[Image: unmodified image of the Capitol from the western side, by Martin Falbisoner, licensed CC BY-SA 3.0 obtained from Wikipedia.]
Published 2023-04-17 (following a limited distribution the day before)
Penetrating the Bureaucracy
George made himself a cup of tea. He wandered back to his study growing increasingly certain that the problem was not the airman who uploaded the TS//SCI information for his little group, but the fact that he could get it. His wife, Tess, came to join him in his study. Seeing his brow she remarked "You're thinking about those leaks again, aren't you?"
"Yeah. I keep thinking that we're lucky that he wasn't working for anyone else. How the hell could he get his hands on that intel product? Something must be seriously wrong. The leaks are only partly his fault."
"George, do you really want to take this on?"
At this moment, their grandson pokes his head around the door. "Grandma, there's a meet at the Linux Group Hacker Space tonight from 7 to 8. Can I go?"
"I suppose I could drop you off."
"No need, I'll take my bike. Its a 10 minute ride. I'll call if there's any problem, and yes, I'll wear my helmet."
"Okay, but you call me when you get there and when you are going to leave. And use your lights."
"Y"
"Hang on, Zac. You've heard of 'penetration testing', right?" interrupts George.
"Suuuure."
"I need to speak to some people who know about information security and pen testing. They need to be over 40 years old. I'm talking greybeards, legends. Zac, would you do a little research for me? Ask around at the meet. Get me some names, including real names or hacker names and where they are currently working or have recently worked. Can you do that for me?"
"I'll try. Whats up?"
"Its these leaks. You do the research. Find me some good names and I'll let you know."
"Alright. I might need to stay a little after the event. So, would 8:40 be okay Grandma?"
"Yes. But remember to call on arrival and before departure."
"Got it." says Zac as he leaves with a puzzled smile.
"George?"
"Just looking for some independent opinion. Remember when the DoD invited me out to some exhibition they were having with all those DARPA projects? I was introduced to a guy who seemed to be revered. Seemed nice. Civies. Obviously not military. There was lots of tech talk which I didn't get, but the term I remember is Linux. There was a lot of talk about Cyber Security at the time and it seems to me that this is the problem we've got with these leaks. Its not the airman, its the security that's the problem. And it was there they were talking about 'pen testing'. As I recall, its a bit like war games. One team attempts to get through the other team's defenses.
I figure that until we know the state of the defenses of our sensitive information we'll be listening to 'experts' selling us solutions which we wont even know will fix the problem. I've just got a hunch."
"You and your hunches usually turn out to be more excitement that they're worth."
"Ooooh, Tess. I can delegate this, but I have to begin it first."
-=-
"Grandpa?"
"Zac! Did you have fun at the meet?"
"Yeah. Plenty of new gear. Saw Johnny and Bill, and that girl Flea was there too. But the real fun was with the guys hacking Arduino's and Pi's making little robots with light sensors and microphones and actuators. Not walking or anything, but responding to the environment. Like you could shine a light at this little thing and it would log a light change over the internet. Anyway, lots of fun stuff like that."
Zac puts on a serious voice, "Remember, George, when you're flashing an Arduino its got nothing to do with your clothes or the lights. You’re updating the firmware!"
"Hmm Hmmm. How did you go with the research?"
"Good. I spoke to Phil, the old guy who runs the space. He was with a friend. I asked about greybeards, hackers and pen testing like you asked. They got all reminiscent and talked for a while. I asked, like you said, names or hacker names and last place of employment, contact details. They asked what it was about. I said I didn't know but it had something to do with the leaks. Phil wrote this for you. There's a few names, but at the end Phil said "Get the Senator to contact DARPA and ask them to find Mudge. Who's Mudge?"
"I don't know, Zac, but I'll let you know when I do."
-=-
Three weeks later George calls Zac.
"Zac, how's your Mum?"
"She's okay. Busy as usual."
"Yeah, that's why I'm asking you. What about school? Tell me about your teachers."
"Well, math is okay. He's alright. Its easy so far. We got this young guy, Mr Lidsworth, for English, and check this, we're reading "I, Robot" by Asimov! For Physics we've got Ms Farnsdale who seems okay. We're doing the thing with balls rolling down a track. We got a video camera and a strobe light and used balls of different sizes. Now we've got to graph it. But it was a pretty cool experiment, apart from the idiots who started posing in the strobe. In geography we're doing 'human geography' which sounds dumb to me. But the teacher was pretty serious when he told us that human geographers are critically important to government decision making and policy. Is that true?"
