DOCUMENT NO.52
Interagency Task Force Report
on
Unauthorized Disclosure of Classified Information
echnology Working Group
(.'haired by
Central Intelligence Agency Directorate of Science and Technology
2
hiiTTfllli Mll
TABLE OFNTKNIS
EXECUTIVE1
2
Direct!*
NAUTHORIZED DISCLOSURE
nauthorized
nauthorized Disclosure
TECHNOI.OGY
Previous
Digital File Management and
Auditing Network |
Document
12
Word- or
Digital
Electronic Document Tags
Cc*npresscd-Inuge KileJ3
uditing Open
merging Technology
4.0
APPENDIX A: REFERENCE
nTii
mm ircj;nMi
LIST OKKIOUKKS
Figurerocess diagram of Un author mm
figureROCESS DIAGRAM Of UNAUTHORIZED DISCLOSURE
ficurbNTO .TRUSTsystem ARCHtTECTURE
F TABLES
I:
and
EXECUTIVE SUMMARY
(U) Inhe United Slates Attorney General established an interagency (ask force toomprehensive review of current protections against the unauthorized disclosure of classified information to the mediahe Science and Technology Working Groupne of four Working Groups the task force created lo support this effort, was charged with evaluating scientific and technical solutions touc
(U) The SATWG reviewed past and current technical methods to manage and control the dissemination of classified informationleared individual, with authorized access lo the information, to the media. The SATWO also assessed the impact of emerging and future technologies on existing processes and controls
(U) The SATWGumber of commercial applications (specifically, systems developed to improve securiiy and controlsusiness) for ihcir potential to improve management and control of classified informationlassified environment. Ihe SATWG also explored processes and technology to increase (he level of "deterrence" against unauthorized duplication and dissemination of classified information. Finally, the Working Group assessed the potential threats of emerging commercial technologies migrating into the classified workplace.
Conclusions
(U) The SATWG drew the following conclusions about scientific and technical tools that can improve (he managemenl and control of classified infornialion:
(TJ) Key Finding: locre is no scientific or technical system or system* that canprevent the dissemination of clarified information from tomeone cleared to have ilomeone without "need toowever, (he exponential growth of digital data in (he work environment has been paralleled by the development of sophisticated tracking and audit technologies tbat can make it extremely difficult to move classified information out of the classified environment. It is possible to close Ihc gaps in control of such information so thai (he only methods of transporting it beyond the classified environment are verbally or through personal notes.
Digital Kile Management and Con|rol: Commercially available Digital Rights Management (DRM) technology can provide effective comiol of classified infornialionlassified network
Auditing Network ^curjtr: Coounercially available tools for auditing nctwotk and telecommunications activity can be implementedlassified environment to flag unauthorized activity and. when necessary, support after-the-fact investigation of unauthorized disclosure.
faper Document Management and Control: The ability to photocopy documents for unauthorised distribution can be substantially reduced by replacing smtid-alone copiers wilh networked copiers (hat incorporate scanner/printer technology, which allows the network to audit activity, take controlocument, and prevent its unauthorized duplication.
lTTiri nfill
5. Emerging Technologies In lhe Workplace: Wireless technologies, digital cameras, personal digital assistants and other emerging technologies must be carefully assessed before they are permitted Into the classified workplace.
Recommendations
WG makes the following recommendations to improve the management and control of classified information and prevent its dissemination beyond the classified environment:
I I'lll'UIII
DOCUMENT NO. lArT-UDCl-STQ-OOl2
SCOPE
Directive
(U) Onhc Attorney General convened an interagency task force toomprehensive review of current protections against the unauthorized disclosure of classified information. In forming this task force, die Attorney General was in consultation with the Secretaries of the Apartment of Defenseepartment of Stateepartment of Energyentral Intelligence Agencynd others. To support this initiative, the Attorney General and Counselteering Ctornmittcc, Committee of Group Chairs andorking Groups to address litigation, legislation, science and technology, and security issues.
