Gary Warner, the author of the excellent blog "CyberCrime & Doing Time", recently wrote a thoughtful article about the flaws inherent in allowing Manning unfettered and unlogged access to virtually everything he was cleared for. This is one major reason organizations should restrict access to those who have a legitimate need for it. Not only does it limit the damage a disgruntled employee can do, it also limits the damage that can be done if an account is hijacked by a hacker or by malware.
This is an inherent difficulty in information security: how do you draw the line between too restrictive and too generous permissions? Manning was an intelligence analyst in Iraq, so he needed access to a wide range of information in order to do his job. In addition to reports from Iraq itself, there might be Iraq-related discussion coming out of Afghanistan, or from diplomatic discussions between the US and Iraq, or from the US and other countries. These are just a few examples of why Manning might have had a need for access to a wide variety of data.
Despite the possible justification for access, it makes me wonder why the US Government allowed Manning to access virtually everything. I have no evidence (at the time of this writing), but I strongly suspect it's due to the events of September 11, 2001 and the recommendations of the National Commission on Terrorist Attacks Upon the United States (aka "the 9/11 Commission"). Among other issues, the Commission criticized the lack of connection between individual intelligence agents and national priorities and the lack of communication between intelligence agencies, including the military intelligence agencies. It's possible the government's response to the Commission's report included removing all significant "need to know" restrictions, while leaving in place the basic "classification" restrictions.
(UPDATE: This suspicion has now been confirmed by the Washington Post)
It's not my place to determine whether or not that decision was justified, but it's certain that allowing Manning access to everything drastically increased the damage caused by his breach. Access policies are just one aspect of information security; the other is auditing (logging). Wired.com quotes Manning as writing:
“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

Manning directly admits that weak (or absent) logging procedures contributed to his ability to remove information. Logging could have generated a digital trail of his activities (both accessing data and burning it to disk). Good SIEM software could have managed those logs and automatically alerted the appropriate manager or authority that Manning was doing something he shouldn't have been.
“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. “Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.”
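To make the SIEM point above concrete, here is an added example (my own illustration, not code from the original post or from any product it mentions) of the kind of correlation that an audit trail makes possible: a user reading an unusually large number of distinct documents in a short window, followed by a write to removable media. The log lines are constructed for the example, and the event names, thresholds and windows are assumptions rather than anything from the post.

```python
"""Minimal SIEM-style correlation over an access/removable-media audit trail.

Rule 1 (BULK_ACCESS): a user reads >= BULK_THRESHOLD distinct objects within
BULK_WINDOW. Rule 2 (POSSIBLE_EXFIL): a REMOVABLE_WRITE by that user within
CORRELATION_WINDOW of rule 1 firing. Any other REMOVABLE_WRITE is kept as an
informational alert so the trail still exists. All values below are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log (not real data): "<ISO timestamp> <user> <event> <object>"
SAMPLE_LOG = """\
2010-01-05T09:02:11 alice ACCESS cable-1001
2010-01-05T11:40:52 alice ACCESS cable-1002
2010-01-05T14:15:09 alice ACCESS cable-1001
2010-01-05T13:00:01 bob ACCESS cable-2001
2010-01-05T13:00:14 bob ACCESS cable-2002
2010-01-05T13:00:27 bob ACCESS cable-2003
2010-01-05T13:00:41 bob ACCESS cable-2004
2010-01-05T13:00:55 bob ACCESS cable-2005
2010-01-05T13:01:10 bob ACCESS cable-2006
2010-01-05T13:01:22 bob ACCESS cable-2007
2010-01-05T13:01:36 bob ACCESS cable-2008
2010-01-05T13:01:50 bob ACCESS cable-2009
2010-01-05T13:02:03 bob ACCESS cable-2010
2010-01-05T13:47:30 bob REMOVABLE_WRITE E:/archive.7z.001
2010-01-05T16:20:00 carol REMOVABLE_WRITE E:/slides.pptx
"""

BULK_THRESHOLD = 10                      # distinct objects (assumed tuning value)
BULK_WINDOW = timedelta(minutes=15)      # sliding window for rule 1 (assumed)
CORRELATION_WINDOW = timedelta(hours=1)  # how long rule 1 "arms" rule 2 (assumed)


def parse_log(text):
    """Parse log lines into (timestamp, user, event, obj) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, obj = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, event, obj))
    events.sort(key=lambda e: e[0])  # logs rarely arrive in strict order
    return events


def detect_bulk_access(events):
    """Rule 1. Returns {user: timestamp at which the rule first fired}."""
    recent = defaultdict(deque)  # user -> (ts, obj) pairs still inside the window
    fired = {}
    for ts, user, event, obj in events:
        if event != "ACCESS":
            continue
        window = recent[user]
        window.append((ts, obj))
        while window and ts - window[0][0] > BULK_WINDOW:
            window.popleft()  # drop reads that fell out of the sliding window
        distinct = {o for _, o in window}
        if len(distinct) >= BULK_THRESHOLD and user not in fired:
            fired[user] = ts
    return fired


def correlate(events):
    """Rule 2 on top of rule 1. Returns a list of (alert_type, user, detail)."""
    bulk = detect_bulk_access(events)
    alerts = [("BULK_ACCESS", user, ts.isoformat()) for user, ts in bulk.items()]
    for ts, user, event, obj in events:
        if event != "REMOVABLE_WRITE":
            continue
        armed = user in bulk and timedelta(0) <= ts - bulk[user] <= CORRELATION_WINDOW
        alerts.append(("POSSIBLE_EXFIL" if armed else "REMOVABLE_WRITE_INFO", user, obj))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(*alert)
```

On the constructed log, alice's three reads never approach the threshold, bob trips rule 1 at 13:02:03 and his removable-media write 45 minutes later is escalated, and carol's write is recorded but not escalated. The point is that neither rule is possible without the trail: both the document reads and the write to removable media have to be logged centrally before anything can alert a manager.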
As I discussed in my post about airport security, effective prevention, tracking and mitigation efforts all need to be combined into a coherent policy to handle damaging attacks like the one the US Government has recently suffered at the hands of Bradley Manning.