Armed Conflict Criminal Justice & the Rule of Law Terrorism & Extremism

9/19 Session #5: On PKI, CAC, PGP, and Other Tech Talk

Wells Bennett
Thursday, September 19, 2013, 4:32 PM

The government will call its witnesses now, with respect to AE155---the defense motion to abate in light of IT problems.  Leading off is Brent Glover, head of DoD’s Washington Headquarters Services Identity Protection Management Team.  He describes his expertise and vocational duties briskly, all the while employing a blogger-bewildering battery of jargon and acronyms.  Suffice it to say, as the witness tells prosecutor Johanna Baltes, that Glover helps his client agencies---including the Military Commissions---ensure information security.

Published by The Lawfare Institute
in Cooperation With
Brookings

The government will call its witnesses now, with respect to AE155---the defense motion to abate in light of IT problems.  Leading off is Brent Glover, head of DoD’s Washington Headquarters Services Identity Protection Management Team.  He describes his expertise and vocational duties briskly, all the while employing a blogger-bewildering battery of jargon and acronyms.  Suffice it to say, as the witness tells prosecutor Johanna Baltes, that Glover helps his client agencies---including the Military Commissions---ensure information security.  This encompasses what Glover calls “PKI,” or public key infrastructure.  The DoD uses this to keep its users’ email safe, among other things.

PKI, and Glover’s day-to-day work, involve various kinds of layered, electronic security.  Thus he might arrange for clients to employ asymmetric encryption---with one key made available to the outside world, and another available only to a particular user.  He also doles out and maintains the “common access cards” or “CACs” that defense employees and contractors must use, in order to access their DoD-issued computers.  Another security protocol, Glover tells Baltes, is “SSL,” or secure socket layering; banks use that, as do his DoD networks.  Baltes asks for more detail on encryption and email, which Glover happily supplies.  The body of a message is encrypted, along with attachments, but addressing information is not, he says.  And, Glover tells a curious court, only the intended recipient of an encrypted message can open it, by entering his or her private key. Your tech-primitives at Fort Meade’s CCTV hovel gradually can begin to discern how Glover’s jibberish will jibe with Baltes’s challenge to the defense’s motion---at least with regard to email.  Can one can send encrypted emails by means other than those Glover mentioned initially?  There are alternatives, yes.  Take “PGP,” or “Pretty Good Privacy.”  That by definition less than optimal approach blends something called symmetric encryption, and password protection.  (Glover agrees with Baltes’s suggestion here that it is a bad idea, to send an unencrypted email to a recipient, and then to advise him or her about an encrypted message that is soon to come.)  And when the court asks, Glover says that monitoring of computer work product is essentially cut off once a sender encrypts a message---again, save only addressing information.  He adds that if a workstation isn’t connected to DoD network, there isn’t a monitoring connection in play at all.  One could thus encrypt messages, save them in outboxes, and then link up to the network and send out sensitive emails. And one could not decrypt and email by means of an investigative search requests---something we’ve heard a lot about during the past few days.  The implication: lots of options available to security-minded defense counsel, so far as concerns email.   What about laptops?  These can be and are encrypted, by means of “Data at Rest” software.  It is a brick, Glover says, unless one unlocks by means of, among other things, CAC cards and user-specific keys.  Even Microsoft allows for password protection, too, Glover tells the prosecutor.  What about the loss of a password?  You’d be SOL then, says Glover, using the airborne term. Cross-examination follows, with David Nevin rising first.  He poses this hypothetical, one quite familiar to him: sending an email from within DoD, when connected to a DoD network, to someone outside of that network (as Nevin usually is, given his office’s location in distant Boise, Idaho).  The government, in its papers, claims that DoD IT is willing to explore the possibility of creating a secure, out-of-network communications regime.  Well, doesn’t that mean this capability doesn’t yet exist?  It does, Glover says: commercial vendors can issue certificates to civilians, worldwide.  And those certificates can be used to achieve the kind of security needed in Nevin’s (real) hypothetical.  Nevin clarifies that commercial availability doesn’t mean current use by the defense.  Glover continues: so long as Nevin doesn’t share his private encryption key---that used to unlock encrypted messages received---his communications should be safe.  NSA, he says, is the administering agency here, for CACs and private keys issued. Hold on there, partner: NSA?  A now visibly more interested Nevin presses Glover.  Yes, that agency can, with appropriate documentation, retrieve private encryption keys for defense-issued CACs.  Ummm...well you know that NSA’s primary mission is conducting surveillance of suspected enemies of our country?  For some reason the witness now wiggles, and denies being “aware” of what NSA’s primary mission is.  He won’t debate the NSA's work with Nevin.  But Nevin wants to do just that. How could NSA responsibly keep the keys to defense counsels’ CACs, given its professed interest in surveilling men like the accused?  Another balk, one that the court lets pass, as we segue to the next and most obvious topic: monitoring.  It’s not his expertise, but yes, Glover understands that some monitoring takes place of all DoD machines.  Encryption wouldn’t affect that, would it?  SSL tunnels could provide some protection, but generally a web address wouldn’t be shielded from monitoring, according to the witness.  News websites also would not be protected, Glover tells the military judge.  (Yes, Glover has read news reports of NSA’s encryption-beating capabilities, but these don’t alter his opinion about the safety of defense information.) The lawyer asks a few more questions, among other things about symmetric encryption.  Nevin can’t see how that arrangement can work, when counsels’ offices are often located miles away from one another.  Under these circumstances, the lawyers obviously must communicate the password to one another, if somebody forgets---but that's awfully hard, given Nevin's setup.  Glover dissembles a bit, but says he doesn’t recommend the symmetric approach in any case.  Nevin lastly asks about monitoring---about which Glover isn’t expert, and can answer in only general terms.  Glover thinks some materials, when added to encrypted databases, are initially entered in unencrypted---and thus visible to outsiders---form.  He adds that monitoring is automatic, at least until something triggers suspicion and calls for investigation by a person. Tech talk continues in just a moment, with further cross-examination from other defense counsel.

Wells C. Bennett was Managing Editor of Lawfare and a Fellow in National Security Law at the Brookings Institution. Before coming to Brookings, he was an Associate at Arnold & Porter LLP.

Subscribe to Lawfare