(U) Theechnology Working GroupWG) was charged with reviewing technical
capabilities to track and control classified information.WG was also tasked to assess ways in which science and technology can assist in the investigation of classified infomiation leaks.
(U)WG was chaired by the CIA/Directorate of Science and Technology (DST) and included representatives of the Department of Justiceederal Bureau of InvestigationOD, DOE. DOS. Nalional Security Agency (NSA) and National Reconnaissance Organization (NRO).
(U) All United States Agencies handling classified information have policies and procedures in place to restrict its dissemination to cleared individualsneed-to-know" basis. While the overall effectiveness of these measures is not quantified, there have been previous calls for review. Testifying before the Senate Select Committee on Intelligence (SSCI) inhs Director of Central Intelligence (DCI) requested lhat all Agencies in the Intelligence Community (IC) review thcir personnel and security programs, including those intended to prevent the unauthorized disclosure of classified information.
(U) As evidenced by the creation of this task force, leaks continue to occur. Furthermore, leaks are nearly impossible to predict; and without physical evidence, they are extremely difficult to irace back to the responsible individual.
(U) People leak information for any number of reasons: negligence, by accident, as an act of espionage, or as willful disclosure to satisfy some personal need. Education can reduce negligence. Well-designed control mechanisms and work processes can minimize the accidental leak.ell-planned.
focused technical or human espionage operation is more difficult, as system vulnerabilities are systematically exploited. The willful disclosure by one wiui authorized access may be the most difficult leak to manage via technical controls. Individual motivation can be mitigated somewhat byhe use of technical interventions, psychological and behavioral threats that generate fear of detection and reprisal. But even the most sophisticated technology cannot prevent the authorized individual, intent on leaking, from memorizing or hand-copying information and passing ii to an unauthorized person.
ission
(U)WG focused on identifying scientific and technical tools to stop the willful disclosure of classified information to the media. Specifically, tlie Working Group:
(U) Reviewed available scientific and technical applications and tools to control and track access to, and dissemination of. classified government information;
(U) Assessed ways in which technology can assist in the investigation of unauthorized
disclosures:
(U) Identified emerging and anticipated developments in science and technology that will require changes to existing and proposed protections against unauthorized disclosure.
undamental Assumptions
(U)WG adopted the following assumptions as fundamental to its analysis:
(U) Leakers have authorized access to the classified information they leak.
(U) Leakers are deterred by technologies they perceive as being effective.
(U) Keeping highly effectiveecret will inhibit Leakers' ability to exploit vulnerabilities.
(U) Scientific and technical deterrents can be defeated, given enough time and resources.
U) Technical solutions to limiting unauthorized dissemination of classified information must be integrated into the cotnprehensive system of existing technologies, processes, organizational cultures and individual behaviors unique to the agency where they are to be implemented.
NAUTHORIZED DISCLOSURE PROCESS
(U)ystematic approach lo fulfilling its mission,WG dissected both the process that leads to an unauthorized disclosure of classified information, and the after-the-fact investigative process to identify the responsible person. The Working Group then targeted areas for technical intervention and began to explore applicable scientific and technical solutions.
nauthorized Disclosure
roRTJrTrSUJrfTSE ONLY
DOCUMENT NO. lAFT-UDCl-STG-OOl2
ECHNOLOGY ASSESSMENT
(U)WG members assessed their respective Agencies for studies, pilots, research reports and other sources of information on scientific and technical tools, applications and processes to control and track (he flow of classified information.
revious Studies
(U)5he CIA Directorate of Science and Technology (DST) Office of Research<ORD)eries of reports on potential technical solutions to improvingmanagement. These reports were reviewedumber of initiatives identifiedCIA,el (the OA's venture capitalnd the Directorate of Operationshas undertaken
efforts to make classified CIA documents and highly sensitive finished intelligence, including the President's Daily Briefore secure.
