DOD wounded by lax information security, WikiLeaks
Senior official tells Senate committee that Pentagon's search for speed, agility in regard to sharing documents within the military has backfired
- By Matthew Weigelt
- Mar 11, 2011
A senior Defense Department official has told a Senate committee the department sought speed and agility in its information-sharing systems, and that ended up biting DOD in the case of WikiLeaks.
“We took a risk that by putting the information out there to provide agility and flexibility, so the military forces could reach into any database,” and make it mobile, Tom Ferguson, principle deputy undersecretary for intelligence at DOD, said March 10 during a hearing on how the government shares and protects its information. The Senate Homeland Security and Governmental Affairs Committee held the hearing to look at how the leak has affected sharing of information among agencies.
The military wanted to give military officials easy access to DOD’s Secret Internet Protocol Router Network, a database of classified information. Officers could download the data and move it across different secret domains and between coalition domains, too. The point was to let officials do it quickly, Ferguson said.
Taking that risk failed when Army Pvt. Bradley Manning allegedly stole millions of classified government documents and WikiLeaks released the information, officials said at the hearing.
Report: WikiLeaks source exploited security flaw
Info sharing: Compartmentalization vs. common sense
In 2008, DOD began protecting networks workstations with the Host Based Security System. It provides technical controls over the workstations, and it reports on machine configurations to allow monitoring. For example, HBSS could disable the use of removable media, experts testified. However, not all the systems, particularly the networks on the battlefield, are protected because there is no central, uniform system but rather numerous systems cobbled together, Ferguson said.
“The key is a failure on the part of not monitoring and following security regulations,” Ferguson said.
Senators were concerned that DOD and other agencies may tighten their hold on their own classified documents. But they also talked about the fears of returning to the days of stovepiped cultures when agencies shared no information.
Sen. Joe Lieberman (I-Conn.), the committee's chairman, warned officials about reverting to the time before the terrorist attacks of 2001 when agencies hoarded information, and also said they need to find a way to balance security concerns with the needs of a connected government, particularly in contingency operations.
“The bottom line is we cannot walk away from the progress we have made that has saved lives,” he said.
Terri Takai, CIO and acting assistant secretary for networks and information integration at DOD, said officials still are working to protect data while sharing it. DOD is moving toward a technology that looks for odd and unusual behavior around information networks, similar to credit card companies that watch for strange purchases.
Officials have wrestled with the issue of sharing and protecting data long before the WikiLeaks disclosure, said Corin Stone, intelligence community information sharing executive in the Office of the Director of National Intelligence. They have narrowed issues down to allowing the right people access to the networks, setting up technical protections against removing mass amounts of data, and auditing and monitoring users' activities.
Overall, she said officials must never use lose sight of the cenral point of sharing and protecting sensitive, classified information.
Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.