Frontier Justice: Governmental Protections from Criminal, Terrorist, and Wartime Threats
Written By: Kyree N. Clarke, Gary C. Coulter, Leonard P. Gentile III, and Amy L. Wees
University of Maryland University College
Pfc. Bradley Manning was an intelligence analyst for the U.S. Army who was stationed in Baghdad, Iraq. Beginning in November 2009, Manning allegedly began working with Julian Assange, the founder of the whistleblowing site WikiLeaks. By his own admission in online chats, Manning sent WikiLeaks hundreds of thousands of sensitive documents that he was able to access through his job as an intelligence analyst and download onto blank CD-RWs. He exploited the Army’s lax information security to do so. This paper will examine not only Manning, but also the sort of threat he and others may pose to a secure military network. It will examine the type of liabilities that come with protecting classified information and the effect that this sort of cybercrime has on an organization. In addition, the paper will examine how the military has changed in regards to its security posture since Manning. Finally, the paper will discuss the security measures that could be taken by the U.S. Army to prevent a security breach similar to the WikiLeaks incident from ever happening again.
In October 2007 Bradley Manning stood with a group of his fellow Americans at the Military Entrance Processing Station (MEPS) in Oklahoma City, Okla., and took the oath of enlistment (Fishman, 2011; USMEPCOM, 2012). He made a choice in his life at this point, choosing to follow the tenets of the U.S. Armed Forces, specifically the U.S. Army. However, little did he or the world know that at that juncture he had started down the road to becoming one of the largest threats to secure information the U.S. and possibly the world has ever seen.
This paper will examine not only Manning, but also the sort of threat he and others may pose to a secure military network. It will examine the type of liabilities that come with protecting classified information and the effect that this sort of cybercrime has on an organization. Finally, the paper will examine how the military has changed in regards to its security posture since Manning.
An Army of One
Bradley Manning enlisted in the U.S. Army as a private choosing to become an intelligence analyst (Fishman, 2011). This Mission Operations Specialist (MOS) classification is for an all-source intelligence analyst. Their duties include preparing all-source intelligence products to support a combatant commander, assessing the significance and reliability of incoming information, and establishing and maintaining intelligence records. Training for this position includes critical thinking, preparation of intelligence documents, and most importantly using computer systems (U.S. Army, 2012). Manning developed a number of these skills by working as a developer at a photo-hosting (Fishman, 2011).
Upon completion of his training, Manning transitioned to his permanent duty station, Ft. Drum, N.Y. Although it has never been stated in open press what battalion Manning was a part of, it appears that he either worked in the brigade command group, support battalion, or as part of the infantry battalion. In chat logs between Manning and Adrian Lamo, the former hacker who eventually turned Manning in, Manning discussed being ordered to provide intelligence to another soldier so that they could detain additional individuals while in Iraq (Poulsen & Zetter, 2010). This implies that Manning was working with infantry soldiers.
Due to the nature of intelligence and the broad mission that Manning had to support in Iraq, he had access to a wide variety of information. Manning’s position as a 35F gave him access to not only the Army’s intelligence, but also the entirety of the intelligence communities. This information was not just at the Secret level, which is information that would cause “grave damage to national security if it were publically available.” The information he had available was to the Top Secret level, meaning that it would cause “exceptionally grave damage to national security if made publicly available” (Office of The President of the United States, 2009).
It also seems that Manning was not particularly busy in Iraq. He indicated that individuals in his unit spent a lot of time watching movies and listening to music during work hours. In chats with Lamo, Manning stated that he was burning his unauthorized CD-RWs while others were burning their own CDs of movies and music videos or they were cultivating connections with federal level agencies (Poulsen & Zetter, 2010).
In addition to these factors, it seems that there was a lack of information security for Manning’s unit. Manning mentions this situation in the same chat logs with Lamo describing the system as having weak logins, servers, physical security, counter intelligence, and having inattentive signal analysis. Manning went on to state that security should have been better (Poulsen & Zetter, 2010).
This access to information, free time, and lack of security provided Manning the opportunity to illicitly use skills he possessed before joining the Army. Manning knew that due to the limited nature of access to the unclassified Internet (NIPR) that it would be more closely monitored then either the secured Internet (SIPR) or the Joint Worldwide Intelligence Communication System (JWICS), the two systems where classified data was stored. He realized that he could not openly upload massive amounts of data without being noticed. As such, Manning utilized a secure site to transfer encrypted data slowly through the monitored system (Poulsen & Zetter, 2010).
Threats to Military Cyber
The idea of having a classified network is that it will always be secure and information shared within that network would only be accessed by those who are intended to see, use, or benefit from having access to it. With the intelligence agency having access and having to store almost all of military secrets, it is good practice “to focus on hiring the right people not just in terms of requisite skills, but also in terms of character and values” (Himma, 2006). The Army, being one of the most sought out branches of the military, faces cyber threats that do not compare to those faced by other organizations. With the amount of intelligence being shared, it was only a matter of time before military networks would be an instant target for hactivists.
