The following 17 December 2009 article by Steven Aftergood of Secrecy News features some highlights from a 16 December 2009 hearing of the House Homeland Security Subcommittee on Transportation Security on the ongoing problems caused by an accidental release of very sensitive security information by the Transportation Security Administration (TSA). Based on these highlights, it would appear that several members of Congress do not understand the difficulty of getting web sites (including AirSafeNews.com partner AirSafe.com) to remove a sensitive TSA procedures manual form the Internet. Additional notes,links, and commentary were added by AirSafeNews.com
After a Transportation Security Administration manual containing “sensitive security information” was inadvertently disclosed on a government website (see earlier AirSafeNews.com article), it was reposted on several non-governmental websites where it remains freely available. Asked what TSA intends to do about that, Acting TSA Administrator Gale D. Rossides told Congress that her agency does not have the legal authority to compel members of the public to remove sensitive TSA documents from their websites, though she wished that they would do so.
“Do the current regulations provide you a mechanism to keep individuals from reposting this information on other web sites?” asked Rep. Charles W. Dent (R-PA), at a December 16 hearing of the House Homeland Security Subcommittee on Transportation Security.
“No, sir, they do not,” Ms. Rossides replied. “We do not have any authority to ask non-government or non-DHS (Department of Homeland Security, which includes TSA) sites to take it down.”
“What action does TSA intend to take against those who are reposting this sensitive document that should not be in the public domain?” Rep. Dent persisted.
“Well, right now, there really isn’t any authoritative action we can take,” Ms. Rossides said. “Honestly, persons that have posted it, I would, you know, hope that out of their patriotic sense of duty to, you know, their fellow countrymen, they would take it down [1]. But honestly, I have no authority to direct them and order them to take it down.”
But Rep. Dent expressed his own indignation at the web sites that ignored the official control markings on the TSA manual. “To those who reposted this security information on the internet, you should share in the blame should security be breached as a result of this disclosure,” he said [2].
But the urgency of the need to restrict continued access to the leaked TSA manual seemed diminished by Ms. Rossides’ declared view that aviation security has not “been compromised or weakened because of this incident.” Furthermore, she said, that manual was now obsolete because “very significant changes” have been made to airline security policy since the manual was issued.
Ms. Rossides added that in order to prevent further inadvertent disclosures of the newest security measures, she was refusing to provide a hardcopy of the latest edition of the TSA security manual to Congress. “I just wanted to take the absolute measures to protect that information, and that’s why a hardcopy wouldn’t be presented,” she said [3].
Rep. Dent objected to this. “By refusing to give a document to this committee because of concern about a public disclosure, that’s implying that this subcommittee would disclose the document. And that’s what, I guess, troubles me the most.” He said he would press the issue.
Subcommittee chair Rep. Sheila Jackson-Lee (D-TX) said she would introduce legislation to bar contractors from access to “sensitive security information,” since contractors apparently were at fault in the inadvertent disclosure of the security manual. “It’ll be my legislative initiative to insist that contract employees not be used to handle sensitive security information, period,” she said [4].
Rep. James Himes (D-CT) asked whether TSA was examining who had downloaded the security manual.
“I believe that is part of what [the TSA Inspector General] is looking at,” Ms. Rossides said. “We do know — our CIO shop has done an initial review of who did download it and has it on their website — non-government, non-DHS websites. We do know that.” [5]
Resources
Listen to a brief description of the TSA document controversy
Full TSA report
Redacted TSA report
TSA prohibited and restricted Items
TSA Statement from December 9, 2009
Original AirSafeNews.com article on this topic
Follow-up article on how to safely redact an electronic document
Visitor feedback on the TSA data release
NSA procedures for redacting a document
Microsoft advice for minimizing metadata in Word documents
Tools for removing hidden data from Government Computer News
Notes
[1] The creator of AirSafeNews.com and AirSafe.com, Dr. Todd Curtis believes that in this particular situation, that threat to public safety made by making the document freely available to the public is minimal, and the the higher patriotic duty is to make the public aware of the situation, including making the document available through AirSafeNews.com and AirSafe.com.
[2] Dr. Curtis has stated that this attitude is complete nonsense. Security was breached when TSA accidentally released the document, and by now any attempts to erase a document that is already widely available online would be at best futile.
[3] If you wish to have a hardcopy of either the redacted or unredacted version of the document, please visit 2009.airsafe.org, download the appropriate PDF file, and print out your own hard copy edition. There are no legal limitations to printing this document, which is in the public domain. Any security classifications on the document must be followed only by those who are legally required to do so, which would likely include any US government employee or members of the US military.
