Tom Gjelten’s report, Officials: Edward Snowden’s Leaks Were Masked By Job Duties, goes a long way towards explaining how Edward Snowden was able to move secret documents without suspicion.
The story also highlights the tension between needing to share information and at the same time keeping it secure:
According to the officials, the documents Snowden leaked — the memoranda, PowerPoint slides, agency reports, court orders and opinions — had all been stored in a file-sharing location on the NSA’s intranet site. The documents were put there so NSA analysts and officials could read them online and discuss them.
…
The importance of such information-sharing procedures was one of the lessons of the Sept. 11 attacks. Law enforcement and intelligence agencies were unable to “connect the dots” prior to the attacks, because they were not always aware of what other agencies knew.
Does the NSA response:
The NSA will now be “tagging” sensitive documents and data with identifiers that will limit access to those individuals who have a need to see the documents and who are authorized by NSA leadership to view them. The tagging will also allow supervisors to see what individuals do with the data they see and handle.
surprise you?
Perhaps I should ask:
Do you see what’s common in the “connect the dots,” and “secure the data” responses?
The NSA isn’t sharing data or information about people, places, events, etc.; it is sharing (or securing) documents.
The data is something that every analyst must pry out on their own. And every analyst has to repeat the mining operation of every other analyst who discovers the same data.
The lesson here is that document-level sharing or security is too coarse to satisfy the goals of either sharing or security. To say nothing of being wasteful of the time of analysts, probably a more precious resource than even more data.
Sharing vs. Securing Example
Assume that I am researching visitor X to the United States who has just gone through passport control. I get a number of resources listed in response to a search. In addition to phone traffic records, etc., there is a top secret report document.
This top secret report document is a report from an American embassy that says visitor X was seen by a CIA operative (insert code name) in the company of bad actor 1 and bad actor 2 at some location. No details of what was said but subsequent surveillance establishes visitor X may be friends with bad actor 1 or 2.
Under the current process, the choice is either to allow me access to this document, which makes me aware of the embassy, the CIA operative’s codename, dates of observation, etc., in short a lot of information that may not be necessary for my task, or to deny me access altogether.
For some particular task, such as who else to watch for in the U.S., knowing visitor X is a possible associate of bad actors 1 and 2, alerts me that known associates of bad actors 1 and 2 should also be put under a higher level of surveillance while visitor X is in the U.S. I don’t need to know the embassy, CIA operative, etc., to make that determination.
End Example
The document level sharing/security paradigm of the NSA was the only solution when documents were physical documents. It wasn’t possible to share documents other than as whole documents. Well, there is the Magic Marker option but that doesn’t really scale. And every document has to be “marked” for a particular person or level of clearance.
If we treat electronic documents as, well, electronic documents, we can split them at whatever level is appropriate for security control. Non-trivial, but a similar process was developed and used at the Y-12 Complex at Oak Ridge, Tennessee (the place where they build and maintain nuclear weapons).
Beyond splitting documents for security purposes, it is also possible to accumulate the insights of analysts who have read portions of those documents, so that every analyst doesn’t have to read every relevant document but can build upon what has already been discovered by others.
Capturing the insights of analysts on a granular and re-usable level conserves something more precious than more raw data, human insight into data.
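To make the sharing vs. securing example and the fragment-level idea concrete, here is an added illustration (my own sketch, not anything the NSA or the Y-12 process uses): the embassy report is stored as individually labelled fragments rather than one blob with one marking, an analyst's view is computed fragment by fragment from their clearance and compartments, every release is recorded for a supervisor, and analysts can attach reusable insights that carry their own labels. The report fields, the `HUMINT-SRC` compartment name, the level ordering and the placeholder values are all constructed for the example.

```python
"""Fragment-level access control for one report (constructed illustration)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Ordered classification levels. The names are the familiar U.S. markings;
# the numeric ordering is an assumption of this example.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Fragment:
    """One field of a report, labelled on its own instead of at document level."""
    name: str
    value: str
    level: str
    compartments: FrozenSet[str] = frozenset()  # e.g. a source-protection compartment


@dataclass(frozen=True)
class Analyst:
    name: str
    clearance: str
    compartments: FrozenSet[str] = frozenset()


@dataclass
class Report:
    doc_id: str
    fragments: List[Fragment]
    insights: List[Fragment]  # analyst-contributed, labelled like any other fragment


# Supervisors see what each person was actually released, per field.
AUDIT_LOG: List[Dict[str, str]] = []


def can_read(analyst: Analyst, frag: Fragment) -> bool:
    """Hierarchical level check plus compartment check (both must hold)."""
    return (LEVELS[analyst.clearance] >= LEVELS[frag.level]
            and frag.compartments <= analyst.compartments)


def view(report: Report, analyst: Analyst) -> Dict[str, str]:
    """Return only the fragments this analyst may see, and log what was released."""
    visible = {f.name: f.value
               for f in report.fragments + report.insights
               if can_read(analyst, f)}
    AUDIT_LOG.append({"who": analyst.name, "doc": report.doc_id,
                      "fields": ",".join(sorted(visible))})
    return visible


def add_insight(report: Report, analyst: Analyst, name: str, value: str,
                level: str, compartments=frozenset()) -> Fragment:
    """Attach a reusable finding. The contributor may not label it beyond
    what they themselves could read, so labels stay honest and checkable."""
    frag = Fragment(name, value, level, frozenset(compartments))
    if not can_read(analyst, frag):
        raise ValueError("insight labelled beyond the contributor's own access")
    report.insights.append(frag)
    AUDIT_LOG.append({"who": analyst.name, "doc": report.doc_id, "fields": "+" + name})
    return frag


# Constructed stand-in for the embassy report from the example above.
# Placeholder values mark specifics the post deliberately leaves out.
EMBASSY_REPORT = Report(
    doc_id="RPT-0001",  # constructed identifier
    fragments=[
        Fragment("subject", "visitor X", "SECRET"),
        Fragment("associates", "bad actor 1; bad actor 2", "SECRET"),
        Fragment("assessment", "visitor X may be friends with bad actor 1 or 2", "SECRET"),
        Fragment("reporting_embassy", "<embassy placeholder>", "TOP SECRET"),
        Fragment("operative_codename", "<codename placeholder>", "TOP SECRET",
                 frozenset({"HUMINT-SRC"})),
        Fragment("observation_dates", "<dates placeholder>", "TOP SECRET"),
    ],
    insights=[],
)

if __name__ == "__main__":
    border_analyst = Analyst("border analyst", "SECRET")
    # The border analyst gets the association, not the embassy or the source.
    print(view(EMBASSY_REPORT, border_analyst))
    add_insight(EMBASSY_REPORT, border_analyst, "watch_list",
                "raise surveillance on known associates of bad actors 1 and 2 "
                "while visitor X is in the U.S.", "SECRET")
    # A later analyst at the same level inherits that insight without
    # re-reading the report; the supervisor sees every release in AUDIT_LOG.
    print(view(EMBASSY_REPORT, Analyst("second analyst", "SECRET")))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the split is visible in the two views: a SECRET-cleared analyst receives the subject, the associates and the assessment, which is all the watch-list task needs, while the embassy, codename and dates stay with holders of the higher level and the source compartment. The insight mechanism is what lets the second analyst start from the first one's conclusion rather than repeating the mining.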
None of that can happen overnight, but continuing with a model of documents as physical objects only delays the day when more granular access enables more sharing and better security. To say nothing of capturing the insights of analysts for the benefit of an entire enterprise.
PS: If you know anyone at the NSA, forward this post to them. I dislike poor information systems more than I dislike any government.