Source of WikiLeaks Is Removable Media

Wayne Rash
A couple of weeks ago I wrote a blog entry about the danger of allowing unrestricted use of USB memory sticks in the enterprise. Then I was focusing on their role as a vector for malware and other security risks. But of course, there are other security risks that go with those handy USB devices and their CD and DVD counterparts. It's just as easy to copy sensitive information onto them as it is to release a worm from them. Sometimes you can do both at the same time.

Army Private First Class Bradley Manning, who is now in custody in Quantico, Virginia, has already admitted to collecting over a quarter million messages (which the U.S .Department of State calls 'cables,' but are really e-mails) using nothing but rewritable media and a USB drive. He was arrested in June for his release of a helicopter attack in Iraq to WikiLeaks.

Manning remains in federal custody for the release of the video, but will likely be charged for the State Department leaks in the near future. In the meantime, the military and the rest of the government have some thinking to do. Clearly the most important is how a 22-year-old (at the time) junior enlisted man was able to gain access to some of the most tightly-held government secrets. The second is how was he able to use removable media on a military computer with access to such sensitive data.

The Departments of Defense and State share computer networks that provide access to critical data that allow either of the two agencies to take action much more quickly than if they had to depend on the other to sift through data, decide what's important and then forward it along. It's an important step in eliminating the government's long-standing problem with silos of information, and it's proven very effective. However, when such critical information is broadly available, it means that extraordinary care must be taken to protect it.

For Manning, this apparently wasn't done. Manning allegedly accessed the highly secret Defense and State department systems with ease, and used something as simple as USB ports and a CD drive to accomplish a vast intelligence breach. Manning, if he's found guilty of doing this, should pay the price, and since he's already bragged to others about this, it seems likely that a military court will agree with him.

But that doesn't answer the question of why he was given access in the first place, and it doesn't answer the question as to why the removable media could be used on a machine with such critical access. This is where you, the reader, come in.

There's every likelihood that your company has information that is as important to you as the State Department messages are to the government. But the questions is, what do you do to protect it? While it's true that you might not expect your private documents to appear on WikiLeaks-unless you're working for a bank-it would still hurt to see them appear on the computers of your competition.

So ask yourself, what people and which computers have access to your company's most critical information? Do any of those computers have a CD or DVD drive, or a USB port that's not protected against unauthorized use? Are any of them able to be used without that use being logged by your security software? And what about the people you allow to access your most sensitive data? Have you even run a background check on them? A credit check?

Without the most basic level of security, it's hard to see how you can expect your sensitive data, including your business plans, your customer information or your own accounting data, to not eventually leak out. The difference between the government and you is that such a leak can shut down your business, and perhaps put you in jail if you violate federal compliance laws. With the government, only Manning is likely to see prison time. The people who designed the security system, it appears, aren't being held accountable.

Add Comment      Leave a comment on this blog post
Aug 16, 2011 1:08 PM AWS AWS  says:
The essential facts regarding the Manning incident are completely ignored by the media. Manning was an Intelligence Analyst. He was in a position of trust. He was accessing a network which requires at least 4 approvals to be allowed access and he was granted a secret clearance prior to that. There are thousands of young soldiers who do this job every day and uphold the trust they've been given. In Mannings case he chose to betray the trust he was given. He chose to betray the oath he took when he joined the Army, the agreement he made when granted a secret clearance, and the agreement to act responsibly with the data he could access on that network. He is a traitor. And no security manager can be held accountable for such a person's decision to betray the oaths he made. Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.



Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.