The latest Wikileaks dump – it’s a wonderful way to highlight some, um, issues with cyber-security, and allows the chattering classes to bloviate ponderously on topics they really don’t know that much about. I, for one, am not stunned by what PFC Manning managed to get access to, as anyone with a modicum of ability who has access to the SIPRnet can attest. The goodness from this will probably be a quicker tightening of security within the classified networks, by the expanded institution of some simple-to-implement checks on the “need-to-know” side of things.
Access to classified information has two parts – clearance at the appropriate level, and need-to-know. All “clearance” does is vet that your life-to-date has been examined and there are no huge warning signs that you aren’t trustworthy to be considered for access to defined levels of information. Think of it as having passed your written test for a driver’s license. That just allows you to take the driving test. If you don’t pass the actual driving test, you don’t get a license. In this case, if you don’t have the need to know, you don’t get access. Manning clearly had access to things he had no “need-to-know” reason to be accessing. For those who have been operating in that environment there has been steady and stuttering-but-inexorable movement to stitching up those seams, all tempered by a real desire to make information available to people who need it without going through a huge number of hoops to get it in a timely fashion in a time of war.
PFC Manning was poking about in places he had no business poking about in. While that’s covered by the user agreement you sign when you are granted access to the networks – i.e., you promise to not go fishing – the real problem lies in the fact that State had (apparently) no internal controls on who had access to their data. Once you figured out where it was, you could have it. There should have been some form of vetting process to cover the need-to-know. Mind you, given PFC Manning’s hacker-bent, even if he’d had the need to know, he’d have stolen the data. Which points to the fact that you have to monitor the activities of people who have access.
The devil will be in the details.
Secondly, it has been an interesting look into the State Department’s world, and how things going on behind the scenes oft-times have little bearing to what’s happening on the public side of things, as all governments have reason to present a public face that differs from the private. Sausage-making isn’t pretty, but there didn’t strike me that there was/were horrible revelations in there. More of it was along the lines of, “Yep, okay, that doesn’t surprise me.” and “People still don’t get that some things should be said face-to-face and not in potentially record communications.” But I don’t believe that exposing what amounts to working papers is a good idea.
Lastly, the document dump gave the New York Times an opportunity to excel, and they predictably flubbed it, preferring instead to stay in their comfort zone of doctrinaire biased hypocritical hackery, all while swirling their Mantle of Morality around their head.
Quick! Who said this? “The documents appear to have been acquired illegally and contain all manner of private information and statements that were never intended for the public eye, so they won’t be posted here.”
Hint: It wasn’t a Times reporter or editor talking about the Wikileaks dump.
It was the Times’ former environmental blogger, Andy Revkin, discussing the so-called ClimateGate emails. Rules for thee, not for me. Feh.