What IT Security?

Authored by Karl Denninger via Market-Ticker.org,

Oh boy….

President Donald Trump revealed that a staffer with national security advisor Mike Waltz’s office included the editor-in-chief of the Atlantic in a Signal group chat with senior Trump officials who were discussing plans for an upcoming strike on Houthi rebels in Yemen.

“It was one of Michael’s people on the phone. A staffer had his number on there,” Trump told NBC in a phone interview when asked how Jeffrey Goldberg, the Atlantic’s editor-in-chief, was added to the high-profile chat.

Who was the person with zero IT security expertise that had people in the DOD and NatSec part of the government using anything other than their own infrastructure for such things?

There’s utterly no reason to ever trust any external system for sensitive information internal to the government.

Ever.

Let’s say, for example, I send you an email.  I typically “sign” them.  By doing this the email has included both an attestation that it has not been altered, as otherwise the signature will not validate, and my public key.

Now if your computer has a trust chain to verify that — and I publish that, by the way (so it can validate that public key is good) then you can now send me an encrypted message.  Once you do so not even you can read it — only I can, because I’m the only one with the other half of the key.

With me so far?

Now let’s say we start up a conversation and we have ten people in there.  I send an encrypted message to all ten. What I actually send is ten messages because each person’s public key is different and again, each of them are the only people with the other half of it.  So far so good.  They each get it, they can decode it, but not the copy sent to anyone else — and since I signed it if that signature verifies they know it hasn’t been tampered with in transit.

But in this case, since you care about the integrity of who can be a part of conversations generally, all transmissions go through the government’s infrastructure.  The government, incidentally, already has the PKI infrastructure (issuing certificates, attesting to them, etc. — this is part of, but not all of, how a CAC card works) to do all this.

Thus when you send the message the server — which is a DOD/NatSec server — is the machine that processes it.  Because a public key is in fact public it knows who the message is going to (all of the recipients) and whether the DOD/NatSec servers issued the certificates involved and to whom.

The server cannot see the unencrypted contents of the message as only the recipient of each transmission has the private key required to decode it – but it knows who its going to and their public certificate.  This means it can be set up to look at same and refuse to deliver a message if it is to someone who doesn’t have a DOD-issued certificate and, for example, the other people in the communication do; it could either embargo it (after all, there might be circumstances where this is legitimate) or alert someone that something hinky may be going on, throw it in the trash summarily, or some combination.

It can’t see the contents, but it can interdict the message before it ever leaves the DOD and identify who transmitted it because the machine that sent it is known.

In other words if you set things up properly, and run them properly, what happened can’t happen and if it is attempted, either by accident or malice, not only does it not work the person who did it gets busted if the transmission was not legitimate.

Yeah.

That.

Security of communications is supposed to be important…. right?

So why did CISA, which is an official government agency, recommend Signal specifically when it has no nexus within the government and thus, while it may be end-to-end encrypted (and not full of holes, which I can’t speak to since I’ve never looked at it in sufficient detail to have a valid opinion) it has no means of controlling who is in a chat nor to prevent anyone who might, whether through accident or malice, add someone unauthorized to a new or existing one and there is no means for the participants or organization to which they belong to vet who is in said chat.

You can have the best encryption on the planet — absolutely impossible to break — but if there is either someone foolish or malicious it is meaningless exactly as while you can have a fortified home or business if you leave the front door unlocked it matters not.

The entire reason you use a chain of trust and only allow entities known to have been authorized through that chain to be included in any sort of access regime is precisely this.  Humans are both fallible and, from time to time, corrupt.

Either is fatal to a security scheme and thus you must design in and insist on a control process to mitigate that risk.

We do not, at present, know if the breach here was due to stupidity (accident counts) or malice but what we do know is that CISA – an official government source – made a recommendation during the last Administration (so no, you can’t lay this one on Trump) to use infrastructure for allegedly “secure” communications that lacked any measure of control over human accident or malice in terms of recipient (and group) management.

This incident, beyond the actual person who added (or changed) the recipient so that reporter was in the list, is directly chargeable against CISA and their recommendation.  Since it is their job to put forward such standards for the government this is a fatal failure and every individual involved in that process, no matter how small their involvement, must be both publicly identified and expelled.  As there was apparently no classified data breached as a result of this criminal sanction is not appropriate — but permanent severance from any government employment now and in the future, along with summary and permanent revocation of any clearance held by said persons is not just advisable — it is mandatory.

Security is a process, not a product.