30 October 1999
To: ukcrypto@maillist.ox.ac.uk
Subject: The Evils of MLS (Was: Another online service misleads)
Date: Sat, 30 Oct 1999 10:05:49 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
> Is Joe Public able to grade information? A lot of effort goes into
> this in the civil service and related parts of industry. Organisations
> like the health service seem to only recently have come to grasp the
> concept, most industry has still to grasp the concept.
Classifying information the way the civil service does - top secret, secret, confidential and so on - is usually a grievous error.
An attempt was made to impose it on the NHS. The proposed system would have had highly sensitive data, such as AIDS databases, at secret; ordinary patient records at confidential; administrative data such as prescriptions at restricted; and libraries as unclassified.
This fails immediately:
* at what level do you classify a prescription for AZT? It's a prescription, so it's only restricted, but it identifies an HIV sufferer so it's secret!
* at present we can live with the risk that follows from a GP's receptionist having access to the 5,000 records in the average surgery. But once all systems are computerised and all practices are on the NHS network, what mechanisms will prevent every one of the receptionists who work for Britain's 37,000 GPs from having access to the records of all 56,000,000 patients?
"Multilevel security", as the civil service approach is called, has failed even in the intelligence community, which spawned it and still tries to impose it on everyone else. In environments such as the CIA, it's meant that everyone needed a "top secret" clearance to even work as a cleaner; but once you had this clearance you could order pretty much whatever you wanted. The Ames and Pollard cases made this clear even to senior management. Yet they keep on trying. One paper from DERA at a NATO conference in Washington I attended early this week was called something like "Multilevel Security - Refloating the Titanic"!
What most commercial organisations (and the NHS) use, and what governments ought to use, is `compartmented security' - each department / ward / warship / whatever keeps its information to itself, and sharing information depends on clearly stated rules which usually flow from the sharer's job role rather than the nature of the information. Crudely put, doctors can share information even on HIV cases, but nurses can't share data even on flu cases except in the direct line of duty and coding clerks can't share anything ever. For more, see www.cl.cam.ac.uk/~rja14/#Med.
Why does the DTI keep on trying to push "multilevel security" in their promotions to industry? I suspect the real attraction to Nigel and friends is that it reflects the `wiretap-ready' view of the world. If a system is designed so that information flows up from Low to High but nothing flows back down, then Low can't tell which of his files High is reading (otherwise a bad person at High could use this as a covert channel to signal down to Low). On the other hand, a hospital whose systems only allow you to access the records of a patient in ward 4 if you're logged into a terminal there using the ID of a doctor or nurse on rota there, would frustrate "law enforcement access" as well as casual snooping on celebrity patients.
Thankfully, multilevel security has turned out to be a complete non-starter technically. For example, if you are logged on to a CAD system at secret, and a top secret user fires up the same app, then the typical "multilevel secure" operating system will upgrade the licence server to top secret - and you get thrown off the system. Another example is naming - give a Low file the same name as an existing High one and things start to fall apart (if the attempt is rejected, then Low knows there's a High file by that name).
The inappropriateness and unworkability of multilevel secure systems may be a small spark of liberty; we just have to figure out what sort of tinder to put on it and which direction to blow :-)
Ross
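The contrast the post draws, as an added example that is not part of the original message: a toy multilevel store in Python that exhibits the naming leak (a refused create tells Low that a file it cannot read exists) and the "one clearance reaches every record at that level" scaling problem, next to a compartmented policy in which access is keyed to job role, ward rota and terminal location rather than to a label on the record. All levels, wards, rotas, user names and patient identifiers below are constructed; reading "direct line of duty" for a nurse as "the recipient is on the same ward's rota" is an assumption made for the example.

```python
"""Toy comparison of a multilevel (Bell-LaPadula style) policy with a
compartmented, role-based one.  Added example, not from the original post;
every level, ward, rota, user and patient below is constructed."""
from dataclasses import dataclass

# ---------- Part 1: multilevel security over a total order of levels ----------
LEVELS = ("unclassified", "restricted", "confidential", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(a, b):
    """True if level a is at least as high as level b."""
    return RANK[a] >= RANK[b]


class MLSStore:
    """One shared namespace of files, each stamped with a single level."""

    def __init__(self):
        self.files = {}  # file name -> level

    def read(self, subject_level, name):
        # A file above the reader's level is reported as absent, not as
        # forbidden, so the read path itself reveals nothing about High.
        level = self.files.get(name)
        if level is None or not dominates(subject_level, level):
            return "ENOENT"
        return "OK"

    def create(self, subject_level, name):
        # Refusing a clash is the naming problem from the post: the refusal
        # tells Low that a file it cannot see exists.  (Keeping two files
        # under one name instead is what makes applications fall apart.)
        if name in self.files:
            return "EEXIST"
        self.files[name] = subject_level
        return "OK"


def probe_for_hidden_file(store, name):
    """What an 'unclassified' subject learns about `name` via create()."""
    if store.read("unclassified", name) == "OK":
        return "visible"
    return "hidden file exists" if store.create("unclassified", name) == "EEXIST" else "no such file"


def mls_readable_records(subject_level, records):
    """Under MLS a clearance reaches every record at or below it, wherever it
    lives: 'confidential' reaches all confidential patient records."""
    return {pid for pid, level in records.items() if dominates(subject_level, level)}


# ---------- Part 2: compartmented, role-based access to patient records ----------
# Constructed data: which ward each patient is on, and who is on each rota.
PATIENT_WARD = {"P1": "ward 4", "P2": "ward 4", "P3": "ward 7"}
ROTA = {"ward 4": {"dr_a", "nurse_b", "clerk_e"}, "ward 7": {"dr_c", "nurse_d"}}
ROLE = {"dr_a": "doctor", "nurse_b": "nurse", "clerk_e": "coding clerk",
        "dr_c": "doctor", "nurse_d": "nurse"}


@dataclass(frozen=True)
class Request:
    user: str
    terminal_ward: str   # where the session is physically logged in
    patient: str
    action: str          # "read" or "share"
    recipient: str = ""  # for "share": who receives the data


def compartment_decide(req):
    """'allow' or 'deny', from rules keyed to the user's role and duty roster,
    not to a sensitivity label on the record."""
    ward = PATIENT_WARD[req.patient]
    on_rota = req.user in ROTA.get(ward, set())
    role = ROLE[req.user]
    if req.action == "read":
        # Reachable only from a terminal on the patient's ward, by a doctor
        # or nurse who is on that ward's rota.
        ok = on_rota and req.terminal_ward == ward and role in ("doctor", "nurse")
        return "allow" if ok else "deny"
    if req.action == "share":
        if role == "coding clerk":
            return "deny"                        # clerks never share anything
        if role == "doctor":
            return "allow" if on_rota else "deny"
        # Assumption: a nurse's "direct line of duty" means the recipient is
        # on the same ward's rota as the nurse.
        if role == "nurse":
            return "allow" if on_rota and req.recipient in ROTA[ward] else "deny"
    return "deny"


def compartment_readable_records(user, terminal_ward):
    """Records a user can reach: bounded by the ward compartment, however many
    wards or practices are joined onto the same network."""
    return {pid for pid in PATIENT_WARD
            if compartment_decide(Request(user, terminal_ward, pid, "read")) == "allow"}
```

Running `probe_for_hidden_file` against a store holding a "secret" file shows the one-bit leak even though `read` faithfully returns ENOENT for it; `compartment_readable_records("nurse_b", "ward 4")` stays at the two ward 4 patients no matter how many more wards are added to `PATIENT_WARD`, whereas `mls_readable_records("confidential", ...)` grows with every confidential record on the network.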