Evan Knappenberger, a member of Iraq Veterans Against the War who served in roughly the same position Bradley Manning did (but several years earlier), was interviewed by his college newspaper about my latest obsession, DOD’s network security. (h/t Asher_Wolf)
What kind of access did you have here and in Iraq?
Army security is like a Band-Aid on a sunken [sic] chest wound. I remember when I was training, before I had my clearance even, they were talking about diplomatic cables. It was a big scandal at Fort Huachuca (Arizona), with all these kids from analyst school. Somebody said (in the cables) Sadaam wanted to negotiate and was willing to agree to peace terms before we invaded, and Bush said no. And this wasn’t very widely known. Somehow it came across on a cable at Fort Huachuca, and everybody at the fort knew about it.
It’s interesting the access we had. I did the briefing for a two-star general every morning for a year. So I had secret and top-secret information readily available. The funny thing is, Western’s password system they have here on all these computers is better security than the Army had on their secret computers.
There are 2 million people, many of them not U.S. citizens, with access to SIPRNet (Secret Internet Protocol Router Network, the Department of Defense’s largest network for the exchange of classified information and messages). There are 1,400 government agencies with SIPR websites. It’s not that secret.
[snip]
We basically gave (the Iraqi army) SIPRNet. It’s not official, but if you’ve got a secret Internet computer sitting there with a wire running across from the American side of the base, with no guard, you’re basically giving them access.
Then in every Iraqi division command post, you have a SIPRNet computer, with all the stuff Bradley Manning leaked and massive amounts more.
I could look up FBI files on the SIPRNet. In fact, I was reading Hunter Thompson’s “Hell’s Angels” book, and I was like “this sounds cool,” and I looked up all the Hell’s Angels.
Now, as I said, Knappenberger was in Iraq several years before Manning, before malware was introduced into DOD networks via a thumb drive and the limited response DOD made to that. So this can’t necessarily be taken as a description of what the network was like when Manning allegedly downloaded three databases on a Lady Gaga CD, nor as a description of what it is now (though as Congressional testimony has made clear, DOD isn’t in a big rush to fix its gaping security problems).
But Knappenberger’s account backs up two points I’ve been making: first, the level of security tolerated in DOD is far worse than what you’d find on networks in the States that carry much less sensitive information (he refers to the network at Western Washington University).
Further, one of DOD’s challenges is that we need to share information with our “coalition partners” (in his account, the Iraqi army). No matter how trustworthy they seem, these coalition partners are going to have different motivations than American soldiers (think, for example, how close members of Nuri al-Maliki’s government are to Iran). They may be far more susceptible to approaches from other countries’ intelligence services than your average Army Specialist. And if there are data breaches to foreign government, we (both citizens and our government) may not be learning about them.
And there’s some indication our network security is weakest precisely at those points where we are sharing data. One of the reasons 12% of SIPRNet computers will remain accessible to removable media, after all, is to facilitate sharing of data with coalition partners. While DOD is finally implementing a buddy system to add a level of security at those sensitive computers, that still leaves them exposed to human sloppiness.
With security like this, the data Manning is alleged to have taken simply can’t be called secret. Limited access, maybe. But it’s not even clear we’re limiting access from the people who most seriously shouldn’t have it.