
Amidst the Sturm und Drang following WikiLeaks' publication of the State Department cables, Bradley Manning and Julian Assange have drawn fire from the DoD, the State Department, the DoJ, Congress and the mainstream media. But with the exception of a few articles and blog postings from the technology sector, there has been no discussion of how it was possible that Pvt. Manning could get away with hoovering off gigabytes of data from Secret and Top Secret networks while remaining completely undetected. There also seems to have been no public discussion of the implications. To go after Bradley Manning and Julian Assange is just an exercise in shooting the messenger. Ignoring the message will not make it magically disappear. The courts will decide the fates of Assange and Manning. Every dog has his day. But this is not about messengers. It is about the message. This is about all of those elephants that are stampeding around the room. Time to break out the elephant gun.

In this multi-part series, I am going to revisit the kerfuffle following WikiLeaks' release of videos and cables that it received from Pfc. Bradley Manning with an eye toward examining:

 -  what actually happened
 -  why it happened
 -  why it shouldn't have happened
 -  and, who is responsible for allowing an environment in which it could have happened to exist in the first place.

In Part 1, we will hear Pfc. Manning describe how the environment at Forward Operating Base Hammer, the lack of security on the DoD "secure" network, and the absence of any security on the State Department's network and systems worked together to enable him to do what he did without being detected. Part 1 will identify circumstances and conditions that point to serious problems with the whole information security environment on both the DoD and State Department high-security networks.

Part 2 will dissect the security environment at FOB Hammer and then explore some of the implications of the problems identified in Part 1. It will show the complete absence of any kind of controls that would have prevented Manning from exfiltrating all of that information. Because of his status and emotional state, allowing Manning to continue in his position was just one more missing control at FOB Hammer. We will see how obvious it should have been to his chain of command that he was a very high-risk person and was a prime candidate for being an insider threat. It will also begin to identify the links in the chain of negligence and incompetence that allowed this to happen.

Part 3 will shift focus from FOB Hammer to the DoD at large and continue to document the negligence, incompetence and cluelessness as the dots are connected from FOB Hammer to the database at State. Again and again and again there were actions that could have been taken, policies that could have been put into effect and processes put into place that could have prevented Manning from hoovering up all of that information.

Part 4 shifts focus from the DoD to the State Department and pays tribute to all of the ways State didn't do things that could have prevented the problem. If anything, State has bigger problems (with respect to the NCD) than did the DoD.

Part 5 will bring it all together and lay out the consequences of the incompetence and negligence exhibited by the players in this little saga. It will lay the message out in such a way that it will be clear even to the incompetents who laid the groundwork for the debacle. Given the absence of any kind of risk management or security controls, that something like this would happen was (and probably still is) inevitable. Because of a lack of forensic information, we will never know how many other people did what Manning did, but put it to use in a different way.

In Part 5 we will also review the concept of risk management and its function in the operation of any organization. We will talk about where the responsibility for risk management lies and point out all of the places up and down the chain of command in both the DoD and State Department where it is functionally nonexistent. It will show, based on Executive Branch and DoD directives, that the culpability for the leaks lies with leadership in the DoD and State Department for the complete lack of risk management oversight and practices. If they had followed common, bog-standard information security practices, this could not have happened. The culpability for this mess lies with the “management” of the Departments of Defense and State.

Part 1 after the orange squiggly . . .

