Cybrpnk's Rantings

2005-05-02

Technical Incompetence

There was a truly outrageous story on NPR this morning about the US military releasing a report to the public with classified information contained within it. The report in question described the investigation into an incident in which US forces killed an Italian intelligence agent, and injured Giuliana Sgrena, the Italian reporter who had just been released by kidnappers. Some bright mind released the document in a digital format (PDF), and used software formatting to black out classified information. Since the implementation of this formatting keeps all of the information within the file, and just places black over it when it is displayed, it was trivial for technically savvy people to extract the classified information. When questioned about this lapse, a Pentagon spokesman blamed it on 'technical problems.' Bah! I say. This is not a technical failure, it is a gross mismanagement of secure data. Blaming it on technology is pathetic. Almost as pathetic as the NPR reporters accepting the military's description of the problem.
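A pre-release check for the failure described above, as an added example that is not part of the original post: it reads a page's drawing instructions and reports any text that is still stored in the file underneath a black rectangle painted on top of it. The sample stream is constructed and uncompressed, and the function name `covered_text` is hypothetical; real PDFs usually compress their content streams and use coordinate transforms, which this sketch assumes away.

```python
import re

# Constructed, uncompressed page content stream: two text runs, then a black
# rectangle painted over the second one (overlay-style "redaction").
SAMPLE_STREAM = """
BT /F1 12 Tf 72 700 Td (The patrol was led by) Tj ET
BT /F1 12 Tf 72 680 Td (CONSTRUCTED-SENSITIVE-NAME) Tj ET
0 0 0 rg
70 676 200 16 re f
"""

TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|/[^\s()/]+|[-+]?\d*\.?\d+|[A-Za-z*']+")
FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}

def covered_text(stream):
    """Return strings still present in the stream whose text origin lies
    under a black filled rectangle that is painted after them."""
    operands, texts, pending, black = [], [], [], []
    fill = (0.0, 0.0, 0.0)          # PDF's default fill colour is black
    x = y = 0.0
    for seq, tok in enumerate(TOKEN.findall(stream)):
        if tok[0] in "(/+-.0123456789":
            operands.append(tok)    # operand: string, name or number
            continue
        if tok == "BT":
            x = y = 0.0
        elif tok == "Td":           # move text position by (dx, dy)
            x, y = x + float(operands[-2]), y + float(operands[-1])
        elif tok == "Tj":           # show string at current position
            texts.append((seq, x, y, operands[-1][1:-1]))
        elif tok == "rg":
            fill = tuple(float(v) for v in operands[-3:])
        elif tok == "g":
            fill = (float(operands[-1]),) * 3
        elif tok == "re":           # x y width height
            pending.append(tuple(float(v) for v in operands[-4:]))
        elif tok in FILL_OPS:
            if fill == (0.0, 0.0, 0.0):
                black += [(seq, r) for r in pending]
            pending = []
        elif tok in ("n", "S", "s"):
            pending = []            # path ended without being filled
        operands = []
    return [t for ts, tx, ty, t in texts
            if any(rs > ts and rx <= tx <= rx + rw and ry <= ty <= ry + rh
                   for rs, (rx, ry, rw, rh) in black)]

if __name__ == "__main__":
    print(covered_text(SAMPLE_STREAM))
```

A document that was redacted properly has the sensitive text removed from the stream before the box is drawn, so the check returns an empty list for it.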


When creating secure systems, competent people understand that it is very easy to attain the appearance of security, and very hard to attain the real thing. There are a number of standard techniques which are used by professionals to enforce the security goals of the system. The US military should be well versed in these techniques, as they have funded a great deal of the research into them. Furthermore, they have demonstrated that they understand how to put these techniques into use in non-digital environments. In this instance the key principle which was violated is called encapsulation. The secure data should never, in any form, have been made available to the people who were in charge of preparing this document for public release.

In this instance it appears that poor design of the overall security infrastructure resulted in the release of data that really should be classified. A breach perhaps as bad as the Bush Administration's suppression of data that should be released. We are asked to believe that we should trust the professionals to determine what should and shouldn't be classified. There have already been calls for reviewing how information gets classified. It appears that we should also be reviewing how it gets protected after it is classified. I'm definitely more concerned with the damage to our democracy of unnecessary suppression of data, but really offended by the lame suggestion that it is a technical failure in this case.
