Plugging the WikiLeaks HoleHalting Unauthorized Access to Sensitive Documents
What's embarrassing about the WikiLeaks episode isn't just the precarious position the publication of State Department cables put the United States in with its allies, but the possibility that one, low-level individual leaked hundreds of sensitive government documents without being detected.
The leaks have prompted the White House to order each agency that handles classified information to establish a security assessment team consisting of counterintelligence, security and information assurance experts to review the agency's implementation of procedures for safeguarding classified information against improper disclosures.
In a memo with the subject line, WikiLeaks - Mishandling of Classified Information, Office of Management and Budget Director Jacob Lew writes:
"Any failure by agencies to safeguard classified information pursuant to relevant laws ... is unacceptable and will not be tolerated."
Lew also says the review should include without limitation the evaluation of the agency's configuration of classified government systems to ensure that users do not have broader access than is necessary to do their jobs effectively, as well as implementation of restrictions on usage of, and removable media capabilities from, classified government computer networks.
As part of the process, OMB, the Information Security Oversight Office and the Office of the Director of National Intelligence will stand up processes to evaluate, and to assist agencies in their review of, security practices with respect to the protection of classified information.
An Army intelligence analyst, Pfc. Bradley Manning, in an online chat with a computer hacker identified as Adrian Lamo admitted to downloading 260,000 State Department cables and delivering them to WikiLeaks, according to The New York Times. Lamo reported Manning's disclosures to federal authorities, who arrested him. Manning has been charged with illegally leaking classified information.
According to a military charge sheet outlining the allegations, Manning on or about May 27 intentionally exceeded his authorization access on a Secret Internet Protocol Router network computer to obtain more than 150,000 State Department diplomatic cables.
Whether it was Manning or someone else, an insider compromised government IT servers that stored the State Department cables. It's that kind of insider threat that prompted the Defense Department to solicit from outsiders novel techniques to insider threat detection that would greatly increase the accuracy, rate and speed of detection to impede the ability of those seeking access to sensitive government data.
In the request for solutions, the Defense Advanced Research Projects Agency characterizes insiders as dangers to military networks because they can easily evade existing security measures. In its solicitation for outsider help, as part of a program known as CINDER - Cyber Insider Threat, DARPA said:
"Insiders do not attack - instead they use legitimate accesses in support of their operations. Traditional defenses operate under the assumption that existing systems and networks are currently uncompromised. These defenses model normal behavior and look for deviations or look for outsider activities on internal systems in a perimeter centric defensive approach.
"Modeling the actions of legitimate users to watch for changes in their behavior over time has proven problematic and identifying system and network events endemic of attacks does not account for insider threats comprised of legitimate activities. Thus, traditionally both physical and virtual insider threats have been largely identified due only to incompetence on the part of the perpetrator or by accident."
The WikiLeak leaks is just one example of insider threat, as Defense Deputy Secretary William Lynn III said earlier this year:
"Insider threats -- it's not just in the cyber area. I mean, you're always worried about insider threats in terms of either espionage or compromising capabilities, and cyber is no different."