The Pentagon has launched a "very robust investigation" into the source of the leak of more than 90,000 classified documents on the war in Afghanistan, Geoff Morrell told CBS' The Early Show Tuesday, but what few are discussing is how the source got away with it.
We can pretty much figure that the leak happened via military networks (it would be a long shot that 90,000 documents were hand delivered as hard copies, though even then the source would have had to access them from classified computer applications). But beyond that, questions remain: Did the source download the documents to an attached storage device and then send them via a personal email, or was he more bold still -- sending them directly from a federal account? In either case, why on earth were security controls not in place to prevent the download and/or transfer of classified documents? Furthermore, did the source actually need access to 90,000 documents, or was this an (epic) failure to implement access controls?
And perhaps most significant: Shouldn't the Pentagon be able to identify the source of the leaks by checking the network logs to see who accessed the documents? Maybe that's exactly what's involved with the "very robust investigation" that Morrell mentioned, though one would think -- if it were an option -- it could have been done already.
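The two questions the article raises, whether access logs can point at the account that pulled the documents and whether anyone needed access to that many of them, are the kind of check a defender can script. The following is an added example, not code from the article or from any DoD system: it parses constructed document-access log lines (the log format, user names, document ids and compartment names are all assumptions made up for illustration), flags a user-day whose distinct-document count is far above everyone else's, and separately flags reads of documents outside the compartments a user is cleared for.

```python
"""Flag bulk document access and need-to-know violations in an access log.

Added example (not from the article). The log format, user names, document
ids, compartment names and role table below are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one read event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) doc=(?P<doc>\S+) "
    r"compartment=(?P<comp>\S+) action=(?P<action>\S+)$"
)


def _ts(base: datetime, seconds: int) -> str:
    return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample: three analysts with ordinary daily volume, and one account
# pulling 1,500 documents overnight plus 40 from a compartment it is not cleared for.
BASE = datetime(2010, 5, 2, 8, 0, 0)
SAMPLE_LOG = []
for u in (1, 2, 3):
    for i in range(12):
        SAMPLE_LOG.append(f"{_ts(BASE, i * 600)} user=analyst{u} doc=AFG-{u}-{i:03d} "
                          "compartment=SIGACT action=read")
for i in range(1500):
    SAMPLE_LOG.append(f"{_ts(BASE - timedelta(hours=6), i)} user=spec7 doc=AFG-7-{i:05d} "
                      "compartment=SIGACT action=read")
for i in range(40):
    SAMPLE_LOG.append(f"{_ts(BASE - timedelta(hours=5), i)} user=spec7 doc=CABLE-{i:04d} "
                      "compartment=DIPLOMATIC action=read")

# Constructed role table: which compartments each account has a need-to-know for.
NEED_TO_KNOW = {
    "analyst1": {"SIGACT"},
    "analyst2": {"SIGACT"},
    "analyst3": {"SIGACT"},
    "spec7": {"SIGACT"},
}


def parse_line(line: str):
    """Return the event fields as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def distinct_docs_per_user_day(events):
    """Map (user, YYYY-MM-DD) -> number of distinct documents read that day."""
    per = defaultdict(set)
    for e in events:
        per[(e["user"], e["ts"][:10])].add(e["doc"])
    return {key: len(docs) for key, docs in per.items()}


def find_bulk_access(events, floor: int = 100, ratio: float = 10.0):
    """Return (user, day, count) for user-days whose distinct-document count is
    at least `floor` and more than `ratio` times the median of other users' days.
    The floor stops a quiet environment from flagging a user who read 5 docs
    when everyone else read none."""
    counts = distinct_docs_per_user_day(events)
    hits = []
    for (user, day), n in counts.items():
        others = [c for (u, _), c in counts.items() if u != user]
        baseline = statistics.median(others) if others else 0
        if n >= floor and n > ratio * baseline:
            hits.append((user, day, n))
    return sorted(hits)


def find_need_to_know_violations(events, allowed):
    """Map user -> sorted list of documents read outside the user's compartments."""
    hits = defaultdict(set)
    for e in events:
        if e["comp"] not in allowed.get(e["user"], set()):
            hits[e["user"]].add(e["doc"])
    return {user: sorted(docs) for user, docs in hits.items()}


def analyze(lines, allowed):
    """Run both checks over raw log lines, silently skipping unparseable ones."""
    events = [e for e in map(parse_line, lines) if e]
    return {
        "bulk": find_bulk_access(events),
        "need_to_know": find_need_to_know_violations(events, allowed),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, NEED_TO_KNOW)
    for user, day, n in report["bulk"]:
        print(f"bulk access: {user} read {n} distinct documents on {day}")
    for user, docs in report["need_to_know"].items():
        print(f"need-to-know violation: {user} read {len(docs)} documents outside cleared compartments")
```

The two checks answer different questions. The bulk-access check only works if per-document reads are logged at all and the logs are retained, which is exactly the "weak logging" the article quotes; the need-to-know check only works if a role table exists to compare against, which is the access-control failure the article asks about. A real deployment would run per day over the log pipeline and tune `floor` and `ratio` against the organisation's actual baseline rather than the constructed one here.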
Marc Ambinder, the politics editor at The Atlantic, Nextgov.com's sister publication, wrote in June that Army Specialist Bradley Manning had been outed by an informant as the source behind Wikileaks' best scoops, including its "Collateral Murder" video that shows a killing of journalists by U.S. soldiers. Manning supposedly bragged to the informant, a reformed hacker, that "weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis" created a perfect storm for him to exfiltrate "possibly the largest data spillage in American history."
Apparently, that perfect storm rages on.
COMMENTS
"... Furthermore, did the source actually need access to 90,000 documents or was this an (epic) failure to implement access controls?"
These questions are why IT budgets are bloated while frontline product development and research projects run at a snail's pace. At some point you have to hold people culpable and somewhat assume a 'digital trust' just as you do when you allow someone to physically read trusted information.
I'd be willing to bet he utilized resources that were set up to bypass the extreme IT/IA bullcrap to get the job done. What's crap is the IT nerds are going to be able to hamper DoD productivity once again because someone (in a very limited case) ran afoul deliberately and with criminal intent. The focus should be on the criminal aspect and human/social engineering risks, not the "How can we mitigate this risk in the future via IT and digital systems?", because quite frankly the hoops to jump are too cumbersome as it is for class and unclass systems alike, at the sacrifice of operational capability (no, I don't mean the desk jockeys CONUS).
FED SWGUY 07/27/10 12:06 pm ET