The Pentagon says the leak of diplomatic cables was an unforeseen
consequence of its policy to encourage information sharing. That’s
nonsense. When it comes to its failure to protect classified data, Uncle
Sam’s been warned before.
U.S. politicians, including Secretary of State Hillary Clinton, condemned the
publication of a trove of diplomatic cables leaked from a classified
military network by the Website Wikileaks in the harshest possible terms
this week, even as the Pentagon promised swift action to plug the kinds
of holes that led to the leak.
Political rhetoric aside,
however, history will remember the leak and subsequent publication of
confidential diplomatic correspondence as one of the great diplomatic
and national security blunders of all time. It was an act of almost
total administrative malfeasance, the responsibility for which lies
squarely in the lap of the U.S. Government and the Pentagon, which have
for years ignored warnings about the shoddy handling of classified
information. Its never nice to blame the victim. But, in the case of the
Wikileaks controversy, blaming the victim – and holding the U.S.
Government to account – is exactly what’s needed.
Let’s review the facts.
This week brought the long-promised publication of a couple hundred diplomatic cables –just a sliver of what is reported to be a trove of a quarter million pages of diplomatic cables – many sent in the period after the September 11, 2001 terrorist attacks.
The
leak put the U.S. on the defensive with important strategic partners
and allies, including Russia, where disparaging descriptions of Prime
Minister Vladimir Putin and President Dmitri A. Medvedev have made headlines even as Putin sat down with Larry King to lambaste the portrayal of him and his government in the dispatches and rattle Russia’s nuclear sword a bit, to boot. Great.
Here
at home, the Pentagon was trying to get ahead of the story even before
the cables were published. It issued a statement to reporters that
chalked up the leak to an unforeseen and unfortunate consequence of
well-intentioned efforts. In this case, those were efforts – post 9/11 –
to facilitate communication between different branches of government.
“These efforts to give diplomatic, military, law enforcement and
intelligence specialists quicker and easier access to greater amounts
of data have had unintended consequences making our sensitive data more
vulnerable to compromise,” wrote Pentagon spokesman Bryan Whitman in a
November 28 email statement to the press.
Defense
Secretary Gates, we learn in the e-mail, commissioned two reviews in
August to “determine what policy, procedural and/or technological
shortfalls contributed to the unauthorized disclosure to the Wikileaks
website.” But already the Pentagon has rounded up some likely suspects:
promiscuous permissions that allow too many users of DoD classified
computers to deploy removable media, such as USB drives, and enjoy
“write capability,” too many points of overlap between the classified
SIPR-net and NIPRNet, the unclassified DoD network, as well as a lack of
process for overseeing the handling of classified material.
It’s not
clear how many of these suggested improvements came from a soul
searching audit within DoD or a quick scan of any of the media accounts
of PFC Bradley Manning’s online bragging about his acumen at snarfing up sensitive military intelligence from SIPRNet.
Manning
is the prime suspect behind Cablegate. In published exchanges with
hacker-activist Adrian Lamo, Manning, a low level, 22 year-old
intelligence analyst, said he had wide access to SIPRNet, which is used
by the DoD and State Department, as well as to the Joint Worldwide
Intelligence Communications System, which harbors Top Secret
information. The networks were isolated from each other and the public
Internet – “air gapped” – but beyond that, data protections were weak,
he claimed. Manning found that he could simply bring in a writable CD
(labeled “Lady Gaga,” it turned out) and copy what he pleased.
“Weak
servers, weak logging, weak physical security, weak
counterintelligence, inattentive signal analysis … a perfect storm,”
he’s quoted as saying in an exchange to Lamo that was published by
Wired.com.
If that was news to Pentagon brass, it shouldn’t have
been. Indeed, the Government Accountability Office (GAO) has issued a
number of reports going back more than a decade that have warned in no
uncertain terms about lax handling of classified information on the
DoD’s network and the inability of the Pentagon to clean up its act.
Consider the March, 2004 report “Industrial Security: DOD Cannot Provide
Adequate Assurances That its Oversight Ensures the Protection of
Classified Information (GAO-04-332)
(PDF), in which the GAO (then the General Accounting Office), which
looked at how the DoD’s Defense Security Service (DSS) responded to 93
reports from compromises of classified information by military
contractors. GAO found that in 39 of 93 reported violations DSS couldn’t
make a determination regarding whether a compromise took place.
