The purpose of this paper is to provide information on how to run a project securely, with a specific case study in mind: an organization that may reasonably believe that the government of its country may want to stop or otherwise interfere with its activities. This could be for a number of reasons, for example: (1) Seeking independence for a region of the country, which the central government opposes. (2) Protecting a sector of the country’s residents that is currently persecuted by the government. (3) Protecting a portion of the land from a government project that is harmful to it. There are many other legitimate reasons why a group of people may need to protect themselves and their activities from government interference, and these examples merely illustrate that not everyone who may be in opposition to a government should be assumed to be a criminal.
At no point in this document do I describe the sorts of actions people may be engaging in that a government may oppose. This is because the nature of such actions can change very quickly depending on the political climate. But to avoid any misunderstanding: no part of this document should be interpreted as supporting violence of any sort.
This document is intended simply as a starting point for a discussion. Anybody involved in a project that must be kept secret from a government needs to consider for themselves how best to keep themselves and others safe. It’s up to the reader to figure out which suggestions apply to their particular situation, and to research further those matters I have only outlined, or failed to mention.
In this document, terms in bold font indicate software or technical terms that may be useful to search on the Internet to those not already familiar with them. I have done this instead of providing links, because links get broken fairly easily over time, while names of software and technical terms are more stable.
The three big questions
When it comes to secret communications, these three questions determine the best steps to take:
- Importance: How critical is the content of this message to my project?
- Opposition: How likely is my opponent to try to stop me, interfere, or otherwise cause difficulties if they knew this piece of information?
- Access: What is easiest for my opponent to do in order to find out secret information?
Thinking carefully about importance
If a person has little or no experience of managing a project with significant opposition, they are likely to believe that all or most of the communications about it must remain secret. This is a mistake. This is because secrecy itself arouses interest. And keeping secret a large amount of activity is usually extremely difficult. Besides, secrecy isn’t costless. The greater the level of secrecy, the greater the hassle people need to go through in order to enjoy it. The rule of thumb is to keep as much secrecy as is needed, no more and no less.
In actual fact, very little about a secret project needs to be secret. The first step in managing a secret project well is to find a good cover story: a story that satisfactorily explains most of the activities needed for the project, and that would cause no opposition from the opponent. With a good cover story, the number of people who need to be aware of the real goals of the project can be reduced, improving security, and all the communications that fit well with the cover story can be open.
With a good cover story, what’s left that’s important and must be kept secret? Think of a game of chess. All the movements of both sides are perfectly visible. The only thing that is kept secret is the goals and strategies that chess players have in their minds, and that’s what makes the game worth playing.
Similarly, the most important communications are those that relate to the goals and strategies of the project. The next most important are tactical: actions that you have established need to happen in order to fulfil the goal. Everything else, low-level activities and optional actions, should be classified as non-critical. Again, only those communications that aren’t well covered by the cover story need to be kept secret.
Thinking carefully about opposition
It’s a common mistake to ignore this aspect. Why not classify everything according to importance? After all, times change and you cannot be sure where opposition will come from tomorrow. The reasons it’s a mistake have been mentioned before: First, secrecy arouses interest and mistrust. There is no sense in provoking mistrust unnecessarily, by hiding things that the opponent actually has no objection to. Secondly, secrecy has costs, and there is no reason to incur them if they’re not needed.
Actions that would cause no opposition should not be secret, except for communications about high-level goals and strategies. These are best kept secret always, because it’s hard to know when they may start going into territory that may cause opposition. At the same time, a need for secrecy shouldn’t eliminate checks and balances of power. Accountability should be preserved. The way this is normally achieved is with delayed communications. Lower-ranking people within the organization should get access to the content of the secret discussions at the highest levels, but after some delay, once the decisions have been acted upon and therefore the content of the initial discussions is no longer so sensitive.
It makes sense that the level of secrecy should match the level of opposition. Combining importance and opposition, we get the following table:
| No opposition | Mild opposition | Strong opposition |
| --- | --- | --- |
The levels of secrecy have been coloured from green to purple, with green meaning no secrecy and purple meaning the utmost secrecy. The number of levels is arbitrary but five works well.
It’s easy to confuse security levels with the amount of hassle it causes to implement security measures. There is some connection, because the more worried you are about information getting in the wrong hands, the more hassle you’d be willing to put up with. But just because a measure is little hassle, it doesn’t mean it makes sense to implement it at the lowest security level. Only persons of interest need anonymisers, even though the measures are fairly easy. And just because setting up a secure server is a lot of hassle, it doesn’t mean you should give up on it, if your conclusion is that you really need it for the activities you want to carry out.
Thinking carefully about access
The fundamental concept about access is that a chain is only as strong as its weakest link. It’s necessary to think of all the steps that a message takes from sender to recipient, and then consider how easy it is for an opponent to eavesdrop at every stage.
Some types of communication are easier to eavesdrop on than others. Currently, an eavesdropper prefers text, then voice, and likes images least. The reason is that nowadays data is usually acquired in bulk, and it would be extremely time-consuming for a person to look through all of it. Instead, data is pre-filtered with automated methods, so that humans only need to look at what appears to be the most relevant information. Text is very easy to filter in all sorts of meaningful ways. Voice needs to be converted to text first, and the conversion isn’t entirely reliable. Besides, tone of voice often carries information that isn’t reflected well in a transcript, and friends often use shorthand expressions that other people wouldn’t be able to interpret. Images can be analysed automatically to some extent (mostly for face recognition), but they are the hardest for automated filters to deal with.
The level of security should match how easy it is for an eavesdropper to access the information. The idea is that, for information that isn’t very valuable, an eavesdropper probably won’t bother unless it’s very easy to acquire it. The more valuable the information is, the more effort an eavesdropper is likely to be willing to go through in order to get it.
The chain of communication for text
I will describe here the chain of communication of emails, because it’s at the same time the most common text communication and has one of the most complex chains from the point of view of users. I’ll describe it in non-technical terms, since technical details vary but the fundamental concepts don’t need a technical description to be understood:
| Step | Risk | Difficulty for eavesdropper |
| --- | --- | --- |
| A person types an email and sees it on the screen as they write it. | If the computer is infected with some types of malware, the letters they type and/or screenshots may be sent to an eavesdropper. | Medium; needs some information about the specific computer’s system. |
| The email gets stored on the computer’s hard drive before being sent. | If the computer is hacked or infected with malware, the contents of the hard drive are available to an eavesdropper. | Easy. |
| The email gets sent over the Internet, passing through several servers. | The servers or even the routers the email passes through could be sending the content of the email to an eavesdropper. | Possible for governments, but finding the information is akin to finding a needle in a haystack. |
| The email gets stored on an email server, waiting for the recipient to download it. | The email server could be hacked or otherwise available to an eavesdropper (governments are entitled by law to ask companies to provide emails to them). | Easy. |
| When the recipient downloads the email, it gets stored on their hard drive. | If the computer is hacked or infected with malware, the contents of the hard drive are available to an eavesdropper. | Easy. |
As you can see, encrypting email only while in transit simply doesn’t deal with the easiest points of access for an opponent today.
The chain of communication for voice
The chain of communication for voice is in its own way as complex as email, but the final user has control over fewer elements of it. So, for all practical purposes, one needs to consider only two risks. The first applies only to smartphones, and it is that they can be hacked (at either end of a conversation) and send the voice content to an eavesdropper. The second is that the voice message gets intercepted while being transmitted. This includes the possibility that the government is legally allowed to listen in some cases. It’s difficult to establish which method is easiest for an eavesdropper.
Green Level: No security measures needed.
Try to keep as much as possible within the green level. You can do this by having good cover stories.
Also, it’s often possible to discuss sensitive material without any security precautions, by talking in code. The simplest way of talking in code is to substitute critical words (like “our leader”) with words that sound innocent (like “my grandma”). But those sorts of codes are far too easy to break. Instead of a fixed set of substitutions, talking in code should rely on large amounts of common experience (such as landmarks in a big city, or knowledge of certain events), and use them to convey information.
A simple example of talking effectively in code could be this: A person sends a text message saying “?” and gets answered with another text saying “!” In this case, the person saying “?” knows that the recipient, from the date and time and who is asking, can figure out by themselves what the obvious question is. Probably something like: “How did it go?” The reply “!” probably means “Great!” because to say “Awful!” it would have been more appropriate to reply “:(”
Another example is a text saying: “Meet me at D&D before dinner.” Both “D&D” and “before dinner” could have multiple meanings to an outsider, but common experience can make this message entirely unambiguous… and it’s even possible that D&D is a time and “dinner” a place. Common experience can function as an extremely long and secure key.
Talking in code is quite safe for persons who are confident they haven’t been singled out as persons of interest, since they’ll be spied on mostly by automated systems, which simply aren’t intelligent enough to detect and interpret people speaking in code. Persons of interest shouldn’t rely on talking in code except in emergencies when no other method is available, because doing so risks laying the code open to opponents.
Yellow Level: Secure easily accessible text.
At this level, the opponent would only be interested if collecting information was as easy as shooting fish in a barrel, and all the heavy lifting could be done automatically. So the precautions are mostly geared towards making things difficult for spy bots.
Before going into secure communications, it’s sensible to take a look at social media. Most activists engage frequently in social media. That’s fine, but if you start engaging in activities that may generate some opposition, you need to start being a little more careful about social media. It may look like a great idea to boast about your opposition to the government in social media, but in fact it could be a terrible idea. This is for two reasons. First, you may discover that you aren’t as anonymous as you thought you were. Just because your screen name is nothing like your real name doesn’t mean you are anonymous. You probably gave your email address to the social media company, and even if you didn’t, the company logs your IP address and other data about the device you log in from, and your social media stream may contain a lot of information about yourself. And even if you are careful and use the Tor browser to anonymise yourself, you’ll probably find that social media accounts that say things the government doesn’t like don’t last for very long. Secondly, social media provides a handy map of who knows whom. So if you identify yourself clearly as somebody in opposition to the government, your social media friends and followers may be flagged up for further scrutiny.
Mainstream media should give you a clear idea of which opinions are safe to express publicly; stay strictly within those bounds. I don’t necessarily mean that nobody should attempt to push the envelope of what’s acceptable in social media. I’m simply saying that those who want to push the envelope in social media should not be involved in any other activity that the government may oppose, even at a low level, because they are effectively shining a big light on themselves, and that is mostly incompatible with any sort of undercover operation.
If you are determined to stay very actively involved in social media, it can be a good idea to use a separate browser from your usual one to use only for social media. This reduces the chances of social media companies acquiring information about your other online activities. They are very information-hungry, and you may inadvertently click on “accept” and let them read something you didn’t mean to. Also, be aware that a lot of social media automatically records your location. If you are ever involved in any sort of somewhat undercover activity in a different location from where you are supposed to be, don’t engage in social media or if you must do it, do it through an anonymiser like Tor.
Now, to the practical security measures to protect your files and communications.
First of all, don’t keep any of your important files in cloud storage, or back them up in the cloud, with any of the big online companies (Google Drive, Dropbox, etc.). Most cloud storage solutions are obliged to give information to the government if they are asked. And even encrypted files aren’t all that secure from the government: they can break fairly easily most types of encryption. Make it a little bit harder for them, and keep your files on your computer, which means the opponent would need to either hack your computer or infect it with malware to get at them.
If you need to share files with others and keep them available online, the simplest way that gives you some basic security is to set up a free website where you can download them from, in encrypted form. This is probably an acceptable risk if you expect that people will only need to access them for a short period of time, and you can delete the files afterwards. Make sure that in setting up the website, you don’t give away any information that personally identifies you. Don’t use your usual email as the contact email.
If you think the files will need to be available for long periods of time, it’s easy for the government to demand from any webhost that a site be brought down. Not to mention that before they do that, you’d expect them to download the files themselves and have a good look at them (and their code crackers are excellent, and probably know every backdoor to every encryption method). The only safe way is for your group to have its own secure server. SecureDrop can be installed on it, which has many desirable features for sharing files. Ideally, the server should be in a location that can be physically defended if it came to it, with backup in a separate location. Later on I’ll say more about other things that make sense to have on a secure server.
Email files and other documents in a hard drive can be encrypted using VeraCrypt, and this also can be applied to files shared on a server.
It’s important to understand what encrypting files does and doesn’t protect against. It means that if a laptop or other portable device was lost and somehow fell into the hands of an opponent, they wouldn’t be able to read the encrypted files. If a device is infected with malware that tries to copy files of interest and send them to an opponent, encrypting the files may not stop the malware if it’s using the VeraCrypt interface to read them, but it can if the malware hasn’t been programmed to deal with encrypted containers. Also, no malware can read an encrypted container if it isn’t mounted. That’s why files relating to different projects should be encrypted in different containers, and you should only mount the container you are using at the time. This also means that unrelated projects should use separate email addresses, so the email files can be kept in separate encrypted containers. When you have stopped working on a project, unmount its container. Malware normally operates when the computer is (relatively) idle, so the user won’t notice that normal operation is slowed down. So the chances that malware successfully copies encrypted files are reduced if encrypted containers are only mounted while you use them.
Encrypted files use the password for the encryption, so unlike simply losing your password for your laptop, which can be worked around and is meant to be no more than a deterrent, losing the encryption password means losing access to the encrypted documents. Writing the password in a file or allowing your system to remember the password in any way effectively negates the benefits of encrypting files in the first place.
A solution to this problem is using a password manager like KeePassX. However, like anything else, it might be hacked.
If you prefer to keep your passwords in your memory, this is a simple technique for creating a password that is reasonably difficult to attack by brute force and at the same time can be remembered easily: You need a long piece of text that you know you will remember by heart, such as the lyrics of a song. Devise a method to extract the password from the text in some easy way, for example: Pick the first letter of each word. If the word is a number, use the number. If the word is capitalised, write the letter in capitals and shift it to the next one in the alphabet (if it’s A, write B). The method needs to be reasonably simple to remember but also not too straightforward, since simple methods of extracting the password (just use the first letter of each word) might already be known to brute-force attacks. You can test the strength of any password at the Kaspersky secure password check.
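As an added illustration of the extraction rule just described (example code written for this edition, not part of the original document), the following Python applies the three rules to a constructed sample line and gives a rough estimate of the brute-force search space of the result. The sample text, the punctuation-stripping step and the search-space estimate are my assumptions; the extraction rule itself is the one stated above.

```python
import math

# Constructed sample text for this example. In real use the text must be
# something only you will reliably remember, and it must never be written down.
SAMPLE_TEXT = "Twinkle twinkle little star, how I wonder what 2 are"


def shift_letter(ch: str) -> str:
    """Shift an upper-case letter to the next one in the alphabet (Z wraps to A)."""
    return "A" if ch == "Z" else chr(ord(ch) + 1)


def derive_password(text: str) -> str:
    """Apply the extraction rule from the text:
    - take the first letter of each word;
    - if the word is a number, use the whole number;
    - if the word is capitalised, use the capital letter shifted to the next one.
    Punctuation attached to a word is ignored (an assumption of this example)."""
    parts = []
    for raw in text.split():
        word = raw.strip(".,;:!?\"'()")
        if not word:
            continue
        if word.isdigit():
            parts.append(word)
        elif word[0].isupper():
            parts.append(shift_letter(word[0]))
        else:
            parts.append(word[0])
    return "".join(parts)


def search_space_bits(password: str) -> float:
    """Naive brute-force search space, in bits, for an attacker who knows only the
    character classes used and the length (not the derivation rule or the text)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    pw = derive_password(SAMPLE_TEXT)
    print(pw, round(search_space_bits(pw), 1))
```

The search-space figure is the optimistic one for an attacker who knows nothing about how the password was built. The point made above, that simple extraction rules might already be known to brute-force attacks, is exactly why both the source text and the rule have to stay private: an attacker who guesses the rule and has a list of common lyrics is searching a far smaller space than the figure suggests.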
A type of file that deserves some special attention is lists of contacts. People often keep lists of contacts in Excel spreadsheets, with contact details such as phone numbers and emails. For obvious reasons, this type of file should be especially protected. It should have its own separate encrypted container, and also be protected with a password (this is a little-known feature of Excel). In addition, there is a simple trick that can be used on email lists in Excel, which is doing a global Find and Replace of “@” with “a@”. This automatically makes all the emails incorrect. The Find and Replace can be reversed in order to get a list of valid emails.
Outlook and other email software often store all the addresses you have contacted, and malware can read that list of contacts and send it to an opponent. Viruses do it all the time in order to propagate. In order to reduce the risk, don’t use the built-in contacts feature in your email software (you can keep lists of contacts in an Excel spreadsheet instead, if you need them). And disable the auto-complete and auto-suggest features, which create another cache of email addresses. Also, it’s a good idea to move sent emails from the Sent Emails folder into a separate one. This is because malware sometimes looks at the emails in the Sent Emails folder to copy the email addresses of the people you are sending email to. You don’t need to do this manually; you can set up a rule to do it for you.
Don’t use email accounts from the big providers (Gmail, Hotmail, Yahoo, etc). If you happen to work within the government but are involved in activities opposing the government, don’t use your government email account for anything relating to those activities. Instead, use a secure server for email. For individuals, a good solution is Neomailbox, hosted in Switzerland.
If your organization is serious about having private email, get a local IT professional to set up your own secure email server, which can also be a file server. This is a rather technical task, so you want a good professional with a good understanding of security.
You may need to use (relatively) large email lists of people that will receive somewhat sensitive information. For big projects, like those involving the independence of a region, it wouldn’t be entirely out of the question that a particular message needs to be sent out to thousands of people, and that you expect those people to keep their mouths shut for a few days. In that case, use a mailing list (with phpList, or other software of your choice) that’s set up on your own server, and make sure it’s secure. Don’t use any of the standard cloud solutions, since they may be required to give information to the government.
When it comes to your smartphone, make sure you aren’t keeping a lot of data in it that relates to activities the government may oppose. Keep in it the phone numbers of your main contacts and little else. It isn’t the best device to deal with large amounts of data anyway. And if the government got to access it, you could be giving them vast amounts of information connected in ways that would make it very easy to entirely reconstruct your activities. If you use your smartphone for social media and you are sometimes in different places from where you are supposed to be, disable the location service on those apps.
Orange Level: Secure text and voice.
At this level, the opponent would be willing to put in more effort, but still would leave most of the spy work to automated systems. The actions carried out are still not significant enough to justify prosecuting individuals for them. One of the goals at this level is to avoid getting flagged up as a person of interest.
All the recommendations of the Yellow Level apply. In addition:
Think a little more about the data in your smartphone, and what could be giving additional information to the government that you don’t expect them to know already. For example, make sure you don’t use your thumbprint to unlock your phone. Use a password instead. If you are going to an unusual location for you as part of your activities, keep your phone switched off unless you absolutely need it. Simply disabling location services isn’t enough, because a phone can always be located from the mobile phone signal. Disabling location services only makes your location a little more fuzzy, so instead of knowing with an accuracy of meters where you are, the government will know with an accuracy of tens or at most hundreds of meters, and that isn’t usually a game-changer.
For voice security, the best option is to use the Open Secure Telephony Network (OSTN) and the server provided by the Guardian Project, ostel.co.
You will need to install an app on your phone to use with ostel.co. A good app for Android is CSipSimple, and a good one for iPhone is Groundwire. Signal is another app that’s available for both Android and iPhone.
It’s also possible to make and receive these calls from a computer by installing Jitsi. Jitsi is similar to Skype, but unlike Skype it’s open source and therefore reasonably unlikely to have back doors.
When it comes to email, at this level I’d add an additional layer of security by using Thunderbird and PGP encryption (Enigmail). I don’t advise this at the yellow level because it’s a bit of hassle for users to use different software, and while governments must be assumed to have access to all Internet communications, it also must be assumed that they won’t bother looking at a needle in a haystack unless they’re interested enough in this particular needle.
The solution above isn’t available for smartphones, but I don’t think it would be wise at this level to email at all from a smartphone. Even the US government hasn’t yet found a smartphone solution they are satisfied is secure to email from, and they would know. Smartphones simply leave too little control to the user and too much control to the operating system, and governments are known to have back doors into smartphones. Even journalists have found that their smartphones were hacked in order to identify their sources. If you feel that you absolutely must email from a smartphone, the best options are K-9 combined with OpenKeychain on Android, and iPGMail on iPhone.
From a smartphone it’s probably better to use a secure chat application, rather than email. That way, if it gets compromised, at least you aren’t giving away your email details. The best option, available for both Android and iPhone, is ChatSecure. Don’t use it to connect to any Facebook or Google accounts, though. Just create a new account on the public XMPP servers. The chat messages can be also sent and received from Jitsi.
It’s inevitable that extra precautions will get somebody flagged up by some automated systems: if somebody is encrypting their communications, they must have something to hide. So it can be helpful to have some sort of cover story that explains this sudden interest in privacy, and to be fairly loud about it. Governments usually take no interest in company security, and companies can sometimes be quite paranoid about their trade secrets, because a competitor could effectively snatch the business out of their hands. So it may be helpful to claim in social media and/or personal blogs that you are involved in some new confidential project with some company, perhaps a start-up. Also, don’t overuse the security. Always use no more and no less than you need.
Something else that makes sense at this level is to start using an anonymous search engine such as DuckDuckGo. Remember to use it not only on your computer but on all devices that you use for searching the Internet. Google keeps track of all your search terms, and people get flagged if they start searching for sensitive search terms. A woman got the FBI knocking at her door because, just after the Boston attacks, her journalist husband was doing research on jihadists at work, her teenage son (without her knowledge) clicked on a link provided on a news site about how to build a pressure cooker bomb, and she happened to need a pressure cooker at that time and started shopping online for one. Yes, the American government had software bots that automatically put all that information together, a person was alerted and decided it all looked pretty suspicious, and they sent a team to check it out. I don’t recommend using an anonymous search engine at the Yellow Level because actions at that level should be mild enough that it isn’t worthwhile to pick on individuals, and it’s good for the opposition to be aware of the general mood. At the Orange Level, on the other hand, people are getting closer to the level that might attract individual attention, and at the same time they may be trying to learn more and acquire a more important role, and in the process they are at a higher risk of attracting unwanted attention.
Another thing to consider at this level is whether your payments might be tracked. Whenever you want to pay for anything that may generate opposition, the best method is to come up with a good cover story that can justify purchasing those items without arousing suspicion. When that isn’t practicable, pay in cash, and if it’s something you have to buy online, use bitcoin.
Red Level: Use separate devices in order to hide identity.
My assumption is that, at the Yellow and Orange Levels, the opposition may want to spy on the activities and thwart the actions carried out, but would not be interested in prosecuting the specific persons involved. People need Red Level security if they believe that they may be prosecuted and imprisoned as a consequence of their actions.
In this case, my recommendation would be for people not to use the devices they normally use for non-confidential work at all. Standard emails often include details that identify a device uniquely, and an opponent may target a specific device that is known to be owned by a person of interest. Instead, you should use a separate device that is only used for highly sensitive activities. This should be a new device, not a second-hand one that might already have been identified. It should be bought through a channel that doesn’t connect it directly to the owner, who may already have been identified as a person of interest. There are stories of new devices, known to be intended for a person of high interest, that had special firmware installed on them, able to spy on the contents of the hard drive and not deleted by formatting the hard drive.
For computing needs, the best option is a laptop with a secure Linux operating system, such as Tails. Qubes is another flavour of Linux that’s regarded as very secure, but it’s rather resource-hungry, so it’s likely you need a powerful laptop to run it.
If you think a small tablet device will suit your needs best, it may be sufficient to get a tablet with a Linux (not Android) operating system, and install Tor and Thunderbird in it.
An alternative that could be useful as an emergency while on the move is Knoppix, a version of Linux that boots directly from a DVD. It will allow you to connect to the Internet from any PC with access to it, and it’s reasonably secure and includes Tor. Most significantly, a computer booting from Knoppix will appear on the network very different from how it would appear booting normally, which will protect the person whose computer you are borrowing. Setting up your whole communications system from a borrowed computer would take time and an understanding of how to configure Linux applications, but often your immediate needs will be satisfied if you can use webmail without attracting unwanted attention to your friend’s computer.
Whatever the device you are using, browsing should be done with Tor, which provides anonymous browsing. Email should be as described for the Orange Level, with a separate email account only for Red Level activities.
When it comes to phones, the only reasonably secure option is to avoid smartphones entirely. Not only are smartphones fairly easy to hack by the government, but they also keep a constant detailed record of your location. Instead, use the cheapest sort of mobile phone available, with a pay-as-you-go SIM card. It’s a good idea to change SIM card regularly, in case a particular number has been identified by the opponent. The phone should also be abandoned for a new one when there is any suspicion that it has been identified. Phones do broadcast identifying information specific to the device to the mobile network. And keep your phone switched off (taking out the battery) if you aren’t making calls or expecting them. Even basic mobile phones give out information about location, though smartphones pinpoint your location more accurately.
Don’t leave your devices unattended where they might be tampered with by the opposition. If you must leave a laptop with sensitive content unattended, you may want to take the battery with you, to make it more difficult for the opposition to tamper with it.
Avoid all electronic communications, especially text.
At this level, we are talking about material that is so sensitive that you break into a cold sweat just thinking that the opponent may get hold of it. Think about “Schindler’s List” as a possible scenario of when you would be this paranoid. The only good solution in this case is to avoid electronic communications as much as humanly possible, since they are the easiest to intercept. Text communications especially should be avoided. The alternative is hard copies of the documents in question, taken by couriers with appropriate defensive measures. In order to prevent couriers and other people who may lay eyes on the document from reading it, it may be produced in a form that is intrinsically difficult to read casually, such as microfilm.
If it becomes necessary to share any such text documents in electronic form, the best way is to do it in a non-text format. For example, convert the document to image format (either directly or by scanning a hard copy). Then hide the image with steganography. Paint.net has a steganography plug-in, but you may want to look for something a little more professional.
In order to work on a computer with extra sensitive material with the least worries that it may be obtained by an opponent, the safest way is what’s called an “air gap”. This expression comes from pre-wireless times, and it means that if there’s an air gap between your computer and the network (i.e., the computer isn’t connected to the network at all), it can’t be hacked.
There is, unfortunately, a lot of misunderstanding about how to operate a computer with an “air gap”. You have to remember that the main worry is that the material on the computer leaks out. Whether the computer gets infected with malware or not is a secondary concern. As long as the contents don’t leak, if all the opponent can manage to do is to crash the computer or even destroy it irreparably, it’s at most an annoyance (you should keep back-ups of the sensitive material, of course). This means that you aren’t so worried about what can get into the computer, but you are very worried about what can be allowed to get out. Outputs need to be carefully limited. The computer should not have any wireless capability at all, it should not be connected to the network, and the network socket should be disabled in some sort of physical way (a ball of Blu-Tack will do), so that it isn’t possible for somebody who might get access to the computer to connect it to the network. Also, nobody should be allowed to use a USB drive on the computer. You may want to consider gluing any USB devices to their ports and disabling unused USB ports. The computer will need a CD/DVD drive because you need some way of reading data into the computer, but it should have no CD-burning software. Output should be restricted to the screen, loudspeakers, a printer, and devices that produce hard-copy content, such as microfilm. In short, it should be impossible for the computer to output data without a human being aware of it, and the output should be of a sort that automated systems find difficult to handle.
The computer should be running some reasonably secure version of Linux, but it isn’t necessary that it be Tails or Qubes, since it isn’t meant for communication. Needless to say, all the sensitive files should be encrypted. Passwords to access the computer should be strong. File permissions need to be thought out carefully. How many people really need access to this level of information? And how much separation do you need between projects?
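The air-gap rules above (no wireless hardware, no interface connected, no USB drives, no CD-burning software) can be checked mechanically on the Linux machine itself. The following audit script is an added example, not part of the original document; it assumes a standard Linux layout (sysfs under /sys/class/net, modprobe configuration under /etc/modprobe.d) and an assumed list of common burning-tool binaries, and takes a root directory argument so it can be run against a test tree.

```python
"""Audit an air-gapped Linux workstation against the rules in the text.

Added example (not from the original document). Reports which rules are
violated: wireless hardware present, a non-loopback interface up, the
usb-storage module not blocked, or a CD-burning tool installed.
"""
import glob
import os
import re

# Assumed names of common CD/DVD burning binaries; adjust for your distro.
BURN_TOOLS = ("wodim", "cdrecord", "growisofs", "brasero", "k3b", "xorriso")
BIN_DIRS = ("usr/bin", "usr/sbin", "bin", "sbin")


def _read(path):
    """Return a file's stripped contents, or '' if it cannot be read."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return ""


def audit_airgap(root="/"):
    """Return a list of findings; an empty list means every rule holds."""
    findings = []
    net = os.path.join(root, "sys/class/net")
    ifaces = sorted(os.listdir(net)) if os.path.isdir(net) else []
    for iface in ifaces:
        if iface == "lo":  # loopback is harmless
            continue
        if os.path.exists(os.path.join(net, iface, "wireless")):
            findings.append(f"wireless interface present: {iface}")
        if _read(os.path.join(net, iface, "operstate")) == "up":
            findings.append(f"network interface is up: {iface}")
    # "blacklist" alone does not stop on-demand loading when a drive is
    # plugged in; an "install usb-storage /bin/false" line is needed too.
    conf = "\n".join(_read(p) for p in
                     glob.glob(os.path.join(root, "etc/modprobe.d/*.conf")))
    if not (re.search(r"^\s*blacklist\s+usb-storage\b", conf, re.M) and
            re.search(r"^\s*install\s+usb-storage\s+/bin/(false|true)\b", conf, re.M)):
        findings.append("usb-storage module not fully blocked in /etc/modprobe.d")
    for tool in BURN_TOOLS:
        if any(os.path.exists(os.path.join(root, d, tool)) for d in BIN_DIRS):
            findings.append(f"CD burning tool installed: {tool}")
    return findings


if __name__ == "__main__":
    for line in audit_airgap() or ["all air-gap checks passed"]:
        print(line)
```

Run it as root on the isolated machine after setup, and again whenever the hardware or software on it changes.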
With such sensitive material, you have to worry whether the room with this computer might be bugged. Nowadays, it seems that governments rely less on actively bugging a location, and more on hacking the devices already present there. People are likely to meet sometimes in the room where this computer is, to look together at the information in it. It’s important to have strict rules about what devices people can bring with them. Smartphones, laptops and tablets might be hacked and recording everything that’s being talked about, so they shouldn’t be allowed. Some sort of recording is likely to be appropriate, but the exact manner of this should be discussed beforehand, and it should be done with a device whose limited capabilities are clear to all present (such as a camera, tape recorder, etc.), as opposed to a multi-function device that could be doing more than is immediately apparent, like broadcasting this information wirelessly to the opponent.
Security isn’t a matter of using whatever apparently useful applications you’ve seen recommended by security experts. It’s above all a way of thinking about communications and data. If you understand the general principles, you can easily work out what software or devices you may need. On the other hand, if all you know are specific techniques, you will be exposed as soon as technology changes.