Obama Administration: Sorry, 2013 Is Too Soon to Fix Gaping Holes in Our Network Security

You’ve no doubt read the multiple posts in which I responded with growing incredulity at the response of DOD and the Intelligence Community to the gaping holes in their network security.

Basically, in a review of DOD networks after Bradley Manning’s alleged leaking (which came two years after they reviewed DOD networks after a bad malware infection introduced via a thumb drive), DOD admitted that they still let service members access computers on DOD’s classified network with removable media (like Lady Gaga CDs) two years after they vowed to end the practice; they didn’t have personal keys to offer better authentication and tracking of actions taken online; and they couldn’t audit for unusual activities online.

In short, they don’t have the kind of security that is considered routine in the private sector.

On our classified network.

And in response to their admission of gaping holes in Department of Defense’s (and presumably, because they want the same deadline, other parts of the IC’s) network security, they laid out a plan to fix the problems … by 2013.

Cause I’m sure none of our enemies will come looking for our secrets between now and then.

It’s becoming an obsession for me, this disinterest in fixing gaping holes in our network security even as the Administration claims Bradley Manning’s alleged leak could be a capital offense. If this stuff is so damned secret, plug the fucking holes!

So you can imagine my shock when I read the Obama Administration’s response to the intelligence bill’s endorsement of the 2013 deadline DOD and the IC asked for: (h/t Steven Aftergood)

Section 402 requires the DNI to create an insider threat detection program for the information resources of each element of the IC to detect unauthorized access to classified information. The Administration wholeheartedly agrees with the need to be vigilant and proactive in trying to detect, mitigate, and deter insider threats, and supports a comprehensive insider threat detection capability. The Administration is currently working toward its implementation. However, the Administration is concerned with the unrealistic timelines required by this provision for the program’s operational readiness, and strongly requests that the provision be amended to grant the DNI flexibility in implementation timelines of the program.

Hey bad guys?!?!?!? No one is checking the intelligence community’s networks to see whether you’re nicking highly classified information off of them. No one is checking their networks to see what kind of abnormal activities their own spooks are engaging in.

And they’re not going to be until … well, they don’t know. A deadline, you see, would be rather restrictive. And our fucking classified networks just aren’t a priority for network security! All I can tell you is 2013–two full years from now–that’s too soon.

So China, Iran? Just take what you want. Just make sure you do it in the next two … or maybe three … or who knows? years, because sometime in the distant future the IC aspires to have the same kind of network security your average bland business has.

  1. zapkitty says:

    Best outcome: it’s a setup and the apparently insecure systems are actually cybernetic deathtraps prepared to infect intruders with an uber-stuxnet worm that will give control of all the worlds spy networks to the U.S. oligarchs…

    Most likely outcome: things are exactly as they appear to be.

    • PJEvans says:

      By now the Chinese probably have all the information they can use in the next couple of years; they’re just waiting for the DoD’s next big data upload.

  2. kgb999 says:

    Can’t remember where I read it, but I think one of the issues is that currently data is moved around on removable media. It seems more or less a modern-day equivalent to making a printout. It is taken along and the data referenced in the field from non-connected locations using a laptop or whatever. That part of it really does seem to be a bit of a difficult nut to crack; we’re using portable computing devices basically as readers and there are thousands of people who use various subsets of the larger data store on a routine basis for *all sorts* of things. Unless it is possible to guarantee 100% connectivity 100% of the time it seems keeping data only on the server and prohibiting local copies of needed operational information is kind of an inadequate solution.

    As for the authentication and auditing stuff, that seems a bit more unforgivable (auditing particularly). Although even with that I think this somewhat trivializes just how big a job it is to update systems used not only on a military-wide basis but also within the wider government. It’s quite a bit more involved than just coordinating an upgrade with Accounting, Sales, Production and Shipping. It’s like that times 1000 plus big ships and stuff. But it *does* need to be done; there should at least be an engineering plan in place by now with a better proposed timeframe than “two years is too soon”.

    The whole thing is kind of a mess. But it seems to be the same mess we’ve gotten in to all over the place by engineering systems which assume everyone on the “inside” is totally trustworthy and would never screw over the system for some reason. This post makes it sound as if the ability for people granted access to a secure system to exfiltrate data reasonably easily is the same as just allowing any curious party to hop in to the system and browse. I’m pretty sure this is not the case. With our current setup, I think China still needs to find a soldier with access that is interested in spying or to break in somehow.

    (Also. Considering HB Gary and the recent Sony saga – perhaps we’re granting private industry a bit more credit for what’s “routine” than is deserved)

    • emptywheel says:

      Fair point about private industry. HB Gary aside, they usually keep their OWN secrets safe, just not their clients’ secrets.

