Tuesday, November 30, 2010

Digital security problem is bigger than Assange and PFC Manning

Prior to September 2001, administrators within the U.S. government had their reasons for stubbornly hoarding their agencies’ secrets. In the wake of the latest Wikileaks episode involving classified State Department cables, some of those reasons are again apparent. The 9/11 Commission concluded that insufficient cross-agency sharing was partly to blame for the disaster. But we are now reminded that sharing brings its own risks. With a million people thought to have access to U.S. Secret-level correspondence and over 800,000 cleared for Top Secret access, the only surprise is that there are not more leaks. The problem of digital security extends beyond Mr. Assange and PFC Manning. Digital transmissions through the existing internet “cloud” will continue, but will increasingly consist of only the most inconsequential data and reports. The transmission of anything really sensitive will revert (if it hasn’t already) to pre-Internet methods – a hand-delivered document, a telephone call, or a face-to-face conversation in a secure room.
The fact that there have been so few surprises in the latest Wikileaks data dump is the best evidence that State Department cable-drafters, consciously or not, knew that these cables would have a very large audience. And the wider the audience becomes, the greater the incentive to be careful with secrets in the drafting. With so few differences between the content of these cables (admittedly classified no higher than Secret) and the content in the news media, we should conclude that U.S. diplomacy is already remarkably open and transparent.
The Wikileaks scandal reinforces what should be an instinct to be circumspect with anything transmitted in digital form. No doubt a battalion or more of counterintelligence specialists warned Defense Department network administrators about the security risks presented by the post-9/11 data-sharing arrangements. To apparently no avail – it seemed ridiculously simple for PFC Manning to extract (allegedly) hundreds of thousands of classified files. With the horse out of the barn and galloping into the next county, the Pentagon is only now tightening its computer security procedures. But there are still those million who have Secret access; the new security procedures are not likely to ward off a few trained and determined infiltrators.
The problems with the digital “cloud” do not stop there. In its recently released annual report, the U.S.-China Economic and Security Review Commission described a Chinese “hijacking” of global internet traffic. The report explains what happened better than I could:
For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed U.S. and other foreign Internet traffic to travel through Chinese servers. Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China. This incident affected traffic to and from U.S. government (“.gov”) and military (“.mil”) sites, including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others. Certain commercial websites were also affected, such as those for Dell, Yahoo!, Microsoft, and IBM.
Although the Commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data, incidents of this nature could have a number of serious implications. This level of access could enable surveillance of specific users or sites. It could disrupt a data transaction and prevent a user from establishing a connection with a site. It could even allow a diversion of data to somewhere that the user did not intend (for example, to a “spoofed” site). Arbor Networks Chief Security Officer Danny McPherson has explained that the volume of affected data here could have been intended to conceal one targeted attack. Perhaps most disconcertingly, as a result of the diffusion of Internet security certification authorities, control over diverted data could possibly allow a telecommunications firm to compromise the integrity of supposedly secure encrypted sessions.

More at:
http://smallwarsjournal.com/blog/2010/11/digital-security-problem-is-bi/