"The total NSA Security Program extends beyond these regulations. Security begins as a state of mind." By Lorax
Of all the various acronymic government agenicies that soak up large amounts of our tax dollars, none are more mysterious than the National Security Agency (NSA). Charged with monitoring all telephone, radio, or data transmissions that could have an impact on national security, the NSA's very existence was officially denied until recently.
So when a member of slack's tireless investigative team laid a document entitled "NSA Employee Security Handbook" on my desk, I was justifiably skeptical about its origins.
"Where the hell did you get this," I asked, straining my ears for any approaching sirens.
"It was posted on the internet," chirped our info-gopher, beaming like he'd just found a particularly meaty walnut. "Hey, I didn't steal it or anything!" The propeller on top of his beanie hat spun fiercely as he became agitated at the suggestion, and stormed out of the room.
After reading the electronic messages which accompanied the document, carrying the designation "FOR OFFICIAL USE ONLY", I began to believe it was authentic. It seems that a copy of the manual made its semi-public debut in Phrack magazine, an electronic "hacker" periodical that's been distributed via the internet for many years, and has been in warm water more than once for publishing sensitive material.
As I pulled the shades and unplugged the telephone, I quickly skimmed the first few paragraphs:
"At times, security practices and procedures cause personal inconvenience. They take time and effort and on occasion may make it necessary for you to voluntarily forego some of your usual personal prerogatives..."
I realized that I was finally going to find out 'who watches the watchmen...'
Although the government no longer denies the existence of the NSA, NSA employees aren't supposed to let people outside their immediate family know where they work unless absolutely necessary. The manual states:
"Should strangers or casual acquaintances question you about your place of employment, an appropriate reply would be that you work for the Department of Defense...Do not act mysteriously about your employment, as that would only succeed in drawing more attention to yourself."
The Agency suggests that its employees describe their jobs using very generic titles, like "research analyst" or "clerk" for positions described internally as "cryptanalyst" and "signals collection officer". By the way, that last title, "signals collection officer", is the guy wearing headphones taping our overseas calls.
After reading a bit further into the manual, I began to realize that almost half of the NSA's employees do nothing more that keep their secrets secret. Each office has a Staff Security Officer (SSO) who reports to the Office of Security (referred to by the Bond-like acronym "M55"). In addition, each department is assigned a Classification Advisory Officer (CAO) who does nothing but decide exactly HOW secret each secret is.
Near the top of this "plumber's pyramid" is the NSA/CSS Information Policy Division (or the more easily pronounced "Q43"). The Information Policy Division reviews ALL statements and documents released to the public by the NSA. (You can bet they're as busy as Maytag repairmen...) They are the people who cross out all that stuff in Freedom of Information Act-released material.
The Information Policy Division (Q43) also handles public relations. Boasting that "for the most part, public references to NSA are based upon educated guesses", the manual states, "If approached by the press, the best response is 'no comment'. You should then notify Q43 of the attempted inquiry." They will presumably call the nosy parker on the telephone and state "No Comment," but that's just an educated guess...
NSA employees are told to use the weighty "NSA Classification Manual" (which is itself classified, of course) to determine the proper classification of any secret. Surprisingly, the NSA seems to use only three levels of classification, "Confidential", "Secret" and "Top Secret."
I suppose that unlike the White House, which has dozens of levels of classification like "Umbra" and "Ultra", almost everything about the NSA is so secret that it doesn't matter. When in doubt, personnel are supposed to ask their CAO or Q43.
In addition, there is a fourth category entitled "FOR OFFICIAL USE ONLY" (FOUO) [I'll bet there's a Department of Acronyms(DEPACRO) somewhere...] which is what the employee manual that landed on my desk was designated. According to the manual, FOUO-designated material "although unclassified, is exempt from the requirement of public disclosure concerning government activities, and should not be given general circulation. The unauthorized disclosure of information marked 'FOR OFFICIAL USE ONLY' does not constitute an unauthorized disclosure of classified defense information." I breathed a sigh of relief, as I realized I could actually print this stuff.