      And yeah, one of the problems for removable media is that they have to give data to coalition partners and need to use it for–it sounds like–target. So you need removable media. They’re fixing that security problem quicker than the detection system though.

  3. donbacon says:

    Three reasons I don’t worry about it.

    1. A very high percentage of classified documents don’t qualify for classification. Their classification is merely meant to hide government activities from the public.

    2. What encourages the U.S. in its frequent military aggression is its relative technical advantages compared to those of its chosen adversaries. Therefore anything that reduces that advantage, that levels the playing field, lessens the incentive for aggression.

    3. There was no significant damage from wikileaks (see #1) which is why Pfc. Manning hasn’t gone to trial.

    • emptywheel says:

      Agree with 1 but not 3. Manning hasn’t gone to trial bc they’re still hoping to get a reliable human witness to some aspects of this. Adrian Lamo is not the witness you want a case like this to hang off of, even if there aren’t a whole bunch of problems with his relation with the govt they’d like to hide, which I suspect there are. And their forensics, precisely because of this particular gaping hole, are probably pretty shitty and technically assailable.

      So they’re still hoping to make a strong case against Manning and will hold him until they’re able to do that.

      Consider the comparison: Thomas Drake, who as Mayer described yesterday, is facing 35 years for leaking 2 documents that aren’t even classified, and 3 more that the IG told him to keep. They are moving forward to trial with that one bc their case is as good as it’s ever going to get.

      • donbacon says:

        Basically I don’t share your concern about “national security.” It’s over-hyped as we see with Manning and next with Drake. “National security” is mostly an effort by those in power to stay in power, and well-compensated, and has nothing to do with any possible injury to us.

        The statistical risk of injury from terrorism, for example, is less than that from bath-tub slips or lightning strikes, and the risk from any declared U.S. enemies (China, Iran, North Korea) is invisible.

        So the whole security concern is a scam, and why contribute to it by asking them to “plug the fucking holes?”

        • PierceNichols says:

          QFT. The only one that might be able to harm the US in a significant way is China, but that particular Mexican standoff/strategic chess game is unlikely to make its way into open warfare unless someone kicks over the board in a fit of pique. My leading candidate for that particular brand of stupidity is the US right wing.

          It’s very easy to make SIPRnet so secure that it can’t be used. That would be a bad outcome, and it is a likely one given the sort of low-information fearmongering about cyber-security that way too many people are engaging in, here and elsewhere. The root of it seems to be folks who ought to know better but are looking forward to drawing fat government contracts to fix the problem.

    • eCAHNomics says:

      I agree.

      The worse job the pentagon does at data security, the better it is for the U.S. public.

    • Ralph says:

      I see your points, especially about leveling the playing field with other countries. I hope you’re right.

  4. zapkitty says:

    “I’m pretty sure this is not the case. With our current setup, I think China still needs to find a soldier with access that is interested in spying or to break in somehow.”

    It would take time and a deal of preliminary work but all China would need to do, if they were inclined to take a low-key route, is to arrange it for an innocent or three to slip some corrupted media into systems that are also networked… and then patiently wait for the dance of the flash drives to bring them cool stuff.

    Access to insiders would be gravy, of course… but even then an insider need not be aware of any link to the minions of Chairman Mao.

    This is, of course, leaving aside entirely China’s dominance of the manufacturing base for our system components…

  5. earlofhuntingdon says:

    Needless to say, a mid-level IT manager who proposed that sort of plan would be out of work in a heartbeat. Mr. Obama seems determined to show those redneck Goopers that there’s nothing government can do that the private sector can’t do better.

    That includes protecting the lives and missions of its military. He puts them and it in harm’s way, not by sending them to war, but to wars in which an ever more IT dependent military can’t assure itself that its IT functions as securely as Kellogg’s, Clorox’s or Victoria’s Secret’s.

  6. fatster says:

    O/T Thirty-five long years later:

    Argentina Dirty War officers jailed for mass killing [crimes against humanity] LINK.

  7. bobschacht says:

    What I’d like to know about this mess is Cui bono? Who benefits? (Other than our enemies, of course). Some bunch of our(?) people apparently have a stake in NOT closing these gaping holes.


    Bob in AZ

    • DWBartoo says:

      Kinda the way it looks to me, Bob.

      This is deliberate.

      Beyond “who?” … there is “why?”

      What failure is an excuse of this potential magnitude designed to “cover”?

      This one, “they” want to be obvious, as it (or “they”) does (do) not benefit from the cover of total, enforced, secrecy.

      “What” can it be?

      A “biggie”, no doubt.


    • PierceNichols says:

      Both you and emptywheel are guilty of grossly underestimating how hard a problem this really is.

      First, the claim that these types of controls are routine in private industry isn’t true. They aren’t — they’re used in specific instances for highly sensitive data if and only if the risk of a leak outweighs what they cost. No-one has ever tried to protect a network the size of SIPRnet to the standard you and emptywheel are demanding.

