White House Strategy to Prevent Leaks is Leaked

Thursday, January 06, 2011

Infosec Island Admin


Retraction:  White House Strategy to Prevent Leaks is Leaked

The document cited in this article, "M-11-08, Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated Systems", was in fact not "leaked", as the article states.

Credit for bringing the error to my attention goes to member Daniel Philpott, who noted the document was posted at the Office of Management and Budget site. I would like to personally extend my thanks and appreciation for his efforts to help get the facts straight.

I was completely erroneous in stating that the document had been leaked, and regret not confirming via other sources the assertions made in the article that was my original source for the assumption, "US Gov't Strategy To Prevent Leaks Is Leaked".

The main point of my article, that the government utilizes leaks to disperse information informally, is nonetheless valid. I did, though, choose the wrong document to build my argument around, and for this error I am deeply regretful.

This was a grave mistake on my part, and I wish to offer my sincerest apologies to the community, my colleagues, and the general public for the misinformation.

The original text for the article remains posted below.

 *   *   *  

A White House memo instructing Executive-level department heads on new procedures to identify potential leakers and prevent unauthorized leaks was itself leaked to the press.

The memo, titled "Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated Systems", was dated January 3, 2011, and contained another memo as an attachment titled "Classified National Security Information".

Issues addressed in the memo include the use of psychological evaluations to determine the likelihood a staff member may be a leak threat, and the monitoring of activities after they leave the department or government employment entirely.

There is, of course, no absence of irony involved with a leaked memo about how the administration wants their directors to proceed with new strategies to prevent information leaks.

Though the memo does not appear to be classified, nonetheless it was quickly in the hands of the press, and was not issued by the office of the White House Press Secretary via sanctioned channels.

The leaked memo highlights serious problems the government faces in their efforts to secure classified information in the wake of the WikiLeaks disclosures.

One problem is the nature of classification of information. Many documents may be designated as "classified" even though they do not contain highly sensitive information or state secrets; the designation "classified" in many instances simply means do not disseminate.

Another issue is the long-standing practice of purposely leaking information to the press in order to disseminate it without assigning the responsibility to any particular body of government, and sometimes the information intended to be leaked may in fact be classified.

Also in need of evaluation is the large number of personnel with access to classified information. Currently more than two million people have access to confidential materials, with nearly one million having access to documents with a "Top Secret" classification.

The designations allowing access to information concern the level of security assigned to the information, but have little or nothing to do with whether or not the personnel actually need or should have access to the information to perform their duties.

The government needs to add another level of authorization for position-specific designations, but this task is complicated by the fact that the government has been working to decrease the obstacles to inter-departmental information sharing in the post-9/11 environment.

The road ahead for the government is certainly complicated when it comes to securing sensitive information while preserving tactical access. To date, only sixty percent of the networks at the Department of Defense have even modest levels of security where personnel are concerned.

It would be advisable if they took some lessons from the private sector regarding data classification, authentication protocols, and the implementation of software to regulate access controls.

shawn merdinger: Metadata in documents like PDFs is often revealing.

Doing the following on a *NIX shell:

wget http://msnbcmedia.msn.com/i/msnbc/sections/news/OMB_Wiki_memo.pdf

strings OMB_Wiki_memo.pdf | grep @

[redacted per SCM request] XXXXXXXXXXXX@omb.eop.gov

Daniel Philpott: You must be kidding. OMB M-11-08 memorandum was not leaked. It is a publicly released document and provides additional guidance on carrying out OMB M-11-06. Both are focused on responding to WikiLeaks style unauthorized disclosures. The site it was published from is about as authorized as you get:

shawn merdinger: @Daniel Philpott -

Nice. You're the man.

shawn merdinger: This retraction is professionally done, and aside from the initial mistake, I believe there are lessons for all of us to learn here.

Specifically, the issue of metadata in all documents is a security risk and leak within itself. We really need integrated, easy-to-use and seamless tools that will cleanse a document of unnecessary metadata that discloses an organization's information, like emails, OS, software versions, internal network paths and directories, etc.

Folks really should take a look at Defcon 18's video archive and especially the "FOCA2: The FOCA Strikes Back" presentation which covers in detail WhiteHouse.gov public document metadata extraction.


Video: FOCA2: The FOCA Strikes Back

Slides: FOCA2: The FOCA Strikes Back
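
A pre-publication check in the spirit of the metadata comments above, as an added example that is not part of the original post or its comments. The function names and the sample file are hypothetical and constructed for illustration; the script flags e-mail addresses and Info-dictionary fields that are visible in a PDF's raw bytes before the file goes out.

```shell
#!/usr/bin/env bash
# Added example: pre-publication metadata check for a PDF.
# Function names and the sample file are hypothetical/constructed.
# Limitation: a raw byte scan cannot see values stored in compressed
# streams (object streams, XMP packets), so a clean result is not proof.

pdf_meta_findings() {
    local file=$1
    # E-mail addresses visible in the uncompressed bytes.
    LC_ALL=C grep -aoE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$file" \
        | sort -u | sed 's/^/email: /'
    # Literal-string Info dictionary entries such as /Author (Jane Doe).
    LC_ALL=C grep -aoE '/(Author|Creator|Producer|Title)[[:space:]]*\([^)]*\)' "$file" \
        | sort -u \
        | sed -E 's|^/([A-Za-z]+)[[:space:]]*\((.*)\)$|\1: \2|'
}

pdf_meta_check() {
    # Returns 1 when anything is found, so it can gate a publishing step.
    local findings
    findings=$(pdf_meta_findings "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

make_sample() {
    # Constructed sample: minimal PDF-like file with a made-up Info dictionary.
    cat > "$1" <<'EOF'
%PDF-1.4
1 0 obj
<< /Author (jdoe@agency.example) /Creator (ExampleWriter 1.0) /Producer (ExamplePDF 2.3) >>
endobj
trailer
<< /Info 1 0 R >>
%%EOF
EOF
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
pdf_meta_check "$sample" || echo "metadata found: clean the file before publishing"
rm -f "$sample"
```

Because `pdf_meta_check` returns non-zero on any finding, it can be wired into a publishing script so that a document with exposed author or software details is held back for cleaning.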
