Small Wars Journal

Digital security problem is bigger than Assange and PFC Manning

Tue, 11/30/2010 - 2:29pm
Prior to September 2001, administrators within the U.S. government had their reasons for stubbornly hoarding their agency's secrets. In the wake of the latest Wikileaks episode involving classified State Department cables, some of those reasons are again apparent. The 9/11 Commission concluded that insufficient cross-agency sharing was partly to blame for the disaster. But we are now reminded that sharing brings its own risks. With a million people thought to have access to U.S. Secret-level correspondence and over 800,000 cleared for Top Secret access, the only surprise is that there are not more leaks. The problem of digital security extends beyond Mr. Assange and PFC Manning. Digital transmissions through the existing internet "cloud" will continue, but will increasingly consist of only the most inconsequential data and reports. The transmission of anything really sensitive will revert (if it hasn't already) to pre-Internet methods -- a hand-delivered document, a telephone call, or a face-to-face conversation in a secure room.

The fact that there have been so few surprises in the latest Wikileaks data dump is the best evidence that State Department cable-drafters, consciously or not, knew that these cables would have a very large audience. And the wider the audience becomes, the greater the incentive to be careful with secrets in the drafting. With so few differences between the content of these cables (admittedly classified no higher than Secret) and the content in the news media, we should conclude that U.S. diplomacy is already remarkably open and transparent.

The Wikileaks scandal reinforces what should be an instinct to be circumspect with anything transmitted in digital form. No doubt a battalion or more of counterintelligence specialists warned Defense Department network administrators about the security risks presented by the post 9/11 data-sharing arrangements. To apparently no avail -- it seemed ridiculously simple for PFC Manning to extract (allegedly) hundreds of thousands of classified files. With the horse out of the barn and galloping into the next county, the Pentagon is only now tightening its computer security procedures. But there are still those million who have Secret access; the new security procedures are not likely to ward off a few trained and determined infiltrators.

The problems with the digital "cloud" do not stop there. In its recently released annual report, the U.S.-China Economic and Security Review Commission described a Chinese "hijacking" of global internet traffic. The report explains what happened better than I could:

For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers. Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet's destinations through servers located in China. This incident affected traffic to and from U.S. government (".gov") and military (".mil") sites, including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others. Certain commercial websites were also affected, such as those for Dell, Yahoo!, Microsoft, and IBM.

Although the Commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data, incidents of this nature could have a number of serious implications. This level of access could enable surveillance of specific users or sites. It could disrupt a data transaction and prevent a user from establishing a connection with a site. It could even allow a diversion of data to somewhere that the user did not intend (for example, to a "spoofed" site). Arbor Networks Chief Security Officer Danny McPherson has explained that the volume of affected data here could have been intended to conceal one targeted attack. Perhaps most disconcertingly, as a result of the diffusion of Internet security certification authorities, control over diverted data could possibly allow a telecommunications firm to compromise the integrity of supposedly secure encrypted sessions.

The designers of the internet built an assumption of trust into its architecture. These early designers did not anticipate what the internet would become. Today, trust is obviously a very poor assumption. How will users who require security and reliability adjust?

We should expect "Balkanization" of digital communications, with those needing high security dropping out of the existing system and setting up their own. The Defense Department's SIPRNet has been an inadequate attempt at this answer, as the Wikileaks affair has revealed. DARPA (ironically the original inventor of the internet) now recommends that the Defense Department establish its own network hardware and software, a system that would emphasize security and would presumably be incompatible with the existing internet.

Users who need high security but who can't afford their own custom network would be wise to revert to the pre-Internet age of the courier, the telephone, and for the most sensitive of thoughts, the face-to-face meeting. This should not be much of an adjustment for those possessing either suspicious minds or experience.

Comments

Brett Patron

Thu, 12/02/2010 - 4:40pm

"The Defense Department's SIPRNet has been an inadequate attempt at this answer, as the Wikileaks affair has revealed."

The only truly "secure" data network has no users.

The Wikileaks affair occurred because an entrusted PERSON acted badly (and, in this case, apparently with malicious intent). The SIPR wasn't hacked. But now, because of bad actors, all manner of overreaction will occur. Any "balkanization" that accrues will be self-inflicted "cyber-fratricide" that attempts to cure the wrong thing.

Brett Patron

Thu, 12/02/2010 - 4:32pm

Secure Cell Phones are neat as long as you have working towers.

A lot of the contingency commo that was supposed to be used to support Hurricane KATRINA relief relied on cell phone infrastructure. That was great except for that whole "no power" thing.

HF ain't outdated. It's just not the "one-size-fits-all" system.

Brian Canny (not verified)

Wed, 12/01/2010 - 5:23am

Why don't we go a step further and scrap all the outdated tactical commo gear we currently use and issue everyone secure iPhones or smart phones. I've got 4 ways of tactically communicating, of which only 1 works consistently.

Not joking, it would be nice to quit trying to re-create a system that already works by using Apple and smart phones versus paying to completely re-work another DOD or government intranet.

SJPONeill

Tue, 11/30/2010 - 7:09pm

Curses!! Drafted a comment just as my net connection dropped off...

While not arguing against the steps in the last paragraph, I think that we need to remember that they only go so far in mitigating the effects of PFC Manning and his ilk...it's quite possible (and we see this through history) that regardless of the physical protection measures in place, people remain the weakest links ("Hey! didn't we used to have one more MiG-25 here?") and that possibly where we have slacked off (one area anyway) is in security training and education, both in how to not inadvertently compromise security and how to recognise potential/possible breaches/breachers...the Assanges of the world would be nothing without the PFC Mannings to feed them...

Also, the balkanisation of information systems that may occur as a kneejerk response to Wikileaks et al only cedes the public information domain to the other guy, in a similar fashion to how kneejerk responses to IEDs cede the physical environment to the other guy...much better in the long term to adapt improvise overcome (cheers, Gunny Highway) and learn to dominate and control the information environment as we do the air, maritime and conventional land environments...