The manual cautions, "While you may take this handbook home for further study, remember that it does contain FOUO information which should be protected. Appropriate administrative action will be taken to determine responsibility and apply disciplinary measure in cases of unauthorized disclosure..." I wonder if some poor soul is currently trying to explain where he USED to work before he left his employee manual on the subway...
The manual states almost a dozen times, "your obligation to protect sensitive Agency information is a lifelong one." On the off chance that they're tired of being searched and X-rayed every day, NSA employees who wish to find jobs elsewhere must have their résumé approved by their Classification Advisory Officer, who among other things, will provide them with an unclassified job description guaranteed to look good, like "clerk."
"Former" NSA employees can forget about making a living writing about their glorious adventures breaking Taiwanese banking codes and aiming orbital telescopes. The manual states, "Even when you end your affiliation with NSA, you must submit any material for prepublication review."
"Vast amounts of information leave our facilities daily in the minds of NSA personnel and this is where our greatest vulnerability lies," warns the section on Personnel Security which lays out the "policies and guidelines governing employee conduct and activities."
If this manual is any indication, it seems that the NSA can't read minds yet. In order to safeguard that 'vast amount of information leaving the facility in the minds of NSA personnel,' they instead control who an NSA employee associates with after Close of Business, or "COB" (I'm not making these up).
"A policy concerning association with foreign nationals has been established by the Agency," and quite a policy it is. The manual states:
"You are prohibited from initiating or maintaining associations (regardless of the nature and degree) with citizens or officials of communist-controlled, or other countries which pose a significant threat to the security of the United States and its interests. A comprehensive list of these designated countries is available from your Staff Security Officer (SSO) or the Security Awareness Division (SAD)." This list of "threatening countries" is developed by the State Department and changes on a daily basis, according to the whims of geopolitics ("Damn, word just came down that we can't shop at that Pakistani-owned PDQ on the corner anymore...").
It's not just friendships with citizens of countries on the State Department's "bad boy" list that are prohibited. The manual states, "Close and continuing associations with any non-U.S. citizens which are characterized by ties of kinship, obligation, or affection are prohibited. A waiver to this policy may be granted only under the most exceptional circumstances where there is a truly compelling need for an individual's services or skills." ("Sorry Jacques, my boss says we aren't allowed to be friends.").
If an NSA employee even thinks about moving in with their Quebecois lover, they have to ask first. "Any intent to cohabitate or marry a non-U.S. citizen must be reported immediately to your Staff Security Officer (SSO). If a waiver is granted, future reassignments both at headquarters and overseas may be affected." I'd take that last sentence to mean they can kiss their career good-bye.
Not only are an NSA employee's personal relationships under scrutiny, but all of their family member's are as well. "The marriage or intended marriage of an immediate family member to a foreign national must also be reported through your SSO to the Clearance Division (M55)."
Even if their prospective bride, groom, or live-in is a U.S. citizen, they need to report this to the NSA's Office of Security with Form G1982 (Report of Marriage/Marital Status Change/Name Change). I'm not sure what happens if THEY fail the security checks.
If an NSA employee is put in the position of having a "foreign national" as a neighbor at home, the manual warns, "you should be careful not to allow these associations to become close and continuing to the extent that they are characterized by ties of kinship, obligation, or affection." ("But dear, my boss says I CAN'T borrow Gunter's hedge trimmer.")
In addition, NSA employees aren't supposed to initiate any correspondence with citizens of foreign countries, especially citizens of BAD countries as defined by the State Department.
Vacation trips abroad (known by the catchy term "Unofficial Foreign Travel" or UFT) can be far more trouble than they're worth if you work for the NSA. All "UFT's" must be approved in-depth by a variety of security-minded departments. A complete and detailed itinerary must be submitted 30 working days in advance on Form K2579 (Unofficial Foreign Travel Request, probably available from the Department of Forms and Procedures...) Not only is travel to BAD countries prohibited, but areas where citizens of BAD countries are known to frequent are verboten as well.