(U) Among the least effective methods for preventing unaudnrized dissemination of classified documents are copier-managernent systems that use devices attached to standard photocopiers, or require biometric ID or PIN entry for access. In ORD's assessment (andWGhese systems do not prevent audiorized users from copying for illicit purposes. Their only benefit may besers perceive their presenceisk.
(U) CIA/ORD assessed the viability of using special inks with copiers to degrade copy quality to (he point it becomes illegible. Specifically tested were die use of photochromic inks, which change contrast under high illumination, and thcrmochromic inks, which change contrast under thermal loading. Unfortunately, extensive testing on copiers of (he time had limited success in effectiveness and reliability. The change in copier design over the past several years, from xerography technologyombination of scanner/printer technology, resulted in reductions in light intensity and operating temperatures that leave special inks even less effective. Moreover, the contrast-change effect was easily defeated when (he (ype of ink wasiermochrornic ink can be circumvented by "chilled" paper.
(U) CIA/ORD also documented evaluations of optical techniques dial used highly reflective surfaces to produce either blank or corrupted copies of an original document. The concept was immature and showed littleignificant detriment to the viability of (his technique is the requirement that standard paper be replacedpecial reflective product.
(U) CIA/ORD looked at exploiting efforts in the security printing industry to authenticate and prevent forgery of financial documents, contracts, notes,ut concluded that, "None of these technologiesare believed capable oferson dedicated to copying (he document for purposes of leaking the information from discovering the relatively simple countermeasures that would permit the protected document to be copied/'
(U) CIA/ORD reported more encouraging findings aboul controlling access to, and distribution of, electronic data. Indeed, its Document Security Program report issued0 slated lhat, "Electronic document dissemination offers the hope for eliminating many of the security vulnerabilities associated with hard copy document dissemination."
FOR OUlLlJU*BiJiDNLV
<tj) CIA/ORD ideniified an encrypiion technology, digital rights managemento manage usage rights of documents in the classified work environment. DRM technology, developed commercially to manage intellectual property in ebusiitess and restrict tlie copying of CDs. allows the document originator to control user rights to that document at the time it is released. The newest DRM applications, based on the concept of "dynamicllow the author to enable user controlsocument throughout its life cycle. In dynamic DRM, permissions arc controlled at the page level,olicy server issues encryption keys everyage is accessed.
igital File Management and Control
(U)WGumber of DRM and network audit technologies under evaluation in the classified community. Two pilot programs, discussed below, represent the most advanced applications of these technologies to the unauthorized disclosure problem.
USE ONLY
here are challenges to deploying ihe application in an interagency environment. Currently, its developers are addressing the issue of passing certificates across firewalls at cross-local area network (LAN) collections, as they are attempting to connect the ADSN to the Joint Worldwide Intelligence Communications Systemar more daunting challenge to any cross-agency implementation would be integrating the variciy and volume of hardware, software. LANs and wide
area networkss well as the policies and protocols for handling classified data, found within each organization. The human cost of managing policy rights, page hy page, is significant and may be the limiting constraint in the widespread use of DRM.
uditing Network Activity
ID
(UJ Auditing network and telephone system activity can provide information about whom had access to classified information and when. Obviously it is helpful in forensic analysis after the fact of the leak. It also has the potential to be useful in identifying unusual activities dial may be indicative of attempts to gain unauthorized access to classified infonnalioo. The difficulty in proactive measures is in establishing the criteria for network use thai would identify unusual activity.
DOCUMENT NO. lAFT-UDa STG-OOI2
aper Document Management and Control
(U) Portable digital technology may eventually render paper documents obsolete, but this won't happen in the classified environment any time soon. Until it does, organizations must make il much more difficult to copy and walk outlassified environment with classified documents
(U) Tremendous progress can be made in classified paper documentation control by replacing standalone copiers in the classified environment with networked copiers that use scanner/printer technology. DRM technology could then be applied to the units, and only individuals with permission lo reproduce hard copy documents will be able to do so. Those without authorization lo do so will he stopped, and their attempt will be logged by network audit technology. As an additional, psychological deterrent, blometrio identifiers can be added to copiers.