"Yes, Zac, it is. At Congress we have the congressional research service. Whatever we want to know, we ask them to find out for us. They contact universities and other bodies to find the answers. When policy will change things in an area where people live we need to know what that change will look like. To do that you need to know how things are now, and that is where the human geographers come in, and the census and lots of other data.
"Zac, I said I'd tell you more about what we're going to do about the leaks if you did good research, didn't I? Well, next time you go to the Hacker Space, will you take one of the cards I gave you and give it to Phil and send him my thanks. I also said I'd tell you about Mudge. You're coming to lunch on Sunday, aren't you? I'll tell you then. And you can tell me about any new classmates too."
-=-
Following Sunday lunch George and Zac take Palo for a walk.
"So, who's Mudge?"
"He's exactly what I asked you for, a respected greybeard hacker. I asked one of my aids to look him up and related hacker history. He was your age when PC's first arrived on the scene. You could say he's a second generation hacker. Did you know that the term has an older, original meaning?"
"Yeah, Phil was talking about that. Something to do with playful creativity. Like bending the rules."
"Indeed. There's another hacker of the preceding era who you should probably know about too. Have you heard of Richard Stallman?"
"No. Is he related to Mudge?"
"Not really. Stallman was about 20 years older, but they were both in the same area when Mudge was growing up, Massachusetts. Stallman invented the GNU Public License without which there would be no Linux. Actually, his GNU project wrote most of the software for the earliest versions of Linux, or GNU/Linux. But the license was a hack. He used copyright law to prevent works being copyrighted. He called it copyleft."
"Copyleft?"
"The old hackers loved to play with words. Mudge worked on computer security. I suppose you could call him the grandfather of the meaning of the modern term. How to break programs and gain access to systems, and thus how to defend against these types of attacks. I think the term is greyhat. In the end he spent a while working with DARPA. So, I had a chat with him and was beginning to let him know what I was interested in. He stopped me, and asked me to install Signal. Remember my aid, John? He checked it out and installed it and I got back to Mudge and gave him the run down. He got back to me with two lists, one of which is a list of people of his era who he respects and the other is a list of companies working in Cyber Security which he believes do good work and have the professionalism and approval to participate in the security audit which I hope to arrange. Now, you don't tell anyone about this, okay? Either I'll be able to get this happening or I wont. After that, I'll tell you more about it and then you can tell anyone you want. Deal?"
"How long?"
"I'm not sure. 3 to 6 months, I think. Maybe longer. Hey, there's a good stick, lets give Palo a bit of a run."
Months later, George and Zac head off with Palo along the same path.
"Can I tell people now?"
"Not yet, but we're getting there. Would you like to know a little more?"
"Is there any good stuff?"
"Yes, a bit, but you have to keep your lips sealed for a while longer."
"Yessir, a Senator's grandson must be reliable", replies Zac in a fake formal voice.
"Okay, so I asked Janine on the Armed Services Committee to insert an agenda item and ask General Henkel to attend with a representative for military information security. I'd asked Mudge to let me know who was reliable and knew the military jargon and standard evasion tactics. So, we invited him too. His name is not important. Let’s call him Mr. X. Janine was brilliant. When it was my turn she informed the General and his aids that we would be asking about information security and we'd need to move into closed session, which we did. When everyone was seated I had Mr. X come in and walk past Henkel and his aids. You should have seen the looks on their faces. It was very subtle on Henkel, but I know a look of repressed anger when I see it.
You see, we'd prepared the questions, and Mr. X had predicted their responses so I would ask Henkel or one of his aid's a question and based on the predicted response, I had in front of me the question to ask Mr. X to clarify the answer. He would then end his reply with a signal for the next question, which I had in front of me. We had them squirming and hopping for 20 minutes. We managed to get them to admit that they could not be certain that a restricted document of a certain classification would not be able to be accessed by a person with the equivalent clearance but who is not an intended recipient."
Zac throws George a combined look of puzzlement with ‘and?’
"I know that sounds a bit complicated, but its not. What it means is that they cannot be certain of the control of their information. The follow up question was, of course, how they would know if this had happened. Of course they waffled on about audits and so forth. Then I asked them at which point between December and March an audit had shown that this exact problem had occurred which caused the recent leaks? Of course, they said they would have to look up records and so forth.
So, on the good side, we know we have a problem and we have some idea what it is. On the bad side, they know we're coming. But, the good side far outweighs the bad. I have the admission I need to attempt to improve our information security."
