Lax security blamed for 100,000+ sensitive files found on Manning's PC

Feeble computer security dominated the third day of a pretrial military hearing for Army Pfc. Bradley Manning.

The fourth pretrial hearing day, on Monday, put the spotlight on more than 100,000 sensitive documents and conversation logs between Manning and a former hacker, according to news reports.

The 24-year-old Manning stands accused of passing a trove of government documents to WikiLeaks while working as an intelligence analyst in Iraq in 2009 and 2010.

If found guilty, he could face the death penalty, although the Army has indicated it would not, in fact, press for his execution.

According to USA Today, investigators testified that Manning downloaded thousands of diplomatic cables; Guantanamo assessment documents; video from a controversial 2007 airstrike in Baghdad; and military records of a 2009 U.S. airstrike in Gerani, Afghanistan, in which dozens of civilians were killed.

Fifteen military staff have been disciplined in the wake of the scandal, according to the Defense Department.

Two witnesses called to testify on Sunday—Sgt. 1st Class Paul Adkins and Warrant Officer Kyle Bolonek—refused to answer questions, invoking their right to remain silent.

According to CNN, the Army has slashed Adkins's rank, from master sergeant to sergeant first class.

Prior to the WikiLeaks affair, the Army had no technology to block soldiers from downloading and transferring massive amounts of data.

Here's how Capt. Thomas Cherepko described the pre-WikiLeaks days, according to CNN's Larry Shaughnessy:

Capt. Thomas Cherepko said intelligence analysts like Manning could move information back and forth from their official computers and a shared computer hard drive. Testifying by telephone, he said there was nothing preventing a soldier from burning a CD of classified information, taking the CD, and then distributing whatever files were on it.

"The only thing preventing that is trust," said Cherepko, who served with Manning at the same base in Iraq.

Since Manning was last deployed to Iraq, the military has restricted the number of people authorized to download secret information, a military computer expert said on Sunday. New rules also require two people to authorize downloads, while mass information transfer sets off alerts.

That's certainly an improvement over an utter lack of oversight on what staff download and transfer. After all, you may be able to fend off attackers with firewalls, antivirus software and intrusion detection tools, but rogue insiders are a whole 'nuther kettle of fish.

How do you contain the considerable risk presented by rogue employees? Encrypt everything, as an enterprise key and certificate management vendor like Venafi would recommend?

Institute audit trails for access to encryption keys? Use different passwords to secure different keystores, and then rotate those passwords?

Maybe. But at the very least, you do what the Army is belatedly doing: set up some type of process that ensures that somebody, somewhere—optimally, a number of somebodies—is aware that your intellectual property/sensitive documents are on the move when they're on the move.

If we all paid more attention to the potential risk, perhaps somebody like Pfc. Manning—an allegedly gender-confused, confrontational underdog of an employee—would be prevented from getting into the hot water he's now in.

Image source of Army Pfc. Bradley Manning courtesy of wired.com

16 Responses to Lax security blamed for 100,000+ sensitive files found on Manning's PC

  1. offended byYou · 955 days ago

    " perhaps somebody like Pfc. Manning—an allegedly gender-confused, confrontational underdog of an employee— "

    what? since when is this article (or this blog for that matter) about gender? and what does that have to do with data security at all. seriously, that's just insulting.

    • Paul Ducklin · 954 days ago

      I can't speak for Lisa...but even though I usually bristle a little when articles drop in allegedlies, I didn't bristle here. The media coverage I've seen does allege that he was something of an "out there" chap, and thus perhaps a strange choice for the sort of work he was doing.

      After all, it's not just data security which was a big loser here, but Manning himself. And that's what I read into this comment. Risk management in security doesn't just protect the organisation from egregious behaviour by staff, but also protects staff from getting into difficult situations.

      My 2c.

    • Vito · 953 days ago

      The allegations that Manning is gender-confused and that it bears directly on the security breaches with which he has been charged are NOT Lisa's allegations. They are allegations made by Manning's own defense attorney.

      From the ABC news article, "Manning Defense Focuses on Female Alter-Ego and Erratic Behavior":

      (Quote) Early on Maj. Matthew Kemkes, Manning's military attorney, said raising Manning's homosexuality and his gender identity disorder was important because it would show “what was going on in my client's mind.” (End quote)

      Source: http://abcnews.go.com/Politics/bradley-manning-de...

      Of course, you’re still free to be insulted if that’s what you really want. But then you ought to put the blame on Manning’s attorney. Dumping it on Lisa is a case of shooting the messenger.

