[Cryptography] Security clearances and FOSS encryption?

Joe St Sauver joe at oregon.uoregon.edu
Tue Jul 8 11:05:55 EDT 2014 

Hi,

Ian commented:

# There aren't specific restrictions as such with security clearances [1]
# but there are conflicts of interest.  If a person has a security
# clearance, then they have a master or power.  If they are devoted to
# your project, then this means they serve two masters, the best you can
# hope for is that the other master is dormant.
#
# That power can be used at will.  There are a range of pressures that can
# be put on a person to assist the power.

I think that's well put. For what it may be worth, I've enclosed below what 
I shipped to Bill directly on the 4th of July (I'd assumed that there 
wouldn't be much general interest in this topic, so I just replied to him 
directly, but given the discussion that's taken place, I'll throw this in 
for what it may be worth)...

Regards,

Joe

Forwarded message follows:

> I don't have a clearance, and this (and the rest of this note) should not
> be taken as legal advice, but have you reviewed the NISP Library at
> http://www.dss.mil/isp/fac_clear/download_nispom.html for anything that
> might be applicable?
>
> I will also note that there are a surprising number of people in the United
> States who *do* hold security clearances of one sort or another. See for
> example http://www.washingtonpost.com/blogs/the-switch/wp/2014/03/24/5-1-million-americans-have-security-clearances-thats-more-than-the-entire-population-of-norway/
> ("5.1 million Americans have security clearances. That's more than the
> entire population of Norway.")
>
> That said, not all of those clearances are alike. A person who got a 
> confidential clearance from an agency that's not a member of the intelligence
> community is likely different than a TS/SCI clearance held by someone who
> is a member of the intelligence community.
>
> So... the real question for someone who is the holder of a clearance would 
> be, "would working on a free or open source encryption project be viewed as
> potentailly derogatory when considered by a counterintelligence officer,
> now or when it's time to renew that clearance?"
>
> Potentially relevant factors:
>
> -- has the involvement in the project been fully disclosed to the 
>    person's supervisor and security officer?
>
> -- is the project in any way illegal?
>
> -- does it result in deliberate damage to US government information systems?
>
> -- does it involve secret contacts with foreign nationals or representatives?
>
> -- would the person's participation result in intentional compromise of
>    classified information
>
> -- would the project create a conflict of interest for the clearance holder?
>
> The difficult questions in the other direction, e.g., for the project, would
> probably be:
>
> -- how was the cleared status discovered? did a potential participant 
>    volunteer that fact in advance? is it inferred based on the persons' 
>    employer/role? was it discovered and revealed by another participant,
>    having been concealed by the clearance holder himself or herself?
>
> -- does a cleared person have an inherent conflict of interest? can they be
>    true both to the goals of the project and the objectives of their 
>    employer/clearance sponsor?
>
> -- would the person's participation call into question the integrity and
>    trustworthiness of the project's architecture or the project's code?
>    or can compensating controls be applied to ensure that the person's
>    participation does not result in the introduction of back doors or other
>    intentional flaws?
>
> -- is the person comfortable having his/her cleared status or agency
>    or contractor affiliation publicly known? (Now that you've discussed
>    the issue in a public fora, everyone currently on your team is potentially
>    at reputational risk if the actual person holding the clearance doesn't
>    speak up)
>
> -- is everyone else comfortable with that person's participation? if having
>    that person participate means that three other critical contributors
>    drop off, that may not be a good trade off
>
> -- what if the person makes a contribution, and the contribution is 
>    subsequently found to be flawed; would that be sufficient to kick that
>    person off the team (e.g., a so-called "one-bite" rule)?
>
> -- if the project allows the person to contribute, but the person's
>    agency subsequently determines that they're not comfortable with him
>    or her doing so, what then? would that person give up their job and
>    clearance? would the person drop off the project? if so, would
>    dropping out of the project be potentially disruptive?
>
> -- is there any possibility that the person's participation might result
>    in licensing complications for the product you're working on? (e.g.,
>    could it be claimed as work-for-hire or the intellectual property of
>    the cleared person's employer?)
>
> And, of course, people who do have clearances aren't necessarily bad people.
> You know they aren't criminals. You know they aren't drug addicts, or in
> financial distress and subject to financial inducements.  But then again, 
> they are from the government or a government contractor, and that may
> change their primary loyalties.
>
> I've often thought that a nice compromise would be to have people do
> something like Nexus/GlobalEntry/TSA PreCheck. You then know that they're
> trustworthy (or at least not too hinky acting), but they aren't encumbered 
> with all the baggage of an actual clearance.
>
> Good luck sorting out what you decide you want to do,
>
> Regards,
>
> Joe
>
> P.S. One of the nicer non-governmental resources on clearances can be
> found at https://www.clearancejobs.com/security_clearance_faq.pdf

More information about the cryptography mailing list