Amidst the Sturm und Drang following WikiLeaks’ publication of the State Department cables, Chelsea Manning and Julian Assange drew fire from the DoD, the State Department, the DoJ, Congress and the mainstream media. But with the exception of a few articles and blog postings from the technology sector, there has been no discussion of how it was possible that Pvt. Manning could get away with hoovering off gigabytes of data from Secret and Top Secret networks while remaining completely undetected. There also seems to have been no public discussion of the implications. To go after Chelsea Manning and Julian Assange is just an exercise in shooting the messenger. Ignoring the message will not make it magically disappear. But this is not about messengers. It is about the message. This is about all of those elephants stampeding around the room. Time to break out the elephant gun.
In this multi-part series, I am going to revisit the kerfuffle resulting from WikiLeaks’ release of videos and cables that it received from Pfc. Chelsea Manning with an eye toward examining:
- what actually happened
- why it happened
- why it shouldn’t have happened
- and, who is responsible for allowing an environment in which it could have happened to exist in the first place.
In Part 1, we will hear Pfc. Manning describe how the environment at Forward Operating Base Hammer, the lack of security on the DoD “secure” network, and the absence of any security on the State Department’s network and systems worked together to enable her to do what she did without being detected. Part 1 will identify circumstances and conditions that point to serious problems with the whole information security environment on both the DoD and State Department high-security networks.
Part 2 will dissect the security environment at FOB Hammer and then explore some of the implications of the problems identified in Part 1. It will show the complete absence of any kind of controls that would have prevented Manning from exfiltrating all of that information. Because of her status and emotional state, allowing Manning to continue in her position was just one more missing control at FOB Hammer. We will see how obvious it should have been to her chain of command that she was a very high-risk person and was a prime candidate for being an insider threat. It will also begin to identify the links in the chain of negligence and incompetence that allowed this to happen.
Part 3 will shift focus from FOB Hammer to the DoD at large and continue to document the negligence, incompetence and cluelessness as the dots are connected from FOB Hammer to the database at State. Again and again and again there were actions that could have been taken, policies that could have been put into effect and processes put into place that could have prevented Manning from hoovering up all of that information.
Part 4 shifts focus from the DoD to the State Department and describes all of the ways State didn’t do things that could have prevented the problem. If anything, State has bigger problems (with respect to the NCD) than did the DoD.
Part 5 will bring it all together and lay out the consequences of the incompetence and negligence exhibited by the players in this little saga. It will lay the message out in such a way that it will be clear even to those who laid the groundwork for this debacle. Given the absence of any kind of risk management or security controls, that something like this would happen was (and probably still is) inevitable. Because of a lack of forensic information, we will never know how many other people did what Manning did, but put the information to use in a different way.
In Part 5, we will also review the concept of risk management and its function in the operation of any organization. We will talk about where the responsibility for risk management lies and point out all of the places up and down the chain of command in both the DoD and State Department where it is functionally nonexistent. It will show, based on Executive Branch and DoD directives, that the culpability for the leaks lies with leadership in the DoD and State Department for the complete lack of risk management oversight and practices. If they had followed common, bog-standard information security practices, this could not have happened. The culpability for this mess lies with the “management” of the Departments of Defense and State.
Part 1 after the fold . . .