      Second, security and usability are naturally opposing, and usually mutually exclusive, values. These systems are intended to support people doing their jobs, and excessively tight security will turn them into very expensive and mostly useless paperweights.

      Third, this is an attempt to solve an inherently social problem through technological means. That is a technique with a severely checkered history.

      Fourth, this benefits computer security contractors and essentially no-one else.

      Fifth, you overestimate the value of information.

      • DWBartoo says:

        Of all the (more than several) “problems” attending waging perpetual war against a tactic and making un-Constitutionally “secure” the “Homeland”, where does this specific “problem” fall, or stand, PierceNichols, as you perceive it, in terms of difficulty, seriousness, and significance, regarding this “problem’s” special “role” … in both of these larger campaigns, “looking forward”?

        Is it centrally important or merely peripheral?

        Perhaps it is the power elites who overestimate the importance, value, and power of “information”?

        Especially in the current climate-change of pervasive and unaccountable secrecy, and unrestrained governmental assault upon the rule of law and upon civil society, itself?


        • PierceNichols says:

          The comment you are responding to dealt with the issue at hand in the post, not the larger issues at hand. My feelings about the national security state are largely negative.

  8. geraldo says:

    Oh come on, get your priorities straight.

    First they need to make sure the internet wiretapping equipment is working right and then they need to work on the algorithms used to sift through the massive amounts of data they’re collecting. Then they need to deal with all the court cases and type up the official state secrets defense briefs…you can see that they’re Just A Wee Bit Busy Right Now!

    They’ll get to it later once their plates are cleaned off a little!

  9. waynec says:

    It’s good for Pfc. Manning, as ew alludes to.

    If the info is so secret that a capital crime may be charged, why wait for two more years to put a lid on it??!

  10. lsls says:

    I call BS. By leaking this, they will say that “there was no way to anticipate” whatever happens between now and then. I’m not talking about attacks on the US..I’m talking about a scenario where “someone” does “something” “somewhere” to “something”, but it looks like the ability to “do” “something” was “stolen” by “someone” so that “something” won’t look like it was the fault of the US. The US will then blame “someone” and then say what a good thing whatever “it” is in any case even though they had nothing to do with “whatever it is”. JMHO

    • eCAHNomics says:

      Speaking of calling bullshit, the military can’t even audit itself. What a bunch of incompetents in every way, shape & form.

      Can’t win wars.

      Can’t keep their secrets.

      Can’t keep track of what they’re spending.

      Talk about end of empire hubris.

  11. marksb says:

    The problem isn’t the equipment, or the style of use (cloud vs thumbdrive, etc).

    The problem is that to change the system to secure the data requires that the entire system of data usage be changed. Everyone who has access or provides input to the secure system must change the way they do their jobs…completely.

    They don’t know how to make changes at such a broad level. They’ve got to analyze how the data is accessed, how it’s inputted, how it’s used, by everyone in the system. That’s overwhelming.

    This isn’t an excuse, it’s really an indictment on how sloppy the system has become over the years. In the long-ago dark ages of my service in the early 70’s, when it was all paper and secret keys to activate crypto hardware on teletype messages, things were tightly secure and any breach was clearly due to a violation of security procedures. Easy data storage and sharing, along with ubiquitous cheap computer platforms, destroyed that security. It became much easier to do the job with the new tools, and I’m guessing the security procedures did not keep pace. I’ve expressed before around here how surprising it is that PC’s used in secure systems have writable CD drives. Idiots.

    Now the entire system must be changed, while maintaining day-to-day functionality. From a project management point of view, this is a nightmare.

    • DWBartoo says:

      A “problem” not amenable to earnest bipartisanship among, what did you call them, marksb?

      Oh yes, “idiots”.

      So, “now” (rather than “later”, you are suggesting, apparently?) a “sloppy” system must be “changed”, a “process” you have indicated to be a “nightmare”?

      Yet, the gummint appears, apparently, to be reluctant to begin …

      Is there a “pattern” here?


    • emptywheel says:

      They’re not intending to fix the removable media problem. They’ve announced 12% of their SIPRNet computers will remain accessible, though there will be some kind of buddy system until they have some kind of tracker on them.

      They apparently need the removable media (they seem to have gotten rid of thumb drives in response to the malware attack, so maybe just CDs) to copy data to transfer to “coalition partners” and to weapons platforms.

  12. Ralph says:

    Just take what you want. Just make sure you do it in the next two … or maybe three … or who knows? years

    Marcy, don’t trouble yourself about their limited time left to act before things are finally sewn up tight. By then numerous countries and groups — some working alone, others collaborating — will have installed so many trojan-horse information-dispersal software robots (and maybe some hardware ones as well) that the existing DOD computers will never be secure again.