Part 1

We can catch a glimpse of the bull elephant if we revisit the June 26, 2010 post in the Threat Level blog on wired.com. In it, the authors talk about Pfc. Manning's arrest and quote extensively from online chats between Manning and Adrian Lamo, the person who turned him in to the FBI:

He [Manning] claimed to have been rummaging through classified military and government networks for more than a year . . .
(That is, Manning had been able to "rummage around" in classified military and government networks for more than a year without being noticed by ANYONE).
He first contacted Wikileaks' Julian Assange sometime around late November last year, he claimed, after Wikileaks posted 500,000 pager messages covering a 24-hour period surrounding the September 11, 2001 terror attacks. "I immediately recognized that they were from an NSA database, and I felt comfortable enough to come forward . . ."
(Note that the databases to which Manning, and anyone else with the degree of access that he had, had access apparently included National Security Agency databases. This will become important later).
From the chat logs provided by Lamo, and examined by Wired.com, it appears Manning sensed a kindred spirit in the ex-hacker. He discussed personal issues that got him into trouble with his superiors and left him socially isolated, and said he had been demoted and was headed for an early discharge from the Army.
. . .
As described by Manning in his chats with Lamo, his purported leaking was made possible by lax security online and off.
This, too, will become salient later.

. . .

The networks, he said, were both "air gapped" from unclassified networks, but the environment at the base made it easy to smuggle data out.
(The function of air-gapping will be described later).
"I would come in with music on a CD-RW labeled with something like 'Lady Gaga,' erase the music then write a compressed split file,' he wrote. 'No one suspected a thing and, odds are, they never will.'

"[I] listened and lip-synced to Lady Gaga's 'Telephone' while exfiltrating possibly the largest data spillage in American history,' he added later. 'Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis . . . a perfect storm.' . . ." [Emphasis mine. This will become a refrain].

Summing up: A disgruntled Pfc. who had been demoted and was being given an early discharge was allowed access to SIPRNET (a SECRET-level network which the DoD shared with the State Department) and JWICS (a Top Secret/SCI-level collection of interconnected networks, to which the Department of State was also connected) in an environment in which there were no security controls. A perfect storm, indeed.

In the same article, Poulsen and Zettner noted: "The State Department said it was not aware of the arrest or the allegedly leaked cables."

In other words, State didn't know that their cables had been boosted off their network and were sitting on a disillusioned, disgruntled Pfc's CDROMs. Neither did the DoD. Nor had the NSA detected that their pager messages had been poached.

Had any of these organizations been aware of the copying, they would have moved on the person doing the copying and we never would have known about the breaches.

In Part 2, we will look at Pvt. Manning's tale from the perspective of an information security practitioner and see what it tells us.

Crossposted to Don't Confuse Me With Facts, My Mind's Made Up!

  •  a couple of key points that change everything: (2+ / 0-)
    Recommended by:
    Youffraita, Simplify

    If, as you say:

    Manning "had been demoted," and "was being given an early discharge," then whatever disciplinary situation produced the demotion and early discharge should also have resulted in rescinding his S clearance.  

    The fact that he retained his clearance, or at minimum retained access to classified data one way or another, demonstrates contributory negligence on the part of his superiors and those charged with maintaining INFOSEC.

    If I was Manning's lawyer, I'd be all over this and use it for all it's worth.  

    "Minus two votes for the Democrat" equals "plus one vote for the Republican." Arithmetic doesn't care about your feelings.

    by G2geek on Sun May 13, 2012 at 09:22:42 PM PDT

    •  IANAL but Manning's lawyer sucks n/t (0+ / 0-)
    •  re: a couple of key points . . . (2+ / 0-)
      Recommended by:
      G2geek, codairem

      Hola G2geek,

      You're absolutely right. And that's where all of this is going to end up. Your observation is just the very teeny-tiny tip of the iceberg. It's going to get much worse. Please keep checking in . . . my end game in publishing this series is to try to give Manning's lawyer some cannon fodder and to try to stir up enough public indignation that the feds will decide to dial back the pressure a bit. It's going to get really embarrassing for the DoD and State before this is all done . . .

      •  excellent: do it. here's another piece for you: (2+ / 0-)
        Recommended by:
        codairem, Rich in PA

        Manning almost certainly has undiagnosed bipolar disorder, that could provide something like a diminished capacity defense.