    • icmonsters · 946 days ago

      Yep. A hyperlink would have helped clear up confusion.

  2. Grashnak · 955 days ago

    The question isn't how do you protect against rogue employees abusing their knowledge - there is no way you can prevent someone from talking or writing about something they've seen. All you can do is hope that loyalty (and the threat of sanctions) keeps people from doing this.

    But allowing personnel to freely download and move classified material among different systems? That's insane. Someone talking about classified material is bad - someone talking about classified material and having it on their personal hard drive is criminal (and I'm not talking just about the person downloading the material).

  3. RichardRosenSG · 955 days ago

    I'm a fan of monitoring the computer activity of each user. This proactive measure provides an audit trail of whatever is done on a PC, so when an investigation is needed, it's all there and takes a short time to review and find what you're looking for. A lot better than combing through logs and invariably coming to the conclusion there are gaps in the information you're looking for.

    Employee monitoring provides more value than an audit trail. Knowing how employees use their computers helps improve work quality, productivity as well as operations in general. Frankly, without monitoring in place, assuring compliance with Acceptable Use Policy is like Swiss cheese - has holes in it.

  4. Jason · 955 days ago

    You were doing fine until your last paragraph.

  5. Anon · 955 days ago

    Interesting article - up until the "allegedly gender-confused". Why the need for a personal attack?

    • Nigel · 952 days ago

      It's not a personal attack. Read the article linked by Vito, above, in reply to "offended byYou". It's simply a reporting of a fact—one that Mr. Manning himself obviously believes is relevant to the case, considering the fact that he's basing his defense on it.

      Whether it turns out that Mr. Manning's gender confusion provides a successful defense might indeed be relevant to security policy. If he's found not guilty on the basis of his alleged psychological dysfunction, then the army is going to have to come up with a security policy that takes that into account. Existing consequences under current policy will no longer have any deterrent effect if security breaches due to gender dysfunction are given a free pass.

  6. CommonSense · 955 days ago

    By the way, a reduction in rank from Master Sergeant to Sergeant First Class is not what anyone would consider "slashing". It's just one grade lower.

  7. Miguel C · 954 days ago

    I'll just leave this right here: http://openchannel.msnbc.msn.com/_news/2011/12/21...

  8. James · 953 days ago

    Well Bradley Manning wants to become a woman. Good luck to him, he already qualifies as a gossip!

    • Lisa Vaas · 899 days ago

      Hissssssss!!!!! hahaha! O, you bad boy. What was I reading recently, something about how men actually talk more than women, but they tend to talk mostly about themselves? Testosterone, the tongue-flapper, yippee!!!

      FWIW, I was married to a transgendered person who eventually became a woman. I am the last person in the world who would interpret "gender-confused" to be a smear of any kind. As commenters noted, I was just reporting on the defense's use of this personality trait.

  9. Treason Sucks · 953 days ago

    Agreed, Gender or Gender confused has nothing to do with the issue.

    What it does have to do with is he sold out his country and his leaders, something that every service member takes an oath to defend and support. I think the Army should press for the death sentence. Make an example of him, too many people now-a-days take security too simply and think of it as just a hindrance to their rights. These security classifications and restrictions are in place to protect the information and data from exposure, in addition to, protect our country and citizens from any harm, which may come from these security breaches. People everywhere are watching this case; some of those are people that are thinking of doing these things. Often the only thing that stops them is the threat of being caught and tried for treason, if this criminal does not have his feet held to the fire, then we are sending a clear message that if you want to stand on your principle, you will only get time in jail. Which is much less of a threat now-a-days, when prisons are faced with overcrowding, simple white collar criminals are released. To me a security professional and retired military member, this is appalling.

  10. JimH · 951 days ago

    Everything needs to be done to divert attention from the contents of some of that information because it puts egg on the face of a lot of people in power. From what I have read on Wikileaks in general shows a lot of two-faced double dealing and dirty tricks, deceit and lies, games played with people's lives. The whole security angle strikes me more as people in power want the unfettered ability to do what they want without fear of discovery and consequences.

  11. Zuckerfry · 948 days ago

    IMO you guys focus way too much on the fact, that he has published critical data. But you are quite aware, which data this was?
    Most of these files and videos showed military action against civilians, which is, IMO, way more criminal than making this information public to the world.
    I think it's crazy to press death sentence against him: Whistleblowers are not, by nature, criminals. I haven't heard any word about those soldiers, who killed nearly 10 civilians and two Reuters reporters.

    Making crime apparent to society mustn't be a crime!

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.