Amidst the Sturm und Drang following WikiLeaks’ publication of the State Department cables, Chelsea Manning and Julian Assange drew fire from the DoD, the State Department, the DoJ, Congress and the mainstream media. But with the exception of a few articles and blog postings from the technology sector, there has been no discussion of how it was possible that Pvt. Manning could get away with hoovering off gigabytes of data from Secret and Top Secret networks while remaining completely undetected. There also seems to have been no public discussion of the implications. To go after Chelsea Manning and Julian Assange is just an exercise in shooting the messenger. Ignoring the message will not make it magically disappear. But this is not about messengers. It is about the message. This is about all of those elephants stampeding around the room. Time to break out the elephant gun.
In this multi-part series, I am going to revisit the kerfuffle resulting from WikiLeaks’ release of videos and cables that it received from Pfc. Chelsea Manning, with an eye toward examining:
- what actually happened
- why it happened
- why it shouldn’t have happened
- and, who is responsible for allowing an environment in which it could have happened to exist in the first place.
In Part 1, we will hear Pfc. Manning describe how the environment at Forward Operating Base Hammer, the lack of security on the DoD “secure” network, and the absence of any security on the State Department’s network and systems worked together to enable her to do what she did without being detected. Part 1 will also identify circumstances and conditions that point to serious problems with the whole information security environment on both the DoD and State Department high-security networks.
Part 2 will dissect the security environment at FOB Hammer and then explore some of the implications of the problems identified in Part 1. It will show the complete absence of any kind of controls that would have prevented Manning from exfiltrating all of that information. Because of her status and emotional state, allowing Manning to continue in her position was just one more missing control at FOB Hammer. We will see how obvious it should have been to her chain of command that she was a very high-risk person and was a prime candidate for being an insider threat. It will also begin to identify the links in the chain of negligence and incompetence that allowed this to happen.
Part 3 will shift focus from FOB Hammer to the DoD at large and continue to document the negligence, incompetence and cluelessness as the dots are connected from FOB Hammer to the database at State. Again and again and again there were actions that could have been taken, policies that could have been put into effect and processes put into place that could have prevented Manning from hoovering up all of that information.
Part 4 shifts focus from the DoD to the State Department and describes all of the ways State didn’t do things that could have prevented the problem. If anything, State has bigger problems (with respect to the NCD) than did the DoD.
Part 5 will bring it all together and lay out the consequences of the incompetence and negligence exhibited by the players in this little saga. It will lay the message out in such a way that it will be clear even to those who laid the groundwork for this debacle. Given the absence of any kind of risk management or security controls, that something like this would happen was (and probably still is) inevitable. Because of a lack of forensic information, we will never know how many other people did what Manning did but put the information to use in a different way.
In Part 5, we will also review the concept of risk management and its function in the operation of any organization. We will talk about where the responsibility for risk management lies and point out all of the places up and down the chain of command in both the DoD and State Department where it is functionally nonexistent. It will show, based on Executive Branch and DoD directives, that the culpability for the leaks lies with leadership in the DoD and State Department for the complete lack of risk management oversight and practices. If they had followed common, bog-standard information security practices, this could not have happened. The culpability for this mess lies with the “management” of the Departments of Defense and State.
Part 1 after the fold . . .
We can catch a glimpse of the bull elephant if we revisit the June 26, 2010 post in the Threat Level blog on wired.com. In it, the authors talk about Pfc. Manning’s arrest and quote extensively from online chats between Manning and Adrian Lamo, the person who turned her in to the FBI:
He [Manning] claimed to have been rummaging through classified military and government networks for more than a year . . .
(That is, Manning had been able to “rummage around” in classified military and government networks for more than a year without being noticed by ANYONE).
He first contacted Wikileaks’ Julian Assange sometime around late November last year, he claimed, after Wikileaks posted 500,000 pager messages covering a 24-hour period surrounding the September 11, 2001 terror attacks. “I immediately recognized that they were from an NSA database, and I felt comfortable enough to come forward . . .”
(Note that the set of databases accessible to Manning, and to anyone else with the degree of access that she had, apparently includes National Security Agency databases. This will become important later.)
From the chat logs provided by Lamo, and examined by Wired.com, it appears Manning sensed a kindred spirit in the ex-hacker. He discussed personal issues that got him into trouble with his superiors and left him socially isolated, and said he had been demoted and was headed for an early discharge from the Army.
. . .
As described by Manning in his chats with Lamo, his purported leaking was made possible by lax security online and off.
This, too, will become salient later.
The networks, he said, were both “air gapped” from unclassified networks, but the environment at the base made it easy to smuggle data out.
The function of “air-gapping” will be described later.
“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”
“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. “Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis . . . a perfect storm.” [Emphasis mine. This will become a refrain].
Summing up: A disgruntled Pfc. who had been demoted and was being given an early discharge was allowed access to SIPRNET (a SECRET-level network which the DoD shared with the State Department) and JWICS (a Top Secret/SCI-level collection of interconnected networks, to which the Department of State was also connected) in an environment in which there were no security controls. A perfect storm, indeed.
In the same article, Poulsen and Zetter noted:
The State Department said it was not aware of the arrest or the allegedly leaked cables.
In other words, State didn’t know that their cables had been boosted off their network and were sitting on a disillusioned, disgruntled Pfc.’s CD-ROMs. Neither did the DoD. Nor had the NSA detected their pager messages being poached.
Had any of these organizations been aware of the copying, they would have moved on the person doing the copying and we never would have known about the breaches.
In Part 2, we will look at Pvt. Manning’s tale from the perspective of an information security practitioner and see what it tells us.