Intelligence Community Will Close Gaping Hole that Allegedly Led to WikiLeaks Disclosure … in 2013

I did a long post yesterday describing how embarrassingly, pathetically bad DOD’s information security was and remains 3 years after a malware attack and a full year after the alleged WikiLeaks leak. Along with DOD’s gaping security problems, I noted that some entities in the intelligence community are still in the process of implementing user authentication which would have exposed someone taking entire databases off of their networks.

While the two DIA witnesses mostly blew smoke rather than provide a real sense of where security is at (both blamed WikiLeaks on a “bad apple” rather than shockingly bad information security), the testimony of DNI’s Intelligence Community Intelligence Sharing Executive Corin Stone seems to suggest other parts of the IC area also still implementing the kind of authentication most medium sized corporations employ.

To enable strong network authentication and ensure that networks and systems can authoritatively identify who is accessing classified information, the IC CIO is implementing user authentication technologies and is working with the IC elements to achieve certificate issuance to eligible IC personnel in the first quarter of fiscal year 2012.

Just in case the intelligence community can’t get around to providing this fairly common security on our intelligence community networks by their planned timeframe of the first quarter of FY 2012 (which would mean the last quarter of calendar year 2011), the Senate Intelligence Committee is requiring the IC to have a fully operational ability to audit online access by October 2013.

Section 402 requires the Director of National Intelligence, not later than October 1, 2012, to establish an initial operating capability for an effective automated insider threat detection program for the information resources in each element of the Intelligence Community in order to detect unauthorized access to, or use or transmission of, classified information. Section 402 requires that the program be at full operating capability by October 1, 2013.

Not later than December 1, 2011, the Director of National Intelligence shall submit to the congressional intelligence committees a report on the resources required to implement the program and any other issues the Director considers appropriate to include in the report.

In other words, if closing this security gap a year and a half after the leaks are alleged to have occurred is too tough, then they can go ahead and take another year or so to close the barn door.

Though to be fair, this deadline may come directly from the lackadaisical DOD, as the deadlines given here seem to match those DOD aspires to hit.

Now, maybe it’s considered unpatriotic to note that our intelligence community–and its congressional overseers–are tolerating pretty shoddy levels of security all while insisting that they takes leaks seriously.

But seriously: if our government is going to claim that leaks are as urgent as it does, if it’s going to continue to pretend that secrets are, you know, really secret, then it really ought to at least pretend to show urgency on responding to the gaping technical issues that will not only protect against leakers, but also provide better cybersecurity and protect against spies. Aspiring to fix those issues years after the fact really doesn’t cut it.

  1. earlofhuntingdon says:

    You sound like an aggrieved shareholder, complaining that the company’s staff can’t seem to remember to empty the till at night or to lock the door before they leave, and the “company” happens to be a bank.

    I suppose we should be forgiven for expecting the company implement such routine controls promptly. After all, we’re only paying through the nose to keep that part of the “company” afloat, we’re prohibited from raising new revenue and from cutting its expenses. It gives the term “oversight” a new twist.

    • emptywheel says:

      I just think it’ll take three or four more Bradley Mannings exposed to forced nudity before people start pointing out that DOD brought this on itself.

      And all the while, our REAL enemies will just be helping themselves over and over and over and over.

      • earlofhuntingdon says:

        I suspect the Chinese are happy that it’s the US which finds itself living in interesting times. I’m sure glad the Feds have plenty of time, money and discretion to keep spending money on IT programs that count, like developing false digital personas through which to sell their propaganda.

        • PeasantParty says:

          They’re evil I tell you, just plain evil. Off with their heads!/snark.

          You’d think the DOD was a bunch of little bullies on the playground and the first to lie and point fingers.

        • eCAHNomics says:

          My quibble: DOD is a big bully. But like many bullies can’t stand up to a little pressure. Not only easily hacked in espace, but in 3-dimensional space is completely stymied by a rag tag bunch of tribalists with nothing but drug money, Toyota trucks, and a few explosives.

