Wired’s Danger Room blog recently acquired a “Cyber Control Order” penned by Major General Richard Webber, commander of Air Force Network Operations. This order, dated December 3rd, bans the use of removable media on SIPRNET, and specifically reminds all Airmen that failing to comply with an order is punishable under Article 92 of the UCMJ. This order may sound good, if not a little late, on the surface but ultimately it does not do much to change the policies that were already in place.
SIPRNET is the DoD “classified” network. This is the network built to handle processing of all classified information. It is specifically designed with encryption, tampering safeguards, and policies and procedures meant to ensure that all data on the network remains confidential and retains its integrity. Something on the magnitude of billions has been spent to develop, deploy, and maintain this network.
Some of the more important safeguards include maintaining separation of data. If unclassified data, or unclassified devices come in contact with classified systems or data, the original data and devices now become classified to the level of classification of the second system. This means if you plug your USB thumb drive into a SIPRNET machine, it becomes a classified device and must be treated as such. This brings us to the rules for classified devices or data. Usually these items cannot leave the secure facility where they are being processed without proper authorization and often times must be transported in a secure way. i.e. Locked briefcase carried by a person with a sidearm. Furthermore a proper chain of custody must be maintained and verified by multiple persons.
In addition to the rules regarding the handling of classified data there are rules regarding the secure processing facilities. These areas are secured in similar ways to the SIPRNET itself. Gobs of money and advanced physical security technology has been thrown at these rooms to make sure unauthorized persons cannot get in and secure data cannot get out. The rules for these rooms specifically limit what devices and media can be brought in or taken out. Most rooms like this that I have had access to do not allow personal cell phones of any kind, USB drives, removable media (i.e. CDRWs), recording devices like tape recorders, video or still cameras, etc. Most even limited personal audio devices like CD players, just like the one allegedly used by Bradley Manning to “smuggle” CDRWs in and out of the facility. Why weren’t these processes being followed? Why was an unauthorized personal electronic device allowed in the facility in the first place?
Now the “Cyber Control Order” sounds less impressive. The policies and procedures to help keep data secure were there, they’ve been around for a long time, they just weren’t followed. But what about the threat of punishment under Article 92 (i.e. court marshal)? Won’t that be more of a deterrent? No. The ban of removable media on these systems and subsequent threat of punishment under Art. 92 may have the positive effect of increasing everyones awareness of their surroundings and ultimately catching or deterring insiders attempting to write data to removable media. But the order also ensures that soldiers that need to use removable media to transfer data into and out of SIPRNET for valid missions will get caught up and punished for trying to do their job. The order issued by General Webber even acknowledges that “Users will experience difficulty with transferring data for operational needs which could impede timeliness on mission execution.” This is a prime example of mandating a security policy that either cannot be enforced, or that causes harm by being so restrictive that it forces your users to sidestep it in order to do their jobs.
I really fail to see how this action increases our security or the security of classified data. It might have a limited, indirect effect on the security of classified data, but it ultimately impedes the soldiers ability to complete their mission effectively.
The true solution to the problem is to follow the existing policies and procedures for classified data, systems, and processing facilities. This means following chain of custody procedures, securing data moving in and out of a secure processing facility, and most importantly not allowing unauthorized electronic devices or media into a facility. Then couple this adherence to policies and procedures with several technical solutions. I would note that the original Wired article states that “DARPA, the Pentagon’s leading-edge research arm, has launched an effort to 'greatly increase the accuracy, rate and speed with which insider threats are detected…within government and military interest networks.'” Again this all sounds great but what does it ultimately mean. Is DARPA researching and building out systems or software to protect secure data and systems? Because those systems already exist. Network Data Loss Prevention and Host-based Data Loss Prevention systems are on the market and have been for several years now. They are mature and they operate well in most cases. In fact the DoD even researched and chose a full host based security suite authorized for use on all DoD systems. Why then does this DARPA project exist? What is the purpose?
The bottom line is that the Wikileaks incident was entirely avoidable. The policies and procedures exist and should have been in use and technical solutions to help enforce those policies exist but the organization did not have the foresight to implement those controls. Any effort at adding more controls is, to some extent, misguided then. Instead, the full and appropriate use of existing controls should be the focus.