[Infowarrior] - WH Orders New Computer Security Rules

[Richard Forno]

October 6, 2011
White House Orders New Computer Security Rules

By ERIC SCHMITT

http://www.nytimes.com/2011/10/07/us/politics/white-house-orders-new-computer-security-rules.html

WASHINGTON — The White House plans to issue an executive order on Friday to replace a flawed patchwork of computer security safeguards exposed by the disclosure of hundreds of thousands of classified government documents to WikiLeaks last year.

The order by President Obama culminates a seven-month governmentwide review of policies and procedures involving the handling of classified information, and recommendations on how to reduce the risk of breaches.

The directive enshrines many stopgap fixes that the Pentagon, the State Department and the Central Intelligence Agency made immediately after the initial WikiLeaks disclosures last November. Since then, for instance, the military has disabled 87 percent of its computers to prevent people from downloading classified data onto memory sticks, CDs or DVDs.

The Pentagon has also developed procedures to monitor and detect suspicious behavior on classified computer systems. And the State Department stopped distributing its diplomatic cables over a classified e-mail system used by many in the military, including Pfc. Bradley E. Manning, who is accused of leaking the classified documents to WikiLeaks.

Computer security analysts say these safeguards, as well as others in the executive order aimed at bringing greater consistency and accountability to information sharing and protection policies, are long overdue, and lag behind what is routine in the private sector.

“The real surprise continues to be that relatively elementary procedures should have been in place and were not,” said Ravi Sandhu, executive director of the Institute for Cyber Security at the University of Texas at San Antonio.

In addition to these immediate measures, Mr. Obama’s order creates a task force led by the attorney general and the director of national intelligence to combat leaks from government workers, or what the White House calls an “insider threat.”

The directive also establishes a special government committee that must submit a report to the president within 90 days, and then at least once a year after that, assessing federal successes and failures in protecting classified information on government computer networks.

According to government prosecutors, the three big WikiLeaks document dumps were disguised as a Lady Gaga CD and smuggled out of a military intelligence office in Iraq by Private Manning. Computer security analysts say the case revealed major lapses in securing classified data in war zones.

Now, virtually every Defense Department computer is blocked from downloading classified information onto memory sticks or CDs, except for explicitly authorized “mission essential” exceptions.

The Pentagon has issued a cyber identity credential to anyone using unclassified networks and has started a similar program for personnel using classified networks. These credentials allow supervisors to track what users are working on.

And the military is accelerating the analysis of logs from computers on the classified networks to detect large transfers of data or the use of data that is unrelated to an individual’s job duties.

“It’s an additional tool to provide indicators that flag anomalous behavior, much as credit card companies monitor credit card use and a user’s profile,” said Teri Takai, the Defense Department’s chief information officer.

The WikiLeaks disclosure also revealed disparities in the use of security safeguards by various federal agencies and even within agencies. Under the new order, each federal agency will designate a senior official to oversee procedures for safeguarding classified data that also protect user privacy and civil liberties.

“As technology changes, we hope to be ahead of the curve, seeing where technology is going and being able to respond before it’s necessary,” said Patrick F. Kennedy, the under secretary for management at the State Department.

Despite the changes and continuing review, administration officials say the new policies and procedures are relatively untested.

“I don’t think we’ll ever be able to guarantee this won’t happen again, but this greatly enhances our chances of preventing it or catching it in the process,” said Monte Hawkins, the director for identity management and biometrics policy at the National Security Council.