Monday, December 06, 2010

Wikileaks: Lessons Learned

I've spent the past couple days in our nation's capital, and it seems that everywhere I go, someone wants to know what I think of the Wikileaks scandal. I'll tell you at the end of this article. First, I want to talk about what we should LEARN from Wikileaks. When I worked more actively in Critical Infrastructure Protection, there was a saying I heard from time to time that the problem with most Crisis Events is that we don't learn from them. To rectify this failure to learn, the Department of Homeland Security even created the "Lessons Learned Information Sharing" site. Perhaps my exposure to DHS as a then-member of the Energy Sector has taught me to look for Lessons Learned as the silver lining to every dark cloud.

So what is the major Lesson Learned in the Wikileaks situation?

It has to do with information classification, access control, and monitoring. We'll go over those lessons learned, but first, here's a bit of background on what happened.


In the case of PFC Bradley Manning, here was a young man with a very important job. As an Intelligence Analyst, it was important that Manning have access to everything he needed to do his job. In the post-9/11 Kumbaya world of Information Sharing, that pretty much gives counter-terrorism warriors carte blanche. The information access level for people like this may be "If he needs it, give it to him, if you don't, the next 9/11 will be on your head!"

Like Katharine Gun, the UK's GCHQ intel analyst who decided to leak information about wiretaps among the UN prior to the Iraq invasion, Manning was an analyst who did not understand the chain of command. In Gun's situation, she became aware of cables which implicated the United States in the tapping of communications of United Nations personnel prior to the Iraq invasion. Gun determined that it would be a noble and responsible thing to ignore all of her oaths and orders and, rather than sharing her concerns with her supervisors, smuggled this information out of GCHQ and leaked it to the press. It's a growing trend among Intelligence Analysts who determine they are in possession of information that the public has a "Right to Know," and Gun received the "Sam Adams Associates for Integrity in Intelligence" award for her actions. (Sam Adams was an information leaker during the Vietnam War.)

Bradley Manning became a ten-minute celebrity back in May for choosing to put his job on the line for a statement of his principles. He chose an act of civil disobedience, in the form of leaking a video of a helicopter gunship attack in Iraq where US forces fired on and killed Reuters news service photographer Namir Noor-Eldeen, 22, and his driver, 40-year-old Saeed Chmagh. Manning seemed to believe passionately that the US army had attempted to cover up their responsibility for the deaths, and decided to risk his job and his freedom to reveal this video. He was identified as a "whistle-blower" in the news. While I strongly disagree with his decision, that is an act of civil disobedience, and a "whistle-blower" action: a particular individual, possessing access to evidence of what they believe is an act of wrong-doing, "blows the whistle," understanding that there may be consequences for their action and choosing to accept the risk. I do not condone his actions in any way.

World-Wide Anarchy

To clarify, this attitude and action has absolutely nothing to do with the current Wikileaks crisis.

As reported in WIRED Magazine, the new hero of the left had no such intentions in mind when he determined to leak 260,000 classified documents. He states his intention clearly:

“Everywhere there’s a U.S. post, there’s a diplomatic scandal that will be revealed,” Manning wrote. “It’s open diplomacy. World-wide anarchy in CSV format. It’s Climategate with a global scope, and breathtaking depth. It’s beautiful, and horrifying.”

So, was the goal of the "big data dump" to help reduce future civilian casualties? No. The stated goal was "world-wide anarchy."

According to the same article, Manning had access to "two classified networks from two separate secured laptops: SIPRNET, the Secret-level network used by the Department of Defense and the State Department, and the Joint Worldwide Intelligence Communications System which serves both agencies at the Top Secret/SCI level."

According to the same WIRED story, he boasted to celebrity hacker and information leaker Adrian Lamo:

“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. ”Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.”
(source: WIRED: ThreatLevel)

While Manning apparently thought he would find a kindred spirit in Adrian Lamo, Lamo knows the difference between information disclosure and treason. It's curious that the New York Times seems to consider Manning a patriotic hero and is certainly selling a lot of papers based on his leaked information. Especially curious when you consider that when Adrian Lamo accessed confidential data at the New York Times back in 2002, the response was not to celebrate the glorious freedom of information, but rather to file charges against Lamo, leaving him facing up to five years in prison (although in the end he received house arrest, limited access to computers, and an order to pay restitution). Lamo told the Washington Post that he agonized over the decision, but he turned Manning in.

Lessons Learned: #1 -- Classification vs. Categorization

I'm going to imagine a slightly oversimplified classification system for a moment, to make our illustrations easier. Let's imagine that the classifications in our system are Unclassified, Secret, Top Secret, and (Collateral / SCI / SAP). The last one is actually not a "classification" but rather means "super secret Need-To-Know." SCI means "Sensitive Compartmented Information" and SAP means "Special Access Programs." We'll imagine for the moment that they both mean simply "Need to Know."

Now, consider various types of information to which a government employee may have access.

It seems that in the environment in which Manning was working, as long as he held an appropriate clearance for the information, he was able to access the information. Imagine an information access chart then that looks like this:

Imagine this information request:

What level of classification does this diplomatic cable have?
"Top Secret"
Does the requester have Top Secret clearance?
Permission granted.

What failure has occurred? A failure in ACCESS MONITORING. Manning was attempting to access information for which he had an appropriate clearance, but information which was in an inappropriate CATEGORY for him.

The same challenge is present in many other workplaces where sensitive information can be found. Consider for example the categories of interest in a hospital or healthcare environment:

Although I've never been in a hospital where things are marked "SECRET" and "TOP SECRET", let's use those as an analogy to the sensitivity of data. Perhaps an unclassified Personnel fact would be that Joe works in radiology. A Top Secret Personnel fact may be that Joe has three DUIs in the past year and has to take a breathalyzer test each shift before reporting for duty. An unclassified patient billing fact may be that office visits cost $175. A Top Secret billing fact may be the credit card number of the patient. An unclassified payroll fact may be that Tom is in a minimum wage job. A secret payroll fact may be that Tom's wages are being garnished for child support.

While HIPAA makes it clear that only certain personnel are supposed to see certain records, how is this monitored within your organization?

A more appropriate monitoring situation for PFC Manning may have looked like this:

In a system like this, an auditing record is recorded for review whenever someone accesses Secret or Top Secret information that is outside of their assigned categories of responsibility. With this monitoring system, Manning would still be allowed access to Secret documents in other categories, but these would be flagged for a potential review because of the mismatch with his job description.

Here's a similar chart for a HealthCare environment:

Many of my students are surprised that in my own lab, I do not have "Administrator" access to the workstations! I don't want it! I gave it back! We have an IT staff who is responsible for the creation and maintenance of access permissions, and for the installation of software and documenting its licenses and controls. Because I am not a part of that group, and don't know their methods, I choose to not have that access.

Lessons Learned #2: Volume of Data Flow

The other red flag is the volume of information being extracted. As repeated requests for information IN ANY CATEGORY are made, the volume of requests should be used to determine if a more urgent review is needed. For example, if someone is working in the Iraq war theater, it would make sense for many requests to be made related to that category of information. Occasional requests in other categories may also not be alarming. However, if you saw a large number of requests in a category for which this person does not have a job responsibility match, those should sound a more urgent alarm.
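To make Lessons #1 and #2 concrete, here is an added example (my own illustration, not code from the original post or from any government system) of the two monitoring rules side by side: a clearance-only check that records nothing, a category-aware check that still grants access on clearance but writes an audit flag when Secret-or-above material falls outside the analyst's assigned categories, and a volume monitor that escalates from "review" to "urgent" once the flagged count in one category passes a threshold. The classification ladder follows the post's simplified model; the analyst, documents, category names and the threshold of five are constructed for the demo.

```python
"""Category-aware access monitoring with volume-based escalation.

Added example, not part of the original post. The classification ladder
(Unclassified < Secret < Top Secret) follows the post's simplified model;
the analyst, documents and threshold below are constructed for the demo.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Simplified ladder from the post; SCI/SAP "need to know" is expressed by the
# category check rather than as a separate level.
LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}


@dataclass(frozen=True)
class Document:
    doc_id: str
    classification: str
    category: str  # area of responsibility the document belongs to


@dataclass(frozen=True)
class Analyst:
    name: str
    clearance: str
    categories: frozenset  # categories matching the analyst's job description


@dataclass(frozen=True)
class Decision:
    granted: bool
    audit: bool  # True when the access should go to the review queue
    reason: str


def clearance_only(analyst: Analyst, doc: Document) -> Decision:
    """The weak rule the post describes: clearance is the only question asked."""
    granted = LEVELS[analyst.clearance] >= LEVELS[doc.classification]
    return Decision(granted, False, "clearance check only; nothing recorded for review")


def category_aware(analyst: Analyst, doc: Document) -> Decision:
    """Lesson #1: grant on clearance, but flag Secret-or-above access that
    falls outside the analyst's assigned categories."""
    if LEVELS[analyst.clearance] < LEVELS[doc.classification]:
        return Decision(False, False, "clearance insufficient")
    sensitive = LEVELS[doc.classification] >= LEVELS["Secret"]
    out_of_category = doc.category not in analyst.categories
    if sensitive and out_of_category:
        return Decision(True, True,
                        f"{doc.classification} access outside assigned categories; flagged")
    return Decision(True, False, "in-category or unclassified access")


class VolumeMonitor:
    """Lesson #2: count flagged out-of-category accesses per analyst and
    category, and escalate once the count reaches a threshold."""

    def __init__(self, urgent_after: int = 5):
        self.urgent_after = urgent_after
        # analyst name -> Counter of flagged accesses per category
        self.flagged = defaultdict(Counter)

    def record(self, analyst: Analyst, doc: Document) -> str:
        decision = category_aware(analyst, doc)
        if not decision.granted:
            return "denied"
        if not decision.audit:
            return "ok"
        self.flagged[analyst.name][doc.category] += 1
        if self.flagged[analyst.name][doc.category] >= self.urgent_after:
            return "urgent"
        return "review"


def run_demo() -> dict:
    """Replay a constructed access sequence and return the outcome tally."""
    analyst = Analyst("analyst-1", "Top Secret", frozenset({"Iraq theater"}))
    monitor = VolumeMonitor(urgent_after=5)
    # Constructed request stream: in-category work, one public cable, then a
    # run of Secret cables outside the analyst's job description.
    requests = [Document(f"iraq-{i}", "Secret", "Iraq theater") for i in range(3)]
    requests.append(Document("cable-pub", "Unclassified", "Diplomatic cables"))
    requests += [Document(f"cable-{i}", "Secret", "Diplomatic cables") for i in range(6)]
    return dict(Counter(monitor.record(analyst, doc) for doc in requests))


if __name__ == "__main__":
    print(run_demo())
```

Running the demo yields four "ok" outcomes (the in-category Secret documents and the unclassified cable), four "review" flags for the first out-of-category Secret cables, and two "urgent" escalations once the fifth flagged access in the same category arrives. The same two functions apply unchanged to the hospital analogy by substituting Personnel, Billing and Payroll for the categories.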


We can agree to disagree on whether Manning is a Patriot, an Anarchist, or a Traitor, but the important outcome of any event of this nature is that we document our Lessons Learned.

Consider your own Information Collection in your workplace.

What are the "Categories of Information" and how is access to those categories assigned?

Within each area what are the "Sensitivity Levels" or "Classification" of that data?

What is a "reasonable volume" for accessing data in each of those categories and classes?

Perhaps most importantly, who is in charge of monitoring access to those categories of information, and how are "alarms" set when a category, class, or volume condition is reached?
