The improperly redacted document that the Transportation Security Administration posted on the Internet demonstrates failure on many levels, but not all of the failures are the ones the press and congressional critics have been focusing on.
The document in question, which concerns airport security, was actually posted a relatively long time ago, as a PDF. Rather than removing sensitive information from the document, it was blacked over, which means all sorts of details that supposedly could help terrorists blow up airplanes were available to anyone who made the effort to look beyond what was visible on screen. Once this breach was reported to the world, members of Congress expressed their outrage, and the TSA put people on administrative leave. Well, I hope that means time off with pay, because I see little reason to punish those individuals.
Why am I defending the people involved? After all, you would think they would know better. Isn't it common sense that blacking out data still leaves the data there? Let me quote a phrase from my human factors days: "There is no common sense without common knowledge."
So, is there common knowledge that might have allowed the TSA employees to exercise common sense? I don't think so, and that is a problem with the Department of Homeland Security as a whole, not the individual employees.
You might expect the TSA employees to know that there is a lot of information in most documents that people don't necessarily realize is there. But this fact is sadly not realized even by some supposed computer security professionals. I recently worked on a case in which a person who works for a network forensics company sent out a PDF without realizing that the metadata in the file impugned him.
In my book, then, it's not so surprising that the TSA employees would run afoul of what you might think of as the anti-WYSIWYG. You remember that old term, "what you see is what you get"? It described word processors that printed what was displayed on the screen. Before that, you saw command language and hoped for the best when it printed. The problem is that what you see is not what you get in an electronic version of the file, and in this case, what the TSA people saw was black, which hid the black text on the screen. The text was still there, and it was easy to recover when someone finally decided to look for it.
There is a 2005 document from the National Security Agency that tells specifically how to redact data from a document. The document is pretty straightforward and easy to follow. The question is whether or not the people releasing the document knew about these NSA-recommended procedures. Clearly, the people releasing the document took some steps that had the intent of properly redacting data. Those steps were just wrong.
In researching this article, I could find no specific TSA or DHS requirement that the NSA redacting guidelines be followed. And if there are no specific guidelines, how can someone be faulted for not following them?
But let's take a leap of faith and say that there are requirements for TSA employees to follow. Then the question becomes whether or not the employees were informed of the procedures. Is there an organizational process in place that provides people who are responsible for redacting data the information about the appropriate technical redacting standards?
And there is a much larger issue to consider. Even assuming that an individual employee has been given the appropriate knowledge to properly redact information from documents, you still have to expect that there is 100% probability that someone will eventually make a mistake. Even the best people will screw up on occasion. Given the fact that the TSA has access to such sensitive data, there has to be a fail-safe in the release of any data.
The TSA, and all organizations for that matter, should have a final release authority that looks for exactly this sort of thing before posting any data to the Internet. This is especially true if it is derived from a sensitive document. It should not be left to individual TSA employees to figure out if they redacted all of the right information.
Sure, Congress wants heads to roll, and the DHS was happy to place five people on leave, which made it seem like it was taking action. But the real action that needs to be taken is for the DHS as a whole to review its overall processes for redacting information and related security practices. Just don't let the only action it takes be against five employees who failed to exercise common sense when they were not given common knowledge.
Unless the TSA and DHS as a whole have effective processes for educating their employees on technical procedures, and are also able to ensure that those procedures are followed, it is the security and management staffs who should be disciplined.
Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.
This story, "Expecting common sense at the TSA defies common sense" was originally published by Computerworld.