[4] Dr. Curtis hastens to point out that any contractors would have been overseen by US government employees. This member of Congress implies that contractors are not fit to handle sensitive security information, but a reasonable extension of this argument is that government employees are also not fit to handle such information.
[5] The TSA Inspector General is invited to contact AirSafeNews.com for a list of all those associated with publication of this web site who have downloaded this document. AirSafeNews.com will also willingly supply information on the number of downloads made from the server at AirSafe.com that contains this manual. As of 24 December 2009, that number is just under 7,000. Unfortunately, AirSafe.com's privacy policy prevents that site from tracking the destination of these downloads, so we can only provide the US government with general guidance on just how daunting any search for copies of this document will be.
Showing posts with label document. Show all posts
Showing posts with label document. Show all posts
25 December 2009
11 December 2009
Continued Fallout from TSA Release of Sensitive Security Information
Rep. Peter King of the US House of Representatives recently sent a letter to Secretary Janet Napolitano, head of the Department of Homeland Security (which oversees TSA), and among other requests asked DHS how it was addressing the repeated posting of the security manual on other web sites and "what legal actions, if any, could be taken to compel its removal."AirSafeNews.com is not one of those sites that has posted copies of the unredacted security manual. However, it has provided links to both the redacted and unredacted versions of the document that are hosted by its partner site AirSafe.com.
However, by the time AirSafeNews.com first wrote about this document, it was already available in a wide variety of places, including major US media organizations like ABC News, and CBS News; and also at document sharing sites like Scribd.com. The document is also available at sites the specialize in releasing secret and restricted government and corporate documents such as Cryptome.com and Wikileaks.org. A search on Google or Bing would quickly reveal many other sites that have either the document or links to the document.
Even if all online copies were to disappear from the web tomorrow, it has likely already been downloaded millions of times around the world. The unredacted copy hosted at AirSafe.com was downloaded over 4,000 times in the first two days that it was available. The reality of the Internet is that it is an international enterprise, and no single nation, not even the United States, can eliminate access to a document. Once a document is available online, it is very, very difficult to make it unavailable online. Using legal means to remove the TSA document from the Internet would be at best an exercise in futility.
Survey Responses
Earlier this week, we put out a survey asking three questions about this latest TSA scandal. The survey in the article asked three questions, and 21 members of the AirSafe.com audience responded.
The the first question asked for a yes or no response. The second question had as response choices Yes, No, Maybe, and Other. The third question asked for a general response. The questions and their responses were as follows:
1. Did you download and review the TSA report?
Thirteen had downloaded the document, and eight did not.
2. Should the head of the TSA resign?
Nine believed that the head of the TSA should not resign, seven thought the head should resign, four said maybe, and one did not respond.
3. Tell Us What You Think About this Situation
The responses are included below with only slight editing for spelling and grammar:
- No-one should be exempted from screening now that we know who has been allowed in without a check.
- Whoever is in charge of the section responsible for dissemination of documents.
- It's unfortunate maybe the guy who didnt black out the areas correctly should resign.
- I do not care about very strict screening, it has to be, what matters to me is security.
- I downloaded the manual but did not review fully. Yes he should resign, same with the fellow that made the document public. TSA should learn from this and ensure they do not create additional work for themselves and avoidable delays for the rest of us at the airports.
- This was an accident; not so serious one, in my opinion.
- It puts the traveling public in danger.
- I think that if this is typical of how our government functions, then it's no wonder half of Americans have no faith in the ability of the government to run things like health care. Whoever is responsible for this error should be fired and steps should be taken to be sure this doesn't happen in the future. First of all they need a competent IT person to do this sort of thing.
- Absolutely unacceptable and sooooooo stupid!!
- Really? You people (presumably those behind AirSafeNews.com) are just feeding the fire and all of you who keep circulating this information should be tried as traitors to the US Constitution.
- Typical no-brainer attitude. Shouldn't try something unless you know what you are doing.
- I don't feel safer.
- Use it to prevent other occurrences...firing only encourages cover ups.
- The responsible employee should resign.
Related Articles
TSA Releases Extremely Sensitive Security Information Online
How the TSA Could Have Easily Avoided Its Recent Security Problem
Resources
Full TSA report
Redacted TSA report
TSA prohibited and restricted Items
TSA Statement from December 9, 2009
Original AirSafeNews.com article on this topic
NSA procedures for redacting a document
Microsoft advice for minimizing metadata in Word documents
Tools for removing hidden data from Government Computer News
Photo: gregoryjameswalsh
10 December 2009
How the TSA Could Have Easily Avoided Its Recent Security Problem
The recent controversy over the accidental release of extremely sensitive security information by the TSA has been a huge embarrassment to the agency, and very likely revealed details about the TSA security process that could make it easier for individuals or groups to bring prohibited items into the secure areas of airport terminal or onto aircraft. It would also make it easier for someone to take steps to avoid extra screening at the airport.
