Defense Dept. Not Planning On Closing Security Hole That Resulted In Wikileaks Disclosure... Until 2013

from the but..-but...-kill-manning! dept

One of the big points that's been completely lost in the debate over Wikileaks and Bradley Manning allegedly leaking a bunch of government info to Wikileaks is just how easy it was to do so. Some reports have noted that millions of people had access to the same info, and it's quite likely that plenty of others "leaked" at least pieces of it (not necessarily to Wikileaks, but out into the world). Some are beginning to point out just how incredibly slow the Defense Department has been in trying to be more secure with its network. While they were quick to arrest Manning, actually doing something about how easy it was to leak took months. And, even worse, it looks like the major security holes in the system won't actually be closed until 2013. So, government leakers have a few more years...

Filed Under: defense department, security, wikileaks

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    aldestrawk (profile), 12 Apr 2011 @ 2:41am

    The article from Firedoglake misleads by summarizing SIPRnet as being either secure or not secure. There are three, somewhat independent, aspects of security at work here; ability to bridge the air gap between SIPRnet and the rest of the universe, authentication and finer grained access, logging and auditing capability. Each one will make the system more secure.
    SneakerNet was and is still needed. They point out the malware incident in 2008 triggered by an infected thumb drive. Malware can be controlled by disabling autorun capability. I am not sure if that was addressed. The DOD apparently decided to restrict thumb drives but still allowed writeable CDs. After Wikileaks, they are restricting further, only allowing 12% of their computers Sneakernet capability and somehow(?) monitoring people and transactions on these. This is enough, in itself, to have prevented a Bradley Manning from leaking mass amounts of material. Someone else, a little more trusted, can still do a mass leak.
    What they are ultimately doing is making multiple classification levels for info and assigning everyone a capability to access some subset of those levels. They are doing this by creating a PKI and issuing cards with digital certificates. DoD, apparently, did not want to do passwords. I am a bit dumbfounded if they don't do two-factor authentication. The State Dept. has already moved their cables over to JWICS (the top secret network). I think that is overreacting. Maybe it's temporary. Certainly, the vast majority of those don't deserve top secret listing.
    The final part is to put in a logging and auditing capability to monitor data transactions. The threat of monitoring is supposed to deter leaking.
    They recognize there is a need to share information, particularly after 9/11. From the outside, it looks like they just let anyone with access to SIPRnet full access to all information stored on it. The full system won't be finished till 2013, but that doesn't mean that there is no more security than there was a year ago. The algorithms needed to implement such a system are well known. There are several different authentication systems in use elsewhere. The card system means it will take time to deploy.
    One of the NSA's responsibilities is developing computer and network security (e.g. SE Linux (Security Enhanced Linux) is derived from work done at the NSA). The DoD will be using an auditing system developed by the NSA. There is an interesting quote in the Lamo/Manning chat logs.

    i even asked the NSA guy if he could find any suspicious activity coming out of local networks… he shrugged and said… “its not a priority”

    Nobody expected a military insider would do a mass leak. That was naive.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.