(U) Still remaining Is die issue of enforcing original document controls after printing. Unique identifiers can be included in any printed document lopecific copy to die original, controlled infornialion. Paper can be physically lagged, or the classified information itself can be tagged to support internal or criminal investigations of leaks. Here, too, DRM technology can be incorporated with tagging technology to enforce permissions, prevent unauthorized document duplication, and provide tracking data for follow-up investigation.
atermarks
(U) Commercially available watermark technology can be used to mark printed documents with aunique document identifier and visible controlDO NOT COPY" across the text. Invisible watermarks also can be imbedded into printedand Sharp have copiers that can produce this, and more sophisticated technology is in development. Invisible watermarks can also use technologies that cause very slight moves or shifts of character positions to tag the document. An alternative is io add digital noise pixels to the images or text in Ihe document. Messages like "DO NOT COPY"ehavior deterrent. But more importantly. DRM technology, which can recognize both visible and invisible watermarks, can be used to prevent unauthorized reproduction aa documents are scanned and original document rights reestablished.
ord- or Version-Encoding
(U) Quile possibly, the only potential solution for tracking classified information lhal leaves ihc
controlled environment through personal conversations or personal notes is lo code the information such lhat the wording, phrasing, or syntax is slightly different in each version-set disseminated. In theory, if the unique words or phrases are found in an unauthorized open source, then investigators can trace them back to those who had access lo that particular version. This technique does have its challenges and limitations. Thereinite number of changes that one can make to information without changing Ihe meaning or alerting the reader, and generation of modified versions of classified informationifficult, manual task. Finally, to be effective, potential leakers must be totally unaware of its use. Thus, word- or version-encoding is applicable tomall community of interest.
igital Books
(U) The use of digital books (also known as electronic books or cBooks) integraled with DRM software could all but eliminate classified information in paper form. Digital books ate portable digital data
for omsiexysc only
readers that arc used to download and store electronic documents. Access to cBooks could be controlled by any of the electronic authentication techniques available; digital signatures could be included track chain of custody, and they can be tagged so their location is always known. Only downloading would be permitted from authorized secure networks, and these events could he tracked by DRM and audit control applications.
lectronic Document Tags (cTags)
(U) Physically lagging paper with machine-readable, radio-frequency identification (RFID) tags could be used to prevent the movement of classified paper documents beyond the classified environment. RFID technology is used today in access control systemsmployee badges) and is under consideration for anti-counierfeiting bank notes. eTags respond to an interrogation signal with stored encoded information. By placing interrogation portals at building entrances, Security personnel could be notified when classified documents enter andacility. Tlie technology is potentially useful in small or tightly controlled classified areas, but it may be cost-prohibitive for large-scale use. Current analysis found tags coster page, although they arc anticipaled to fall to as low5 per page in the next three years may and eventually fall1 per page as consumer products incorporate the technology.
ompressed-Image File Capture
<U) Small classified work environments looking lo control minor amounts of classified informalion could . ystem where scanned image files are correlated with stored samples of previously printed documents. Scanned images can be captured as part of an audit process; data storage and size of search space are limitations. Optical character recognition (OCR) software can reduce the data volume of text documents, but it is not effective on non-text documents.
inal note on deterrence: to reap maximum "deterrence" benefits from the implementation of technical tools described in this section, theirbe publicized to all those with authorized access to classified data.
Open Sources
(U)WG looked briefly at technologies that could streamline or otherwise improve the labor-intensive open-source reviews most organizations use to uncover leaks of classified information. Data rnining, data warehousing, linguistic interpreters,an be used to search open source information for key words or decoy words thaieaked source of information. These technologies arc currently being developed and used commercially and in the public sector.WG did not identify any applicationslassified environment but believes several programs do exist in the intelligence community.