One of the biggest pressures to classified networks is insider threats; however, misclassification of information, and lack of server monitoring could pose just as much of a risk. Whether using SIPR or NIPR networks, which Manning demonstrated, e-mails are sent all day long with some level of classified information. It is not uncommon to inadvertently forward this information to someone who should not have access, and in turn, leak valuable information or be a victim while someone else leaks the information.
Misclassification of information is another big threat when it comes to military cyber. One of the defenses for the Manning case is that he had access to information that was misclassified in the first place, which poses the argument that some of the documentation that was shared with WikiLeaks should not be have been classified as Top Secret. Regardless of the information being misclassified or not, trust was still broken when the documents and video was presented to an outside source. The amount of information that is held within a government agency should be carefully classified and dispersed.
If a system crashes, the backup should be readily accessible, yet it should also be well protected. It is counterproductive to have servers anyone can get to and that could easily be attacked by hackers within or outside an agency as it is not wise to hold all Top Secret information in one place. The most detrimental harm to military cyber comes from insider threats. With the amount of employees and allies involved in an agency as civilians or even military, it becomes difficult to build a relationship with each individually. Having a negative experience at work does not help a situation, for it only increases the chance that an employee will use their inside knowledge to damage its employer. For example, Manning was dealing with coming into his own sexuality, so when he was getting demoted for what he thought was a personal issue that just caused more confusion and fury towards the Army. Per his conversations with Lamo, he felt everyone was turning their backs on him and he no longer had anyone to trust. Although he thought he found an ally with Lamo to confide in, his apprehensiveness and negative feelings toward the government were already ingrained.
More often than not, we gain trust in individuals that seem to have our best interest at hand, but are just forming a relationship to get closer to insider information that should not be shared. These allies come in government and military buildings as visitors and sit in meetings with high officials. They are considered one of our own, and involved with classified information that can later be used against us. Taking time to form intimate relationships with each employee will help to foster a positive rapport as well as decrease any chance of destructive behavior that could possibly cause harm to the agency. “To mitigate Intellectual Property theft, companies can increase security awareness among their employees. They should also compartmentalize employee access to information, restricting knowledge to a need-to-know basis” (Himma, 2006).
With the many threats that come along with any government agency, mainly military, there is an equal amount of rules, regulations, and policies in place to help avoid cyber crimes. Probably one of the most overlooked would be awareness training. Aside from being knowledgeable and being overloaded with all the on boarding rules and regulations, it is very important to have continuous learning with regards to security and how it plays a part in each department.
An effective information technology policy should be customized to address all current and future employees in an organization as well as leave room for employees to attend additional training as needed according to their specific jobs. The company should offer mandatory yearly training and employees must certify that they have reviewed and understand the materials. Basic rules must be followed as far as leaving their workstations unlocked, not sharing passwords, or walking around without identification. Keeping documents secure and reprimanding individuals who violate any of these rules is also in the agency’s best interest, so that the employees understand how important it is to follow these best practices. If they constantly violate the rules, and never get in trouble for it, chances are the unwarranted behavior will continue. Holding individuals accountable for their actions is a sure way to deter fascinated hackers from future attacks on the agency.
Carefully evaluating a person’s history and background information should allow for a better judgment of character and may eliminate some of the extensive training of policies and regulations once brought onboard. Allowing employees to only have access to what they need to have access to is another way to counter some of the possible wrong doings of insiders. When too much access is given to certain individuals, they feel it is their right to expose weaknesses presented before them.
Liabilities of Protecting Classified Information
Unlike the private sector, military units do not have to worry about protecting credit card numbers or information of customers. The biggest concern of military leaders when it comes to cyber security is loss of classified information. With such a large amount of information to protect and so many people with access to that information, there are many liabilities, the most dangerous of which is the insider charged with protecting that information. Military units such as Manning’s operate out of large data centers in remote locations. Deployed locations have a high turnover which often results in a false sense of security and slack security practices by Information Technology (IT) personnel. As Manning reports of the video he recovered from a classified network in his chats with Lamo “At first glance it was just a bunch of guys getting shot up by a helicopter. No big deal … about two dozen more where that came from, right? But something struck me as odd with the van thing, and also the fact it was being stored in a JAG officer’s directory. So I looked into it (Poulson & Zetter, 2010).” He also describes rummaging through classified information out of boredom and curiosity; “If you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do (Poulson & Zetter, 2010)?” he asked.
