In Part 2, we looked at the security environment at FOB Hammer and discovered that there was effectively none. That was the first component of the “perfect storm” that enabled Pfc. Manning to collect the video and documents that were published by Wikileaks. There were two dimensions that interacted there. One was lax-to-completely-absent physical security at the site. The other was the failure on the personnel management side to detect all of the indicators that Manning was a candidate for being an insider threat. In Part 3 we will shift attention to the other components of the perfect storm that Manning described and show that they were there not for lack of information or institutional awareness, but because of negligence. The rest of the herd after the fold:
Elephants 3 – 6
Let’s declare the “weak site security” elephant dead and move on to the others in Manning’s “perfect storm:” “weak servers, weak logging, weak counter-intelligence and inattentive signal analysis.” This was not a case of someone being asleep at the switch . . . there was no switch. In all of the places in which controls to prevent or monitor unauthorized or suspicious activity usually are, there were few or none, and those that might have been in place were ineffectual or simply ignored. Effective host and database access “need-to-know” controls could have blocked access to much of the information Manning accessed. Effective logging would have captured the sources and destinations of the gigabytes of data that Manning was downloading, as well as the origins of the requests. Effective traffic monitoring and analysis could have flagged Manning’s anomalous activity. Even in the absence of traffic analysis, had there been logging, forensic analysis of the traffic would have led back to him. Apparently there was no logging, because it wasn’t until WikiLeaks published the data that anyone was aware of what had happened, and it wasn’t until Lamo fingered Manning that anyone had a clue who did it . . . The lights were on, the doors were open, but there was no one home. Recall the BankInfoSecurity interview with Marcus Ranum mentioned in Part 2. Later in that interview Mr. Ranum also had this to say about lessons learned from WikiLeaks:
Then the other piece of the puzzle that I find is really interesting is the apparent inability of the people who lost the data, the original data holders, to tell what data was stolen and while it was being stolen. [Emphasis mine] And this is an important message for anyone who is a CISO because it shows what can happen when your data leaks if you don’t have auditing and logging in place so that you can go back and say, “Well, OK if we do believe this guy leaked a bunch of information, what information did he actually access and when?” Of course, ideally you would get in front of that process and maybe detect the fact that somebody who really didn’t have a need to access this particular information was downloading [this information] in one fell swoop. That is kind of a red flag, I would think.
As usual, a master of understatement . . . But he was really being polite, I think. In terms of getting one’s attention, this should be more of an IED going off in one’s face than a red flag. Scott Bradner had a slightly different take on the idea:
The surprise about this latest series of leaks is not that it happened, but how it had not happened long before. Actually, maybe it has — not everyone who would like a copy of such information would be interested in publishing it. [emphasis mine]
The picture that emerges from media reports is that of an organization (the DoD) that was either oblivious to the risks it was taking or which didn’t care. Either way, it is a failure of management. It is a failure of the chain of command to monitor and enforce standing policies designed to protect Secret and Top Secret information. There was a complete absence of any attempt to operate the system in a secure manner. The problem here isn’t WikiLeaks and Pvt. Manning. The culpability lies with the chain of command that permitted such an environment to exist in the first place. They are the ones who provided the means and opportunity. Now, this is a very important point, so I’m going to beat it to death: Nobody had a clue about what Manning was up to until the video and cables were published on WikiLeaks. In his own words, he had been “rummaging around classified military and civilian networks for more than a year” . . . and nobody had noticed anything!
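As an added illustration (not from the original post, and not a description of any real DoD system), here is the kind of control the “weak logging” discussion above is about: need-to-know enforcement, a per-user daily volume counter, and a record of writes to removable media, run over a constructed access log. Every field name, compartment, user and threshold below is an assumption made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a document-access log: (timestamp, user, compartment,
# bytes transferred, destination). Values are illustrative only.
ACCESS_LOG = [
    ("2010-01-05T09:12:00", "analyst_a", "IRAQ_SIGACT", 40_000, "workstation"),
    ("2010-01-05T09:40:00", "analyst_a", "IRAQ_SIGACT", 55_000, "workstation"),
    ("2010-01-05T10:02:00", "analyst_b", "IRAQ_SIGACT", 30_000, "workstation"),
    ("2010-01-05T10:15:00", "analyst_b", "STATE_CABLES", 20_000, "workstation"),
    ("2010-01-06T02:10:00", "analyst_b", "STATE_CABLES", 900_000_000, "removable_media"),
    ("2010-01-06T02:45:00", "analyst_b", "STATE_CABLES", 600_000_000, "removable_media"),
    ("2010-01-06T08:30:00", "analyst_a", "IRAQ_SIGACT", 45_000, "workstation"),
]

# Need-to-know table: compartments each analyst is authorised to read (assumed).
AUTHORIZED = {
    "analyst_a": {"IRAQ_SIGACT"},
    "analyst_b": {"IRAQ_SIGACT"},
}


def need_to_know_violations(log, authorized):
    """Return sorted (user, compartment) pairs read outside the user's authorisation."""
    return sorted({(user, comp) for _, user, comp, _, _ in log
                   if comp not in authorized.get(user, set())})


def daily_volume(log):
    """Sum bytes per (user, day): the electronic equivalent of a copy-machine counter."""
    totals = defaultdict(int)
    for ts, user, _, nbytes, _ in log:
        day = datetime.fromisoformat(ts).date().isoformat()
        totals[(user, day)] += nbytes
    return dict(totals)


def volume_anomalies(log, baseline_bytes=1_000_000, factor=10):
    """Flag (user, day) whose volume exceeds factor * baseline (both assumed values)."""
    limit = baseline_bytes * factor
    return sorted(key for key, total in daily_volume(log).items() if total > limit)


def removable_media_transfers(log):
    """List every write to removable media: (timestamp, user, bytes)."""
    return [(ts, user, nbytes) for ts, user, _, nbytes, dest in log
            if dest == "removable_media"]


def report(log=ACCESS_LOG, authorized=AUTHORIZED):
    """Bundle the three checks so an analyst (or a test) can read them in one place."""
    return {
        "need_to_know": need_to_know_violations(log, authorized),
        "volume": volume_anomalies(log),
        "removable_media": removable_media_transfers(log),
    }


if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name}: {findings}")
```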
Let’s take a step back and do a thought experiment: Let’s say that instead of the documents being stored electronically on networked machines, I have physical documents stored in a warehouse . . . the same documents, just a different storage medium. Let’s say this warehouse is located in a storage facility. The entrance to the storage facility is unlocked, unguarded and unmonitored. The doors and windows of the building are all open and the lights are on. There is no document check-out/check-in process, so there is no way to track what documents are accessed by whom or when. There are no surveillance cameras in the building, so there is no way to even tell if/when anyone is there. There is a high-volume copy machine on every floor, but there are no counters or access control mechanisms, so I have no idea of who is copying how much . . . I have no means of knowing anything at all about what goes on in the building or who goes in and out of the storage facility. Then one day I see excerpts from my cables showing up in every newspaper, TV news broadcast and blog on the Internet. Three questions:
- Should I be surprised?
- Who is responsible for the breach?
- Who is accountable for the breach?
Answers to the three questions:
- No.
- The person who allowed those documents to be stored in that environment. I guess that’d be me.
- The person who authorized the storage of those documents in that environment. I guess that’d be me, too.
If I were the CEO of Coca Cola and that was the Coca Cola “secret formula” that was being spread around, I would be reaching for my golden parachute, and it would be interesting to see how many of the board members survived the next stockholders’ meeting. Should I have known better? Absolutely. My job is to minimize the risk of the loss of the confidentiality, integrity and availability of mission-sensitive information. Now, I believe that there is not a reader out there who couldn’t come up with ways to button the situation up so tightly that someone would have to work very hard to get into the storage facility, into the building, copy the documents and get back out again without being detected. There are the logical equivalents for the protection of electronic systems and data. And the DoD has that information. Nicely collected in a document titled “DoD Insider Threat Mitigation” (pdf) published April 24, 2000. From the Executive Summary:
This report provides an explicit set of recommendations for action to mitigate the insider threat to DoD information systems. [emphasis mine] The report results from the actions of an Insider Threat Integrated Process Team (IPT) requested by the Senior Civilian Official (SCO) of the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) OASD (C3I). The Team’s charter was ‘to foster the effective development of interdependent technical and procedural safeguards’ to reduce malicious behavior by insiders.
The recommendations fall under seven categories:
- Policy & Strategic Initiatives
- Personnel (Management and Security)
- Training and Awareness
- Deterrence
- Protection
- Detection
- Reaction/Response
I am beating this subject into the dirt to show that there is no possible excuse for the breach to have occurred. The cause is sheer negligence at the highest levels of the DoD (and as we will see in Part 4, also State). In 2000, the DoD was handed a cookbook for the mitigation of the insider threat. If, in the intervening ten (10)! years between the time the document was published and the time Manning went on his shopping spree, the recommendations in that document had been implemented, Manning would have been found out when he first started fiddling around and it would have ended there. Purely and simply, it was an abject failure of adequate risk management at the organizational level. . . . After the leaks hit the fan, the military hastily slammed the barn door shut.
The U.S. Military is telling its troops to stop using CDs, DVDs, thumb drives and every other form of removable media or risk a court martial. Maj. Gen. Richard Webber, commander of Air Force Network Operations, issued the Dec. 3 (2010) “Cyber Control Order” – obtained by Danger Room – which directs airmen to “immediately cease use of removable media on all systems, servers, and stand alone machines residing on SIPRNET,” the Defense Department’s secret network. Similar directives have gone out to the military’s other branches. “Unauthorized data transfers routinely occur on classified networks using removable media and are a method the insider threat uses to exploit classified information. To mitigate the activity, all Air Force organizations must immediately suspend all SIPRNET data transfer activities on removable media,” the order adds.
Reread the previous two paragraphs. Then think about what is being said, and by whom. A Major General is announcing in a memo that, as commander of Air Force Network Operations, he knows that “unauthorized data transfers routinely occur on classified networks using removable media.” General Webber didn’t just take it upon himself to send out that memo. He sent it out for the same reason that “similar directives have gone out to the military’s other branches.” It really doesn’t matter from how high up the chain of command the impetus for the statement came; the point is that policy dealing with how to handle highly confidential information was being blatantly ignored throughout the military . . . and, as acknowledged in the memo, the chain of command up to at least the Major General level was aware of it and tolerated it. And this is only part of the problem. The most important part is that the DoD was responding to the superficial aspect of the problem and had no clue about the root of the problem. Clueless, clueless, clueless. What we have here is a gross failure of risk management and governance that is hard to distinguish from negligence at the highest levels of the military establishment. Not to put too fine a point on it, but, because no one was paying attention, Secret and Top Secret data has been leaked . . . from the State Department, the Defense Department and the NSA (and who knows where else). One could fly a flight of B-52s through the holes in those networks and no one would know they were there. . . . The lights are on, the doors are open, but there’s nobody home . . . Which leads us to another one of the elephants. Given Pvt. Manning’s perfect storm along with the admission that “unauthorized data transfers routinely occur on classified networks . . .” one has no way of knowing how much data was compromised, how many times, by whom, or for how long. As Scott Bradner said, “. . . not everyone who would like a copy of such information would be interested in publishing it.” And apparently, there are those out there . . . Again from the Threat Level article:
The [FBI] agents did tell Lamo that he may be asked to testify against Manning. The Bureau was particularly interested in information that Manning gave Lamo about an apparently-sensitive military cybersecurity matter, Lamo said. That seemed to be the least interesting information to Manning, however. What seemed to excite him most in his chats was his supposed leaking of the embassy cables. He anticipated returning to the states after his early discharge, and watching from the sidelines as his action bared the secret history of U.S. diplomacy around the world.
Manning was only focused on the embassy cables, and in this case, we lucked out and dodged a bullet. But then the FBI was much more interested in “an apparently-sensitive military cybersecurity matter . . .” Good luck, guys. You’re going to need a boatload of it . . . Without any forensic evidence you don’t have a chance in hell of finding out what happened. Now, published reports give no information/insight into whether Manning was the only one of all of the people who have or had access to SIPRNet and JWICS to extract (or, for that matter, edit or insert bogus) information from them. It is safe to say that the probability of that being the case is infinitely small . . . Especially given the FBI’s interest in that “apparently-sensitive military cybersecurity matter.” After all,
. . . squashing Wikileaks disclosures to prevent exposure of sensitive information would not prevent terrorist organizations or enemy states from obtaining that same data and using it for more nefarious purposes.
Just to make sure that this elephant is well and truly dead: This really was the perfect storm. Nonexistent network/database security allowed Manning to hoover up gigabytes of data in complete anonymity, and nonexistent site security at FOB Hammer allowed him to “export” those data from the “secure room” to the WikiLeaks servers. Though many/most of the sites that have access to SIPRNet and JWICS may adhere to policy, processes and procedures that prevent this sort of “exporting” from happening, there are an unknown number that do not. And while we know of one case in which the weaknesses of the system were exploited, there is an unknown and unknowable number of cases that we do not know about. On top of that, given the lack of controls that would allow us to know, we have no idea what and how much other data has been downloaded and how much has been deliberately compromised . . . if, when or by whom. In the current vernacular, this is what one would call an Epic Fail. It is tempting to call for the heads of those who are accountable for the abysmal security of the environment at FOB Hammer. DoD Instruction 8510.01 defines a Certification and Accreditation process that would theoretically allow one to identify them. That person/those people certainly need to be held accountable, but in a way, they would be just as much scapegoats as is Manning. From what one can glean from published reports, the problem is endemic. Manning described it himself when he described the perfect storm. Then, General Webber’s statement that “Unauthorized data transfers routinely occur on classified networks . . .” confirmed it. This is a system-wide (at least DoD, State and the NSA) lack of basic risk management and governance. From a Computerworld article discussing the fallout from WikiLeaks:
Adm. Mike Mullen, chairman of the U.S. Joint Chiefs of Staff, was blunt in his criticism of Wikileaks during the press conference. “The truth is they might already have on their hands the blood of some young soldier or that of an Afgan [sic] family,” Mullen said.
The real truth is that if there is any blood on anyone’s hands it would be on Adm. Mullen’s and on the hands of those under his command who permitted the lack of security that allowed Manning to exfiltrate the information. A mea culpa from Adm. Mullen is most appropriate and would have been welcome. In its absence “Good riddance!” and a “Hope to see you in court sometime soon!” will do. When the North Koreans shelled Yeonpyeong Island, the South Korean Defense Minister resigned. It would have been nice if Secretary Gates had acknowledged the scope of the problem and at least made the gesture of offering to fall on his sword. To wrap up, a couple of observations from the press: From The National Journal in late 2010:
The U.S. Central Command has begun security reviews of protocols at forward-deployed settings like Hammer in Iraq, where Manning spent several years. “Insider threat working groups” have been established, and commanding officers are being trained to detect behavioral changes in their young analysts.
Remember “DoD Insider Threat Mitigation” published in April 2000? And the response in 2010 is to establish insider threat working groups?!?!?!?!? Jesus, Mary and Joseph! I’ve seen some dysfunctional organizations in my time, but this absolutely takes the cake. What the hell were they doing in the ten years between the time the Insider Threat Mitigation Guide was published and the archetypal insider threat punked the whole DoD and State Department? Jesus! Talk about closing the barn door after the horses bolt . . . Finally, from CTOEdge:
Without the most basic level of security, it’s hard to see how you can expect your sensitive data, including your business plans, your customer information or your own accounting data, to not eventually leak out. The difference between the government and you is that such a leak can shut down your business, and perhaps put you in jail if you violate federal compliance laws. With the government, only Manning is likely to see prison time. The people who designed the security system, it appears, aren’t being held accountable.
Yes, unfortunately, and all too typically, Manning is likely the only one who will see prison time. He just showed up for work to find an all-you-can-eat-for-free smorgasbord. The people who should be held accountable are those who had ten years to implement the recommendations made in “DoD Insider Threat Mitigation” and four years to train unit commanders and non-coms on the observations made in “Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis” on how to spot potential insider threats and how to manage them. The bull elephant in the room is how cavalierly the DoD has treated information security and the apparent lack of an organized governance and risk management process, not to mention a mature information security practice. It would be wonderful to think that we really dodged a bullet with this and that all that happened was we found out a little about how our government has lied to us and that, as a whole, our diplomatic corps is a pretty astute bunch of folks. The thing is, because of “weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis . . .” even if DISA had an incident response team, there is very little information available that would help with a forensic analysis.
There is no telling how much data has leaked or where it is. There is no public evidence of the existence of a formal incident response process. The response to this incident reminds one of the Keystone Kops and the Marx Brothers. We have seen some knee-jerk responses such as blindly forbidding the use of removable media and the institution of “insider threat working groups.” Can you say too little, too late? I’m going to stop right here for a minute to remind the reader of Marcus Ranum’s comments on the insider threat . . . that he’d been banging that drum for 20 years and that others had been banging the drum for 20 years before him. “So that is nothing new.”
Remember also that the DoD has been funding projects collaborating with organizations like NIST, RAND, CERT and others on understanding the insider threat and documenting mechanisms for managing it. And the report on insider threats that was published in 2006 listed the six attributes that characterized an insider threat . . . all six of which Manning exhibited! Now, that information was, in and of itself, as Mr. Ranum said, not new.
Apparently the threat was not important enough for the DoD to actually do anything about it . . . Or more likely, no one was paying any attention. No matter how you cut it, though, the negligence that was/is displayed should cost careers. What we have here is a failure to manage risk. Apparently, protecting Secret and Top-Secret information is not a priority for the Defense Department.
So what’s missing, from the public discussion at least, is any indication of awareness of the main problems and the “big picture.” Perhaps the charitable thing to do is to apply Hanlon’s razor to this situation. But what does remain is the fact that there is no evidence of risk management and governance, at least as far as security is concerned, in the DoD. (For an idea of what it looks like when an organization takes network security and data protection seriously, read this article on The Register.) The threat to national security is not Bradley Manning and WikiLeaks. It is the cluelessness of the people who are responsible for protecting our classified data. We have talked about several of the elephants in the room, but we still have one left.
To this point, the DoD has gotten all the attention. To be fair, the management at State is, if anything, even more clueless than the folks in the DoD. We’ll address that elephant in Part 4. This entry was cross-posted to lartwielder on Daily Kos.
Update 10 June 2013: Seems I was premature when I talked about dodging the bullet.