[Cryptography] Security clearances and FOSS encryption?
Joe St Sauver
joe at oregon.uoregon.edu
Tue Jul 8 11:05:55 EDT 2014
Hi,
Ian commented:
# There aren't specific restrictions as such with security clearances [1]
# but there are conflicts of interest. If a person has a security
# clearance, then they have a master or power. If they are devoted to
# your project, then this means they serve two masters, the best you can
# hope for is that the other master is dormant.
#
# That power can be used at will. There are a range of pressures that can
# be put on a person to assist the power.
I think that's well put. For what it may be worth, I've enclosed below what
I shipped to Bill directly on the 4th of July (I'd assumed that there
wouldn't be much general interest in this topic, so I just replied to him
directly, but given the discussion that's taken place, I'll throw this in
for what it may be worth)...
Regards,
Joe
Forwarded message follows:
> I don't have a clearance, and this (and the rest of this note) should not
> be taken as legal advice, but have you reviewed the NISP Library at
> http://www.dss.mil/isp/fac_clear/download_nispom.html for anything that
> might be applicable?
>
> I will also note that there are a surprising number of people in the United
> States who *do* hold security clearances of one sort or another. See for
> example http://www.washingtonpost.com/blogs/the-switch/wp/2014/03/24/5-1-million-americans-have-security-clearances-thats-more-than-the-entire-population-of-norway/
> ("5.1 million Americans have security clearances. That's more than the
> entire population of Norway.")
>
> That said, not all of those clearances are alike. A person who got a
> confidential clearance from an agency that's not a member of the intelligence
> community is likely different than a TS/SCI clearance held by someone who
> is a member of the intelligence community.
>
> So... the real question for someone who is the holder of a clearance would
> be, "would working on a free or open source encryption project be viewed as
> potentailly derogatory when considered by a counterintelligence officer,
> now or when it's time to renew that clearance?"
>
> Potentially relevant factors:
>
> -- has the involvement in the project been fully disclosed to the
> person's supervisor and security officer?
>
> -- is the project in any way illegal?
>
> -- does it result in deliberate damage to US government information systems?
>
> -- does it involve secret contacts with foreign nationals or representatives?
>
> -- would the person's participation result in intentional compromise of
> classified information
>
> -- would the project create a conflict of interest for the clearance holder?
>
> The difficult questions in the other direction, e.g., for the project, would
> probably be:
>
> -- how was the cleared status discovered? did a potential participant
> volunteer that fact in advance? is it inferred based on the persons'
> employer/role? was it discovered and revealed by another participant,
> having been concealed by the clearance holder himself or herself?
>
> -- does a cleared person have an inherent conflict of interest? can they be
> true both to the goals of the project and the objectives of their
> employer/clearance sponsor?
>
> -- would the person's participation call into question the integrity and
> trustworthiness of the project's architecture or the project's code?
> or can compensating controls be applied to ensure that the person's
> participation does not result in the introduction of back doors or other
> intentional flaws?
>
> -- is the person comfortable having his/her cleared status or agency
> or contractor affiliation publicly known? (Now that you've discussed
> the issue in a public fora, everyone currently on your team is potentially
> at reputational risk if the actual person holding the clearance doesn't
> speak up)
>
> -- is everyone else comfortable with that person's participation? if having
> that person participate means that three other critical contributors
> drop off, that may not be a good trade off
>
> -- what if the person makes a contribution, and the contribution is
> subsequently found to be flawed; would that be sufficient to kick that
> person off the team (e.g., a so-called "one-bite" rule)?
>
> -- if the project allows the person to contribute, but the person's
> agency subsequently determines that they're not comfortable with him
> or her doing so, what then? would that person give up their job and
> clearance? would the person drop off the project? if so, would
> dropping out of the project be potentially disruptive?
>
> -- is there any possibility that the person's participation might result
> in licensing complications for the product you're working on? (e.g.,
> could it be claimed as work-for-hire or the intellectual property of
> the cleared person's employer?)
>
> And, of course, people who do have clearances aren't necessarily bad people.
> You know they aren't criminals. You know they aren't drug addicts, or in
> financial distress and subject to financial inducements. But then again,
> they are from the government or a government contractor, and that may
> change their primary loyalties.
>
> I've often thought that a nice compromise would be to have people do
> something like Nexus/GlobalEntry/TSA PreCheck. You then know that they're
> trustworthy (or at least not too hinky acting), but they aren't encumbered
> with all the baggage of an actual clearance.
>
> Good luck sorting out what you decide you want to do,
>
> Regards,
>
> Joe
>
> P.S. One of the nicer non-governmental resources on clearances can be
> found at https://www.clearancejobs.com/security_clearance_faq.pdf
More information about the cryptography
mailing list