|Page 2 of 2 <|
With better sharing of data comes danger
The Defense Department will limit the number of classified systems from which material can be transferred to unclassified systems. It will also require that two people be involved in moving data from classified to unclassified systems.
Such efforts "should have been done long ago before any of this happened," said Steven Aftergood of the Federation of American Scientists. The rush to knock down so-called "stove-piping" without hardening operational security "was asking for trouble," he said.
Rep. Pete Hoekstra (R-Mich.), vice chairman of the House Intelligence Committee, called the Pentagon's new security measures "Cyber 101." He questioned a database design that would allow an intelligence analyst in Baghdad - where Manning was stationed - access to State Department cables.
The military relies on Siprnet, or Secret Internet Protocol Network, to transmit classified operational information securely and outside the commercial Internet.
A former senior intelligence official said that over the past decade access to Siprnet has ballooned to about 500,000 or 600,000 people, including embassy personnel, military officials from other countries, state National Guard officials and Department of Homeland Security personnel. That is partly in response to calls for data-sharing and partly because agencies such as the State Department wanted a way to communicate classified information without going to the expense of setting up their own network, said the former official, requesting anonymity because Siprnet's size and uses are considered a sensitive matter.
He said that the answer to network breaches is not to restrict access but to improve the vetting of personnel by strengthening the clearance process.
"The fact that you've got someone exfiltrating information doesn't mean you've got a technical problem," he said. "You've got a human problem."
After WikiLeaks in 2007 posted a series of leaked military documents about tactics used in the battle of Fallujah in Iraq and alleged human rights violations at Guantanamo Bay prison, an analyst at the Army Counterintelligence Center wrote a classified report concluding that WikiLeaks posed a potential operational and information security threat.
The "possibility that current employees or moles within DoD or elsewhere are providing sensitive or classified information to WikiLeaks cannot be ruled out," the analyst, Michael Horvath, wrote in the February 2008 report. He recommended the military enhance training on proper handling of classified information and on how to detect and report on an insider threat. But according to a military source, no action was taken on his report.
While Aftergood welcomed the Pentagon's newly announced security measures, he said they do not address the problem of overclassification. "A more discriminating approach to classifying information would yield a smaller volume of information requiring protection, making it easier to protect," he said.