        If you look at some of the items in his disciplinary record, they appear to be indicative of mood swings.  And in particular the frenetic nature of his foray into the classified databases is highly indicative of the manic phase of bipolar disorder.  That is how people in a manic state behave: they have enormous energy to devote to whatever task they get themselves into, and they typically become extremely focused on what they're doing, even to the point of being oblivious to risks to their own wellbeing.  Check, check, and check.

        Now the difficult part of this will be to get recognition that he was in an abnormal state, without ending up with him being forcibly drugged with major psychoactives for the rest of his life.  Bipolar disorder very often quiets down into cyclothymia (a much reduced version with milder mood swings) when the person is in a calm quiet environment, and also becomes less severe in the 30s and 40s than in the 20s.  Cyclothymia generally does not require major psychoactives to treat it.  

        I know more about this case than I can discuss in public, and the bottom line from where I'm looking at it is that the whole thing was an enormous tragedy all 'round.

        Bradley Manning got talked into throwing his life away with a degree of recklessness that is also symptomatic of psychiatric ailments.  Adrian Lamo was in a position where he could not have done other than exactly what he did.  

        But frankly I am not pleased with Mr. Assange.  He basically convinced a kid young enough to be his offspring, to throw his life away, so Assange could go on with his rockstar trip.  Middle-aged men manipulating kids who aren't even legal to drink beer: sorry folks, that's way beyond not cool.  

        And almost as if to prove the point, some months ago Assange claimed he had the goods on Bank of America that would cause its house of cards to collapse: but what ended up happening was that the files were deleted in their entirety during a snit between Assange and one of his subordinates.  That information could have been of enormous value to progressives, but it was lost due to a snit.  That just disgusts me.

        So IMHO, it's Anonymous who have picked up the torch for disclosures in the public interest.  And by their nature they are immune to personality cults, which is all to the good.  

        "Minus two votes for the Democrat" equals "plus one vote for the Republican." Arithmetic doesn't care about your feelings.

        by G2geek on Mon May 14, 2012 at 12:13:35 AM PDT


        •  re: excellent: do it (1+ / 0-)
          Recommended by:
          G2geek

          I'm with you on treading very lightly around the bipolar disorder observation. Especially if he ends up doing time, which I don't think he can avoid. I was a Navy corpsman in the late '60s and early '70s and worked on a locked ward for a while. The treatment he got at Quantico is nothing compared to what the inmates (and I'm using the term advisedly) got if they got out of hand. Think One Flew Over the Cuckoo's Nest, only worse . . .

          Agree also about Assange. I have mixed feelings about Lamo. At best, I think that both he and Manning used poor judgment. Lamo could have stopped Manning from spilling his guts and Manning could have not spilled his guts to someone he didn't know. Having said that, given his mental state and naivete, he probably didn't know better, and even if he had, it probably wouldn't have mattered at that point . . .

          Re Anonymous, they might be immune to personality cults (which I think might be debatable), but they certainly aren't immune to internal squabbles and power plays . . . Having said that, I think that given the distributed/decentralized nature of the organization, it's much better placed to be successful in doing WikiLeaks kinds of things . . .

      •  and I want to emphasize this point: (1+ / 0-)
        Recommended by:
        Neuroptimalian

        Adrian Lamo was in a position where he could not have done other than exactly what he did.

        First of all, he was a well-known hacker who had previously gotten into trouble with the law.  As a result of that, it's almost a certainty that he was being watched.

        Second, he was doing some security consulting in a highly sensitive environment.  In that type of environment it is expected that individuals who run across evidence of illegal activities will routinely report what they observe.  

        Manning contacted him as a potentially sympathetic character, and blurted out what he had done.  This put Lamo in the position that if he had simply ignored it or even told Manning to shut up and stop his activities, Lamo could arguably have become an accomplice to whatever Manning ended up getting charged with.  

        Lamo had no choice but to report what he observed.  He could not have done otherwise.   Anyone out there who wants to try to label Lamo as some kind of "snitch" should understand that Manning put him in an impossible position.