        • eCAHNomics says:

          Be careful about U.S. regional slurs on FDL. I’ve learned that feelings get hurt very easily.

        • mzchief says:

          I’m glad that you bring this up. Having lived there myself, I mean to point to a terrible injustice. Just for starters, I suggest we stop the poisoning of the area and the people through pollution, environmental degradation of the remaining pristine waters, mountain top removal and other questionable Federally financed projects that don’t do a thing for the economy, health, education and happiness of the local people. I’d like to see a sincere effort to see the place transformed and thriving.

        • eCAHNomics says:

          Yes, mountain top removal one of the biggest environmental porns I knew of before the Gulf and nuke disasters.

        • mzchief says:

          There is a significant amount of environmental abuse and destruction. The way many of the people were forced to live was just awful and the pall that hung over the place was so heavy you could cut it with a knife. The sense of alienation and depression that engulfs Wheeling hits you before you even enter the town. You just want to pour warmth and sunlight on the place anyway you can. Obviously it’s a big project and one that should be replicated many other places including Pennsylvania, Ohio, New Hampshire, Delaware and Kentucky but you get the drift. The pattern I noticed is that this tracks with wherever King Coal has or presently operates. So once can’t be surprised that unhealthy land means unhealthy, unhappy people.

        • eCAHNomics says:

          Coal. Another example of the resource curse. Only the megarich benefit. The rest are worse off than if there were no valuable resources whatsoever. They may still be poor but at least they don’t suffer from exploitation too.

        • mzchief says:

          No jobs, no houses, no education, no healthcare, no savings, no retirement or getting old, no healthy children and grand children, tripled grocery prices and purchasing power dropping like a rock. How is that concession of power and authority working out for you, America?

  2. eCAHNomics says:

    Personally, I’m happy that the USG, including spooks, have such bad security. I think the USG has too many secrets and they are oriented at keeping info from U.S. peeps, as I’m guessing that most foreign govts already knew much of what has been leaked (and those of us who were watching closely weren’t at all surprised by much of what was contained in the leaks. I hope they never fix security.

  3. nahant says:

    To enable strong network authentication and ensure that networks and systems can authoritatively identify who is accessing classified information, the IC CIO is implementing user authentication technologies and is working with the IC elements to achieve certificate issuance to eligible IC personnel in the first quarter of fiscal year 2012.

    Are you freaking kidding me?? This is basic sys admin 101!! WTF are our tax dollars for? A bunch of users (managers) with no idea what security is all about running the show…

        • eCAHNomics says:

          Ya win a lot, then you lose ONE!

          On first blush it appears to be a low probability, high consequence event. And peeps don’t seem very good at planning for those.

          However, it is no longer a low probability event; for example all the corp websites that have been hacked. So even that excuse blows now.

          BTW, thanks for your response to Knox on the other thread. He still doesn’t get it though.

  4. PeasantParty says:

    You both are so right. That’s the way I see it. Bullies that yell the loudest and first and blame it all on someone else.

    Oh, and mzchief. You can copy and past number 16 right over on the new thread. Sheesh!

    It’s like a boxwood maze these days.

  5. papau says:

    DOD/NSA/CIA terrorist database search needs data that I sell (and have sold into other governments) – and in meetings they admit as much.

    Yet the not invented here problem combined with you’re representing only a few scientists and are not a mega-corporation we usually do business with means I am told I need more political backing to get DOD/NSA/CIA to do what they say they should do to defend the US.

    I have given up and am no longer spending my own money to get them to do what they should do about a problem that has been discussed in open hearings for multiple years now – with no movement. If anyone with “Senator” or “Rep” as their boss is interest in national defense I’ll ship them a 4 paragraph summary with details as to prior hearings and the solution (upgrade) that is needed. I really do not care if I make a sale – but I’d like to know that they are at least developing the same data in house – meaning that they take their promises to previous Congresses seriously.