Manning may have had the security clearance to be on the network but his account privileges should not have allowed him to view files in a JAG directory. Other videos and documents he found by searching intelligence Web sites which are also controlled on a username and password basis. All IT personnel in the Department of Defense (DOD) must hold a COMPTIA Security Plus certification in accordance with DOD directive 8570 (US Army Signal Center, 2012). The most basic of security principles covered under this certification is the principle of least privilege. Least privilege ensures that users are only given the privileges they need to perform the responsibilities of their jobs (Saltzer & Schroeder, 1975). By not using least privilege and allowing users to access information that they do not need, organizations run the risk of suffering the negative impacts of data breaches (Bishop, 2003).
Users can also be irresponsible by posting unencrypted information or in the case of the JAG, not properly protecting their public file folders on shared partitions. Military personnel receive annual information assurance and information protection training via online computer based training (CBT). In 2008, a study conducted by the U.S. Navy found that annual learning requirements were not being met by CBT as courses were not often tailored to the job and sailors often had trouble learning in an “electronic environment (Navy Inspector General, 2009).” Despite negative reports regarding the effectiveness of CBT, the military continues to conduct 100 percent of information assurance and information protection training in this manner.
Cyber Crime Reporting, Prosecution and Prevention
The Department of the Army’s Information Security Program details what should be done when classified material is leaked or not under proper control. The immediate priority is to report the incident, regain control of the information and conduct an investigation to determine the details of the event, the classification and contents of the information, and any witnesses involved. The most important question to answer during the loss or compromise of classified information is “whether any compromise did occur and what, if any, potential damage to nationalsecurity has occurred (Department of the Army, 2000).”
Incident reporting and thorough investigations are critical to ensuring those who leak classified information are caught and prosecuted. However, it can be very difficult to determine who leaked the information and successfully prosecute the perpetrator, particularly in an electronic environment where it is easy to share information (The Heritage Foundation, 2005). In addition, there is no one statute that provides criminal penalties for the unauthorized disclosure of classified information regardless of the type of information or the recipient involved. This means that the Justice Department must rely on a number of different laws to prosecute those who commit data breaches. As a result, there has only been one prosecution for non-espionage disclosure of classified information in the last half century. If the past is any indication, Manning, who is currently charged with violating two articles of the United States Code of Military Justice, may not be prosecuted on all charges (Miklaszewski & Kube, 2011).
What Could Have Been Done to Prevent the Leak?
There are a number of things that the U.S. Army could have done to prevent Manning from leaking the documents to Assange. In Manning’s online chat with former hacker Adrian Lamo, Manning said that he was able to steal the sensitive documents that he leaked by erasing a music CD and writing the files to the disc (Hansen, 2011). Although allowing intelligence analysts to use storage media such as CD-RWs poses serious risks to the security of the sensitive documents on SIPR and other computer networks, this practice was not banned because using a disc or a thumb drive is the easiest way to transfer files between computers in environments where classified machines are generally not connected to one another for security reasons (Aamoth, 2010). Despite the convenience of being able to transfer files from one machine to another using CD-RWs or thumb drives, the military may have been able to prevent Manning from leaking the documents by banning personnel from downloading sensitive files to such forms of storage media. Indeed, the Army had a ban in place on the use of rewritable storage media until February 2010, when it was lifted (Aamoth, 2010). Manning began downloading the documents that he would eventually leak shortly after that (Aamoth, 2010). In the aftermath of the WikiLeaks incident, the U.S. Air Force has adopted a ban on the use of removable media on systems, servers, and stand-alone machines connected to SIPR (Aamoth, 2010).
The Army may have also been able to prevent Manning from leaking the documents to Assange by more closely monitoring his activities. Manning was a junior intelligence analyst who hacked access to hundreds of thousands of sensitive documents. His rank at the time of the leak was specialist, though he was demoted to private first class after striking a female soldier (Nakashima, 2010). The ranks of specialist and private first class are two of the lowest ranks in the U.S. Army, yet people of these ranks were allowed to access sensitive files and download them to CDs, apparently without much supervision. Manning may have been prevented from leaking the files to Assange if someone of a higher rank had been watching him.
One way in which Manning’s activities could have been monitored is by implementing a system that documents the actions specific users take with certain files. Such a system would note which files an intelligence analyst had been accessing and whether or not the analyst had transferred those files to some form of removable media. This would allow higher-ranking personnel to identify when intelligence analysts are accessing files that they do not need or when they are accessing an unusually large number of files. It would also help higher-ranking personnel to determine if files were being downloaded when they should not have been.
If Manning had been monitored after he was demoted, it is possible that this whole situation could have been avoided. It was apparent that his behavior was erratic and should have been flagged. Kabay and Robertson (2009) noted that managers who identify early signs of trouble in an employee may be able to prevent more serious problems later.