Oddly enough, travel to Canada, the Bahamas (home of the world's largest money-laundering banks), Bermuda (see note about the Bahamas) and Mexico (where Lee Harvey Oswald once visited the Soviet embassy) does not need to be approved in advance, although they still need to fill out Form K2579 after the fact.
The NSA isn't just paranoid about foreign citizens. After all, those who've recently immigrated to this country are often happier to be here than those who were born here. Anytime an NSA employee seeks to join a domestic Non-Governmental Organization (NGO), they must report through their Staff Security Officer (SSO) to the Clearance Division (M55), so that they have, "the opportunity to research the organization to assess any possible risk." In other words, if someone purporting to be a "clerk" with the "Department of Defense" wishes to join your community Lions Club, just turn them down if you don't want your phones tapped for a few months.
Don't bother trying to recruit them into GreenPeace either. The manual states, "in addition to exercising prudence in your choice of organizational affiliations, you should endeavor to avoid participating in public activities of a conspicuously controversial nature." I suppose that means the Great Midwest Marijuana Harvest Fest is clearly off-limits.
Although the NSA has comparatively few levels of secrecy for documents and materials, it makes up for it in the number of categories of people who are allowed to know those secrets, and where they are allowed to see them.
They don't call NSA headquarters "The Puzzle Palace" just because they break codes. According to the employee manual, "physical security safeguards include Security Protective Officers (i.e. guys with guns) fences, concrete barriers, Access Control Points, identification badges (the manual lists at least 8 different types), safes, and the compartmentalization of physical spaces."
In order to get to their office every morning, NSA employees need to open any number of security-locked doors with an Automatic Teller-like card and Personal Identification Number (PIN) system, and can expect to be searched several times when passing through various areas of the building.
The NSA is equipped with two phone systems. The gray phones, which are guaranteed to be secure, and the black phones, which are not. Any time someone picks up a black phone at the NSA, everybody in the room is supposed to stop talking immediately (they apparently know how easy it is to bug a phone). Of course, there's really no point in trying to get a pizza delivered to an NSA office anyway.
Things not to bring to work at the NSA include: carbon paper, computer disks, film (both new and exposed rolls), used typewriter ribbon, cameras, cellular telephones, transistor radios and portable televisions, laptop computers, audio or video tapes, remote control devices, pagers, and many obviously foolish items like firearms, explosives and illegal drugs.
Of course, as they leave work each day, NSA employees are subjected to the Mother of All Searches, so the manual advises, "the inconvenience can be considerably reduced if you keep to a minimum the number of personal articles that you remove from the Agency."
At home, NSA employees aren't supposed to talk about their work at all, even with cleared, fellow Agency members. Also, information acquired during the course of one's employment with the NSA "may not be mentioned directly, indirectly, or by suggestion in personal diaries, records, or memoirs." ("Dear Diary, Thursday, June 10th. Went to work. That's all I can tell you...")
As the National Security Agency's Employee Security Handbook states, it's the employee's state of mind that the Agency's concerned with.
Only the most naive would say that all of this security is unnecessary. As the manual warns "Throughout your NSA career you will become increasingly aware of the espionage and terrorist threat to the United States. There should be no doubt in your mind about the reality of these threats."
However, this dark glimpse into one of the most secretive institutions in world provides valuable information into the mindset of the NSA and its leadership.
After discovering the sort of scrutiny that NSA employees go through day in and day out, I now wonder if the privacy-abolishing policies NSA intends to inflict on the American people, such as the Clipper Chip and the Digital Telephony Act, seem very tame to them. Perhaps the leadership of the NSA looks forward to a day when everyone will have to fill out a Form G1982 to request permission to get married, just to be safe...
|
To be contacted for a confidential consultation please E-mail: jmatk@tscm.com
or send a letter via US Mail to:
or call:
URL: http://www.tscm.com/ |