A couple of lessons ago I mentioned the importance of identification and authentication, as well as the IAAA factors in access control. We now turn to the second "A" in that list: authorization.
Authorization has to do with the granting of rights, or privileges, or permissions. Authorization gives you the ability to perform certain functions that have been granted. Authorization has, actually, a great deal to do with this entire scandal.
First of all, none of the people involved in this, in any way, had authorization to be doing what they were doing. The sensitivity of the information being discussed in the chat meant that the Signal app, and the cell phones, should not have been used. The importance of the information meant that, if this information was to be discussed, it should have been discussed on channels that were much more secure than cell phones and the Signal app.
Additionally, there was the fact that somebody had enabled a setting that would have deleted all of the discussions after a week. This function should not have been enabled, since this was official government business, and the rules governing official government business mean that the information should have been retained for archiving, even if the information might not have been made available, possibly for decades to come. It still should have been archived, and submitted to the archives.
Then there was the adding of the reporter. Adding someone to such a discussion, discussing topics of such sensitivity and importance, should have undergone a formal process. Nobody, regardless of who they were, should have been added without the process being followed, and there being assurance that appropriate people were added to the discussion, and that nobody who was not authorized, and not an appropriate party to the discussion, would be added. There doesn't seem to have been any process in place. Even the creation of the chat channel itself could not have gone through appropriate processes, since the technology used for the discussion was not appropriate to the sensitivity of the information, and therefore would have been flagged had the proper process been followed.
(The auditing of the channel, and the recording of the discussions, on the part of the reporter was, itself, unauthorized. However, in this case, the reporter's actions were probably the least unauthorized of all of the activities of everyone involved with the entire scandal. Initially, the reporter felt that this was some kind of prank being played on him, or an attempt at disinformation. Given the importance of disinformation in modern politics, it is not surprising that the reporter, while not engaging with any of the discussions, still recorded them, in order to try and figure out what was going on, and, if possible, who was doing it. The reporter was not, of course, authorized to participate in, or even listen to, the chat. However, the indisputable verification of the reality of this channel, and the high probability that these were real discussions, by real members of the administration, didn't happen until the end. Having determined that this was a real communications channel, and that this was real, and very sensitive, military information that was being bandied about, the reporter thereupon left the channel. And wrote the story.)
Nobody authorized the creation of the chat channel. (And, apparently, it's not the only one.) Nobody authorized the use of these particular technologies for the discussion of information of this sensitivity. Nobody authorized the individuals involved in the chat channel to make exceptions to the policies and regulations that restricted the discussion of information on the unauthorized technologies and channels. There were appropriate channels which should have been used for the discussion of this level of information, and those channels were not used. The people who were involved in the discussion were all authorized to use those appropriate technologies and channels. If these discussions needed to be held (and we will discuss that in a subsequent episode of this series) then there were channels available. The use of cell phones, and Signal, was definitely not authorized, and not appropriate.
Next: "Security for ordinary folks": Lessons from Signalgate - 6 - Accountability