April 4, 2018
Author: Scott Marshall
Those who are broadly aware of the field of information security would know of the CIA Triad. The three components that represent the pillars of information security—those being confidentiality, integrity and availability.
Confidentiality in a military context (and in some circumstances, commercial contexts) can be broken down into two sub-categories—confidentiality and secrecy.
Most privacy information comes under the sub-category of confidentiality. That sub-category can be defined as information of which a threat actor is aware, but cannot gain intimate knowledge of.
Secrecy, on the other hand, means that a threat actor is unaware the information even exists. In a military context this may relate to specific capabilities or plans of action that are sensitive enough that you don’t want anyone without a “need-to-know” to be aware of its existence.
There are two definitions you should be aware of when considering secrecy vs confidentiality. These definitions come from the Australian Signal Directorate Information Security Manual.
“Need to know. The principle to restrict an individual’s access to only the information that they require to fulfil their role.”
So, what is the ASD definition of access?
“Access. Ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information a system contains or to control system components and functions.”
The bolding here highlights that in some military contexts, users should only gain knowledge of the information a system contains (secrecy).
So, should users be prevented from gaining knowledge about the existence of information that an originator has decided they don’t need for their work? In practicality it comes down to the originator. To assist in increasing availability to key decision makers, should they see the title of a document that contains information they don’t have a need-to-know about, as the originator understands it, or should it be blocked in total?
At the end of the day, unfortunately, there isn’t a simple answer. Having spoken to people on both sides of the fence, some insist all military information should be exempt from secrecy— while others say everything should be secret. Like most questions in life, the answer lies somewhere in the middle— and an experienced secure information manager can assist with ‘drawing the line’
Experience tells us that many of those arguments stem from technical limitations in technical solutions rather than good information management. Don’t let your technical solution drive whether information is protected to respect confidentiality vs secrecy.
Scott Marshall is the Mission Systems & Information Security Technical Lead at Pacific Aerospace Consulting. Pacific Aerospace Consulting assists Government and Industry clients from the US and Australia with security accreditation and compliance as required by the US and Australian Governments.