The WikiLeaks Brouhaha: Shooting the Messengers and Ignoring the Elephants, Part 3

In Part 2, we looked at the security environment at FOB Hammer and discovered that there was effectively none. That was the first component of the "perfect storm" that enabled Pfc. Manning to collect the video and documents that were published by WikiLeaks. There were two dimensions that interacted there. One was lax-to-completely-absent physical security at the site. The other was the failure on the personnel management side to detect all of the indicators that Manning was a candidate for being an insider threat. In Part 3 we will shift attention to the other components of the perfect storm that Manning described and show that they were there not for lack of information or institutional awareness, but because of negligence.

The WikiLeaks Brouhaha: Shooting the Messengers and Ignoring the Elephants, Part 2

Part 1 of this series revisited Pfc. Manning’s activities at Forward Operating Base Hammer with a focus on indicators that provided information about the level of oversight and risk management with respect to protecting Secret and Top Secret-level data.

In Part 2, we will look more closely at the information security environment at FOB Hammer and the initial response to the leaks by the DoD. We will begin to see how incompetent the whole chain of command, from the leadership at FOB Hammer all the way up to the Secretary of Defense, is at protecting high-value information.

The WikiLeaks Brouhaha: Shooting the Messengers and Ignoring the Elephants, Part 1


Amidst the Sturm und Drang following WikiLeaks’ publication of the State Department cables, Chelsea Manning and Julian Assange drew fire from the DoD, the State Department, the DoJ, Congress and the mainstream media. But with the exception of a few articles and blog postings from the technology sector, there has been no discussion of how it was possible that Pvt. Manning could get away with hoovering off gigabytes of data from Secret and Top Secret networks while remaining completely undetected. There also seems to have been no public discussion of the implications. To go after Chelsea Manning and Julian Assange is just an exercise in shooting the messenger. Ignoring the message will not make it magically disappear. But this is not about messengers. It is about the message. This is about all of those elephants stampeding around the room. Time to break out the elephant gun.

In this multi-part series, I am going to revisit the kerfuffle resulting from WikiLeaks’ release of videos and cables that it received from Pfc. Chelsea Manning with an eye toward examining:

  • what actually happened
  • why it happened
  • why it shouldn’t have happened
  • and, who is responsible for allowing an environment in which it could have happened to exist in the first place.

In Part 1, we will hear Pfc. Manning describe how the environment at Forward Operating Base Hammer, the lack of security on the DoD “secure” network and the absence of any security on the State Department’s network and systems worked together to enable her to do what she did without being detected. It will identify circumstances and conditions that will point to serious problems with the whole information security environment on both the DoD and State Department high-security networks.

Part 2 will dissect the security environment at FOB Hammer and then explore some of the implications of the problems identified in Part 1. It will show the complete absence of any kind of controls that would have prevented Manning from exfiltrating all of that information. Because of her status and emotional state, allowing Manning to continue in her position was just one more missing control at FOB Hammer. We will see how obvious it should have been to her chain of command that she was a very high-risk person and was a prime candidate for being an insider threat. It will also begin to identify the links in the chain of negligence and incompetence that allowed this to happen.

Part 3 will shift focus from FOB Hammer to the DoD at large and continue to document the negligence, incompetence and cluelessness as the dots are connected from FOB Hammer to the database at State. Again and again and again there were actions that could have been taken, policies that could have been put into effect and processes put into place that could have prevented Manning from hoovering up all of that information.

Part 4 shifts focus from the DoD to the State Department and describes all of the ways State didn’t do things that could have prevented the problem. If anything, State has bigger problems (with respect to the NCD) than did the DoD.

Part 5 will bring it all together and lay out the consequences of the incompetence and negligence exhibited by the players in this little saga. It will lay the message out in such a way that it will be clear even to those who laid the groundwork for this debacle. Given the absence of any kind of risk management or security controls, that something like this would happen was (and probably still is) inevitable. Because of a lack of forensic information, we will never know how many other people did what Manning did, but put it to use in a different way.

In Part 5, we will also review the concept of risk management and its function in the operation of any organization. We will talk about where the responsibility for risk management lies and point out all of the places up and down the chain of command in both the DoD and State Department where it is functionally nonexistent. It will show, based on Executive Branch and DoD directives, that the culpability for the leaks lies with leadership in the DoD and State Department for the complete lack of risk management oversight and practices. If they had followed common, bog-standard information security practices, this could not have happened. The culpability for this mess lies with the “management” of the Departments of Defense and State.

dcmwfmmmu, 9 May 2012

Vatican Board Asked to Resign Over Conference

“Members of the Vatican’s bioethics advisory panel have called for its board to resign after scientists who don’t support core church teaching on issues like birth control and infertility were featured at its annual conference.”

They’ve been going through Darrell Issa’s playbook.

‘Nuff said.

My Howard Beale Moment

OK. This is my Howard Beale moment. It’s been building for a while.

It started approaching critical mass when people applauded at Rick Perry’s offhand statement that he “never struggled” with the possibility that Texas could ever have executed an innocent person. Then everything started piling on . . . State legislators passing misogynistic legislation . . . ALEC-written bills being fielded in state legislatures all across the US . . . Ideologues holding the population of the US (including constituents who didn’t vote for them) hostage . . .

Then came Rick Santorum throwing up on John Kennedy’s speech on the separation of church and state. “I don’t believe in an America where the separation of church and state is absolute,” he says. (I’ll have a lot to say about that later).

That got my attention.

Then I read that Tennessee has passed “The Monkey Bill.”

And, there’s the news that when Bill Zedler (of the Texas House of Representatives) couldn’t get his anti-choice legislation passed, he enlisted the Texas Department of State Health Services to implement it for him anyway. And they are.

Then Arizona passes a law saying that life begins two weeks before conception. (No, they didn’t bother to define the term “life” . . . D’you suppose we could convince Mexico to just let us give Texas and Arizona back? I was really hoping that Rick Perry would follow through with his threat to secede . . .)

Anyway, that did it.