"You're going to start making trouble again, aren't you Grandpa?"
"Yes, Zac, I think I am. And if I do, some people are not going to like that and will try to stop me or make things difficult, wont they?"
"I suppose so."
"So, what do we do before we do things that we think are important but are also probably going to annoy other people?"
"Think about if its a good idea?"
"Yes. We consider the risk and the potential benefit. Its often called a risk-reward analysis. Okay. So, the risk is that I get into trouble and maybe I get kicked out of the Congress. Actually, that might be a blessing, but lets leave that aside for now.
Lets think about the benefit. Lets use a game of football as an analogy. So, you know that the quarterback will signal to the team which play they are to execute. This can be done in various ways with verbal or hand signals. The whole team need to know which play is to be executed for it to work. What happens if the opposition knows what the signals mean?"
"Then they'll know the play."
"And ..."
"The play probably wont work."
"And if they know your signals and plans and you don't know their's, who wins the game?"
"They do."
"Exactly. So, lets put that into real world politics. We're country A and we want a trade deal with country B. But, country C could make the trade deal pretty bad if they knew we wanted to negotiate it with country B. So, here its important that the plans for the trade deal are unknown to country C. How do we make sure that country C doesn't know?"
"Don't tell them. Oh, I get it. They'll try to steal them. So that means you need to stop them from stealing them from us. And country B."
"Well done. You have spotted one of the most import parts of information security. To be useful information needs to be exchanged between parties and if it is sensitive you need to secure both parties and the manner of information exchange."
"Now, in war, if the enemy knows your plans, people die. Well, more people die. So, these are two real world examples highlighting the importance of information security for sensitive national information. I believe that our current information security is not good enough and we risk having our plans known by people we do not wish to share them with. So, the benefit is improved national information security and the risk is I get kicked out of Congress. Is the risk-reward good enough?"
"I dunno, Grandpa. Its pretty cool having you as a Senator. ... Okay, joking. I see your point. But isn't there more to this? Like, what is the chance of your success given the risk?"
"Zac, you are a clever young man. This is precisely the question. What if I told you that I will be retiring in a few years. This is very secret. Just between us, okay?"
"Yeah, just us. When?"
"That doesn't matter, what matters is that the risk is less, as I'll be retiring in a few years. I already have my pension so its not a big risk at all. So, is a small risk worth a small chance to gain a big reward?"
"Hm. That's a good way to look at it. Yeah. But it still depends on how small the chance is."
"Yes, Zac, it does, and that is for me to assess."
"See, I've been lucky. There's a young politician who has some principles and can also distinguish between when sticking to them matters or does not. The questions are, can one effect change which is an improvement, and what does it cost? The same types of questions we have been discussing. She has shown an aptitude for understanding risk-reward analysis. I've been around long enough, and am looking forward to retiring. But, I've got three years left and enough support to achieve this so long as I take the risk. It doesn’t look like anyone else will. I think its worth it. I've also got a trick or two up my sleeve, one of which is a prominent independent journalist who agrees that its worth a shot."
-=-
It took George all of those three years to see the penetration testing audit begin. He had to burn political capital and in doing so trade away some of his legacy. But his resolve was firm.
When he was being challenged about the cost he would ask "What is more valuable, a Destroyer or your adversary being unaware of your plans?" It clearly cleaved the patriotic from the sycophantic and avaricious.
He called in favors from marketers and advertisers to craft slogans for moments of confrontation. His connection with veterans affairs gave him rallies calling for securing military intelligence, for these people knew the consequences of plans revealed. His journalist ally deftly dismantled pathetic character assassination attempts. His as yet unannounced replacement worked carefully to support the campaign at key and strategically safe moments to raise her profile.
George knew he would be retired when the pen testing audit came out, and it would be yet another Senate report with a public summary which represented but 2% of specific conclusions reached. It would be his replacement's job to see it through, and she would need allies. He worked to help her gather them. He had done what he could, and got the ball rolling. It was up to the next generation to see it through. Although some of that burnt capital caused some enmity in sections of his party, there were still a few who would come to visit and consult on strategy for other changes worth the risk.
It took Zac quite some years to gain a fuller understanding of the number of moving parts which needed to be managed just to get the ball rolling for the campaign he'd played a small role in helping his grandfather launch.
It was the walks he fondly remembered. And Palo.
Copyright and Licensing
This work is copyright to the blog's author with CC BY-SA 4.0 licensing. Have fun, reuse, remix etc. but give credit and place no further restrictions. Let’s build culture.