Subject: Re: GNU and classified software
From: Frank Hecker <frank@collab.net>
Date: Fri, 23 Mar 2001 21:16:33 -0500

"Karsten M. Self" wrote:
> on Fri, Mar 23, 2001 at 12:44:10PM -0800, Lucas Vogel (lvogel@exponent.com) wrote:
> > Can GNU tools be used in the creation/use/distribution of classified
> > software?
> 
> Define "classified software".  Are you talking about military/defense
> security classifications?

Yes, he was.

Disclaimer before proceeding further: I do have some level of familiarity
and experience with US government security clearances and classification
issues, but am by no means an expert on the subject.


>     Q: Do classified software requirements conflict with the GNU GPL?
>     A: I have no idea.  I don't know what the requirements or
>        regulations are.

Briefly: Information, including computer data and software, can be
classified at a given classification level within a hierarchical scheme
(e.g., Confidential, Secret, Top Secret, in increasing order), and then
within particular "compartments" (basically, topic areas) at a given
level. Access to information at a given classification level requires a
person to hold a clearance at that level or higher; thus, for example,
access to Secret data requires a Secret clearance or above. Access to
information within a given compartment requires "need to know" approval
for that compartment; thus a person with a Top Secret clearance might be
allowed to access data in compartment A but not in compartment B.

In theory information can move from lower classification levels to
higher levels but not the other way (at least, not without a formal
declassification procedure being followed). Thus, for example, if the
NSA took a CD containing publicly available GNU software, loaded the
software onto a system attached to a classified network, and modified
the software, then the resulting software would be classified (at
whatever level the network was at) and thus not publicly releasable.
(More correctly, the modifications could potentially be released, but
they'd have to be formally reviewed and declassified first.)

> I *do* know that the NSA has worked with GNU/Linux,

If you're referring to the "SE Linux" work, that's within a part of the
NSA that conducts unclassified research on operating system security.
The NSA Security Enhanced Linux code itself is not classified. (If it
were, it wouldn't be downloadable from the NSA web site :-) However I'm
sure there are also GNU/Linux systems deployed within NSA (and
potentially elsewhere within DoD and the US government) within
classified environments.

Frank
-- 
Frank Hecker            work: http://www.collab.net/
frank@collab.net        home: http://www.hecker.org/
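
The level-and-compartment rules described in the message above, as an added example that is not part of the original post. The "Unclassified" level for public software, the Label type, and all function and sample names are assumptions made for illustration; formal declassification is not modeled.

```python
from dataclasses import dataclass

# Levels in increasing order, as listed in the message. "Unclassified" is an
# assumed bottom level standing in for publicly available material.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """Hypothetical security label: one level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # At or above the other level AND covering every one of its compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_access(clearance, data):
    # Clearance at that level or higher, plus need-to-know for each compartment.
    return clearance.dominates(data)


def can_flow(src, dst):
    # Information may move to an equal or higher label, never to a lower one.
    return dst.dominates(src)


def join(a, b):
    # Label of anything derived from both inputs: higher level, all compartments.
    level = max(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.compartments | b.compartments)


# Constructed sample labels (not real data).
person = Label("Top Secret", frozenset({"A"}))
data_a = Label("Secret", frozenset({"A"}))
data_b = Label("Secret", frozenset({"B"}))
public_cd = Label("Unclassified")
network = Label("Secret")

if __name__ == "__main__":
    print(can_access(person, data_a))   # compartment A: allowed
    print(can_access(person, data_b))   # compartment B: no need-to-know
    modified = join(public_cd, network)  # public software edited on the network
    print(modified.level, can_flow(modified, public_cd))
```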