Two years have passed since WikiLeaks released a dump of more than 250,000 U.S. diplomatic cables, in what would become one of the most disruptive confidential government data leaks in history. Since then, one might assume that the U.S. State Department has worked quickly to plug the gaping security holes that allowed lowly private Bradley Manning to easily copy thousands upon thousands of classified messages onto a writable CD before passing them on to WikiLeaks.
It hasn’t.
A report from the U.S. Office of Audits, completed in September, 2012, but first made public on Nov. 5, reveals that the State Department’s Net-Centric-Diplomacy system (NCD) and Classified State Messaging and Archive Retrieval Toolset (SMART-C), which it uses to share information with other U.S. agencies and embassies around the world, are still vulnerable to many of the same weaknesses exploited by WikiLeaks.
“Progress in addressing the NCD weaknesses that made the WikiLeaks incident possible has been very slow,” the report stated. (In the publicly available version of the report, those specific weaknesses were redacted.)
“Some of the Federal Government’s most sensitive information exists in cables stored in applications such as NCD and SMART-C. Without resolving the logical access controls issues inherent in these applications, an incident similar to Wikileaks could occur.”
By “logical access controls,” the report is simply referring to computer-based security measures, such as a login ID and password, as opposed to physical controls, like a lock and key.
What’s worse,the department was bungling its own plans to fix holes even as the audit was underway.
Back in February, the NCD team had proposed a suite of changes to buff up its security, but shortly ran into numerous problems with its contractors, according to the audit report. Some simply didn’t have the technological expertise necessary; others didn’t have the proper security clearance. Those who actually were qualified and did have the proper clearance were handicapped because the NCD team didn’t “provide the full source code” or even “sufficient documentation.”
You can’t just parachute in and fix the State Department’s messaging system without a manual, apparently.
It’s no surprise, then, that the auditors’ very first recommendation was to simply implement the security overhaul the State Department’s own team had proposed back in February.
According to the report, State officials have since brought in people with the right level of expertise and access, and “a full team of developers” is now working on the problem.
So maybe by the time Manning is finally sentenced, the security holes he so easily exploited will at last be fixed.
Photo by LadyDragonflyCC<3/Flickr