TSA Problem Was Completely Avoidable
One step that the TSA reportedly took, putting five employees and contractors involved in the document release on administrative leave, may have only involved those who were responsible for preparing and releasing the document. Perhaps a more important issue is whether this problem could have been avoided. It is very likely that the problem was not only avoidable, but specific step-by-step procedures to avoid this kind of problem have been widely available to the US government for several years.
According to an article in Federal Computer Week, over the last few years, the US military in Iraq, the White House, and the US Department of Justice have all had similar situations where a improperly redacted document was released to the public, and the sensitive information within those documents were later uncovered.
In wake of those events, the National Security Agency (NSA) issued guidance to US federal agencies that included detailed instructions on how to process a word processing document in such a way that any sensitive information would be eliminated from the final PDF document. The report, titled “Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF,” has been freely available to the public for several years, and the instructions in that document could have been used by the TSA to avoid their recent embarrassing episode.
Highlights of the NSA Report
Word processing documents such as Microsoft Word contain many kinds of information such as text, graphics, tables, images, and metadata, and more. This complex combination of data makes it easy to accidentally expose information, especially when someone does not properly remove sensitive information before the document is released to the public.
Techniques that work with printed documents, such as blacking out an area of text or graphics, or reducing the size of a graphic, often do not work with electronic documents because the information is still contained within the document. Most word processing documents also contain hidden information such as comments or prior versions of the document, that may also be very sensitive.
The NSA's document had very clear instructions that anyone could use to take an MS Word file or just about any other kind of word processing file and systematically remove any sensitive content, including metadata, before creating a PDF file for public distribution. Let's hope that the TSA has the good sense to follow the NSA's procedures, or something like it, the next time they redact a document.
Related Articles
TSA Releases Extremely Sensitive Security Information Online
Continued Fallout from TSA Release of Sensitive Security Information
Resources
Full TSA report
Redacted TSA report
TSA prohibited and restricted Items
TSA Statement from December 9, 2009
Original AirSafeNews.com article on this topic
NSA procedures for redacting a document
Microsoft advice for minimizing metadata in Word documents
Tools for removing hidden data from Government Computer News
TSA Problem Was Completely Avoidable
One step that the TSA reportedly took, putting five employees and contractors involved in the document release on administrative leave, may have only involved those who were responsible for preparing and releasing the document. Perhaps a more important issue is whether this problem could have been avoided. It is very likely that the problem was not only avoidable, but specific step-by-step procedures to avoid this kind of problem have been widely available to the US government for several years.
According to an article in Federal Computer Week, over the last few years, the US military in Iraq, the White House, and the US Department of Justice have all had similar situations where a improperly redacted document was released to the public, and the sensitive information within those documents were later uncovered.
In wake of those events, the National Security Agency (NSA) issued guidance to US federal agencies that included detailed instructions on how to process a word processing document in such a way that any sensitive information would be eliminated from the final PDF document. The report, titled “Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF,” has been freely available to the public for several years, and the instructions in that document could have been used by the TSA to avoid their recent embarrassing episode.
Highlights of the NSA Report
Word processing documents such as Microsoft Word contain many kinds of information such as text, graphics, tables, images, and metadata, and more. This complex combination of data makes it easy to accidentally expose information, especially when someone does not properly remove sensitive information before the document is released to the public.
Techniques that work with printed documents, such as blacking out an area of text or graphics, or reducing the size of a graphic, often do not work with electronic documents because the information is still contained within the document. Most word processing documents also contain hidden information such as comments or prior versions of the document, that may also be very sensitive.
The NSA's document had very clear instructions that anyone could use to take an MS Word file or just about any other kind of word processing file and systematically remove any sensitive content, including metadata, before creating a PDF file for public distribution. Let's hope that the TSA has the good sense to follow the NSA's procedures, or something like it, the next time they redact a document.
Related Articles
TSA Releases Extremely Sensitive Security Information Online
Continued Fallout from TSA Release of Sensitive Security Information
Resources
Full TSA report
Redacted TSA report
TSA prohibited and restricted Items
TSA Statement from December 9, 2009
Original AirSafeNews.com article on this topic
NSA procedures for redacting a document
Microsoft advice for minimizing metadata in Word documents
Tools for removing hidden data from Government Computer News
Subscribe to:
Posts (Atom)
