Interesting People mailing list archives
Re: [IP] demed export -- Security clearances, lie detectors, etc.
From: David Farber <dave () farber net>
Date: Sun, 4 May 2008 12:38:27 -0700
________________________________________
From: Eugene H. Spafford [spaf () mac com]
Sent: Sunday, May 04, 2008 11:49 AM
To: David P. Reed
Cc: David Farber; ip
Subject: Re: [IP] demed export -- Security clearances, lie detectors, etc.
On May 4, 2008, at 10:34 AM, David P. Reed wrote:
> My point could have been more clearly stated: There is NO scientific credibility to the methods used for security clearance, deciding how to limit people from accessing technology, or detecting "lies".
Difficult to run a double-blind experiment when any failure would result in catastrophic loss of sensitive information and possible loss of life. I don't know of any institutional review committee that would approve such an experiment! There is evidence that the system works. Lots of classified material does not leak out, and has not. The system uses feedback from failures to improve. It is generally good engineering rather than hard science because it has to operate within constraints and with unknown variables. Much of what is done is based on statistical and legal models. Your claim there is no credibility is polemic rather than accurate. The biggest objection that can be made is really one of being too conservative: the system is tuned to err on the side of false positives (reject access for qualified personnel) so as to minimize false negatives (grant access to possible traitors). Knowing where to set the points to allow more access and impose less classification is a problem, but not one easily amenable to science -- it involves understanding complexity of individual humans over (potentially) decades of time. And as noted above, if the system fails, the damage may be severe.
> The methods used by government to achieve these important goals are bogus, and most likely are due not to careful scientific evaluation, but to rank racism, prejudice, and ignorance, cloaked with a veil of reason/technology that gives them some credibility.
I'd be interested in whatever evidence you have that proves your claim that the current methods are "bogus" rather than imprecise. Every country in the world generally uses the same methods, and has for decades, if not centuries. It works. In fact, it is a more formalized system of what we do in companies, and in families -- we limit information to those people with a need-to-know and who we think are trustworthy. If the information is valuable, we limit who we tell it to, and consider what they might do with the information. If you are more willing to tell a family secret to your cousin rather than an unrelated stranger from another ethnic group selling drugs on the street corner, then is that "rank racism, prejudice and ignorance" or is it prudence? Is the system perfect? No. Can it be reduced to a precise scientific method? Heck no! People are involved -- people who may have different motivations over time. People whose emotions can get the better of them. People who change over time. People whose judgement may be clouded by alcohol, drugs, disease, or even ideology -- religious or political. Determining the likely risks ahead of time is based on statistical and psychological models, which are by their nature not precise. For example, suppose you had the plans for the US DOD defense of Taiwan in the event of a PRC attack. You give that to 1000 PRC citizens, 1000 US citizens with no criminal history, and 1000 people from the US with criminal histories of severe financial and drug problems. You tell them all that the plans are an important US secret, and they shouldn't be revealed to anyone else -- and especially not to anyone in the PRC government or military. After two years, would you expect the incidence of exposure across the 3 groups to be uniform? Would it be zero? Are your answers the result of "rank racism, prejudice and ignorance" or "scientific[ly] credible" experiments?
> I do share your concerns about the importance and relevance of bad actors in the world. But I'd ask that "security experts" police their own ranks first. Cast out the witchcraft and bullshit that has grown up in the field. Only Bruce Schneier has had the courage to make a serious start. The others seem to be afraid for the jobs and income.
This is rather dismissive of what others have done. Some of us have been trying for decades to make appropriate changes, often with quiet success. Not to diminish Bruce in any way, for he is an effective communicator, but some of the things he writes and talks about, others have done before him and he doesn't always cite their work. I do not know if your statement is based on anger, ignorance, hyperbole, or some combination of those, but its implications are incorrect.