Marc Ambinder of the Atlantic recently blogged about alternative Blackberries that President Obama may carry.
Some people might wonder why this is such a big deal. Ambinder notes that "Government Blackberries" can handle classified information "up to Secret" but that you need a Sectera Edge
from General Dynamics to do anything (voice only) at Top Secret.
Words of the President are obviously valuable, whether voice or text. Even if we ignore spies, think about the interest they carry for news reporters, government contractors, political operatives, and other presumed patriots. So, to start with, we have to ensure that the President's words are only released when he decides to do so.
The government has established several strategies for protecting information assets. While we don't necessarily know what they're doing in the White House, we can make some educated guesses. The problems, and solutions, revolve around multilevel security
, also called MLS
If President Obama wants to use e-mail and phone to talk to people inside and outside the government, the White House techies face an interesting challenge. The fundamental MLS problem is that you don't want classified information to leak into the unclassified world. The easiest way to prevent this is to give him a "public" device and a "protected" device: one will talk to people outside the government, and the other will talk with people inside the government. It's then up to him to avoid disclosing real secrets when he uses the public device.
For example, the President might use a Sectera Edge to talk to senior staffers and others in the government, and use something on the commercial Blackberry network to talk to others. If the NSA can insert magic into a Blackberry to keep it from disclosing the President's physical location, this might work.
The problem is a lot trickier when it comes to e-mail and such. If the President has a mailbox containing both public and classified information, what prevents him from accidentally forwarding a secret message to someone on the outside? This is the sort of mistake any of us might make, and it keeps security officers awake at night.
In classified government environments, they generally keep two or more networks, one for each major level of classified information. For example:
- An unclassified network that connects to the Internet
- A Secret network that does not connect to the Internet but handles bread-and-butter classified information
- A Top Secret or higher network to handle high level diplomatic, intelligence, and military command information
In practice, a person on one of these networks can create documents and e-mails "at or below" the classified rating. For example, you can legitimately create unclassified or Secret information on a Secret network. The problem is that once you've created the unclassified information, you need a way to pass it to an unclassified environment, or it might as well be Secret information. It is hard to pass information this way: how do we ensure that some Secret information wasn't accidentally included in an unclassified file?
While "direct" connection is not allowed between networks of different levels, there are "guard" systems that can connect them, subject to various rules and restrictions. In the perfect world, the guard prevents higher-level information from spilling onto lower-level networks, like Top Secret information spilling onto the Secret network, or Secret info onto the Unclassified. Going the other direction, the ideal guard will also block junk mail, viruses, and access to malicious logic on dangerous web sites.
This is a tall order. Unfortunately there are no easy ways to do this, no silver bullet. We build guards to do the best job they can, we monitor the traffic, and we do the best we can. Some guards rely on positive indicators, like a "Yes I'm sure it's unclassified" indicator from the author of the e-mail or document. It's hard to build a signal that won't be used accidentally or spoofed by a Trojan horse program. The alternative is to look for patterns that might indicate leakage: this is disturbingly similar to computer virus detection, and suffers from the same shortcomings.