In this series, we looked at the incompetence and negligence in the Departments of Defense and State that provided an operating environment that enabled Bradley Manning to copy hundreds of thousands of documents without ever being detected. The intent was not necessarily to present this as exculpatory evidence (but it would be really great if it did), but to assign culpability and responsibility for the criminal negligence that allowed this to happen with the idea of holding those who are culpable accountable.

In the earlier sections, I pointed out holes in the systems that made it inevitable that something like this would happen sometime. The only reason we know about them now is that Manning turned over his trove to Wikileaks. Recalling Scott Bradner’s observation:

The surprise about this latest series of leaks is not that it happened, but how it had not happened long before. Actually, maybe it has — not everyone who would like a copy of such information would be interested in publishing it.

Keep that in mind as you are reading. Brass tacks after the break . . .

Before I get started, I want to try to emphasize how serious this issue is . . . and I’m not talking about Manning and WikiLeaks. They were the messengers. I’m talking about the humongous herd of elephants milling around bearing the message. The message is this:

At the time the cables were published, it was possible to stumble around in classified military and government networks and no one would ever know you were there. If someone had smelled a rat, there was no way in hell to figure out what happened because there was no logging of any activity . . . anywhere. Or at least in all of the places Manning explored . . . or others, for that matter . . . remember that Manning decided he could trust Assange because he recognized 500,000 or so pager messages that had been previously posted to WikiLeaks.

“I immediately recognized that they were from an NSA database, and I felt comfortable enough to come forward . . .”

We know about it now, and that’s a very good thing . . . Manning and WikiLeaks did us a great favor in exposing the problem. This leak was the two-by-four that was required to get the attention of some of the folks in the military and government.

This is serious stuff. And it didn’t have to happen. The technology and know-how to prevent this from happening has been around for between 10 and 20 years and sometimes longer . . . Sometimes since the mid ’80s. It is purely a management problem that it wasn’t implemented.

To set the context for the main discussion and conclusion, I’m going to recap the main points:

FOB Hammer site security

First, reread Part 1. It’s short and from the horse’s mouth . . . Then come back for a recap . . .

1. Manning had been rummaging around classified military and government networks for over a year and no one noticed a thing.
2. Manning had been demoted and was being sent home before the end of his tour.
3. Site security at FOB Hammer was non-existent.
4. State didn’t know anything had happened until reporters asked for comments.
5. The DoD had no idea it happened until the video was published.

Insider threat

Marcus Ranum’s take on the insider threat:

Well, to me the biggest lesson is that the people who are inside your organization are the ones who can really hurt you, because they know where the good stuff is. That is a serious problem. So, to me that is the big takeaway. Now that is not [news]. I think I’ve been banging that drum for 20 something years, and security practitioners before me were banging it for 20 years before that. So that is nothing new.

But no one at the DoD or the State Department has been paying attention.

Consider:

1. Manning was the perfect candidate for being an insider threat.
2. In 2000 the DoD published a report titled: “DoD Insider Threat Mitigation. This report provided “an explicit list of recommendations for action to mitigate the insider threat to DoD information systems. Ten years later, Manning was rummaging around classified networks and no one noticed.
3. In 2006, the DoD commissioned a report titled: “Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis.” It made six observations about characteristics of people who would be a potential insider threat. Comparing the profile that Manning presented against the observations in the report, Manning was six for six.
4. Manning had been unstable before being assigned to FOB Hammer. So unstable that he had been sent for psychological evaluation. In the face of his instability, he was sent there anyway.
5. State was just as clueless as the DoD . . . maybe even more so. They had no mechanisms in place to manage the insider threat . . . But it has no more excuse than the DoD does. There are Federal Information Processing System Publications and NIST Special Publications that cover minimum security requirements, etc., etc.

In a nutshell: Despite having information on detecting and mitigating the threat of the insider abusing the system, the recommendations and guidelines were not implemented by either the DoD or State. That is a management problem. There is no excuse whatsoever for not having implementing controls to protect sensitive data and detect anomalous activity on a network. Nor is there any excuse for Manning to have maintained his security clearance after having been demoted.

Security on SIPRNet

Effectively none. See Bradner’s comment above. In Manning’s words:

Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis . . . a perfect storm.

And then, there was Manning himself. He completed the perfect storm.

The fact that Manning was able to bang around military and government networks for over a year and hoover off gigabytes of information completely undetected says it all.

One of the most damning pieces of information came when Maj. Gen. Webber issued the “Cyber Control Order” in Dec. 2010 which said in part:

Unauthorized data transfers routinely occur on classified networks using removable media and are a method the insider threat uses to exploit classified information.

This is an official acknowledgment that the chain of command, up to the level of Major General, knew that security policy was being routinely violated and that it was permitted.

