Thursday, August 16, 2018

Classification/Clearance and the traditional CIA triad

I will start with my conclusion: It is far past time to completely throw out our classification/clearance system for something more modern, of which many potential examples exist. We have never had the resources and political will to do so, and suffer copiously as a result.

Even if we had the memory eraser from MIB, the clearance system doesn't fit our modern needs.

In addition to failing to scale to the millions of people we now have cleared - each a specialized individual case! - the clearance system directly conflicts with the basics of the information security axioms we use to govern other complex systems. In particular, to refer to the CIA triad - we know (cf. SNOWDEN, etc.) that the system almost encourages large-scale compromise of confidential information, and not in a way that more "insider threat" programs can really prevent.

We also know that our availability to do national-security-sensitive work is strangled by an inability to get new people into the system - that the best people tend to leave because the requirements are onerous, and once you've left your clearance behind to venture briefly into the commercial world, it's unlikely you'll ever get it back. What good is a system in the modern era that takes two years to make a decision on someone's trustworthiness?

And the integrity of the classification system only works when we realize it is a relationship and a community, and not a gateway of privilege. If it's possible to lose your clearance for political reasons, or simply because you lost a job, or because you had any minor personal issue, then it's impossible to get reliable assessments for your intelligence community as a whole. Information does not naturally come with a meta-data label of sensitivity or scope - in fact, nearly the opposite is true, as we know from our long-used exploitation of unclassified traffic for national security purposes.

The clearance system is the hulking shadow in the back of any conference meeting on how to meet our strategic needs in the cyber domain. Even discussing norms is impossible without a better and more nuanced system for understanding and managing information-based national security risk.

Many people would say there is no better system, but even some version of the traffic-light-protocol might be a more workable option, or may be more realistically what we use now anyways, if we care to admit it.

----
https://www.cfr.org/report/sharing-classified-cyber-threat-information-private-sector
https://twitter.com/jimsciutto/status/1029810782186496000