To Share or Not to Share, That Is the Question
October 18th, 2011
The Obama Administration (and in particular the U.S. State Department) continues to take the heat for the massive leakage of U.S. government documents courtesy of WikiLeaks (and allegedly originally because of the actions of PFC Bradley Manning). The volume of vitriol directed at President Obama and Secretary of State Hillary Clinton is astounding; members of the information security community have contributed more than their fair share of it. How could the U.S. government, they say, have been so negligent regarding access control that even a lowly private in the U.S. Army could allegedly gain access to these documents?
Before I go any further, let’s look at access control from an information security point of view. There are four major models of access control: discretionary access control (DAC), mandatory access control (MAC), role-based access control (RBAC), and ruleset-based access control (RSBAC). In DAC, users can set whatever access control they want. In MAC, users cannot set access controls, nor can system administrators, for that matter. Access controls are instead under the purview of a security administrator. In RBAC, users are assigned job function-related roles that are then mapped to information access needs; entitlements to access any information depend on whether a role requires access to that information. In RSBAC, access controls are set through rules such as ingress and egress traffic filtering logic in firewalls.
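The four models described above, side by side, as an added example that is not part of the original post. All users, roles, labels and rules are constructed for illustration; the point is who is allowed to change each kind of control and how the same request is decided under each model.

```python
# Added illustration; every user, role, label and rule here is constructed.
LEVELS = {"unclassified": 0, "secret": 1, "top_secret": 2}

class Dac:
    """Discretionary: the owner of an object edits its ACL at will."""
    def __init__(self, owner):
        self.owner, self.acl = owner, {owner}
    def grant(self, actor, user):
        if actor != self.owner:
            raise PermissionError("only the owner sets DAC permissions")
        self.acl.add(user)
    def allows(self, user):
        return user in self.acl

class Mac:
    """Mandatory: only the security administrator assigns clearances."""
    def __init__(self, label):
        self.label, self.clearance = label, {}
    def set_clearance(self, actor_role, user, level):
        if actor_role != "security_admin":
            raise PermissionError("users and sysadmins cannot change MAC labels")
        self.clearance[user] = level
    def allows(self, user):
        held = self.clearance.get(user, "unclassified")
        return LEVELS[held] >= LEVELS[self.label]

def rbac_allows(user, resource, user_roles, role_perms):
    """Role-based: access follows from the job roles a user holds."""
    return any(resource in role_perms.get(r, ()) for r in user_roles.get(user, ()))

def rule_allows(request, rules):
    """Rule-based: first matching rule wins, default deny (firewall style)."""
    for action, match in rules:
        if all(request.get(k) == v for k, v in match.items()):
            return action == "allow"
    return False

def demo():
    dac = Dac(owner="alice")
    dac.grant("alice", "bob")                       # owner shares freely
    mac = Mac(label="secret")
    mac.set_clearance("security_admin", "alice", "secret")
    roles = {"alice": ["analyst"], "bob": ["clerk"]}
    perms = {"analyst": {"documents"}, "clerk": {"timesheets"}}
    rules = [("deny", {"direction": "ingress", "port": 23}),
             ("allow", {"direction": "ingress"})]
    return {"dac": dac.allows("bob"), "mac": mac.allows("bob"),
            "rbac": rbac_allows("bob", "documents", roles, perms),
            "telnet": rule_allows({"direction": "ingress", "port": 23}, rules),
            "https": rule_allows({"direction": "ingress", "port": 443}, rules)}
```

Calling `demo()` shows the same user (`bob`) admitted under DAC because the owner chose to share, but refused under MAC and RBAC because no security administrator or role mapping granted him access.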
The massive document leakage was from the State Department’s Net-Centric Diplomacy system. This system was originally built exclusively (or nearly so) for access by State Department employees and contractors. An event that occurred on Christmas Day 2009 led to a change of decision regarding who is allowed to access this system, however. Umar Farouk Abdulmutallab, more frequently known by the unsavory nickname of the “underwear bomber,” allegedly attempted to blow up Northwest Airlines flight 253 from Amsterdam to Detroit, Michigan that day. Fortunately, this attempt was unsuccessful, but disturbing information started to circulate about warnings concerning this person that had never reached the organizations that could have stopped him from boarding the flight. British intelligence had, for instance, informed the U.S. that a man named “Umar Farouk” had vowed to support jihad in a conversation he allegedly had with Anwar al-Awlaki, a Muslim extremist leader in Yemen. Abdulmutallab’s father in Nigeria had alerted the U.S. embassy there that his son may have been involved in Muslim extremist activities in Yemen, something that caused his son’s name to be added to the National Counterterrorism Center’s terrorist watch list. Somehow, however, the younger Abdulmutallab’s U.S. visa was never checked during the flight boarding process. Furthermore, his name was never added to the FBI’s Terrorist Screening Database. U.S. Immigration and Customs and the Transportation Security Administration had no clue that a potentially dangerous person was coming to the U.S. on Christmas Day 2009. The right hand had no idea what the left hand was doing, so to speak.
One of the “lessons learned” from this ugly set of events is that information about potential terrorists and other serious threats needs to circulate more freely within U.S. government circles. Consequently, access controls for the Net-Centric Diplomacy system as well as other U.S. agencies’ systems were relaxed to provide more widespread and easier access. Months later, the massive leakage of documents occurred, and the finger pointing intensified.
What really amazes me is how so many people do not understand the tradeoffs between access control and ease of access. Until shortly after Christmas Day 2009, access to a vast array of U.S. government information was very limited, presumably to individuals who were in a limited set of role classifications and security clearances. The information was more secure, but at the same time those who needed the information for endeavors such as identifying potential terrorists did not get it, as in the case of tracking (or the lack thereof) the alleged “underwear bomber.” Critics howled and complained. Afterwards the U.S. government opened up access. You might ask why the U.S. Army was granted access to the State Department system. The reason is that the Army is fighting terrorists in both Afghanistan and Iraq, and intelligence concerning the activity and plans of terrorist groups can easily make the difference between victory and defeat. But then when so much information was leaked, critics howled and complained.
My message should by now be clear. When it comes to information sharing, you really can never clearly win. Restricted sharing results in a lower number of unauthorized data leaks, yet it also raises the likelihood that those who have a bona fide need for the information will not be able to access it. Allowing greater access to information increases the probability that those with a genuine need for it will be able to access it, but also increases the risk that the information will be accessed by unauthorized persons. Which of these alternatives is more favorable depends on an organization’s mission and its business and/or operational objectives.
–Gene Schultz, Ph.D., CISSP, CISM, GSLC
– – – – – – – – – – – – – – – – –
Dr. Eugene Schultz is the CTO at Emagined Security, an information security consulting practice based in San Carlos, California. He is the author/co-author of five books, and has also written over 120 published papers. Gene has been the editor-in-chief of two journals and is currently on the editorial board of three journals. He is also a SANS instructor, member of the SANS NewsBites editorial board, co-author of the 2005 and 2006 CISM preparation materials, and is on the technical advisory board of three companies. Gene has previously managed an information security practice as well as a national incident response team. He has also been professor of computer science at several universities and is retired from the University of California. He has received the NASA Technical Excellence Award, the Department of Energy Excellence Award, the ISACA John Kuyers Best Speaker/Best Conference Contributor Award, the Vanguard Conference Top Gun Award (for best presenter) twice, the Vanguard Chairman’s Award, and the National Information Systems Security Conference Best Paper Award. A Distinguished Fellow of the Information Systems Security Association (ISSA), Gene has also been named to the ISSA Hall of Fame and has received ISSA’s Professional Achievement and Honor Roll Awards. He is currently a member of the accreditation board of the Institute of Information Security Professionals (IISP). Dr. Schultz has provided expert testimony before committees within the U.S. Senate and House of Representatives on various security-related issues, and has served as an expert witness in legal cases.