Feeble computer security dominated the third day of a pretrial military hearing for Army Pfc. Bradley Manning.
The fourth pretrial hearing day, on Monday, put the spotlight on more than 100,000 sensitive documents and conversation logs between Manning and a former hacker, according to news reports.
The 24-year-old Manning stands accused of passing a trove of government documents to WikiLeaks while working as an intelligence analyst in Iraq in 2009 and 2010.
If found guilty, he could face the death penalty, although the Army has indicated it would not, in fact, press for his execution.
According to USA Today, investigators testified that Manning downloaded thousands of diplomatic cables; Guantanamo assessment documents; video from a controversial 2007 airstrike in Baghdad; and military records of a 2009 U.S. airstrike in Gerani, Afghanistan, in which dozens of civilians were killed.
Fifteen military staff have been disciplined in the wake of the scandal, according to the Defense Department.
Two witnesses called to testify on Sunday—Sgt. 1st Class Paul Adkins and Warrant Officer Kyle Bolonek—refused to answer questions, invoking their right to remain silent.
According to CNN, the Army has slashed Adkins’s rank, from master sergeant to sergeant first class.
Prior to the WikiLeaks affair, the Army had no technology to block soldiers from downloading and transferring massive amounts of data.
Here’s how Capt. Thomas Cherepko described the pre-WikiLeaks days, according to CNN’s Larry Shaugnessy:
Capt. Thomas Cherepko said intelligence analysts like Manning could move information back and forth from their official computers and a shared computer hard drive. Testifying by telephone, he said there was nothing preventing a soldier from burning a CD of classified information, taking the CD, and then distributing whatever files were on it.
"The only thing preventing that is trust," said Cherepko, who served with Manning at the same base in Iraq.
Since Manning was last deployed to Iraq, the military has restricted the number of people authorized to download secret information, a military computer expert said on Sunday. New rules also require two people to authorize downloads, while mass information transfer sets off alerts.
That’s certainly an improvement over an utter lack of oversight on what staff download and transfer. After all, you may be able to fend off attackers with firewalls, antivirus software and intrusion detection tools, but rogue insiders are a whole ‘nuther kettle of fish.
How do you contain the considerable risk presented by rogue employees? Encrypt everything, as an enterprise key and certificate management vendor like Venafi would recommend?
Institute audit trails for access to encryption keys? Use different passwords to secure different keystores, and then rotate those passwords?
Maybe. But at the very least, you do what the Army is belatedly doing: set up some type of process that ensures that somebody, somewhere—optimally, a number of somebodies—is aware that your intellectual property/sensitive documents are on the move when they’re on the move.
If we all paid more attention to the potential risk, perhaps somebody like Pfc. Manning—an allegedly gender-confused, confrontational underdog of an employee—would be prevented from getting into the hot water he’s now in.