DoD: WikiLeaks Defense in Place by 2013Congress Told How Breach Occurred; Steps to Prevent Future Ones
Also at the hearing, Patrick Kennedy, State Department undersecretary for management, and Thomas Ferguson, DoD principal deputy undersecretary for intelligence, told the senators how processes to safeguard data broke down, leading to Army Pfc. Bradley Manning allegedly transferring more than a quarter-million classified and sensitive diplomatic cables from DoD's classified SIPRNet network onto compact disks. The contents of those cables were turned over to WikiLeaks, an anti-secrecy website, which made them public last November. The copying occurred in Iraq from November 2009 to May 2010.
Sen. Susan Collins of Maine, the committee's ranking member, asked why would DoD computers contain State Department diplomatic cables and be accessible to someone who wouldn't need that information to perform his job? Kennedy responded that the cables were on the DoD network so military intelligence officers could have access to them. Like the Internet, he said, some data on SIPRNet are protected by passwords, others are not. The cables were not password protected.
"To be blunt, we believe in the interest of information sharing, that it would be a grave mistake and danger to the national security for the State Department to try to define each of every one of the 65 agencies that we share our diplomatic reporting analysis to say that, 'Pvt. Smith should get this cable, Lt. Jones should get that cable, Cmdr. X should get that cable.' The policies put in place between the State Department and other agencies for many years is that we provide this information to the other agency, the other agency takes on the responsibility of controlling access by their people to the material we provide to them."
Ferguson explained that different IT security rules apply to IT systems in battle zones than those stateside. He said that unlike homogeneous IT systems that share similar components in the United States, as one would find at Bank of America, computers in combat areas are often cobbled together. To transfer data, he said, it's simpler and faster to put the information on removable storage devices, especially considering that the United States works with coalition allies with different computer systems. "The focus in the field was speed and agility," Ferguson said. "We took that risk to allow, not just Pvt. Manning, but many people who are serving there to move at that pace." Besides, he said, personnel with access to SIPRNet had security clearances. "Frankly," Ferguson said, "most of our focus was worried about outside intruder threat, not insider threat."
To prevent future breaches, Takai said DoD has begun issuing to SIPRNet users hardened smart cards that are similar to ones used on its unclassified network. The vast number of cards to be issued - 500,000 - along with ancillary card readers and software means that distribution won't be finished until the end of 2012. It will take till mid-2013 for all SIPRNet server to be configured to accept the cards.
The CIO attributed the long rollout to the vast number of cards that need to be produced in a trusted environment and the fact that many of the computers and personnel to receive the cards, readers and software are situated in isolated locations, such as ships at sea.
Takai said DoD hopes to prevent future breaches such as WikiLeaks by implementing a host-based security system that centrally monitors machine configurations. A device-control module on the system disables the use of removable media, with certain exceptions. For those exceptions, a report will be issued in real time for each attempt to write data to removable media. On machines in which the host-based security system isn't deployed, other remedies will be used, such as removing software to allow writing to a CD. Indeed, Takai said, DoD has disabled the write capability on nearly 90 percent of its SIPRNet computers and devices; the exceptions involve machines that need the write capability for operational needs. She said machines with write capability operate under strict controls, in which copying is done at a kiosk overseen by two individuals.
Takai also said DoD is testing an audit extraction module, developed by the National Security Agency, that can be integrated into the host-based security system and leverages existing audit capabilities to reports to network operators questionable behaviors.
Collins asked why DoD doesn't use role-based software that limits users to only information they're entitled to access?
Takai said such technology is feasible, but in many situation it would be difficult to categorize the many different roles and decide what information should be accessible to users performing in those roles. "While this can make it possible to prevent the financial analyst from accessing large amounts of intelligence data," she said, "the general intelligence analyst or operational planner will still need to have access to enormous amounts of data since such access is essential to successful performance of their function."