and secure that! Not only US computers, but allies' computers as well.
The big problem with role-based security is that staff roles change
all the time. And it is difficult to decide what level the 'need to
know' stops at. So most organisations give people more clearance than
they need, 'just in case'.
Staff regard security as an obstacle to doing their job and quickly
find ways to bypass security measures that get in their way.
Everything from holding the security door open, to passwords stuck on
the screen, to 'Can I borrow your signon for this job?'
If you want a hopeful spin on all this, it is that perhaps the US
government will adopt the 'Don't be evil' motto. If you don't behave
badly then you don't have to worry if your security fails. And, of
course, if you don't behave in ways that make people despise or hate
you, this is an additional security measure because then your staff
won't be motivated to harm or expose your misdeeds.
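The two controls the quoted reply describes (limit what people can reach, log what they do reach, flag when they pull more than their job plausibly needs) can be sketched in a few dozen lines. The following is an added example, not code from the mailing list or from any real clearance system; the role names, compartment names, document IDs, window length and threshold are all assumptions chosen for illustration, and the access log is constructed. It deliberately shows the case the thread is about: every individual access is authorised for the role, and it is only the volume inside a time window that trips an alert for a security officer to review.

```python
"""Need-to-know check plus access-volume alerting over a constructed access log.

Added example (not from the mailing-list thread). Role names, compartment
names, document IDs and thresholds are all assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical role-to-compartment mapping: the "limit what people have
# access to" step. Roles are deliberately narrow.
ROLE_PERMISSIONS = {
    "intel_analyst": {"cables", "sigact"},
    "logistics": {"supply"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: int          # seconds since an arbitrary epoch
    user: str
    role: str
    compartment: str
    doc_id: str


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str        # "unauthorized" or "bulk_access"
    detail: str


def authorized(role: str, compartment: str) -> bool:
    """Need-to-know check: a role may only touch compartments assigned to it."""
    return compartment in ROLE_PERMISSIONS.get(role, set())


def review_access_log(events, window_seconds=3600, max_distinct_docs=5):
    """Log every access, then raise two kinds of flag:

    - "unauthorized": the role has no right to the compartment at all;
    - "bulk_access": the user pulled more than max_distinct_docs distinct
      documents inside any window_seconds window, even though each access
      was individually permitted (the case the thread is about).
    Returns the list of Alert records for a security officer to review.
    """
    alerts = []
    granted = defaultdict(list)
    for e in events:
        if not authorized(e.role, e.compartment):
            alerts.append(Alert(e.user, "unauthorized",
                                f"{e.role} requested {e.compartment}/{e.doc_id}"))
            continue
        granted[e.user].append(e)

    for user, evs in granted.items():
        evs.sort(key=lambda ev: ev.ts)
        in_window = Counter()   # doc_id -> hits inside the sliding window
        start = 0
        for ev in evs:
            in_window[ev.doc_id] += 1
            # slide the window forward until it spans at most window_seconds
            while ev.ts - evs[start].ts > window_seconds:
                old = evs[start].doc_id
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_distinct_docs:
                alerts.append(Alert(user, "bulk_access",
                                    f"{len(in_window)} distinct documents within "
                                    f"{window_seconds}s starting at t={evs[start].ts}"))
                break   # one alert per user is enough to trigger review
    return alerts


# Constructed sample log: three fictional users.
SAMPLE_EVENTS = [
    # alice: three cables over an hour, a normal analyst workload
    AccessEvent(0, "alice", "intel_analyst", "cables", "c-001"),
    AccessEvent(600, "alice", "intel_analyst", "cables", "c-002"),
    AccessEvent(1200, "alice", "intel_analyst", "cables", "c-003"),
    # carol: logistics role asking for a cable she has no need to know
    AccessEvent(100, "carol", "logistics", "cables", "c-001"),
    AccessEvent(200, "carol", "logistics", "supply", "s-010"),
] + [
    # bob: eight distinct cables in seven minutes; each access is permitted,
    # but the volume is what should trip the alert
    AccessEvent(60 * i, "bob", "intel_analyst", "cables", f"c-{100 + i:03d}")
    for i in range(8)
]

if __name__ == "__main__":
    for a in review_access_log(SAMPLE_EVENTS):
        print(f"{a.kind:12} {a.user:6} {a.detail}")
```

The bulk-access rule is a threshold, not a verdict: an analyst genuinely tasked with reading a whole archive will trip it too, which is why the output is an alert queue for a human reviewer rather than an automatic block. The threshold and window would in practice be tuned per role from observed baselines, which is also where the "roles change all the time" problem from the post bites.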