[Infowarrior] - State Dept: Epic Fail in Infosec
Richard Forno
rforno at infowarrior.org
Thu Dec 30 22:17:03 CST 2010
Finally something useful appears in the MSM about the Wikileaks situation... now if only the Powers That Be will learn from it. -- rick
WikiLeaks cable dump reveals flaws of State Department's information-sharing tool
By Joby Warrick
Washington Post Staff Writer
Thursday, December 30, 2010; 10:42 PM
http://www.washingtonpost.com/wp-dyn/content/article/2010/12/30/AR2010123004962_pf.html
Before the infamous leak, the 250,000 State Department cables acquired by anti-secrecy activists resided in a database so obscure that few diplomats had heard of it.
It had a bureaucratic name, Net-Centric Diplomacy, and served an important mission: the rapid sharing of information that could help uncover threats against the United States. But like many bureaucratic inventions, it expanded beyond what its creators had imagined. It also contained risks that no one foresaw.
Millions of people around the world now know that the State Department's secret cables became the property of WikiLeaks. But only recently have investigators understood the critical role played by Net-Centric Diplomacy, a computer initiative that became the conduit for what was perhaps the biggest heist of sensitive U.S. government documents in modern times.
Partly because of its design but also because of confusion among its users, the database became an inadvertent repository for a vast array of State Department cables, including records of the U.S. government's most sensitive discussions with foreign leaders and diplomats. Unfortunately for the department, the system lacked features to detect the unauthorized downloading by Pentagon employees and others of massive amounts of data, according to State Department officials and information-security experts. The result was a disastrous setback for U.S. diplomatic efforts around the globe.
"This was as bad as it gets," said Patrick F. Kennedy, undersecretary of state for management, referring to the diplomatic fallout. "We had, over the course of many years, built up a huge amount of faith and trust. That's ruptured now, all over the world."
U.S. officials and security analysts describe the leak as a cautionary tale, one that underscores flaws in security for secret government data while also exposing a downside to the U.S. government's enthusiastic embrace of information-sharing in the months after the Sept. 11, 2001, terrorist attacks.
Investigations into the attacks concluded that government agencies had failed to share critical information that could have helped uncover the Sept. 11 plot. Because of that lapse, Congress tasked the Office of the Director of National Intelligence with pressuring key government agencies - including the Pentagon, the Homeland Security Department and the State Department - to find ways to rapidly share information that could be relevant to possible terrorist plots and other threats.
The State Department, with its hundreds of diplomatic posts worldwide, was already making tens of thousands of classified cables available to intelligence and military officials with secret security clearances. But in 2005, the DNI and the Defense Department agreed to pay for a new State Department computer database that could allow the agency's cables to flow more easily to other users throughout the federal government.
"It was consistent with the concept of needing to share information after September 11th," said State Department spokesman P.J. Crowley. "We were asked to do it, and the Pentagon paid for it."
Plagued by user errors
Net-Centric Diplomacy was launched in 2006 and tied into a giant Defense Department system known as the Secret Internet Protocol Router Network, or SIPRnet. Soon, nearly half a million government employees and contractors with security clearances could tap into the diplomatic cables from computer terminals around the globe.
The State Department's new database quickly garnered praise as a model of interagency collaboration. The database was named a finalist for an Excellence in Government award in 2006. The following year, then-Director of National Intelligence John D. Negroponte, whose agency led the push for information-sharing, congratulated State Department officials for making their secret cables "available in a timely, user-friendly way."
"The State Department's commitment shows the way for other agencies," Negroponte wrote in a Jan. 29, 2007, letter to then-Secretary of State Condoleezza Rice.
The flaws did not become apparent until much later. One of the biggest problems: Sensitive cables were often dumped willy-nilly into the database regardless of whether they belonged there, according to two department officials familiar with the internal procedures for data storage.
Thousands of cables and other documents pass through Foggy Bottom daily, and to ensure that they are routed properly, each is assigned a code or codes, similar to a Zip code. One such six-letter code - SIPDIS - flags a computer to route the document to the Net-Centric database, allowing it to be viewed by intelligence officers and military personnel worldwide.
In practice, embassy employees added the code word SIPDIS by rote, often without fully understanding what it meant, said one of the department officials, who spoke on the condition of anonymity because he was not authorized to discuss the subject.
"It wasn't clear what was to be shared or not shared," the official said. "So you end up with a cable in the database that contains embarrassing stuff about [German Prime Minister Angela] Merkel. Is that the kind of stuff that a war fighter really needs to see?"
Limited oversight
A few State Department officials expressed early concerns about unauthorized access to the database, but these worries mostly involved threats to individual privacy, department officials said. In practice, agency officials relied on the end-users of the data - mostly military and intelligence personnel - to guard against abuse.
The department was not equipped to assign individual passwords or perform independent scrutiny over the hundreds of thousands of users authorized by the Pentagon to use the database, said Kennedy, the undersecretary of state.
"It is the responsibility of the receiving agency to ensure that the information is handled, stored and processed in accordance with U.S. government procedures," he said.
To prevent illegal intrusion, the State Department has long maintained safeguards that make it difficult for an individual to download sensitive information onto a portable device such as a flash drive or compact disc. But Kennedy acknowledged that the department had no means of overseeing practices by other agencies using its data.
U.S. investigators suspect that Bradley Manning, an Army private stationed in the Persian Gulf, downloaded the 250,000 State Department cables to compact discs from a computer terminal in Kuwait. He then allegedly provided the files to WikiLeaks, which shared them with newspapers and posted hundreds of them online.
In the wake of the leak, State Department officials cut off outside access to Net-Centric Diplomacy pending a review. Some secret documents are still being made available to other agencies through a different network designed to handle highly classified data, Kennedy said.
Although it is perhaps small comfort, the disclosures could have been worse. In May, the Obama administration's top intelligence officer asked the State Department to expand the amount of material available to other agencies through Net-Centric Diplomacy.
In a letter to Secretary of State Hillary Rodham Clinton, then-Director of National Intelligence Dennis C. Blair urged that the database include not only cables but also e-mails between State Department officials. Such a move would "ensure that critical information will reach the necessary readers across the government," Blair wrote.
Clinton refused.