Security at State

No better than at Defense.

• There was no risk assessment done. (By this I mean a real, grown-up Risk Assessment as described in NIST Special Publication 800-30: “Risk Management Guide for Information Technology Systems.” (pdf)
• There were no more network security controls in place on the State side of the network and on the database as there were on the Defense side.
• The database was not designed with security in mind – there were no security controls in place.
• There was a total absence of data management and access control.
• There was no data classification/segregation process in place.
• There was a mix of data types/classifications in the database.
• Users used the database inappropriately.
• Worst of all, there was no oversight of the system through its lifecycle.

Responses to the leaks by the DoD

• Gates first said that the breach happened because of “technical problems” in the field.
• Then they slammed the barn door shut by telling everybody to stop using removable devices.
• Then Central Command established “Insider Threat Working Groups.”
• They reprimanded the guy who was Manning’s CO at FOB Hammer.

Basically they scrambled around, tried to figure out what happened and then scrambled to try to plug the holes. That was another indication of how bad things are. An organization that takes risk management seriously has an incident response plan in place. Which wouldn’t have been needed had bog-standard security controls been in place . . .

Responses to the leaks by the State Department

Essentially the same as at the DoD.

• Clinton wailed: “Let’s be clear. This disclosure is not just an attack on America — it’s an attack on the international community.”
• They tried to excuse themselves by saying that they just couldn’t assign passwords to all of the potential users of the system.
• They acknowledged that the database was not managed well and that users really weren’t trained well.

I am going to belabor a few of the points I made in Part 4. Firstly, the problem with assigning passwords is not the “right” problem. The problem they should have been addressing was knowing whether someone was authorized to access the data or not. There is a lot more to this issue and this is not the place to discuss it. The important point is that access to classified information should be based on need-to-know. Passwords have nothing to do with helping a system determine whether a particular request is being made by someone with legitimate need to know. With NCD, if you could get to it, you could have anything. Bad, bad, bad system design.

I will let Marcus Ranum address the second point:

Then the other piece of the puzzle that I find is really interesting is the apparent inability of the people who lost the data, the original data holders, to tell what data was stolen and while it was being stolen. And this is an important message for anyone who is a CISO because it shows what can happen when your data leaks if you don’t have auditing and logging in place so that you can go back and say, “Well, OK if we do believe this guy leaked a bunch of information, what information did he actually access and when?” Of course, ideally you would get in front of that process and maybe detect the fact that somebody who really didn’t have a need to access this particular information was downloading [this information] in one fell swoop. That is kind of a red flag, I would think.

The third point that needs emphasis is that “agency officials relied on the end-users of the data – mostly military and intelligence personnel – to guard against abuse.” That’s just bass ackwards. No. No matter how you cut it, that’s just wrong. Murphy’s Law is the only thing one can rely on. If it’s your data and you need for it to be protected, you have to be the one to do it.

Hils, if you and your people had just an eighth of a clue, this wouldn’t have happened. It happened on your watch, on your court, and your team was on defense. It’s all on you, darlin’. Enough with the wailing and gnashing of teeth. Man up and admit that your people could have and should have kept this from happening . . .

(Now, I know that “the book” says that anyone who has access to classified information has a duty to protect it. That is not the same thing as saying that anybody who asks for it can have it, and it’s their responsibility to protect it but I’m not going to keep track of who asked for it, how much, when, or whether they had need-to-know).

As with the DoD, the absence of an incident response plan at State demonstrates how little they know (or do) about security. Also, as with the DoD, had existing policy been implemented, the incident response plan wouldn’t have been needed.

Shifting gears a bit . . .

Information Security is not optional

Appendix III to OMB Circular No. A-130 – Security of Federal Automated Information Resources “establishes a minimum set of controls to be included in Federal automated information security programs.” It defines “adequate security” as:

security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.

For clarification of responsibilities for security on classified networks it says:

Policy and procedural requirements for the security of national security systems (telecommunications and information systems that contain classified information or that support those critical national security missions (44 U.S.C. 3502(9) and 10 U.S.C. 2315)) is assigned to the Department of Defense pursuant to Presidential directive.

It goes on to say:

For security to be most effective, the controls must be part of day-to-day operations. This is best accomplished by planning for security not as a separate activity, but as an integral part of overall planning.

OK. Given that information security is not optional, and that we have a definition of “adequate security,” lets look at how risks against insider threats, network abuse and database abuse were managed. Keep in mind that one can tell how valuable a resource is by how much effort is expended in protecting it. One could say one or more of the following about the leak, the DoD and the Department of State:

1. The information was valuable and they both failed to provide “adequate security”,
2. The information was of such little value to them that there was no need to secure it or
3. They may have though they were providing adequate security.

