Wednesday, December 8, 2010

Some Musings On the Bradley Manning Charges

The things that Bradley Manning is currently charged with are here.  The essence of it is that between Nov 2009 and May 2010, he used his access to the US classified secret network (SIPRnet) to download a number of things, move them to his personal unclassified computer, and then give them to other unauthorized parties (presumably including Wikileaks).  The things he is accused of thus misusing include:
  • a classified video of a military operation in Baghdad
  • a classified PowerPoint video
  • more than 150,000 state department cables
He is also accused of uploading unauthorized software onto a SIPRnet computer (we don't know what software it was).  He is also a person of interest in the leak of dispatches about the Afghanistan war (and apparently boasted to Adrian Lamo that he had leaked them).

For the purposes of this discussion, let's assume that he did these things, or at a minimum, that his position as a military analyst in Iraq, and his resulting access to SIPRnet, made it possible that he could have done these things.  There is also no indication at this time that Manning had any advanced hacking skills - all the coverage I've read indicates that he just downloaded this stuff and burned it onto CDs.  Let's assume that's true also.

My day job is information security, something I've been doing for about 15 years now.  I have no US government clearances - never have had - and thus no direct knowledge of SIPRnet.  What follows is necessarily speculative.  However, just the facts above strongly suggest some major concerns to me about security practices on SIPRnet.

Firstly, it sounds like the network is what we call a "flat" network - in the sense that there are no internal firewalls or other network barriers preventing people in one part of the network from accessing other parts.  This is unusual in contemporary corporate practice.  Generally modern networks are heavily segmented and employ a variety of access controls to prevent employees in one part of the organization getting access to other parts of the network.  If you run a sufficiently large organization you obviously have to assume that somewhere there will be a few bad apples that got past HR and are going to misbehave in one way or another.  As the organization size gets large, the odds of this happening tend towards 100% and you want to limit the potential damage any such bad apple can do.  So, in your bank, say, you don't want the retail tellers having access to executive board meeting minutes so they can then go carry on insider trading with knowledge of major corporate decisions.  In fact, you don't even want the bank tellers in Peoria to have access to the accounts of customers in New York, since there's just no good reason for them to be touching such information under any normal circumstances, but it greatly enlarges the scope of a trouble-maker if they can.

So there are a large number of technical controls available to implement this kind of thing: internal firewalls (special network devices that control access between different parts of the network), the possibility to create entirely logically separate networks for different purposes, login/password requirements on web servers or applications, identity management software to keep track of who is who and who is allowed to go where.

But here, we have Manning in Iraq in a position to download state department cables about every country in the world.  He couldn't possibly have any need to know about 99% of the stuff he had access to.  And likewise, he had operational information about the war in Afghanistan, even though he was working in Iraq.  That suggests few internal barriers.
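To make the "need to know" point concrete, here is an added example (not code from the post or from any government system) of the kind of access check a segmented network enforces: a document is released only if the requester's clearance covers its classification level and the requester has been explicitly granted the document's compartment. The classification levels, compartments, users and the 200-document corpus are all constructed for illustration; the `visible_fraction` function shows how little of such a corpus a single theater analyst should be able to see.

```python
"""
Added example, not from the original post: a minimal need-to-know policy check.
Two gates must both pass: clearance level (read-down) and an explicit
per-compartment need-to-know grant. Everything below is constructed data.
"""
from dataclasses import dataclass

# Ordering of classification levels used by the read-down check (assumed).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: str
    compartment: str  # e.g. "OPS/IRAQ", "STATE/SAUDI" (constructed labels)


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    need_to_know: frozenset  # compartments explicitly granted for the job


def can_read(user, doc):
    """Return (allowed, reason). Both the level check and the compartment
    check must pass; a high clearance alone grants nothing."""
    if LEVELS[user.clearance] < LEVELS[doc.classification]:
        return False, "clearance below document classification"
    if doc.compartment not in user.need_to_know:
        return False, f"no need-to-know for {doc.compartment}"
    return True, "ok"


def readable_documents(user, corpus):
    """The subset of the corpus this user is permitted to read."""
    return [d for d in corpus if can_read(user, d)[0]]


def visible_fraction(user, corpus):
    """How much of the corpus is exposed to this one user."""
    return len(readable_documents(user, corpus)) / len(corpus)


def build_corpus():
    """Constructed corpus: 5 Iraq reports, 5 Afghanistan reports, 190 cables
    spread over five countries. 200 documents in total."""
    corpus = []
    for i in range(5):
        corpus.append(Document(f"iraq-{i}", "SECRET", "OPS/IRAQ"))
        corpus.append(Document(f"afg-{i}", "SECRET", "OPS/AFGHANISTAN"))
    countries = ["SAUDI", "FRANCE", "JAPAN", "BRAZIL", "KENYA"]
    for i in range(190):
        corpus.append(Document(f"cable-{i}", "SECRET", f"STATE/{countries[i % 5]}"))
    return corpus


# Constructed users: an analyst scoped to one theater, and a user on a
# "flat" network where a SECRET clearance effectively grants everything.
IRAQ_ANALYST = User("analyst_a", "SECRET", frozenset({"OPS/IRAQ"}))
FLAT_NETWORK_USER = User("analyst_flat", "SECRET",
                         frozenset(d.compartment for d in build_corpus()))
LOW_CLEARANCE = User("clerk", "CONFIDENTIAL", frozenset({"OPS/IRAQ"}))


if __name__ == "__main__":
    corpus = build_corpus()
    for u in (IRAQ_ANALYST, FLAT_NETWORK_USER, LOW_CLEARANCE):
        print(f"{u.name}: can read {visible_fraction(u, corpus):.1%} of corpus")
    print(can_read(IRAQ_ANALYST, Document("cable-x", "SECRET", "STATE/SAUDI")))
```

The design point is that clearance level and need-to-know are separate gates: on a flat network only the first is really enforced, which is why one SECRET-cleared user ends up able to read 100% of a corpus that is 97.5% irrelevant to his job.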

Additionally, the government doesn't seem to know just what Manning has accessed (e.g. he's a person of interest in the Afghanistan leaks, but hasn't been charged).  For people in sensitive positions in high security networks, there should be an audit trail of their significant actions.  Normally, in corporate networks, there are firewall, proxy, and server logs of all web accesses everyone on the corporate network has made.  If a person comes under suspicion, it should be possible to go back and figure out everything they read.  So the fact that the government isn't at this point well aware of everything Manning accessed suggests that the audit logs on at least parts of SIPRnet are very deficient.
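What "go back and figure out everything they read" looks like in practice, as an added example that is not part of the original post: parse server access logs, reconstruct one user's read history, and flag two things an audit trail makes visible: reads outside the user's assigned compartments, and bursts of reads in a single minute that look like bulk collection rather than normal work. The log format, the user names, the path layout and the assignments table are all constructed for this example.

```python
"""
Added example, not from the original post: audit-trail reconstruction and
two simple checks over constructed access-log lines.
"""
import re
from collections import Counter, defaultdict

# Assumed log line shape, chosen for this example only.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample: analyst_a is assigned to ops/iraq but reads cables about
# three countries, an Afghanistan report, and a directory listing, all in one minute.
SAMPLE_LOG = """\
2010-03-01T09:00:01Z user=analyst_a action=GET resource=/ops/iraq/report-0311.pdf bytes=120000
2010-03-01T09:02:10Z user=analyst_a action=GET resource=/ops/iraq/report-0312.pdf bytes=98000
2010-03-01T09:05:00Z user=analyst_b action=GET resource=/ops/iraq/report-0311.pdf bytes=120000
2010-03-01T10:00:00Z user=analyst_a action=GET resource=/state/cables/saudi/2009-0041.txt bytes=4000
2010-03-01T10:00:03Z user=analyst_a action=GET resource=/state/cables/france/2009-0102.txt bytes=3900
2010-03-01T10:00:05Z user=analyst_a action=GET resource=/state/cables/japan/2010-0007.txt bytes=4100
2010-03-01T10:00:08Z user=analyst_a action=GET resource=/ops/afghanistan/sigact-2010-0501.txt bytes=2200
2010-03-01T10:00:11Z user=analyst_a action=LIST resource=/state/cables/ bytes=900000
this line is deliberately malformed and must be skipped
"""

# Constructed assignment table: which compartments each user's job covers.
ASSIGNMENTS = {"analyst_a": {"ops/iraq"}, "analyst_b": {"ops/iraq"}}

READ_ACTIONS = {"GET", "LIST"}


def parse_log(text):
    """Parse lines matching LOG_RE; silently skip anything else."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["bytes"] = int(e["bytes"])
            events.append(e)
    return events


def compartment_of(resource):
    """Map a path to its compartment: first two path components
    (/ops/iraq/x -> ops/iraq, /state/cables/saudi/x -> state/cables)."""
    parts = [p for p in resource.split("/") if p]
    return "/".join(parts[:2])


def reads_by_user(events, user):
    """The audit question itself: everything this user read, in order."""
    return [e["resource"] for e in events
            if e["user"] == user and e["action"] in READ_ACTIONS]


def out_of_scope(events, assignments):
    """Reads that fall outside the user's assigned compartments."""
    findings = defaultdict(list)
    for e in events:
        if e["action"] not in READ_ACTIONS:
            continue
        if compartment_of(e["resource"]) not in assignments.get(e["user"], set()):
            findings[e["user"]].append((e["ts"], e["resource"]))
    return dict(findings)


def bulk_minutes(events, threshold=4):
    """(user, minute) pairs with at least `threshold` reads in that minute."""
    counts = Counter((e["user"], e["ts"][:16]) for e in events
                     if e["action"] in READ_ACTIONS)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("analyst_a read:", *reads_by_user(ev, "analyst_a"), sep="\n  ")
    print("out of scope:", out_of_scope(ev, ASSIGNMENTS))
    print("bulk minutes:", bulk_minutes(ev))
```

Neither check is sophisticated; the point is that they are only possible at all if the server records who read what, and that even a crude assignment table turns a pile of reads into a short list worth a human's attention.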

There are some other possibilities of course:
  • SIPRnet is much better secured internally than I suggest above, but Manning did actually have extensive hacking skills and the ability to penetrate technical defenses and remove audit logs of his activity, and this fact has not come to light yet.
  • Manning received extensive coaching and assistance from someone, such as Julian Assange, who did have extensive technical hacking skills.  No evidence of this appears to have come to light either.
At any rate, the US defense and intelligence establishment is extremely large, and therefore it's absolutely certain that a small but non-zero number of its employees will turn out to be spies, criminals, or miscreants of one kind or another.  It's critically important that the damage any one such person can do be limited, especially if they are low down in the hierarchy.

This isn't just an issue of confidentiality, though that's certainly important.  The DoD is using its networks operationally to share information used directly in warfighting (it's actually a point of pride called network centric operations).  If those networks are flat conventional networks of commercial hardware and software, such things are basically inherently insecurable, and it should be assumed that an enemy can basically toast the entire thing with worms, internal DDOS attacks, or similar, during a conflict.  One has to ask: if a single private can compromise the entire network, is the DoD going to actually be able to put up much of a fight at all during a war with a sufficiently knowledgeable adversary?

Update: note doubly well the usual disclaimer.  These are my opinions only on my personal blog and I am not speaking on behalf of my employer.

5 comments:

Glenn said...

Lack of competence and loss of competence at various levels of governance seems to be _one_ symptom of empires in decline...

Glenn

Philip Brewer said...

You've put your finger on exactly what Assange is trying to do. His whole point is that repressive governments need to keep secrets to be effective. Revealing their secrets may make them less effective at being oppressive—but at least as important, forcing them to hold their secrets ever more closely definitely makes them less effective.

The US has networks that function as you suggest—that scrupulously limit access to each individual piece of information based on each individual user's demonstrated need-to-know. But that isn't the right level of security for all information.

From what I've seen so far, it looks to me like the State Department had the security level just about right. None of the information that I've seen discussed in the media would have been particularly useful to foreign governments—surely their own diplomats were telling them that the Saudi king doesn't trust Iran. Even if some low-level spies were passing this information regularly to various foreign powers, I don't see that US security suffers.

On the other hand, I can see this information being very helpful to other US diplomats—and even non-diplomats who have to interact with foreign officials.

That's why the information wasn't more carefully secured: because it was useful to have it widely available inside the government.

If the information is locked down more tightly, thousands of government officials will have a harder time doing their job well. Which is explicitly Assange's goal.

Stuart Staniford said...

Philip:

From what I've seen so far, it looks to me like the State Department had the security level just about right.

Well, the fact that it's been dominating newspaper headlines for over a week now suggests that it wasn't actually a very good idea to put it in a position to be accessed by very large numbers of people.

If the information is locked down more tightly, thousands of government officials will have a harder time doing their job well. Which is explicitly Assange's goal.

Proper security certainly costs something in convenience/resources (installing controls, and figuring out who is supposed to have access to what). However, lots of organizations manage to operate ok notwithstanding a good deal more segmentation than is apparent here.

Philip Brewer said...

Sure. I've worked at them. I was also a security professional in my day job—I helped write the infrastructure that supported those efforts.

But my take is that locking the information down harder is almost always a mistake. (Not always. It's important to lock down information about individuals, such as the identity of spies and private medical information.) I can't count the number of bad decisions that were made because people didn't have access to the information they needed. (Often after the right decision had already been reached by people who did have that information—except that even the fact that a decision had been made was kept secret, so somebody had to make the decision again.)

And certainly "dominating headlines" seems like a weak marker of harm—it just means that the secret emails were interesting.

Mr. Sunshine said...

Stuart,

You describe a network operation that has less security than my home LAN. This makes me suspect there's more to the situation than meets the eye. After all, what's the result of these "leaks?" More repressive censorship, more Internet content control; everything government wants to squelch "Amendment 1" is justified with this Wiki-situation.