NSA urges use of better redaction methods
How-to guide aims to protect information from accidental exposure
- By Patience Wait
- Feb 16, 2006
A series of embarrassing and potentially damaging leaks of information throughout government has compelled the National Security Agency to give its users of common desktop applications in-depth guidance on redacting information in documents.
NSA is providing its employees step-by-step instructions to avoid the kind of mistakes made by the White House, the Defense Department, the United Nations and likely many other agencies over the past 18 months.
In one highly publicized gaffe, the Pentagon posted a report on its Web site in May 2005 regarding the circumstances surrounding U.S. soldiers in Iraq accidentally killing an Italian secret service agent. The PDF file blacked out some information regarding the incident that was deemed sensitive, but a simple cut-and-paste of the text revealed the hidden words.
'Improper redaction of electronic documents has been a growing area of concern in the information assurance community, so NSA decided to publish security guidance to help address this concern,' an NSA spokesperson said.
There have been other high-profile gaffes where information was accidentally released.
Most recently, a federal agency embedded a classified object into a PowerPoint presentation that was included on a CD-ROM handed out at a conference. The agency now is scrambling to recover the CDs and fix the mistake, said Ron Hackett, electronic document security program manager for SRS Technologies of Newport Beach, Calif. Hackett declined to name the agency.
These mistakes are becoming more common, and NSA, along with Defense, is trying to give employees some help.
NSA's architectures and applications division of the Systems and Network Attack Center prepared the report, Redacting with Confi- dence: How to Safely Publish Sani -tized Reports Converted From Word to PDF, which was posted on the NSA Web site late last month.
The Defense Department last summer also issued similar instructions, according to a spokesman at the Defense Intelligence Agency, which received a copy of that guidance.
NSA's guide is specific to Microsoft Word because it is so widespread throughout the government, but the report notes that the same general principles can be applied to executing redactions in other word processing software.
Broadly speaking, NSA's primary recommendation is to make a copy of the original document, then delete the information to be redacted from the copy, keeping the original as a backup.
The NSA guide is useful in raising government users' awareness of the problems, but not in solving the problem, said Ken Rutsky, executive vice president of worldwide marketing for Workshare Inc. of San Francisco.
'It's basically a policy document, [and] policies that require users to follow 20-something steps don't work,' Rutsky said. 'Compliance is way too hard for the user,' and there's no way to know if the procedure is being used consistently and correctly, he said.
Potential problems exist in several Microsoft applications, such as Excel and PowerPoint, and each software package contains risks of its own. For instance, hidden cells in Excel might not actually stay hidden, or a logo cropped from a document still is there, just rendered invisible.
NSA did not indicate whether it is preparing similar guidance for any of these other issues.