Based on all of the activity out of the DoD and State after the leaks were published, I’m going to go with number one. So now we need to ask a few of questions:

1. Was this out of ignorance or negligence?
2. If it was out of ignorance, who was responsible for putting up with it?
3. If it was negligence, who can we throw under the bus?

I’m thinking that it’s probably both. Ignorance caused by negligence on the part of State and negligence on the part of the DoD.

You’ve got to be seriously intellectually challenged to think that with 500,000 people having access to a completely unprotected database that it won’t be compromised in some way, intentionally or not. You’ve also got to be seriously challenged to think that anything that evolved in the manner that the NCD database did, was being actively managed at all.

With respect to the DoD, the public admission that “unauthorized transfers” were routinely taking place and that the chain of command up to the level of Major Generals were aware of it sorta defines negligence. See Parts 2 and 3 for more examples. This is enough to make the point.

So who gets thrown under the bus? Since risk management is a “management” function, I nominate the management of the Departments of Defense and State. In reality, it probably wouldn’t be realistic to hope for meaningful consequences to be applied to anyone higher than the Assistant Secretary of Defense for Command, Control, Communications and Intelligence in the Defense Department and the Undersecretary of State for Management in the State Department.

It really would be nice, though to have some kind of acknowledgement from the Secretary of State, the Joint Chiefs of Staff and the Secretary of Defense that the leaks happened because of the incompetence and negligence of the people in their departments whose responsibility it was to see that classified information was appropriately safeguarded. It simply was not. If their responsibility had been taken seriously, this never would have happened. And because of their negligence, we will never know how many more times it did happen . . .

Recently there was an article on the BBC News web site titled: “Foreign spies ‘penetrate’ US military networks.” In part, it read:

Foreign spies should be assumed to have penetrated the computer networks of the US military, American politicians have been told.

Security experts testifying to the Senate Armed Services Subcommittee said the penetration was likely so complete that attempts to curb it should stop.

Indeed.

Seems to me that this incompetence and negligence has been much more harmful to the US than what Manning and WikiLeaks did. D’you suppose it would possible to have the people that Defense and State elect to throw under the bus sent to Quantico to await their trials, too? And that they be made to sleep naked every night? But I’d rather that their trials not be held in secret. I’d like very much to hear all about how badly the pooch is really screwed . . . (Which, I suspect, is why Manning’s trial is being held in such secrecy. You can bet your bippy that there are going to be some pretty unflattering things come out of that trial . . .)

Don’t worry, I’m not holding my breath. A guy can dream though, can’t he? I’ll settle for knowing how absolutely incredibly clueless those people are and having the fun of watching the stuff hit the fan as the chickens, er, elephants come home to roost. They’ll be able to bury a lot of it, but every now and then something will break out . . .

What the Executive Branch hasn’t figured out yet is that Manning and WikiLeaks did us (that is, we US citizens who expect those who are running our country and our military to be at least somewhat clueful) a great favor. They have shown us how incompetent and negligent our leadership is. The Emperor truly has no clothes. Thanks, guys! You did us a great favor . . .

I am sure that Manning, and possibly Assange are the only people who will see any time behind bars. I am quite confident that Manning will have the book thrown at him and he’ll probably spend the better part of his life in the brig. The DoD is using him as a scapegoat and a red herring to direct attention away from how badly they screwed up their security . . . and avoid having to answer some really embarrassing questions. I really feel sorry for him and if there were anything I could do to help him I would/will. Again, I’m not holding my breath.

But I do get some consolation and some awesome lulz when I think about this:

Everything I’ve talked about in this series is information that is publicly available. I’ve linked to every source I’ve used. I’m not the only person in the world who can read and put two and two together. Half the people I’ve worked with over the past ten years or so have figured this out. Any sysadmin with half a clue has figured out what was and is going on. The only thing all the Chicken Little stuff has accomplished is to affirm what is already obvious . . .

The directives, policies, knowledge and tools that could have been employed to prevent this leak have been available for at least ten years. There is no excuse for this to have happened. The explanation is that protecting classified data wasn’t important enough to the DoD and State for them to implement the controls. It’s just that simple.

Memo to the DoD, State, and probably every other department in the Executive Branch:

In case you haven’t figured it out yet, to your friends, this debacle has made you out to be numbnuts and it has shown your enemies your soft spots . . . If it didn’t affect me and my family and friends personally, I could work up a serious case of Schadenfreude . . .

The only interest I have in this debacle is busting the idiots on whose watch this happened. There are, however, others who have different motivations . . . and the resources to exercise them.

Thanks much to Bradley Manning and WikiLeaks. Thanks for shining a bright light in a dark corner. It’s been fun to watch the roaches scatter . . .

[1] His only real sin was in getting caught . . .

This blog entry cross-posted to lartwielder at Daily Kos.