Nothing to report on the zero based defense intelligence review or the Afghan Strategy review, but as indicated last month I have just finished reading President Bush’s book DECISION POINTS, which ironically I enjoyed while being disappointed. In a sound bite, I found this presidential memoir insightful [about the Bush view of events] but not very revealing about his motivations. The 43rd President tells us much about "what" and "how" he made decisions, but little about why he made the decisions he made beyond a drumbeat that it was "the right thing to do.” Making me ask as I read "so how did you know what was the right thing to do?" such as lowering taxes while embarking on a Global War on Terrorism; accepting the intelligence on Saddam’s weapons of mass destruction (WMD); or not questioning the clarity of the National Intelligence Estimate on Iran’s nuclear weapons program?
While DECISION POINTS quickly achieved and has maintained its status as the bestselling book in America, the national security media and blogosphere has been consumed by the of hundreds of thousands of classified diplomatic cables released by WikiLeaks. Unlike the earlier WikiLeak releases dealing with the wars in Iraq and Afghanistan that mostly got the attention of government damage assessors and security officers, this latest tranche has gotten the chattering class hyperventilating about the revelations of candid remarks by foreign leaders to US diplomats. Apparently it takes embarrassing US Ambassadors and the Secretary of State to do what the compromise of Iraqi and Afghani friendlies supporting US military operations did not do: cause widespread understanding of the damage done by the misdirected treachery of Private Bradley Manning in down loading and releasing gigabytes of classified material illegally to WikiLeaks.
I tend to agree with Defense Secretary Gates’ assessment though that on balance the immediate damage done by the classified information WikiLeaks has disclosed, despite its volume, is moderate and fleeting. Is anyone really surprised to learn that moderate Sunni Arab state leaders want the US to move forcefully against Shiite Iran’s nuclear program? That the Kharzi government is rife with corruption? Or Pakistani officials are hedging their bets when it comes to supporting US policy aimed at Al Qaeda? No the real damage is the loss of trust that will make foreign sources reluctant to share candid observations and views with American interlocutors and how such information is reported and retained. The strategic danger WikiLeaks presents is the future data of national security import that sources will not provide to us as well the inability of policy and intelligence analysts across the government to be able to access what information is available so they can provide as complete advice as possible to decision makers. Director of National Intelligence (DNI) James Clapper’s observation that the WikiLeaks releases will have a "chilling effect" on information-sharing I believe is indisputable.
While there is some rational to support them, the excited assertions by both government and media pundits that the WikiLeaks disclosures are the result of an overdone post 9/11 enterprise-based information sharing environment are misguided. Certainly the Secret Internet Protocol Router Network (SIPRNET), which predates 9/11, and information centers such as NCTC (National Counter Terrorism Center) and military JIOCs (Joint Intelligence Operations Centers) that consolidate, fuse and correlate all source data enabled Private Manning’s access, but neither SIPRNET nor the need to share intelligence caused or created the breach. Manning’s sordid life story and need for 15 minutes of fame did that!
The State Department disconnecting from SIPRNET is as predictable as it is ineffective ---- does the WikiLeaks compromise mean diplomats don’t need to know what the military is doing in Afghanistan. Does asserting stronger adherence to “need to know” make the assumption that those holding classified data actually can determine who needs to know it? This is not risk avoidance, but a reflexive return (hmm when did we leave?) to risk avoidance and security based on compliance. Condoning nothing Manning did, it is however fair to point out, that he was aided and abetted by both poor Counter Intelligence (CI) and Operational Security (OPSEC) procedures so there is work to be done here.
Leaving aside all of the information that should have been turned up in his background check for a Secret Clearance and should have flagged Manning as a potential security risk, his immediate chain of command failed to connect his expressed disillusionment with the Army and his recent reduction in rank as a reason to more carefully monitor if not restrict his access to classified material. The companion question to why a junior ranking enlisted person in Iraq should have such broad access to classified information is why are there hundreds of thousands of classified reports being generated and retained that require Secret level security protection? Given that broad access on a global scale to lots of classified information is the driving need for why DoD developed and deployed SIPRNET, it follows then that there should be basic identity management, network monitoring, and auditing capabilities in use that will alert when someone is accessing information not germane to their mission profile and/or downloading significant amount of material. Let’s not even dwell on the obvious poor practice of allowing thumb drives and DVDs to be loaded on to classified terminals without some kind of two person authorization. Netting this out, what we have is a military E-3 downloading gigabytes of classified information that the Government didn’t know had been compromised until WikiLeaks said “look what we have”!
All this tells me that DoD and the IC, despite existing mature software technology, do not have the means or processes in place to defend their information ----- which is increasingly described as a weapon or a strategic advantage. Accepting that CI cannot find all of the Mannings, Montes, Aimes, Peneltons, Pollards, Whitworths, Walkers, etc that the clearance process misses, the IC needs to start immediately using commercially available products (many of which are already owned!) for identity management, content management, digital rights management, network monitoring, and auditing. Then there is the accepted threat that foreign adversaries are actively trying to penetrate classified networks and data stores to exploit, alter, or deny access to US classified information that makes data defense even more imperative.
However, as powerful as software is for defending data, it will be no more effective than an unmonitored alarmed fence if there is not someone to see the warning light alert or a reaction force available to close the breach. Said differently, WikiLeads should teach us that you can’t defend data with a “deploy software and forget strategy” any more than you can fight fires by just investing in fire trucks!
That’s what I think; what do you think?