An analysis of the WikiLeaks incident also indicates that a lack of security awareness was a factor that may have contributed to Manning’s ability to leak the documents. Manning noted that the room he worked in was so small that people could hardly move without bumping into one another (Fishman, 2011). Yet somehow in this tiny room, Manning was able to download hundreds of thousands of documents onto CD-RWs without anyone noticing. In addition, it seems as if Manning was downloading documents that did not have anything to do with his job as an intelligence analyst stationed in Iraq. Among the documents that he downloaded and sent to Assange was a classified cable from the U.S. Embassy in Reykavik, Iceland (Hansen, 2011). Surely if Manning’s fellow analysts had noticed that he was viewing and downloading documents that had nothing to do with his job, they might have been able to prevent the leak of the documents to WikiLeaks by reporting Manning’s actions to their superior officers.
As a result, a security awareness program may have been able to prevent Manning from leaking the documents to WikiLeaks. Such a program could have taught intelligence analysts or anyone dealing with sensitive documents to be on the lookout for suspicious behavior, such as people downloading documents that are not related to their jobs, as well as people downloading an unusually large numbers of files.
As important as a security awareness program is, such a program would likely be a failure unless soldiers agreed to take the necessary steps to protect sensitive information. The environment that Manning and his fellow intelligence analysts were working in likely made that difficult. Intelligence analysts stationed in Iraq were working 14 hours per day and had little time off for recreation, and as a result had stopped caring about information security (Hansen, 2011). Perhaps if the Army was able to recruit more intelligence analysts, its existing analysts would not get so burned out in their jobs and would thus be more inclined to care about information security.
Physical security also seems to have been an issue in the WikiLeaks case. For instance, the physical security of the room that housed servers that stored the confidential information Manning leaked was lax (Hansen, 2011). There was a five-digit cipher lock on the door to this room, though Manning said that this security measure could be bypassed by simply knocking on the door (Hansen, 2011). Perhaps if the Army had a policy in place that prohibited such behavior, the leak could have been prevented. In addition, the Army should require anyone who enters a room containing computers that store sensitive information to provide identification that displays their job code and proves that they have a reason to be there. Soldiers should also sign a log with the time they visited so that their visits are matched with any activity that may have happened on the servers.
Finally, the Army may have been able to prevent the leak by acting on the warning signs that Manning himself exhibited. For instance, Manning was referred to a psychologist several months before he was arrested because of concerns about his mental health (Fantz, 2011). After evaluating Manning, the psychologist determined that he posed a danger to himself and others (Fantz, 2011). The psychologist later said that he did not remember why he did not check a box on a form that would have revoked Manning’s security clearance (Fantz, 2011). Manning’s security clearance would have been revoked had the psychologist recommended it (Fantz, 2011). If Manning’s security clearance had been revoked after all the troubling signs that he displayed, he may have been prevented from leaking the documents to Assange.
Aamoth, D. (2010, Dec. 10). Military outlaws blank CDs and thumb drives to prevent leaks. Time Techland. Retrieved from http://techland.time.com
All-Source Intelligence. (n.d.). In About.com US Military. Retrieved from http://usmilitary.about.com/cs/generalinfo/g/alsoin.htm
Fantz, A. (2011, Dec. 8). Defense: Military failed to heed warnings Manning was unstable. CNN. Retrieved from http://www.cnn.com/
Fishman, S. (2011, Jul 3). Bradley Manning’s Army of One. New York Magazine. Retrieved from http://nymag.com/news/features/bradley-manning-2011-7/
Hansen, E. (2011, July 13). Manning-Lamo chat logs revealed. Wired.com. Retrieved from http://www.wired.com/
Kabay, M.E., & Robertson, B. (2009). Employment practices and policies. In Bosworth, et al (Eds.), Computer security handbook. New York, NY: John Wiley & Sons, Inc.
Nakashima, E. (2010, June 10). Despondent words from an alleged hacker. Washington Post. Retrieved from http://www.washingtonpost.com/
Office of The President of the United States. (2009, Dec 29). Executive Order 13526- Classified National Security Information. Washington, DC. Retrieved from http://www.whitehouse.gov/the-press-office/executive-order-classified-national-security-information
Poulsen, K. & Zetter, K. (2010, Jun 10). “I Can’t Believe What I’m Confessing to You”: The Wikileaks Chats. Wired. Retrieved from http://www.wired.com/threatlevel/2010/06/wikileaks-chat/
United States Army. (2012). Intelligence Analyst (35F). Washington, DC. Retrieved from http://www.goarmy.com/careers-and-jobs/browse-career-and-job-categories/intelligence-and-combat-support/intelligence-analyst.html
US Army Signal Center. (2012). Security Plus Course. Retrieved from Information Assurance Training Center: https://ia.signal.army.mil/FtDetrick/sec_plus.asp
USMEPCOM: United States Military Entrance Processing Command. (2012). Oklahoma City MEPS. Retrieved from http://www.mepcom.army.mil/meps/oklahomacity/index.html