    As to the security problems, they have top of the line programs and procedures – that get tossed against amazing management and budget process obstacles – so I am sympathetic to the DOD/NSA/etc. But as you note, the result is less than optimal – but at least there is an implementation date of 2013 :-)

    • eCAHNomics says:

      but at least there is an implementation date of 2013 :-)

      Isn’t that also the date U.S. troops are out of [insert country name here]? I can’t keep track anymore.

      On edit: A serious reply. My late friend who owned a company that manufactured high-tech ceramics, tried to get into the DOD on better explosive protective vests, couldn’t get anywhere bc he didn’t contribute to the right people. Small biz of around 100 employees. Only the big contributors need apply.

      • emptywheel says:

        Interesting point.

        Their removable media problem (that is, the most amazing military in history losing the fight against Lady Gaga CDs) appears to be unique to the field. They need to keep access for CDs (they claim they’re no longer accessible to thumb drives) so as to pass data to weapons platforms (I sort of wonder if that means “drones”?) and “coalition partners.”

        I keep thinking about that “coalition partner” thing. What’s included in that? Brits? Canucks? Iraqis and Afghans? Contractors? Very quickly it becomes a vastly more dangerous problem than Bradley Manning.

        But if the worst problems are bc of deployment issues in our permawars, then if one of them ended, yeah, that’d fix the problem.

        • emptywheel says:

          I absolutely agree the govt has too many secrets from us.

          But it’s pretty clear that one, of several, reasons they’re giving Manning the treatment they are is as a lesson to others. The lesson? If you leak our overclassified data that has almost no real protection on it, rather than blame ourselves, we’ll treat you like a terrorist.

          So I’m not sure whether making sure it remains leaky is the best solution.

          Furthermore, to the extent that we’re spending hundreds of billions on this war machine, there are some functions I’d like it to be competent at serving. Killing Afghan civilians? No. But responding to another attack here? Yes.

          We have to assume that with IT security like this, all of the military machine’s efficacy is being drained.

          In other words, we’re willing to spend $700 billion on this supposedly invincible machine, but not willing to spend a few billion to make sure it stays that way.

      • papau says:

        LOL –

        And as to your serious note about your friend – yep – you get meetings but they go nowhere – indeed one fellow suggested selling it to IBM or equivalent so they could resell it to the DOD/NSA/etc.

        The US government truly is a world made ONLY for mega corporations.

      • chaeronea says:

        Unless you massively underbid, you weren’t getting a contract from the DoD in years past without the backdoor handshake system. Can’t have your friend’s company undermining the profits of someone else making sub par vests, that’s just unamerican! Think of the precious jobs we need out in some republican district!

  6. orionATL says:

    this is a a really powerful point of counterattack, and makes the third (if my count is correct) missile fired in that counterattack.

    what this emptywheel/fdl counterattack suggests,

    when put together with

    -the repeated leaking of highly classified info to “journalists” by presidential and other “high” gov’t sources,

    -the routine practice of classifing government docs as “secret” or greater in order to hide information from citizens/voters, and

    -the shabby, unprofessional, uncaring attitude toward the security of “secret”-stamped u.s. documents by the chain of officers that pvt manning reported to and was required, thru the chain-of-command, to obey

    is that manning must be psychologically tortured until his normal mind is destroyed

    in order to protect from being manifest to the american public

    the sloppy, insouciant, opportunistic, exploitative attitude toward “secret” documents by our commander-in-chief, by the sec of defense, and by the officers, jr and sr, in manning’s particular command.

  7. orionATL says:


    need to incorporate cd’s or dvd’s = need to accomodate “legacy” equipment,

    for whatever reason –

    age of own equipment or of equipment of potential or actual “allies”?

  8. MickSteers says:

    The treatment of Bradley Manning IS the security response.

    They’ll get around to battening down the hatches eventually, but there will always be a hack of some sort to circumvent the system, even when their systems become as good as the one Toys-R-Us uses.

    They are sending an important message. “Feeling noble, are you? Thinking of exposing wrongdoing in accordance with your sworn oath to uphold the constitution? Think again. Think of Bradley Manning.”

    In the United States, there are no whistle-blowers. Only terrorists.

    Mission Accomplished.