Feeble computer security dominated the third day of a pretrial military hearing for Army Pfc. Bradley Manning.
The fourth pretrial hearing day, on Monday, put the spotlight on more than 100,000 sensitive documents and conversation logs between Manning and a former hacker, according to news reports.
The 24-year-old Manning stands accused of passing a trove of government documents to WikiLeaks while working as an intelligence analyst in Iraq in 2009 and 2010.
If found guilty, he could face the death penalty, although the Army has indicated it would not, in fact, press for his execution.
According to USA Today, investigators testified that Manning downloaded thousands of diplomatic cables; Guantanamo assessment documents; video from a controversial 2007 airstrike in Baghdad; and military records of a 2009 U.S. airstrike in Gerani, Afghanistan, in which dozens of civilians were killed.
Fifteen military staff have been disciplined in the wake of the scandal, according to the Defense Department.
Two witnesses called to testify on Sunday—Sgt. 1st Class Paul Adkins and Warrant Officer Kyle Bolonek—refused to answer questions, invoking their right to remain silent.
According to CNN, the Army has slashed Adkins’s rank, from master sergeant to sergeant first class.
Prior to the WikiLeaks affair, the Army had no technology to block soldiers from downloading and transferring massive amounts of data.
Here’s how Capt. Thomas Cherepko described the pre-WikiLeaks days, according to CNN’s Larry Shaughnessy:
Capt. Thomas Cherepko said intelligence analysts like Manning could move information back and forth from their official computers and a shared computer hard drive. Testifying by telephone, he said there was nothing preventing a soldier from burning a CD of classified information, taking the CD, and then distributing whatever files were on it.
"The only thing preventing that is trust," said Cherepko, who served with Manning at the same base in Iraq.
Since Manning was last deployed to Iraq, the military has restricted the number of people authorized to download secret information, a military computer expert said on Sunday. New rules also require two people to authorize downloads, while mass information transfer sets off alerts.
That’s certainly an improvement over having no oversight at all of what staff download and transfer. After all, firewalls, antivirus software and intrusion detection tools are built to fend off outsiders; a rogue insider who already holds valid credentials and a legitimate reason to read the data is a different problem entirely.
How do you contain the considerable risk presented by rogue employees? Encrypt everything, as an enterprise key and certificate management vendor like Venafi would recommend?
Institute audit trails for access to encryption keys? Use different passwords to secure different keystores, and then rotate those passwords?
Maybe. Encryption and key management raise the bar, but they do nothing against an insider who is authorized to decrypt. So at the very least, you do what the Army is belatedly doing: set up a process that ensures somebody, somewhere (optimally, several somebodies) knows that your intellectual property or sensitive documents are on the move when they’re on the move: a second person who has to approve bulk downloads, an alert when a single account moves an unusual volume of data, and a record of who moved what, where and when.
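The two controls described above (a two-person rule on bulk downloads and an alert when one account moves a large volume of data to removable media in a short time) are easy to sketch. The script below is an added illustration, not Army or CNN code; the log format, the field names, the 500 MiB / 10 minute threshold and the user names are all assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample transfer log (not real data). Assumed format per line:
# <ISO timestamp> <user> <action> <destination> <bytes>
SAMPLE_LOG = """\
2010-04-05T09:00:00 analyst1 copy cdrom 52428800
2010-04-05T09:03:00 analyst1 copy cdrom 104857600
2010-04-05T09:05:00 analyst2 copy share 1048576
2010-04-05T09:07:00 analyst1 copy cdrom 734003200
2010-04-05T11:30:00 analyst1 copy cdrom 734003200
2010-04-05T11:31:00 analyst2 copy share 2097152
"""

BULK_THRESHOLD = 500 * 1024 * 1024     # 500 MiB within one window (assumed)
WINDOW = timedelta(minutes=10)          # sliding window length (assumed)
WATCHED_DESTS = {"cdrom", "usb"}        # media that leave the building (assumed)


def parse_log(text):
    """Parse the assumed whitespace-separated log format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, dest, size = line.split()
        events.append((datetime.fromisoformat(ts), user, action, dest, int(size)))
    return events


def detect_mass_transfer(events, threshold=BULK_THRESHOLD, window=WINDOW):
    """Alert when one user copies more than `threshold` bytes to a watched
    destination within any `window`.  After an alert the user's window is
    reset, so one burst yields one alert rather than one alert per file."""
    recent = defaultdict(deque)   # user -> deque of (ts, bytes) inside window
    totals = defaultdict(int)     # user -> running sum of that deque
    alerts = []
    for ts, user, _action, dest, size in sorted(events):
        if dest not in WATCHED_DESTS:
            continue
        q = recent[user]
        while q and ts - q[0][0] > window:       # expire events older than window
            totals[user] -= q.popleft()[1]
        q.append((ts, size))
        totals[user] += size
        if totals[user] > threshold:
            alerts.append({"user": user, "dest": dest, "at": ts,
                           "bytes": totals[user], "files": len(q)})
            q.clear()
            totals[user] = 0
    return alerts


def authorize_bulk_export(requester, approvers, required=2):
    """Two-person rule: a bulk export proceeds only with `required` distinct
    approvers, none of whom is the requester.  Duplicate approvals and
    self-approval are discarded rather than counted."""
    distinct = set(approvers) - {requester}
    return len(distinct) >= required


if __name__ == "__main__":
    for a in detect_mass_transfer(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['at']} {a['user']} -> {a['dest']}: "
              f"{a['bytes'] / 2**20:.0f} MiB in {a['files']} files")
    print("two-person check:", authorize_bulk_export("analyst1", ["sgt_a", "wo_b"]))
```

On the sample log, analyst1 trips the threshold twice (three files totalling about 850 MiB at 09:07, then a single 700 MiB file at 11:30) while analyst2's copies to the internal share are ignored. The reset after each alert is the debounce a real deployment would want; without it, every additional file in a burst would generate its own alert. The authorization helper deliberately counts distinct approvers only, so "the same sergeant clicks approve twice" and "the requester approves his own request" both fail.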
If we all paid more attention to the potential risk, perhaps somebody like Pfc. Manning—an allegedly gender-confused, confrontational underdog of an employee—would be prevented from getting into the hot water he’s now in.
Image source of Army Pfc. Bradley Manning courtesy of wired.com
16 comments on “Lax security blamed for 100,000+ sensitive files found on Manning’s PC”
" perhaps somebody like Pfc. Manning—an allegedly gender-confused, confrontational underdog of an employee— "
What? Since when is this article (or this blog, for that matter) about gender? And what does that have to do with data security at all? Seriously, that's just insulting.
I can't speak for Lisa…but even though I usually bristle a little when articles drop in allegedlies, I didn't bristle here. The media coverage I've seen does allege that he was something of an "out there" chap, and thus perhaps a strange choice for the sort of work he was doing.
After all, it's not just data security which was a big loser here, but Manning himself. And that's what I read into this comment. Risk management in security doesn't just protect the organisation from egregious behaviour by staff, but also protects staff from getting into difficult situations.
The allegations that Manning is gender-confused and that it bears directly on the security breaches with which he has been charged are NOT Lisa's allegations. They are allegations made by Manning's own defense attorney.
From the ABC news article, "Manning Defense Focuses on Female Alter-Ego and Erratic Behavior":
(Quote) Early on Maj. Matthew Kemkes, Manning's military attorney, said raising Manning's homosexuality and his gender identity disorder was important because it would show “what was going on in my client's mind.” (End quote)
Of course, you’re still free to be insulted if that’s what you really want. But then you ought to put the blame on Manning’s attorney. Dumping it on Lisa is a case of shooting the messenger.
Yep. A hyperlink would have helped clear up confusion.
The question isn't how do you protect against rogue employees abusing their knowledge – there is no way you can prevent someone from talking or writing about something they've seen. All you can do is hope that loyalty (and the threat of sanctions) keeps people from doing this.
But allowing personnel to freely download and move classified material among different systems? That's insane. Someone talking about classified material is bad – someone talking about classified material and having it on their personal hard drive is criminal (and I'm not talking just about the person downloading the material).
I'm a fan of monitoring the computer activity of each user. This proactive measure provides an audit trail of whatever is done on a PC, so when an investigation is needed, it's all there and takes a short time to review and find what you're looking for. A lot better than combing through logs and invariably coming to the conclusion there are gaps in the information you're looking for.
Employee monitoring provides more value than an audit trail. Knowing how employees use their computers helps improve work quality and productivity, as well as operations in general. Frankly, without monitoring in place, assuring compliance with an Acceptable Use Policy is like Swiss cheese: it has holes in it.
You were doing fine until your last paragraph.
Interesting article – up until the "allegedly gender-confused". Why the need for a personal attack?
It's not a personal attack. Read the article linked by Vito, above, in reply to "offended byYou". It's simply a reporting of a fact—one that Mr. Manning himself obviously believes is relevant to the case, considering the fact that he's basing his defense on it.
Whether it turns out that Mr. Manning's gender confusion provides a successful defense might indeed be relevant to security policy. If he's found not guilty on the basis of his alleged psychological dysfunction, then the army is going to have to come up with a security policy that takes that into account. Existing consequences under current policy will no longer have any deterrent effect if security breaches due to gender dysfunction are given a free pass.
By the way, a reduction in rank from Master Sergeant to Sergeant First Class is not what anyone would consider "slashing". It's just one grade lower.
I'll just leave this right here: http://openchannel.msnbc.msn.com/_news/2011/12/21…
Well Bradley Manning wants to become a woman. Good luck to him, he already qualifies as a gossip!
Hissssssss!!!!! hahaha! O, you bad boy. What was I reading recently, something about how men actually talk more than women, but they tend to talk mostly about themselves? Testosterone, the tongue-flapper, yippee!!!
FWIW, I was married to a transgendered person who eventually became a woman. I am the last person in the world who would interpret "gender-confused" to be a smear of any kind. As commenters noted, I was just reporting on the defense's use of this personality trait.
Agreed, Gender or Gender confused has nothing to do with the issue.
What it does have to do with is that he sold out his country and his leaders, something that every service member takes an oath to defend and support. I think the Army should press for the death sentence. Make an example of him; too many people nowadays take security too lightly and think of it as just a hindrance to their rights. These security classifications and restrictions are in place to protect the information and data from exposure and, in addition, to protect our country and citizens from any harm which may come from these security breaches. People everywhere are watching this case; some of those are people who are thinking of doing these things. Often the only thing that stops them is the threat of being caught and tried for treason. If this criminal does not have his feet held to the fire, then we are sending a clear message that if you want to stand on your principle, you will only get time in jail, which is much less of a threat nowadays, when prisons are faced with overcrowding and simple white-collar criminals are released. To me, a security professional and retired military member, this is appalling.
Everything needs to be done to divert attention from the contents of some of that information because it puts egg on the face of a lot of people in power. From what I have read, Wikileaks in general shows a lot of two-faced double dealing and dirty tricks, deceit and lies, and games played with people's lives. The whole security angle strikes me more as people in power wanting the unfettered ability to do what they want without fear of discovery and consequences.
IMO you guys focus way too much on the fact that he has published critical data. But are you quite aware which data this was?
Most of these files and videos showed military action against civilians, which is, IMO, far more criminal than making this information public to the world.
I think it's crazy to press for the death sentence against him: whistleblowers are not, by nature, criminals. I haven't heard a word about those soldiers who killed nearly 10 civilians and two Reuters reporters.
Making crime apparent to society mustn't be a crime!