Interesting People mailing list archives

Re: [IP] demed export -- Security clearances, lie detectors, etc.


From: David Farber <dave () farber net>
Date: Sun, 4 May 2008 12:38:27 -0700


________________________________________
From: Eugene H. Spafford [spaf () mac com]
Sent: Sunday, May 04, 2008 11:49 AM
To: David P. Reed
Cc: David Farber; ip
Subject: Re: [IP] demed export -- Security clearances, lie detectors, etc.

On May 4, 2008, at 10:34 AM, David P. Reed wrote:
> My point could have been more clearly stated:  There is NO
> scientific credibility to the methods used for security clearance,
> deciding how to limit people from accessing technology, or detecting
> "lies".

Difficult to run a double-blind experiment when any failure would
result in catastrophic loss of sensitive information and possible loss
of life.  I don't know of any institutional review committee that
would approve such an experiment!

There is evidence that the system works.  Lots of classified material
does not leak out, and has not.  The system uses feedback from
failures to improve.  It is generally good engineering rather than
hard science because it has to operate within constraints and with
unknown variables.  Much of what is done is based on statistical and
legal models.  Your claim there is no credibility is polemic rather
than accurate.

The biggest objection that can be made is really one of being too
conservative: the system is tuned to err on the side of false
positives (reject access for qualified personnel) so as to minimize
false negatives (grant access to possible traitors).  Knowing where to
set the points to allow more access and impose less classification is
a problem, but not one easily amenable to science -- it involves
understanding complexity of individual humans over (potentially)
decades of time.  And as noted above, if the system fails, the damage
may be severe.

> The methods used by government to achieve these important goals are
> bogus, and most likely are due not to careful scientific evaluation,
> but to rank racism, prejudice, and ignorance, cloaked with a veil of
> reason/technology that gives them some credibility.

I'd be interested in whatever evidence you have that proves your claim
that the current methods are "bogus" rather than imprecise.

Every country in the world generally uses the same methods, and has
for decades, if not centuries.  It works.  In fact, it is a more
formalized system of what we do in companies, and in families -- we
limit information to those people with a need-to-know and who we think
are trustworthy.  If the information is valuable, we limit who we tell
it to, and consider what they might do with the information.  If you
are more willing to tell a family secret to your cousin rather than an
unrelated stranger from another ethnic group selling drugs on the
street corner, then is that "rank racism, prejudice and ignorance" or
is it prudence?

Is the system perfect?  No.   Can it be reduced to a precise
scientific method?  Heck no!  People are involved -- people who may
have different motivations over time.  People whose emotions can get
the better of them.  People who change over time.  People whose
judgement may be clouded by alcohol, drugs, disease, or even ideology
-- religious or political. Determining the likely risks ahead of time
is based on statistical and psychological models, which are by their
nature not precise.

For example, suppose you had the plans for the US DOD defense of
Taiwan in the event of a PRC attack.  You give that to 1000 PRC
citizens, 1000 US citizens with no criminal history, and 1000 people
from the US with criminal histories of severe financial and drug
problems.  You tell them all that the plans are an important US
secret, and they shouldn't be revealed to anyone else -- and
especially not to anyone in the PRC government or military. After two
years, would you expect the incidence of exposure across the 3 groups
to be uniform?  Would it be zero?   Are your answers the result of
"rank racism, prejudice and ignorance" or "scientific[ly] credible"
experiments?


> I do share your concerns about the importance and relevance of bad
> actors in the world.  But I'd ask that "security experts" police
> their own ranks first.  Cast out the witchcraft and bullshit that
> has grown up in the field.  Only Bruce Schneier has had the courage
> to make a serious start.  The others seem to be afraid for the jobs
> and income.

This is rather dismissive of what others have done.  Some of us have
been trying for decades to make appropriate changes, often with quiet
success. Not to diminish Bruce in any way, for he is an effective
communicator, but some of the things he writes and talks about, others
have done before him and he doesn't always cite their work.  I do not
know if your statement is based on anger, ignorance, hyperbole, or
some combination of those, but its implications are incorrect.