        "Minus two votes for the Democrat" equals "plus one vote for the Republican." Arithmetic doesn't care about your feelings.

        by G2geek on Mon May 14, 2012 at 12:22:49 AM PDT


        •  And it's not like Manning wouldn't have been found (1+ / 0-)
          Recommended by:
          G2geek

          ...anyway.  This just hastened the discovery.

          Romney '12: The Power of Crass Commands You!

          by Rich in PA on Mon May 14, 2012 at 05:50:07 AM PDT


          •  And it's not like Manning wouldn't have been found (0+ / 0-)

            Rich,

            I would be really, really surprised if he would ever have been found out if he'd remained strictly anonymous. As you'll see as the saga progresses, there was no way anyone could have nailed him. There was no auditing on the network, no auditing on the hosts, no auditing on the databases, no auditing anywhere . . . no intrusion detection systems anywhere on the networks, no honeypots, bupkis, zip. Remember that he said in his chat with Lamo that he noticed that somebody had posted 500,000 pager messages that had been slurped out of an NSA database. There's no way that could have happened if network monitoring was in place. Also, there's no way he would have been able to hoover and post all of the stuff from State or the videos from Iraq. If the networks had been monitored, he'd have been nabbed way before he had a chance to unload them . . . and he would have disappeared into a black hole and no one would ever have heard of Bradley Manning . . .

        •  re: and I want to emphasize this point (1+ / 0-)
          Recommended by:
          G2geek

          I completely understand that Lamo ended up between a rock and a hard place. And, though in my reply to your previous post I said that possibly Lamo could have not engaged, Manning may have taken the conversation too far too quickly for Lamo to get him dialed down. I'm comfortable that Lamo had no choice in how it played out . . . The only concern/reservation I have about the way things played out is that I don't know what Lamo's motivation was for letting Manning completely spill his guts. If he was playing Manning to get all the goods he could on him, that would spin things differently. I'm not saying that I suspect that that is the case - only that I don't know that it is not the case.

          •  Manning did, and Lamo couldn't. (0+ / 0-)

            (I had just written a lengthy reply, clicked the wrong button, and lost it, so this is the short version.  My thoughts and opinions on this stuff are in part formed by information that is not generally public.  The community of hackers and people with related interests, professionally and personally, is a very small neighborhood.)

            Manning blurted it out when he first met Lamo online.  There was no opportunity for Lamo to disengage.

            You've been in the Navy, so you know the routine: someone comes up to you and solicits classified information, and you are obligated to report them to your chain of command.

            Or someone goes to the bar and brags that they committed a notorious recent bank robbery, and the person they brag to is an off-duty cop.

            Or someone works at a broadband provider and runs across a stash of kiddie porn in a customer's "cloud storage" folders.

            In any of those types of cases, everything that follows is required and there is zero room for flexibility.  In some cases the individual who was the recipient of the unwelcome solicitation, news, or discovery, is also obligated to follow procedures for further contact with the person of interest, and very often those procedures are determined by legal requirements (for example the rules related to entrapment are stricter than most people realize).

            Lamo could have been in love with Manning and wanted to marry him, or hated his guts and wanted him dead, and either way the result would have been basically the same.

            From the military's point of view, Manning had done as much harm as a well-organized spy ring, and intent was irrelevant.  By analogy a kid who gets in a car after having too much to drink, and causes a fatal accident, doesn't intend to go out and kill someone.  But intentions before the fact, and apologies after the fact, don't bring back the dead or put secrets back in the bottle.  

            I fault Assange for having encouraged Manning to go on his wild fishing expedition.  Had Manning stopped with the release of the combat video showing civilian casualties, he could have claimed to have acted as a whistleblower and his outcome would have been different.  But Assange took advantage of Manning and got him to dredge up all the rest of that stuff, very little of which had any bearing on public policy debates, and some of which did real objective harm.

            There is a special place in hell for grownups who take advantage of kids.  