Technology Threats
(U) Agencies that handle classified information are always evaluating lhe potential threat of emerging digital technologiesarcinto the classified environment. Wireless. cellular phones and wireless LANs, personal digital assisianisnd other digital-memory tools (hat satisfy the ever-increasing demand for wider information dissemination and collaboration areew technologies that will create holes in existing and proposed classified information control systems. Small, concealablc digital cameras with large storage capacities can
quickly image lhe pageiarge documem as lliey are displayed on ihc new flat panel computer screens. Commercially available power-line transmission systems used in LANs can be used to ex filtrate digital data.
(U) in ils discussions, the SATWO addressed the potential impact of emerging technologies on existing and proposed systems to prevent the unauthorized disclosure of classified data At this time, the Working Group offers the following observations and concludes that each ofthe technologies identified below, as well as all future new technologies, must be fully assessed before ihey are rxwnitied into the classified environment Moreover, most emerging digital devices must not be allowed to physically connectlassified LAN, (LAN access must be managedrusted, competent staff.)
(U) Wireless LANs must be set up properly, with adequate encryption and firewalls, if used io disseminate classified information.
(U) All power lines in classified facilities must be filtered to defeat attempts io exfiltrate information, especially by use of commercial powerline LAN products.
(U) Digital cameras should be banned from tlie classified environment.
hii1
DOCUMENT NO.52
ONCLUSIONS
(U) Specific conclusions ofWG include:
There is no scientific or technical system or systems that can unequivocally preventsemination of classified information from someone cleared to have It to someoneto know."
(U) There is no scientific or technical solution to prevent the willful disclosure of classified information by someone with authorized access. But technology can close the gaps that allow leaks to occur, leaving only verbal conversations and personal notes as viable means to move classified information out of the classified environment
Commercially available Digital Rights Management (DRM) technology cancontrol of classified informationlassified network.
(U) It is possible to establish positive, persistent control of classified information in hard and soft copy formats with technology discussed in thisocuments Rights Managementudit tools, visible and invisible watermarks, public key infrastructure, centralized server networks with policy servers, and others. Pilots are addressing implementation issues with firewalls and key distribution. Significant issues remain to establishing community-wide policies, standardization of networks and software, and costs and labor of integrating large, distributed user groups.
Commercially available tools for auditing network and telecommunications activityImplementedlassified environment to flag unauthorized activity and,support after-the-fact investigation of unauthorized disclosure. .
omprehensive audit system is only as good as its ability to flag unauthorized use and identify' and track access to leaked information. Selecting "events" to audit and designing search algorithms are not trivial tasks, due to the magnitude of informationarge user population.
The ability to photocopy documents for unauthorized distribution can beby replacing stand-alone copiers with networked copiers, which allow theaudit activity, take controlocument, and prevent Its unauthorized duplication.
(U) As long as paper and copiers exist in the classified environment, classified documents can he copied and distributed. Changes can be made io the current document copy process to provide
more comprehensive audits.
4.5 (U) Wireless technologies, digital cameras, personal digital assistants and other emerging technologies must he carefully assessed before tliev arc permitted into the classified
workplace.
I
APPENDIX A: REFERENCE DOCUMENTS
W
Document Security Program
Document Copy Study
Document Copy Prevention Requirement Validation Study
Statement of James I. I'avitt, Deputy Direclor ot Operations of the CIA before the SSCI
Statement for the Record SSCI Hearing on Unauthorized Disclosures; Supporting Testimony by the Director of CIA
0
6
10
Source
CLVDST/IPO
CIA/DST/ORD CIA/DST/ORD
Senate Select Commiuee on Intelligence (SSCI)
Senate Select Committee on Intelligence (SSCI)
Original document.
Comment about this article, ask questions, or add new information about this topic: