Former Army Intelligence Analyst: “Army security is like a Band-Aid on a sunken chest wound”

Evan Knappenberger, a member of Iraq Veterans Against the War who served in roughly the same position Bradley Manning did (but several years earlier), was interviewed by his college newspaper about my latest obsession, DOD’s network security. (h/t Asher_Wolf)

What kind of access did you have here and in Iraq?

Army security is like a Band-Aid on a sunken [sic] chest wound. I remember when I was training, before I had my clearance even, they were talking about diplomatic cables. It was a big scandal at Fort Huachuca (Arizona), with all these kids from analyst school. Somebody said (in the cables) Saddam wanted to negotiate and was willing to agree to peace terms before we invaded, and Bush said no. And this wasn’t very widely known. Somehow it came across on a cable at Fort Huachuca, and everybody at the fort knew about it.

It’s interesting the access we had. I did the briefing for a two-star general every morning for a year. So I had secret and top-secret information readily available. The funny thing is, Western’s password system they have here on all these computers is better security than the Army had on their secret computers.

There are 2 million people, many of them not U.S. citizens, with access to SIPRNet (Secret Internet Protocol Router Network, the Department of Defense’s largest network for the exchange of classified information and messages). There are 1,400 government agencies with SIPR websites. It’s not that secret.

[snip]

We basically gave (the Iraqi army) SIPRNet. It’s not official, but if you’ve got a secret Internet computer sitting there with a wire running across from the American side of the base, with no guard, you’re basically giving them access.

Then in every Iraqi division command post, you have a SIPRNet computer, with all the stuff Bradley Manning leaked and massive amounts more.

I could look up FBI files on the SIPRNet. In fact, I was reading Hunter Thompson’s “Hell’s Angels” book, and I was like “this sounds cool,” and I looked up all the Hell’s Angels.

Now, as I said, Knappenberger was in Iraq several years before Manning, before malware was introduced into DOD networks via a thumb drive and before DOD’s limited response to it. So this can’t necessarily be taken as a description of what the network was like when Manning allegedly downloaded three databases onto a Lady Gaga CD, nor as a description of what it is now (though, as Congressional testimony has made clear, DOD isn’t in a big rush to fix its gaping security problems).

But Knappenberger’s account backs up two points I’ve been making: first, the level of security tolerated in DOD is far worse than what you’d find on networks in the States that carry much less sensitive information (he refers to the network at Western Washington University).

Further, one of DOD’s challenges is that we need to share information with our “coalition partners” (in his account, the Iraqi army). No matter how trustworthy they seem, these coalition partners are going to have different motivations than American soldiers (think, for example, how close members of Nuri al-Maliki’s government are to Iran). They may be far more susceptible to approaches from other countries’ intelligence services than your average Army Specialist. And if there are data breaches to a foreign government, we (both citizens and our government) may not be learning about them.

And there’s some indication our network security is weakest precisely at those points where we are sharing data. One of the reasons 12% of SIPRNet computers will remain accessible to removable media, after all, is to facilitate sharing of data with coalition partners. While DOD is finally implementing a buddy system to add a level of security at those sensitive computers, that still leaves them exposed to human sloppiness.
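The post treats “accessible to removable media” as the key exposure, and a commenter below describes the opposite state: a Windows workstation whose USB storage driver is simply absent. For readers who want to see what that control looks like as an auditable setting rather than a policy slogan, here is an added example (mine, not the post’s or DOD’s) that reports whether a Windows host enforces either of the two common removable-storage denials. It assumes that the Group Policy “All Removable Storage classes: Deny all access” is stored as `Deny_All=1` under the `RemovableStorageDevices` policy key and that a `Start` value of 4 on the `USBSTOR` service disables the USB mass-storage driver; both are standard Windows settings, but the function name and the report fields are my own.

```powershell
# Added example, not part of the original post. Reports whether this host
# blocks removable storage and whether any removable volume is attached now.

function Get-RemovableMediaPolicy {
    # Group Policy "All Removable Storage classes: Deny all access" (assumed location)
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    # USB mass-storage driver service; Start=4 means "disabled" (assumed)
    $usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    $denyAll = $null
    if (Test-Path $policyKey) {
        $denyAll = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' `
                    -ErrorAction SilentlyContinue).Deny_All
    }

    $usbstorStart = $null
    if (Test-Path $usbstorKey) {
        $usbstorStart = (Get-ItemProperty -Path $usbstorKey -Name 'Start' `
                         -ErrorAction SilentlyContinue).Start
    }

    # DriveType 2 in Win32_LogicalDisk is "Removable Disk"
    $attached = @(Get-CimInstance -ClassName Win32_LogicalDisk `
                  -Filter 'DriveType=2' -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        DenyAllPolicySet        = ($denyAll -eq 1)
        UsbStorDriverDisabled   = ($usbstorStart -eq 4)
        RemovableMediaBlocked   = ($denyAll -eq 1) -or ($usbstorStart -eq 4)
        RemovableVolumesPresent = $attached
    }
}

# A host that reports RemovableMediaBlocked = False while RemovableVolumesPresent > 0
# is exactly the "buddy system only" case the post describes.
Get-RemovableMediaPolicy | Format-List
```

Run it in an elevated PowerShell session on the host being checked; a fleet-wide version would wrap the same function in `Invoke-Command` against a list of computers and keep the rows where `RemovableMediaBlocked` is false, which is the inventory a security office needs before deciding which machines may stay exposed for coalition data sharing.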

With security like this, the data Manning is alleged to have taken simply can’t be called secret. Limited access, maybe. But it’s not even clear we’re limiting access from the people who most seriously shouldn’t have it.

  1. Xboxershorts says:

    I think the College Newspaper misinterpreted the transcription. I believe the correct phrase is “Like a band-aid on a sucking chest wound”.

      • Xboxershorts says:

        Indeed. And it’s an appropriate analogy…Band-Aid on a sucking chest wound.

        I work for a very large cable ISP and we fire people for playing bootleg media on their company workstations. I personally know 2 people who’ve met this fate. It’s insane that DoD doesn’t or can’t enforce similar policies.

    • irishdave3 says:

      mistaking sucking for sunken is about par for the course…Fort Wah Hooka is located in Arizona, after all…hell, they don’t know what time it is there…”we don’t need no stinkin Daylight Savings Time”.

  2. harpie says:

    sorry to be o/t already, ew, but have you seen this?:

    The bombing continues until Gaddafi goes; David Cameron, Barack Obama and Nicolas Sarkozy; The Telegraph; 15 Apr 2011

    The Libyan leader will make his country a pariah state. To leave him in power would be an unconscionable betrayal. […]

    Also at:

    http://www.nytimes.com/2011/04/15/opinion/15iht-edlibya15.html

    http://www.lefigaro.fr/international/2011/04/14/01003-20110414ARTFIG00772-sarkozy-obama-cameron-kadhafi-doit-partir.php

    and at al-Hayat

  3. jdmckay0 says:

    They may be far more susceptible to approaches from other countries’ intelligence services than your average Army Specialist.

    Not to mention your avg black box DOD contractor, intent upon “growing” their business…

    And if there are data breaches to a foreign government, we (both citizens and our government) may not be learning about them.

    Christ… even when they’re (wiki)leaked, most of our citizens aren’t learning about them.

  4. orionATL says:

    ew-

    repeatedly deleting my logons seems rather childish.

    do i need to take this up with greg levine?

  5. Xboxershorts says:

    Sorta OT also, but…I’m dying to find out if any of the State Dept leaks go back far enough to indict Marc Grossman for any of the Sibel Edmonds allegations.

  6. orionATL says:

    the siprnet security matter explains to me better than anything else why manning is being subjected to markless torture.

    what the dod may want is a guilty plea and no testimony on the sorry security status of their communications system.

    as usual the objective is to keep the public from knowing an embarrassing fact.

  7. Chief says:

    Back to Army security. I did spend 21 years in the U.S. Navy. I have some (limited) understanding of classified info. What I have extreme difficulty understanding is the amount of extremely sensitive data to which an E-3 would have access. E-3 in any branch are not specialists. At best they are “specialists-in-training” and normally they are floor sweepers or carry a rifle.

    And to share this secret, sensitive data with contractors and foreign gov’ts? Stupid in the extreme.

    • irishdave3 says:

      Back in the day, all promotions to Specialist(4) were temporary so the PTB could bust one back to E-3 via Article 15 (non-judicial punishment). Manning was an E-4 but following a “canteen” incident was demoted.

  8. orionATL says:

    well, somebody with access to logon sure does. i cannot stay logged on to this site, and only this site.

    • geraldo says:

      I often have to sign back in again, it’s not a big deal. It’s possible the cookie is being lost or there are some coding issues at the back end regarding session persistence…you aren’t being singled out.

  9. WilliamOckham says:

    Now, as I said, Knappenberger was in Iraq several years before Manning, before malware was introduced into DOD networks via a thumb drive and before DOD’s limited response to it. So this can’t necessarily be taken as a description of what the network was like when Manning allegedly downloaded three databases onto a Lady Gaga CD…

    We can be fairly confident that the state of network security in Iraq had deteriorated even further by the time Manning got there. Here’s why. Anybody who has been involved in network security knows that, without constant work, network security degrades over time. Especially in high-stress environments, the pressure to “get it done” leads people to compromise, circumvent, and cripple the in-place security measures. The only way to combat that natural tendency is through on-going training, communication, audits, and reviews. In short, you have to build a security culture. In an organization like the military, those efforts leave lots of tracks. If that had been done effectively, we would have seen evidence of it in the Manning charging documents. Instead, there is evidence of omission. The stuff they don’t know is pretty horrifying, from a network security point of view.

    • MadDog says:

      And on top of that, add in 6-9 month “tours” where responsibility for stuff, including IT, gets passed from hand to hand.

      Responsibility handovers are never 100% successful even under the best of circumstances for normal organizations, and in the case of military organizations at war, it has to be even worse.

  10. mzchief says:

    It’s been that since the 1970s when young hacker kids would get in and trawl around. I didn’t do it but I heard about others who did and all they had was a Teletype!

  11. lbjdem says:

    I was surprised at the story around Manning’s alleged inappropriate access of classified material. Not that he had access to it, but he allegedly removed it via a CD/DVD burner.

    Someone I know works at a military installation where they perform equipment maintenance. His computer has a special version of Windows that doesn’t have drivers for USB ports – you can plug a thumb drive in but they don’t work. It definitely doesn’t have any removable media drives. There is no way to get secure information off the computer other than taking a photograph of the screen. Likewise, there is no way to load information except through the keyboard.

    When they need to load digital photographs onto a machine, they have to provide the camera to an IT support person who loads them onto a local network from a separate computer after first checking for malicious software.

    These were not ‘new’ security measures put in place in the last X years. It’s been standard procedure since they’ve had computers connected to networks with secure data.

    My question is why computers with access to SIPR are less secure than those that deal with maintenance procedures on equipment.

    • marksb says:

      I’m guessing because of the decentralized responsibilities and gradual rollout of security procedures. The aim is to get the system up and running in the shortest period, and a PC will work just fine, as long as you have the access key (or whatever system they use to secure the link). We know lots of things were hacked/jury-rigged in Iraq and throughout the military over the last ten years; it would follow that a network would as well. Get ‘er done.

    • emptywheel says:

      Right, as I’ve pointed out, DOD recently testified that their SIPRNet security was lower than their unclassified network.

      There seem to be two reasons SIPRNet has lower security: Much of the network was kluged together as they went to war (and over many years). And they need to have removable media available to get data to some coalition partners (as I said here) and some weapons platforms. So while they’re finally trying to fix that security hole (3 years after having bad malware inserted into their networks), they’re going to leave 12% of all SIPRNet computers accessible to removable media.

      • marksb says:

        So while they’re finally trying to fix that security hole (3 years after having bad malware inserted into their networks), they’re going to leave 12% of all SIPRNet computers accessible to removable media.

        I don’t know why. Compared to most weapon systems, this is the (relatively) easy stuff. Contractors are available to custom-make and ship specific secure boxes pretty much overnight. I’m sure Dell has a nice DOD contract. The obvious need is there, and the secure approach is well documented. It takes someone in charge with the ability to audit and write violations that sit in an officer and commander’s record and have the potential to affect advancement. This is a clear lack of leadership, as the technology is off-the-shelf, and the operational standards are in use in thousands of corporate IT systems and networks, many of them global.
        Sheesh.

  12. marksb says:

    It would be interesting to do thorough research on this, but when I was a crypto tech in ’71, the whole system was secured by using crypto gear, run and maintained by a guy with a Top Secret clearance, and a manual on what to do and not to do. That was pretty much it–we were the Trusted Guys. My ship was never audited and I never spoke to anyone ever that was higher than I and was checking security systems. The whole system depended on the assumption that the guy doing the operation and maintenance was doing it “By the book”.

    Almost twenty years later when I was working for the DOD contractor, the security system was basically the same, depending on individuals that had been through specialized schools or trained in the field, all with TS clearances.

    Now I’m sure there’s more overview and audits, more centralized security authority, as well as activity and key word monitoring on the network and servers. But all that I read here and in the bit of press that addresses this subject indicates that it’s still primarily a trusted-guy approach to security.

    That’s fine as far as operating the system, but there must be a tight security auditing system, pretty much in real-time, and reports that activate constant investigations. Otherwise, you *will* suffer breaches, it’s just the way it is, irregardless of clearances.

  13. NorskeFlamethrower says:

    AND THE KILLIN’ GOEZ ON AND ON AND…

    Citizen emptywheel:

    “First, the level of security tolerated in the DOD is far worse than what you’d find on networks in the States that carry much less sensitive information…”

    That is the telling point for us here…the security technology priority of our government is first and foremost to keep the citizenry ignorant. The wars and international security are a horrible diversion from the looting of the vaults in the treasury.

    So now that we all know this, how do we get the military and the oilagopoly to devour itself before it gets all the rest of us…where is our leverage to use against the beast that is dying anyway? It’s clear that if we don’t get the banksters to turn on the oil cowboys, then we’re all in for a trip back to the Dark Ages.

    KEEP THE FAITH AND PASS THE AMMUNITION, NO COMPROMISE WITH FASCISM!

  14. orionATL says:

    geraldo@17

    thank you for that explanation.

    the work of the computer gods, or is it gremlins, is hidden from understanding many of us. :>)

    • geraldo says:

      Another thing to check is make sure you check off “Remember me” when you log in, otherwise you won’t get a cookie. The cookie is only good for 30 days but I’m not convinced it doesn’t get eaten if you log on from a different computer and move the cookie there instead.

  15. bigbrother says:

    SNAFU Homeland is not secure? Financial industry is beyond corrupt? USA infrastructure has decayed. Climate change is increasingly severe. Frank Zappa called it…
    “Some scientists claim that hydrogen, because it is so plentiful, is the basic building block of the universe. I dispute that. I say there is more stupidity than hydrogen, and that is the basic building block of the universe.”
    In spite of all this I recommend happiness while doing the best you can to change what we can.

    • NorskeFlamethrower says:

      Citizen bigbrother:

      ROFLMAO…it’s their stupidity that the fascists are tryin ta keep secret from the world, ain’t that God’s big joke on us.

  16. mzchief says:

    Here’s another one. Remember the live feed of the CNN reporter broadcasting when a US missile took out the hotel in the background (Persian Gulf War)? It was finally confirmed to me that MCI and E-Systems coordinated to have that live test demo seen on CNN so the missile maker’s stock would soar (which it did).

  17. Agent420 says:

    Bradley Manning is a national hero. He is being mistreated by people who believe in imaginary friends that tell them to act like enemies of the people. You myth believers need not worry about going to some imaginary place with fire and brimstone (what the fuck is brimstone?) if they don’t mistreat anyone with less Religulous than they do.

  18. KrisAinCA says:

    I could look up FBI files on the SIPRNet. In fact, I was reading Hunter Thompson’s “Hell’s Angels” book, and I was like “this sounds cool,” and I looked up all the Hell’s Angels.

    It was said early on in the Manning case that over 3,000,000 Federal employees had access to the files that were leaked.

    Some secret.

  19. JohnLopresti says:

    There seems to be discontinuity between the network problems discussed in the post; in contrast to some other efforts of the amoebic Bush administration which was promulgating policies and programs directed toward strengthening secrecy of many sorts. Consider: Jennifer Mayfield was stamping papers Treat As If Classified xxx; the Bush*s administration was shuttering select EPA libraries to prevent public and researcher access; Bushco launched a reclassification initiative, bringing documents that had been published in the public realm back under a classified access only umbrella. Then there were some of JudyJudy Miller*s own apparently revealing allusions to having seen classified materials in her **investigative** reporting exercises; the latter may have become a pathway for JudyJudy to learn some of the material on the defective network discussed, though she is notoriously reluctant to get explicit about reporter shielded sources.

  20. lettherebelight2011 says:

    Kudos to your article indicating how critical security is to the DOD networks . . . and by implication how egregious and harmful Manning’s conduct was. It is one thing for a foreign power to use its government resources to exploit the vulnerabilities in US security, but it is even more depraved when one of its “heroes” makes a conscious decision to abuse the trust that the military and his superiors gave him and to exploit those vulnerabilities. Makes for a pretty compelling case in aggravation, eh?

    • marksb says:

      Actually, if you have been reading, the point is that the DOD secure network and server system is broken, insecure, and wide open to a stupid-level breach.
      Whatever a person feels about Manning’s access and alleged sharing of secure data, it points up the unacceptable level of Stupid by DOD leadership in securing their Top Secret data.
      In my military experience, back when thousands of warheads were pointed at each other and we were constantly prepared for nuclear warfare, this kind of security breach would have had commander’s heads rolling all the way up to the Pentagon. If it happened today at IBM or Visa, the entire IT leadership would be fired and it would be Big News in the Wall Street Journal.
      It’s unacceptable.

      • lettherebelight2011 says:

        “With security like this, the data Manning is alleged to have taken simply can’t be called secret. Limited access, maybe. . . .” Actually, the author is trying to link the lack of DOD security with Manning’s alleged date mining, either as a defense (legal or moral) or as mitigation.

        • earlofhuntingdon says:

          That’s true, except for the short telecoms equipment towers disguised to look like palms. Harvesting their fruit requires different skills altogether.

          Reminds me of the April 1st announcement that the southern Swiss spaghetti trees had produced a bumper crop for the 1957 season. It was only an average crop; as always, it needed to be cut and harvested before the rains came.

          As with dating, inadvertent misspeaking can distort the meaning of gaping wounds in the chest, but only if that’s what the critic wants to do anyway.

        • PJEvans says:

          I’ve seen cell palms. They’re almost convincing. (So are the better cell pines, but I know of one that looks like it’s a dead cell pine.)

          These days date palms get moved out of the orchards and into landscaping, when they get too tall to harvest. They still bloom and get fruit, though. (Don’t know if it’s any good, but it might be worth renting a small crane to find out, if you have access to a date palm.)

        • earlofhuntingdon says:

          I’ve driven the San Diego to Sedona route through Phoenix. I think part of the stretch through Southern California and maybe western Arizona is called “date alley”. Date ice cream’s not bad; I like fresh dates better.

        • marksb says:

          Growing up in SoCal in the 50’s with a mom born in Long Beach in 1922 and raised during the depression on a Fallbrook ranch, going out to the desert (which started just outside of Riverside back then) on Route 66 was always an adventure. Sand storms. Overheated ’55 Ford Country Squire wagon. Stops at weird roadside gas stations for a dime coke (ice cold) and an ice cream sandwich. Oh, and the giant plaster dinosaurs. She knew all the cool places.

          Anyway, out past Palm Springs on the way to Indio stretched acre after acre of date palms, many with little roadside stands. Fresh dates, date products, apple cider in a jug, yum!

          I like computers and my Prius and digital music, but sometimes I miss those simpler times–plaster dinosaurs and fresh dates from the farm.

        • earlofhuntingdon says:

          That sounds like the Old Rte 66, before television Corvettes, before interstates shut off access to towns, villages, produce stands, and roadside rests, complete with dinosaurs. I think the few roadside restaurants that survive still offer adventurous cooking, some of it good, especially if you like it hot and spicy.

          What I was surprised to see in the desert en route to Yuma, Phoenix and Sedona were the cattle factories. In that climate, even with federally subsidized water, I would have thought it would mean selling barbecued beef on the hoof.

        • PJEvans says:

          I was under the impression that 66 went through Barstow and Needles, not Indio and Blythe. I can’t find the route number, though – although it’s interesting that US 99 went from Riverside to Calexico. (That explains some of the stuff I run into at work.)

        • earlofhuntingdon says:

          I was probably using Rte 66 generically, as a symbol for pre-interstate highway travel on routes that went through rather than around cities and towns.

  21. Chief says:

    I am curious about your ref to Art 15 NJP. When I was doing it (1958 – 79) the Commanding Officer (O-5 or above) could reduce any E-6 or below in rank at a Captains Mast (NJP). And beyond that, up until about 1967 an E-7 could also be reduced in rank during their first year as a Chief.

    Are all specialist promotions temporary?

  22. marksb says:

    Giant shed-roofed feed lots, water spray, and the innate ability for cattle to adapt to whatever shitty conditions are thrown at them. Whatever, it’s just about keeping ’em healthy enough to get fat and then off to factory.
    Get along little doggies.

    • earlofhuntingdon says:

      Keeping them in the desert along the interstate would reduce the odds of DFH’s and Greenies picketing and objecting to the lifestyle corporations permit Elsie before turning her into a protein-based delivery system for antibiotics and E. coli.