            Manning's life has become a foregone conclusion, Lamo has been blamed for it, while Assange escapes like a child-molesting priest hiding out at the Vatican.  Manning will be sleeping on a slab while Assange is still preening for the cameras.  The sheer injustice of that situation only compounds the tragedy.   There is no good that has come from this, and no good that can possibly come from it, unless progressives and dissidents recognize that Assange bears the responsibility for what happened to both Manning and Lamo, and throw Assange into the proverbial dustbin of history.  

            Anonymous isn't perfect either, and it really bugs me when they go after military and law-enforcement agencies as targets of their activities.  But at least Anonymous doesn't suffer from a personality cult built around a narcissist.  And the people in Anonymous do their own dirty work and risk their own necks, rather than luring others to do it for them and take the consequences for them.  Or to put it differently, an honest robber who occasionally does a Robin Hood, is more respectable than a con-man.  

            "Minus two votes for the Democrat" equals "plus one vote for the Republican." Arithmetic doesn't care about your feelings.

            by G2geek on Mon May 14, 2012 at 09:13:11 PM PDT


    •  Would that be any sort of acceptable defense? (1+ / 0-)
      Recommended by:
      G2geek

      It's a defense in a colloquial sense, but I'm not sure it's a defense in the stylized setting of a trial.

      Romney '12: The Power of Crass Commands You!

      by Rich in PA on Mon May 14, 2012 at 05:51:24 AM PDT


      •  IANAL so your guess is as good as mine. (0+ / 0-)

        And the UCMJ differs substantially from civilian law.

        For one thing, the military is very hard core about "the buck stops here" at every level, with every person, with few exceptions if any.  

        The fact that they left the door wide open for someone who was about to exit the service, to go in and gather up bushels full of stuff, might get someone else in trouble, but may not get Manning out of trouble.

        Now IMHO this case should have been handled much more rapidly and without all the long detention in solitary and all the rest of that.  Those factors should weigh against the government.  And frankly I tend to favor tempering justice with mercy when dealing with cases such as "screwed-up kids who aren't really sociopaths."  But there's no escaping the fact that he really shot for the moon with this one, and the likely outcome is life behind bars.  

        As I said, this whole thing is a tragedy at all levels.  

        "Minus two votes for the Democrat" equals "plus one vote for the Republican." Arithmetic doesn't care about your feelings.

        by G2geek on Mon May 14, 2012 at 07:04:36 AM PDT


        •  Re: IANAL so your guess is as good as mine (0+ / 0-)

          "As I said, this whole thing is a tragedy at all levels."

          Amen, brother.

          I'm afraid you're right about Manning's future. IMHO, though, far and away the most egregious outcome of this whole thing is that the people who were responsible for securing the system and the data will get away without even an entry in their jacket . . .

  •  Does lax security constitute a defense? (0+ / 0-)

    I don't think anyone below the level of Deputy Secretary of State or delegates should have had access to all of the cables, so the whole thing has been astounding from the start, but I don't think there's an "attractive nuisance" defense for leaking classified documents!  Then you have Manning's mental state, and the lack of any bad consequences (vs. plenty of good ones) from the leaks....all in all it seems to be that Manning has no way to avoid being found guilty but a good case for a slap on the wrist.

    Romney '12: The Power of Crass Commands You!

    by Rich in PA on Mon May 14, 2012 at 05:49:22 AM PDT

    •  Re: Does lax security constitute a defense? (0+ / 0-)

      Good question. Complicated issue. I'll be addressing it in Part 6.

      •  I'm betting that ... (0+ / 0-)

        your research will confirm that no, lax security does not constitute a defense.  In fact, unless there were an issue of entrapment, the level of security Manning knowingly and purposefully breached will not be relevant.

        "Two things are infinite: the universe and human stupidity, and I am not sure about the universe." -- Albert Einstein

        by Neuroptimalian on Mon May 14, 2012 at 09:03:31 PM PDT

