Saturday, December 04, 2010

Wikileaks and the future of national security IT

It all started with a CD with "Lady Gaga" written on it.

With that simple disk and the assistance of the Wikileaks website and a willing media, US Pfc. Bradley Manning (see photo to the right, in all its chipmunk-cheeked glory) accomplished the largest known unveiling of US confidential documents. From a transcript of his online conversation with hacker Adrian Lamo (who turned Manning in), Manning was shocked by how easy his crimes were:

(01:56:07 PM) Bradley Manning: i didnt even have to hide anything
(02:15:03 PM) Bradley Manning: pretty simple, and unglamorous
(02:17:56 PM) Bradley Manning: weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis... a perfect storm

(02:44:47 PM) Bradley Manning: the network was upgraded, and patched up so many times... and systems would go down, logs would be lost... and when moved or upgraded... hard drives were zeroed
(02:45:12 PM) Bradley Manning: its impossible to trace much on these field networks...
(02:46:10 PM) Bradley Manning: and who would honestly expect so much information to be exfiltrated from a field network?

Who indeed. It raises the thought: If Manning could do it, why couldn't others? The same thought is roiling the world of national security IT, whose overlords were pressured in the post-9/11 world to lower barriers between systems as a way to encourage information sharing, or "connecting the dots." Yet now it appears that Manning's folly is forcing politicians, bureaucrats and IT managers to raise walls and cut ties.

The Obama Office of Management and Budget issued a one-page memo calling for tighter security practices. In particular, the memo calls for restricting the range of information available to a user, so that users do not have "broader access than is necessary to do their jobs effectively." The Defense Department has already pushed forward, tightening access to systems, including restrictions on the use of the removable media exploited by Manning.

This type of restriction is not even a US phenomenon. The WikiLeaks fiasco, as well as a well-publicized leak of classified Israeli documents to an Israeli newspaper, led Israel to take similar steps to clamp down on how its secrets are accessed. The US incident is also serving as a reminder to US businesses of what happens when you don't keep watch over your information.

How this leak happened is clear. Yet as this ZDNet debunking clearly shows, Manning's exploitation of an open system stemmed from a failure to use available resources to secure an IT infrastructure:

Well, the problem is that in this case, the US Army didn’t deploy NetTop 2 for the workstations that Private Manning had access to in Iraq. Instead, he had access to two laptops, with functional DVD writers which were directly connected to the SIPRNet and JWICS, not through secure, isolated virtual desktop sessions.

This resulted in a chink in the armor that was exposed to the wrong type of person — a mentally unstable, angry young 22-year old Army Private who had carte blanche capability to copy and suck down everything from SIPRNet and the JWICS that he could get his grubby little hands on.

So what now? As I stated, the gates will shut and the doors will close. But it's doubtful those steps will lead to the establishment of a truly responsible IT security regime, since the rules in place would have stopped the Manning leak if they had been properly followed. It's impossible to legislate a cure to laziness.

Perhaps for a time the walls will remain up. Yet convenience and the needs of the moment will eventually open the door to another breach. It will happen. As long as the IT infrastructure of national security can fall victim to laziness, it's only a matter of time.
