It wasn't an insecure SIPRNet that created the "perfect storm" that allowed Private Bradley Manning to dump the State Department cables to Wikileaks. It was the failure of our government to apply standard IT practices in a theater of war.
This week, a lot of folks in the IT security community are scratching their heads. At the State Department and in the armed forces, IT heads are likely rolling over the dump of more than 250,000 secret US embassy cables to Wikileaks, which has shared the material with multiple media outlets.
Political and diplomatic ramifications of this data dump aside, many questions remain as to how confidential, secret State Department data from one of our most secure government networks, the SIPRNet (Secret Internet Protocol Router Network), could be leaked at all by a US Army intelligence analyst, Private First Class Bradley Manning, who was deployed at a field operations center in Iraq.
Conventional wisdom would seem to indicate that if Manning was so easily able to dump data off of this network, then maybe our defense networks aren't secure after all. But it's not that simple.
As it turns out, SIPRNet (as well as JWICS) as it is most frequently deployed is an extremely secure environment that would have prevented offloading data of any kind from an endpoint terminal or workstation. One of the most common configurations uses thin-client terminals with their USB ports disabled and no hard drive or even an optical drive.
This purchase record from 2008, for example, from the Department of the Army for the US National Guard is indicative of a typical SIPRNet configuration: HP T5735 smart terminals that run Linux and use encrypted Citrix ICA sessions to a terminal server, which presents a virtualized SIPRNet desktop to the end-user. This is implemented using a software solution called NetTop 2, which is sold by Trusted Computer Solutions, recently acquired as a division of Raytheon.
The systems architecture of NetTop 2 is flexible (see embedded PDF presentation) in that you can use any number of endpoint terminal types, including PCs, so that separate sessions can be established to different virtual desktops and the end-user can have access to a mix of unclassified, semi-classified and classified material from multiple networks, such as the SIPRNet-connected intranet in which the State Department cables that Manning accessed were stored.
However, it is designed so that it is impossible for a NetTop 2 user to copy or transfer data out of that SIPRNet or JWICS virtual desktop session -- no data transfer or cross-domain copying is allowed between access levels whatsoever.
For a quick overview of the issues involved, have a look at this video that was supplied to me by Raytheon TCS, in which their COO, Ed Hammersla, discusses the challenges of cross-domain data sharing and how their product is designed to prevent the type of nightmare classified information leak scenario that we're all hearing about now.
So if SIPRNet is secure, and with the NetTop 2 environment it's impossible to copy data off to a USB flash drive or a DVD from a secure session, how the heck was Manning able to dump that data to Wikileaks?
Well, the problem is that in this case, the US Army didn't deploy NetTop 2 for the workstations that Private Manning had access to in Iraq. Instead, he had access to two laptops with functional DVD writers that were connected directly to SIPRNet and JWICS, not through secure, isolated virtual desktop sessions.
This resulted in a chink in the armor that was exposed to the wrong type of person -- a mentally unstable, angry 22-year-old Army Private who had carte blanche capability to copy and suck down everything from SIPRNet and JWICS that he could get his grubby little hands on.
We don't know exactly what methods Private Manning used on this PC to copy down the data -- whether he had direct access to the HTML or data files on the State Department web servers that stored the embassy cables, or whether he used some sort of custom code to spider the pages. The chat records that were supplied by Adrian Lamo have been sealed by the government.
But according to a Wired article from over the summer, we know exactly what went wrong:
As described by Manning in his chats with Lamo, his purported leaking was made possible by lax security online and off.
Manning had access to two classified networks from two separate secured laptops: SIPRNET, the Secret-level network used by the Department of Defense and the State Department, and the Joint Worldwide Intelligence Communications System which serves both agencies at the Top Secret/SCI level. The networks, he said, were both “air gapped” from unclassified networks, but the environment at the base made it easy to smuggle data out.
“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”
“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. “Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.”
There's a lesson to be learned here. You can have the most secure network(s) in the entire world, and all kinds of enabling technology to help you safeguard your information, but if you don't follow consistent IT practices across the board, if you leave gaping holes in your endpoints, and if you don't psychologically profile the people who have access to your most trusted, secret information, you're just asking for trouble.
That Manning was sucking down vast amounts of data from the State Department's email and intelligence intranets should have tripped alarms at a security console in a network operations center somewhere, and controls in the form of logging and server hardening should have been in place to prevent this sort of thing. Either that didn't happen or nobody was watching -- that's definitely a big issue and it needs to be addressed at a much higher level.
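As an added illustration of the logging point above (not from the original post, which describes no specific tooling), the following Python sketch walks constructed web-server access logs for a cable intranet and flags any account whose hourly pull of distinct documents is far above both an absolute cap and its peers. The account names, paths, thresholds and log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in combined log format; the third field stands in for
# whatever account identity the intranet server records. Not real data.
SAMPLE_LOG = """\
10.0.5.21 - analyst_a [28/Nov/2010:09:00:12 +0000] "GET /cables/08BAGHDAD1.html HTTP/1.1" 200 5120
10.0.5.21 - analyst_a [28/Nov/2010:09:04:40 +0000] "GET /cables/08BAGHDAD2.html HTTP/1.1" 200 4876
10.0.5.33 - analyst_b [28/Nov/2010:09:01:03 +0000] "GET /cables/09CAIRO14.html HTTP/1.1" 200 6011
10.0.5.33 - analyst_b [28/Nov/2010:09:30:19 +0000] "GET /cables/09CAIRO15.html HTTP/1.1" 200 5902
""" + "".join(  # one constructed account fetching 600 distinct documents in an hour
    f'10.0.5.77 - analyst_c [28/Nov/2010:09:{i // 60:02d}:{i % 60:02d} +0000] '
    f'"GET /cables/doc{i}.html HTTP/1.1" 200 5000\n' for i in range(600)
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse(line):
    """Return (user, hour_bucket, path, bytes) for a successful GET, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET" or not m["status"].startswith("2"):
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m["size"] == "-" else int(m["size"])
    return m["user"], ts.replace(minute=0, second=0), m["path"], size

def hourly_activity(log_text):
    """Aggregate to {(user, hour): (distinct_docs, bytes)}."""
    docs, volume = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        user, hour, path, size = rec
        docs[(user, hour)].add(path)
        volume[(user, hour)] += size
    return {k: (len(docs[k]), volume[k]) for k in docs}

def flag_bulk_access(log_text, max_docs_per_hour=100, peer_ratio=10):
    """Flag (user, hour_iso, distinct_docs, bytes) when the hourly document count
    exceeds the absolute cap or peer_ratio times the median of other users."""
    activity = hourly_activity(log_text)
    alerts = []
    for (user, hour), (n_docs, n_bytes) in activity.items():
        peers = [d for (u, h), (d, _) in activity.items() if h == hour and u != user]
        baseline = median(peers) if peers else 0
        if n_docs > max_docs_per_hour or (baseline and n_docs > peer_ratio * baseline):
            alerts.append((user, hour.isoformat(), n_docs, n_bytes))
    return sorted(alerts)
```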
However, these other IT weaknesses and shortcomings aside, Manning would never have been able to transfer that data if the Army had been following the same standard IT practices that it follows stateside and on military bases and other government installations. In my discussions with various people in the defense IT community, I've learned the following:
At the time of the breach, a ban on all USB devices was in effect at the Department of Defense because of a malware attack that had spread via infected USB drives. At one point, all removable media were banned, including writeable DVDs.
However, DVD-R drives -- such as the ones in Manning's laptops -- weren't disabled on all systems because IT policy was applied inconsistently. Additionally, in Afghanistan as well as in Iraq, where Manning was deployed in theater operations, soldiers were using "sneakernet" to move data around because of a lack of consistent network connectivity out at the edge of the battlefield.
So what nailed us was simple. We allowed this guy to walk into work with writeable DVD media and gave him laptops with functional read/write DVD drives and possibly even USB ports, at an Iraq field operations center in a theater of war, when the standing policy on military bases and in other government installations (such as at US Central Command) is to prohibit personnel from bringing USB devices, smartphones, iPods and CDs onsite.
That's just plain stupid.
Was it an insecure network that permitted Manning to perpetrate his treasonous acts against the American people, or was it the Army's inconsistent IT policy that did us in? Talk Back and Let Me Know.