- a classified video of a military operation in Baghdad
- a classified PowerPoint presentation
- more than 150,000 state department cables
For the purposes of this discussion, let's assume that he did these things, or at a minimum that his position as a military analyst in Iraq, and the access to SIPRnet that came with it, made it possible for him to do them. There is also no indication at this time that Manning had any advanced hacking skills - all the coverage I've read indicates that he just downloaded this stuff and burned it onto CDs. Let's assume that's true also.
My day job is information security, something I've been doing for about 15 years now. I have no US government clearances - never have had - and thus no direct knowledge of SIPRnet. What follows is necessarily speculative. However, just the facts above strongly suggest some major concerns to me about security practices on SIPRnet.
Firstly, it sounds like the network is what we call a "flat" network - in the sense that there are no internal firewalls or other network barriers preventing people in one part of the network from reaching other parts. This is unusual in contemporary corporate practice. Modern networks are generally heavily segmented and employ a variety of access controls to stop employees in one part of the organization getting at other parts of the network. If you run a sufficiently large organization you have to assume that somewhere there will be a few bad apples who got past HR and are going to misbehave in one way or another. As the organization grows, the odds of this happening tend towards 100%, and you want to limit the damage any such bad apple can do. So, in your bank, say, you don't want the retail tellers having access to executive board meeting minutes so they can go insider-trade on knowledge of major corporate decisions. In fact, you don't even want the bank tellers in Peoria to have access to the accounts of customers in New York: there's just no good reason for them to be touching such information under any normal circumstances, and it greatly enlarges the reach of a trouble-maker if they can. (Network segmentation alone doesn't get you that last part, since tellers in both cities may legitimately use the same banking application; the application itself has to enforce who may see which accounts. The principle is the same at both layers: grant only the access the job actually requires.)
So there are a large number of technical controls available to implement this kind of thing: internal firewalls (network devices that control which traffic may pass between different parts of the network), VLANs and other ways of building logically separate networks for different purposes, authentication and authorization requirements on web servers and applications, and identity management software to keep track of who is who and who is allowed to go where.
But here, we have Manning in Iraq in a position to download State Department cables about every country in the world. He couldn't possibly have had any need to know about 99% of the stuff he had access to. Likewise, he had operational information about the war in Afghanistan even though he was working in Iraq. That suggests few internal barriers of any kind, network or application.
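To make the "need to know" point concrete, here is an added illustration (not code from the original post, and not a description of how SIPRnet or any real DoD system actually works). It models two access policies over a constructed set of documents: a "flat" policy where being cleared to a level is enough to read anything at that level, and a policy that additionally requires the reader to hold every compartment a document is marked with. The user, compartment names and document titles are all made up for the example; the point is the difference in how much a single low-level account can reach under each policy.

```python
"""Clearance-only access vs. clearance plus need-to-know.

Added illustration, not code from the original post or any real DoD system.
It models two access policies over a constructed set of users and documents
to show how far a single low-level account can reach under each. The
compartment names, document titles and user are all made up for the example.
"""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str
    compartments: frozenset  # need-to-know markings this person is read into


@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: str
    compartments: frozenset  # markings a reader must hold; empty = level alone suffices


def flat_policy(user, doc):
    """'Flat' model: anyone cleared to a document's level may read it."""
    return LEVELS[user.clearance] >= LEVELS[doc.classification]


def need_to_know_policy(user, doc):
    """Clearance is necessary but not sufficient: the reader must also hold
    every compartment the document is marked with."""
    return flat_policy(user, doc) and doc.compartments <= user.compartments


def readable(user, docs, policy):
    """Everything `user` can read under `policy`, sorted for stable comparison."""
    return sorted(d.doc_id for d in docs if policy(user, d))


def blast_radius(user, docs):
    """How many documents one account exposes under each policy."""
    return {
        "flat": len(readable(user, docs, flat_policy)),
        "need_to_know": len(readable(user, docs, need_to_know_policy)),
    }


def build_corpus():
    """Constructed document set: two theatres of operations, four regional
    cable streams, one higher-classified plan and one unmarked item."""
    docs = []
    for i in range(1, 5):
        docs.append(Document(f"iraq-sigact-{i}", "SECRET", frozenset({"IRAQ-OPS"})))
        docs.append(Document(f"afghan-sigact-{i}", "SECRET", frozenset({"AFGHANISTAN-OPS"})))
    for region in ("EUR", "SCA", "WHA", "EAP"):
        docs.append(Document(f"cable-{region}", "CONFIDENTIAL", frozenset({f"DIPLOMATIC-{region}"})))
    docs.append(Document("theater-plan", "TOP SECRET", frozenset({"IRAQ-OPS"})))
    docs.append(Document("base-newsletter", "UNCLASSIFIED", frozenset()))
    return docs


if __name__ == "__main__":
    corpus = build_corpus()
    # A hypothetical SECRET-cleared analyst assigned to Iraq operations only.
    analyst = Principal("analyst-iraq", "SECRET", frozenset({"IRAQ-OPS"}))
    for label, policy in (("flat", flat_policy), ("need-to-know", need_to_know_policy)):
        print(f"{label:13s}: {readable(analyst, corpus, policy)}")
    print(blast_radius(analyst, corpus))
```

Under the flat policy the Iraq analyst reads 13 of the 14 constructed documents, including every Afghanistan report and every regional cable; under the need-to-know policy the same account reaches 5. The compartment check is the same idea whichever layer enforces it: a firewall rule between network segments, an ACL on a file share, or an authorization check inside a web application.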
Additionally, the government doesn't seem to know exactly what Manning accessed (e.g. he's a person of interest in the Afghanistan leaks, but hasn't been charged over them). For people in sensitive positions on high-security networks, there should be an audit trail of their significant actions. Normally, in corporate networks, there are firewall, proxy, and server logs of every web access anyone on the corporate network has made. If a person comes under suspicion, it should be possible to go back and figure out everything they read. So the fact that the government isn't at this point well aware of everything Manning accessed suggests that the audit logs on at least parts of SIPRnet are very deficient - whether because they were never collected, not retained, or not tied to an identifiable user, one can't tell from outside.
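The two things an audit trail has to support are exactly what this paragraph describes: reconstructing after the fact everything a particular person read, and noticing a bulk pull while it is happening. Here is an added example (not code from the original post, and not a real proxy log format) that does both over a small constructed access log with authenticated usernames. The log lines, user names, document paths and thresholds are all invented for the illustration; a real pipeline would feed the same logic from proxy or web-server logs and tune the thresholds to the population's normal behaviour.

```python
"""Reconstruct what a user read from access logs and flag bulk retrieval.

Added example, not code from the original post. The log format, users,
paths and thresholds are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed format: <ISO-8601 UTC> <user> <client-ip> <method> <path> <status> <bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<user>\S+) (?P<src>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>/\S*) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample: one account sweeps cables from many countries plus another
# theatre's reports in ten minutes; another reads two local reports over a day.
SAMPLE_LOG = """\
2010-04-12T02:00:11Z analyst.iraq 10.20.3.7 GET /cables/IZ/2010-0401.txt 200 18233
2010-04-12T02:00:52Z analyst.iraq 10.20.3.7 GET /cables/AF/2010-0401.txt 200 20114
2010-04-12T02:01:30Z analyst.iraq 10.20.3.7 GET /cables/IS/2010-0402.txt 200 17620
2010-04-12T02:02:07Z analyst.iraq 10.20.3.7 GET /cables/RS/2010-0402.txt 200 22875
2010-04-12T02:02:49Z analyst.iraq 10.20.3.7 GET /cables/CH/2010-0403.txt 200 19302
2010-04-12T02:03:33Z analyst.iraq 10.20.3.7 GET /cables/UK/2010-0403.txt 200 16009
2010-04-12T02:04:18Z analyst.iraq 10.20.3.7 GET /ops/AF/sigact-0412.txt 200 9120
2010-04-12T02:05:02Z analyst.iraq 10.20.3.7 GET /cables/IR/2010-0404.txt 200 21450
2010-04-12T02:05:47Z analyst.iraq 10.20.3.7 GET /cables/PK/2010-0404.txt 200 18990
2010-04-12T02:06:29Z analyst.iraq 10.20.3.7 GET /cables/SA/2010-0405.txt 200 17777
2010-04-12T02:07:14Z analyst.iraq 10.20.3.7 GET /cables/EG/2010-0405.txt 200 20560
2010-04-12T08:00:03Z clerk.baghdad 10.20.5.21 GET /ops/IZ/sigact-0411.txt 200 8450
2010-04-12T09:30:41Z clerk.baghdad 10.20.5.21 GET /ops/IZ/sigact-0412.txt 200 9120
2010-04-12T10:05:12Z clerk.baghdad 10.20.5.21 GET /ops/IZ/sigact-0411.txt 200 8450
2010-04-12T11:00:00Z clerk.baghdad 10.20.5.21 GET /ops/IZ/roster.xls 404 512
this line is not in the expected format and is skipped
"""


def parse_log(text):
    """Parse log text into event dicts, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "method": m["method"],
                       "path": m["path"], "status": int(m["status"]), "bytes": int(m["bytes"])})
    events.sort(key=lambda e: e["ts"])
    return events


def successful_reads(events):
    """Only GETs that actually returned content count as 'read'."""
    return [e for e in events if e["method"] == "GET" and 200 <= e["status"] < 300]


def documents_read_by(user, events):
    """The forensic question: everything this user retrieved, in order, deduplicated."""
    seen, out = set(), []
    for e in successful_reads(events):
        if e["user"] == user and e["path"] not in seen:
            seen.add(e["path"])
            out.append(e["path"])
    return out


def category(path):
    """Coarse 'what kind of material' bucket: first two path components, e.g. cables/AF."""
    parts = [p for p in path.split("/") if p]
    return "/".join(parts[:2])


def bulk_access_alerts(events, window=timedelta(hours=1), max_docs=10, max_categories=3):
    """Flag any user who, within one sliding window, read more distinct documents
    or more distinct categories than someone with a normal need-to-know would."""
    by_user = defaultdict(list)
    for e in successful_reads(events):
        by_user[e["user"]].append(e)  # already time-ordered from parse_log
    alerts = []
    for user, evs in by_user.items():
        for i in range(len(evs)):
            docs, cats, j = set(), set(), i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                docs.add(evs[j]["path"])
                cats.add(category(evs[j]["path"]))
                j += 1
            if len(docs) > max_docs or len(cats) > max_categories:
                alerts.append({"user": user, "start": evs[i]["ts"], "end": evs[j - 1]["ts"],
                               "distinct_docs": len(docs), "distinct_categories": len(cats)})
                break  # one alert per user is enough to open an investigation
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("clerk.baghdad read:", documents_read_by("clerk.baghdad", evs))
    print("analyst.iraq read:", len(documents_read_by("analyst.iraq", evs)), "documents")
    for a in bulk_access_alerts(evs):
        print("ALERT", a)
```

Two details matter in practice. The reconstruction only works if the log carries an authenticated username rather than just a client IP, which is why identity management and logging go together. And the detection half is deliberately crude: a per-user count of distinct documents and categories in a window is the simplest possible rule, and an analyst whose job genuinely spans many countries would need a higher threshold than a clerk whose job is one base's reports.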
There are some other possibilities of course:
- SIPRnet is much better secured internally than I suggest above, and Manning actually did have extensive hacking skills and the ability to penetrate technical defenses and remove audit logs of his activity, but this hasn't come to light yet.
- Manning received extensive coaching and assistance from someone, such as Julian Assange, who did have such technical skills. No evidence of this appears to have come to light either.
At any rate, the US defense and intelligence establishment is extremely large, and therefore it's absolutely certain that a small but non-zero number of its employees will turn out to be spies, criminals, or miscreants of one kind or another. It's critically important that the damage any one such person can do be limited, especially if they are low down in the hierarchy.
This isn't just an issue of confidentiality, though that's certainly important. The DoD uses its networks operationally to share information used directly in warfighting (it's actually a point of pride, called network-centric operations). If those networks are flat, conventional networks of commercial hardware and software, they are essentially insecurable, and it should be assumed that an enemy can toast the entire thing with worms, internal DDoS attacks, or similar, during a conflict. One has to ask: if a single private can compromise the entire network, will the DoD actually be able to put up much of a fight at all in a war with a sufficiently knowledgeable adversary?
Update: note doubly well the usual disclaimer. These are my opinions only on my personal blog and I am not speaking on behalf of my employer.