Page 2 of 2   <      

With better sharing of data comes danger

Hundreds of thousands of State Department documents leaked Sunday revealed a hidden world of backstage international diplomacy, divulging candid comments from world leaders and detailing occasional U.S. pressure tactics overseas.

The Defense Department will limit the number of classified systems from which material can be transferred to unclassified systems. It will also require that two people be involved in moving data from classified to unclassified systems.

Such efforts "should have been done long ago before any of this happened," said Steven Aftergood of the Federation of American Scientists. The rush to knock down so-called "stove-piping" without hardening operational security "was asking for trouble," he said.

Rep. Pete Hoekstra (R-Mich.), vice chairman of the House Intelligence Committee, called the Pentagon's new security measures "Cyber 101." He questioned a database design that would allow an intelligence analyst in Baghdad - where Manning was stationed - access to State Department cables. "How would this help him do his job in Baghdad?"

The military relies on Siprnet, or Secret Internet Protocol Network, to transmit classified operational information securely and outside the commercial Internet.

A former senior intelligence official said that over the past decade access to Siprnet has ballooned to about 500,000 or 600,000 people, including embassy personnel, military officials from other countries, state National Guard officials and Department of Homeland Security personnel. That is partly in response to calls for data-sharing and partly because agencies such as the State Department wanted a way to communicate classified information without going to the expense of setting up their own network, said the former official, requesting anonymity because Siprnet's size and uses are considered a sensitive matter.

He said that the answer to network breaches is not to restrict access but to improve the vetting of personnel by strengthening the clearance process.

"The fact that you've got someone exfiltrating information doesn't mean you've got a technical problem," he said. "You've got a human problem."

The Pentagon has been on notice for several years that its database security was at risk. After WikiLeaks in 2007 posted a series of leaked military documents about tactics used in the battle of Fallujah in Iraq and alleged human rights violations at Guantanamo Bay prison, an analyst at the Army Counterintelligence Center wrote a classified report concluding that WikiLeaks posed a potential operational and information security threat.

The "possibility that current employees or moles within DoD or elsewhere are providing sensitive or classified information to WikiLeaks cannot be ruled out," the analyst, Michael Horvath, wrote in the February 2008 report. He recommended the military enhance training on proper handling of classified information and on how to detect and report on an insider threat. But according to a military source, no action was taken on his report.

While Aftergood welcomed the Pentagon's newly announced security measures, he said they do not address the problem of overclassification. "A more discriminating approach to classifying information would yield a smaller volume of information requiring protection, making it easier to protect," he said.

Simon Jenkins, a British journalist who writes a column for the Guardian, wrote in a blog Sunday that the recent leaks "have blown a hole" in the framework by which governments guard their secrets. "Words on paper can be made secure, electronic archives not," he said.

In the future, he added, "the only secrets will be spoken ones. Whether that is a good thing should be a topic for public debate."

<       2

© 2010 The Washington Post Company