Tuesday, December 07, 2010

How did the Wikileaks get leaked?

A compelling article in Pajamas Media by Charlie Martin:
As someone who has been involved with intelligence for more than 30 years and with computer security for 25, the professionally interesting point is: “How did it happen?”

Let’s start by recalling some of the basics of the whole arcane mechanism of classification. The classification system in the U.S. grows out of two basic axioms: first, you work hardest to protect the material that can cause the most damage; and second, the one way to be certain someone can’t reveal a secret is to make sure they don’t know it.

...The whole system of classification depends on two things: making it hard to get sensitive information, and making sure as few people as possible do know a particular piece of classified information by using “need to know” rules and their formalization in compartments.

According to the press coverage, the only suspect is one Pfc. Bradley Manning. Manning had been an intelligence analyst supporting the 10th Mountain Division. Manning bragged about having passed information to WikiLeaks to Adrian Lamo, previously famous for having cracked into the New York Times' internal systems. Lamo turned him in.

The story, as reported by the Guardian, is that Manning gathered the information on SIPRnet — a U.S. government sharing network for data at SECRET and below — then loaded it on writable CD-ROMs that he brought into his work area saying they contained Lady GaGa music.

The problem here: this explanation raises many more questions than it answers.

First is the “need to know” question. Manning had been an E-4 Specialist (same pay grade as a corporal) analyst — he was busted to PFC for unrelated reasons — and would have had access to intelligence in theatre. It seems inconceivable that he would have access to worldwide diplomatic cable traffic. The Guardian story’s answer is that these cables were being dumped into SIPRnet as part of a 9/11-inspired attempt to make information available, and thus avoid the problem of people not “connecting the dots.”

Perhaps. But the other side of that argument is what’s known as the “aggregation problem” in computer security: the more information you collect together, the more you can learn. As we’re seeing in these leaks, you can infer some very sensitive stuff from a lot of relatively low-level information. Are we really giving any random person with a SECRET clearance access to this much information, including video of Baghdad firefights and Special Forces operation reports?

Second, there’s the way Manning is said to have gotten the information out of his secure area. According to the Guardian, Manning brought in some rewritable CD-ROMs with music, erased the music, copied the data to the CD-ROMs, and walked back out with them.

If so, there is an ex-officer from his unit who is now counting socks in Thule, Greenland, or should be. Secure areas have a very straightforward rule on such things: media may come in, but it can’t go back out. (In fact, when I worked in a secured area, we even had to lock up our typewriter ribbons and platens.)

But this seems unlikely, because the DoD had forbidden people to even bring CDs and thumb drives in to secure areas in 2008.

This explanation isn’t completely implausible. Not completely. If it’s true, it appears that it means general breakdowns in the methods by which the U.S. has protected classified information since the First World War, as well as violating explicit policies and procedures.

Of course, there’s another explanation: someone at a higher level of trust than Pfc. Manning is the real source, and Manning is just a convenient fall guy.