About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Tuesday, January 4, 2011

Quick update to "Cablegate"

In my last post on "Cablegate", I suggested that the reason so many cables were able to be accessed by Bradley Manning was the desire to improve information-sharing after the attacks of September 2001. At the time that was speculation on my part, but a new article in the Washington Post shows that this is correct.

From the article:

Investigations into the attacks concluded that government agencies had failed to share critical information that could have helped uncover the Sept. 11 plot. Because of that lapse, Congress tasked the Office of the Director of National Intelligence with pressuring key government agencies - including the Pentagon, the Homeland Security Department and the State Department - to find ways to rapidly share information that could be relevant to possible terrorist plots and other threats.
The State Department, with its hundreds of diplomatic posts worldwide, was already making tens of thousands of classified cables available to intelligence and military officials with secret security clearances. But in 2005, the DNI and the Defense Department agreed to pay for a new State Department computer database that could allow the agency's cables to flow more easily to other users throughout the federal government.
"It was consistent with the concept of needing to share information after September 11th," said State Department spokesman P.J. Crowley. "We were asked to do it, and the Pentagon paid for it."

The article also describes the limited safeguards present on this system that directly allowed Manning to steal the documents.

A few State Department officials expressed early concerns about unauthorized access to the database, but these worries mostly involved threats to individual privacy, department officials said. In practice, agency officials relied on the end-users of the data - mostly military and intelligence personnel - to guard against abuse.
The department was not equipped to assign individual passwords or perform independent scrutiny over the hundreds of thousands of users authorized by the Pentagon to use the database, said Kennedy, the undersecretary of state.
"It is the responsibility of the receiving agency to ensure that the information is handled, stored and processed in accordance with U.S. government procedures," he said.
To prevent illegal intrusion, the State Department has long maintained safeguards that make it difficult for an individual to download sensitive information onto a portable device such as a flash drive or compact disc. But Kennedy acknowledged that the department had no means of overseeing practices by other agencies using its data.
U.S. investigators suspect that Bradley Manning, an Army private stationed in the Persian Gulf, downloaded the 250,000 State Department cables to compact discs from a computer terminal in Kuwait. He then allegedly provided the files to WikiLeaks, which shared them with newspapers and posted hundreds of them online.

There you have it. The rush to share information after September 2001 led to poor logging and auditing of access to data and placed great trust in the users to not betray the government. Mr. Manning betrayed that trust.
