Security system failures enabled Defense Dept. breach
Failures in the security system set up to protect the U.S. Department of Defense's central database of classified and secret information enabled the alleged leaking to WikiLeaks of classified information by Army Pvt. Bradley Manning, witnesses said during a U.S. Senate Committee on Homeland Security and Governmental Affairs hearing Thursday.
As a result of the alleged breach "hundreds of thousands of classifies DOD [Department of Defense] reports and State Department cables" were leaked to WikiLeaks, as Committee Chairman Joseph Lieberman, I-Conn., noted in his opening remarks.
The military alleges that Manning downloaded the files to a CD from the Department of Defense's classified SIPRNet network.
SIPRNet is a central database that "maintains Department of Defense classified, secret level information," which includes everything from operations data to personnel files, said witness Thomas Ferguson, principal deputy under secretary for intelligence for the Department of Defense.
Sen. Scott Brown, R-Mass., asked how Manning allegedly had access to classified documents that were unrelated to his work.
"[Manning] was able to obtain classified information that was not password protected," Ferguson said, noting that some, but not all, of the information on SIPRNet is password protected.
Brown and Ranking Member Susan Collins, R-Maine., questioned how an army private was able to access the information in the first place, let alone download copies undetected.
"The rank of Pvt. Manning is not so much the issue," Ferguson said. He explained that in monitoring these internal information sharing systems, the concentration is on the "outside" threat of intrusion, not an "inside threat."
The only explanation for how the security was breached is that the security itself was faulty, witnesses agreed.
Lieberman and Collins expressed concern that the breach will cause agencies to revert back to the era of "information hoarding." Witnesses tried to calm that fear by explaining that there is no need to halt interagency information sharing, but that agencies need to use different avenues and establish specific personnel access.
One access control solution that the Defense Department has started implementing is "a Public Key Infrastructure (PKI)-based identity credential on a hardened smart card," according to the joint written testimony of Teresa Takai, chef information officer and acting assistant secretary for networks and information integration at Defense, and Ferguson. The use of these cards "will both deter bad behavior and require absolute identification of who is accessing data and managing that access," the testimony said.
Other solutions discussed include better monitoring of personnel behavior to identify possible inside threats, automated computer tools that detect anomalies within the classified network and security policies that will prohibit downloading classified information to removable media, such as CDs and thumb drives.
Punishment for those who release or publish classified documents was not mentioned during the hearing. There was also no discussion of possible changes to laws such as the Espionage Act.
Other witnesses for the hearing included: the Hon. Patrick Kennedy, under secretary for management at the State department; Corin Stone, intelligence community information sharing executive with the Office of the Director of National Intelligence; and Kshemendra Paul, program manager for information sharing environment at the Office of the Director of National Intelligence.