In
short, GAO reported six years ago that the DoD’s investigatory arm for
the leak of classified information seemed unable to carry out its core
mission. “While DSS maintains files on contractor facilities’ security
programs and their violations, it does not analyze this information,”
the report found. And “by not analyzing information on security
violations and how well classified information is being protected across
all facilities, DSS cannot identify system vulnerabilities and make
corrective changes to reduce the risk of information compromise.” What
happened with that report? Its hard to tell, exactly, but as of the end
of 2009, none of the eight main recommendations of that report had been
implemented, GAO found.
Or
read the 2008 report Defense Critical Infrastructure: DOD’s Risk
Analysis of its Critical Infrastructure Omits Highly Sensitive Assets (GAO-08-373R)
(PDF), which found that DoD had not taken adequate steps to ensure that
critical assets that store the Government’s most sensitive intelligence
assets – information derived from so called “Sensitive Compartmented
Information” (SCI) or “Special Access Programs” (SAP) – were safe.
Any
private sector security consultant worth her salt will tell you that
the first step in securing your IT infrastructure is to determine what
critical assets you have, where they’re located on your infrastructure
and who has access to them. In fact, the pages of Threatpost,
or dozens of other security-focused publications like provide road maps
for such assessments. Also note the countless resources, white papers
and reports online – from the excellent Verizon Data Breach Investigations Report on
down – that preach the gospel of taking a risk based approach to
security, implementing granular controls over data, behavior based
detection of threats, the need to monitor and control the flow of
sensitive data using port and device control as well as network based
data leak protection. Organizations have been learning hard lessons
about limiting user access for years — all lessons that the DoD wants
us to believe were thrown to the wind under political pressure to
achieve the goal of more inter agency sharing? Its a plausible scenario –
but not a particularly flattering one to the DoD, I must say. A more
likely scenario is that the lessons, themselves, were never learned. And
that’s all the more tragic because the lost information, in this case,
wasn’t customer lists or price sheets. It was precious communications on
which lives depend, and which help safeguard our nation and protect our
standing in the world.
To be fair, some of the measures DoD now
says they’re getting serious about have been in the works for a while.
According to Mr. Whitman at the DoD, efforts to deploy host based
security on SIPRNet systems have been underway for “some time” and are
now 60% complete. Great. Next step: turning the HIPS on in active
protection mode so it can block threats, not just report on them,
Whitman told Threatpost. DoD is looking at thorny issues like the need
for more training and supervision around the handling, storage and
access to sensitive information. On a more practical level, DoD is
cracking down on the use of external media: disabling write access to
USBs, DVDs and the like. This isn’t the first time
the DoD has cracked down on external device access to its sensitive
networks in this way, but I suppose its worth another shot.
That
all sounds good but, like the drunk who keeps falling off the wagon,
we’ve heard it all before from Uncle Sam when it comes to IT security
and, sadly, the outcome is always the same.
The
lesson of Wikileaks, after all, isn’t that different from the lessons
of Titan Rain, the Aurora breach or any of a number of incidents: the
need for risk based assessments of critical assets and data, tighter
access control and better monitoring of threats and a culture of
security that flows from the top down and – in the government’s case –
doesn’t bend (or collapse) when buffeted by political winds from Capitol
Hill. As Gary McGraw of security firm Cigital noted in his recent podcast with Threatpost editor Dennis Fisher,
policymakers’ attention is often distracted by fear mongering (note the
recent headlines about the Chinese “hijacking” Internet traffic from
government networks), while the military is guilty of applying old and
inappropriate warfare models to fighting in cyberspace.
“Military
and civilian networks are all entangled in inextricable ways. Trying to
divide and conquer by building protections around the military network
and ignoring the civilian networks is absurd. It doesn’t work,” he
said. “We all live in glass houses, but it seems
like we’re all focused on delivering faster more accurate rocks that we
can throw harder, instead of focusing on the fact that we’re living in
glass houses.”
“If you step back and look at espionage and
cybercrime and cyber war, the only defense we have is building secure
systems that work correctly,” he said. Words to live by.
