Thursday, April 20, 2006

Classifications and Clearances

World War II, and the Cold War that followed, led NATO governments to move to a common protective marking scheme for labelling the sensitivity of documents. Classifications are labels, which run upward from Unclassified through Confidential, Secret, and Top Secret. The details change from time to time. The original idea was that information whose compromise could cost lives was marked ‘Secret’ while information whose compromise could cost many lives was ‘Top Secret’. Government employees have clearances depending on the care with which they’ve been vetted; in the United States, for example, a ‘Secret’ clearance involves checking FBI fingerprint files, while ‘Top Secret’ also involves background checks for the previous 5 to 15 years’ employment.

The access control policy was simple: an official could read a document only if his clearance was at least as high as the document’s classification. So an official cleared to ‘Top Secret’ could read a ‘Secret’ document, but not vice versa. The effect is that information may only flow upward, from Confidential to Secret to Top Secret, but it may never flow downward unless an authorized person takes a deliberate decision to declassify it.

There are also document-handling rules; thus, a ‘Confidential’ document might be kept in a locked filing cabinet in an ordinary government office, while higher levels may require safes of an approved type, guarded rooms with control over photocopiers, and so on. (The NSA security manual gives a summary of the procedures used with ‘Top Secret’ intelligence data.)

The system rapidly became more complicated. The damage criteria for classifying documents were expanded from possible military consequences to economic harm and even political embarrassment. Britain has an extra level, ‘Restricted’, between ‘Unclassified’ and ‘Confidential’; the United States had this, too, but abolished it after the Freedom of Information Act was passed. America now has two more specific markings: ‘For Official Use only’ (FOUO) refers to unclassified data that can’t be released under the Freedom of Information Act (FOIA), while ‘Unclassified but Sensitive’ includes FOUO plus material that might be released in response to a FOIA request. In Britain, restricted information is in practice shared freely, but marking everything ‘Restricted’ allows journalists and others involved in leaks to be prosecuted under Official Secrets law. (Its other main practical effect is that an unclassified U.S. document sent across the Atlantic automatically becomes ‘Restricted’ in Britain, and then ‘Confidential’ when shipped back to the United States. American military system builders complain that the U.K. policy breaks the U.S. classification scheme!)

There is also a system of codewords whereby information, especially at Secret and above, can be further restricted. For example, information that might contain intelligence sources or methods—such as the identities of agents or decrypts of foreign government traffic—is typically classified ‘Top Secret Special Compartmented Intelligence,’ or TS/SCI, which means that so-called need-to-know restrictions are imposed as well, with one or more codewords attached to a file. Some of the codewords relate to a particular military operation or intelligence source, and are available only to a group of named users. To read a document, a user must have all the codewords that are attached to it. A classification label, plus a set of codewords, makes up a security category or (if there’s at least one codeword) a compartment, which is a set of records with the same access control policy.

There are also descriptors, caveats, and IDO markings. Descriptors are words such as ‘Management’, ‘Budget’, and ‘Appointments’: they do not invoke any special handling requirements, so we can deal with a file marked ‘Confidential—Management’ as if it were simply marked ‘Confidential’. Caveats are warnings, such as “U.K. Eyes Only,” or the U.S. equivalent, ‘NOFORN’; there are also International Defense Organization (IDO) markings such as ‘NATO’. The lack of obvious differences between codewords, descriptors, caveats, and IDO marking is one of the factors that can make the system confusing.

The final generic comment about access control doctrine is that allowing upward-only flow of information also models what happens in wiretapping. In the old days, tapping someone’s telephone meant adding a physical wire at the exchange; nowadays, it’s all done in the telephone exchange software, and the effect is somewhat like making the target calls into conference calls with an extra participant. The usual security requirement is that the target of investigation should not know he is being wiretapped, so the third party should be silent—and its very presence must remain unknown to the target. For example, now that wiretaps are usually implemented as silent conference calls, care has to be taken to ensure that the charge for the conference call facility goes to the wiretapper, not to the target. Wiretapping requires an information flow policy in which the ‘High’ principal can see ‘Low’ data, but a ‘Low’ principal can’t tell whether ‘High’ is reading any data, and if so what.


Post a Comment

<< Home