Saturday, January 8, 2011










STANFORD, Calif. - President Obama is planning to hand the U.S. Commerce Department authority over a forthcoming cybersecurity effort to create an Internet ID for Americans, a White House official said here today.

It's "the absolute perfect spot in the U.S. government" to centralize efforts toward creating an "identity ecosystem" for the Internet, White House Cybersecurity Coordinator Howard Schmidt said.

That news, first reported by CNET, effectively pushes the department to the forefront of the issue, beating out other potential candidates including the National Security Agency and the Department of Homeland Security. The move also is likely to please privacy and civil liberties groups that have raised concerns in the past over the dual roles of police and intelligence agencies.

The announcement came at an event today at the Stanford Institute for Economic Policy Research, where U.S. Commerce Secretary Gary Locke and Schmidt spoke.

The Obama administration is currently drafting what it's calling the National Strategy for Trusted Identities in Cyberspace, which Locke said will be released by the president in the next few months. (An early version was publicly released last summer.)

"We are not talking about a national ID card," Locke said at the Stanford event. "We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities."

The Commerce Department will be setting up a national program office to work on this project, Locke said.

Details about the "trusted identity" project are unusually scarce. Last year's announcement referenced a possible forthcoming smart card or digital certificate that would prove that online users are who they say they are. These digital IDs would be offered to consumers by online vendors for financial transactions.

Schmidt stressed today that anonymity and pseudonymity will remain possible on the Internet. "I don't have to get a credential if I don't want to," he said. There's no chance that "a centralized database will emerge," and "we need the private sector to lead the implementation of this," he said.

Inter-agency rivalries to claim authority over cybersecurity have existed ever since many responsibilities were centralized in the Department of Homeland Security as part of its creation nine years ago. Three years ago, proposals were circulating in Washington to transfer authority to the secretive NSA, which is part of the U.S. Defense Department.

In March 2009, Rod Beckstrom, director of Homeland Security's National Cybersecurity Center, resigned through a letter that gave a rare public glimpse into the competition for budgetary dollars and cybersecurity authority. Beckstrom said at the time that the NSA "effectively controls DHS cyber efforts through detailees, technology insertions," and has proposed moving some functions to the agency's Fort Meade, Md., headquarters.

The apparent revelations originating from the latest WikiLeaks are both embarrassing and rapid-fire: Afghanistan's vice president was found to be transporting $52 million in cash; Saudi Arabia's king called for the U.S. to attack Iran; a British duke mocked Americans' understanding of geography.

This week's leak--still incomplete--of some 250,000 State Department dispatches follows WikiLeaks' April release of a video showing U.S. troops firing on journalists and its release of hundreds of thousands of classified military dispatches from Afghanistan and Iraq. There was also, earlier this year, an internal Army report that worried about the threat posed by WikiLeaks.

These documents add up to a massive store of sensitive U.S. information totaling around 725,000 files and amounting to what Der Spiegel is calling "nothing short of a political meltdown for U.S. foreign policy." And, according to chat logs made public earlier this year, they all came from one source: Bradley Manning, an Army intelligence specialist whose successful efforts to liberate data went completely undetected by authorities.

The possibility that a lowly Army private could have access to such a dizzying volume of classified files, and manage to spirit it away under the noses of his superiors until turned in by a hacker living in a Sacramento suburb, has left official Washington scrambling for explanations.

"One of the questions I have is, while people can access individual messages related to their specific job, shouldn't this system have caught someone downloading 500,000 messages and asked him, 'What are you doing?'" Senator-Elect Mark Kirk (R-Ill.) said on MSNBC yesterday.

While Obama administration officials have declined requests to confirm that Manning was WikiLeaks' sole source for these files, a State Department official may have been a bit more forthcoming than he intended.

"Someone within the United States government with access to the--this information, downloaded it and provided it, you know, to parties outside of the U.S. government," P.J. Crowley, assistant secretary of state for public affairs, said yesterday. Crowley would not specify whether he was talking about Manning.

The leaked files apparently originated from the U.S. Defense Department's SIPRNET, which is used for exchanging information up to the secret level, and is jointly administered by the NSA, the Defense Intelligence Agency, and the Defense Information Systems Agency. SIPRNET stands for Secret IP Router Network. (In what may have been an effort to protect its source, WikiLeaks editor Julian Assange in July publicly denied receiving the State Department cables.)

"It should not have been physically possible for an individual private to download records at will from a classified network onto transportable media," says Steven Aftergood, who directs the Federation of American Scientists' Project on Government Secrecy. "That was asking for trouble."

These are the questions that, government officials admit, are being asked at the highest levels of the Obama administration right now: why was the computer network designed to allow a 22-year-old analyst to copy megabytes of data? Where were the internal alarms that should have detected abnormal behavior?

In July, Pfc. Manning was charged with obtaining "more than 150,000 diplomatic cables" and sending the Iraq helicopter video to someone not authorized to receive it, both in violation of the Uniform Code of Military Justice. Manning, part of the 10th Mountain Division (light infantry) in Iraq, was detained in May and has been in military custody ever since.

A military checklist for SIPRNET connections requires users to consent to monitoring and to acknowledge that assessments will take place to "determine the security features in place to protect against unauthorized access."

That's the theory. In practice, however, that didn't appear to happen. Manning allegedly recounted his clandestine exploits in a series of conversations that Adrian Lamo, the onetime hacker best known for breaking into networks belonging to the New York Times Co. and Yahoo, recorded in full. Lamo told CNET that he did not alter the logs (No. 1 and No. 2) before releasing them earlier this year.

Some excerpts from the logs, which describe slipshod or easily circumvented security measures:

(12:54:47 PM) Adrian Lamo: What sort of content?
(12:56:36 PM) Adrian Lamo: brb cigarette
(12:56:43 PM) Adrian Lamo: keep typing <3

(02:18:09 AM) Bradley Manning: they were stored on a centralized server...
(02:18:34 AM) Adrian Lamo: what's your endgame plan, then?
(02:18:36 AM) Bradley Manning: it was vulnerable as fuck
(02:20:57 AM) Bradley Manning: well, it was forwarded to WL
(02:21:18 AM) Bradley Manning: and god knows what happens now
(02:22:27 AM) Bradley Manning: hopefully worldwide discussion, debates, and reforms

(01:54:42 PM) Bradley Manning: i would come in with music on a CD-RW
(01:55:21 PM) Bradley Manning: labelled with something like "Lady Gaga"... erase the music... then write a compressed split file
(01:55:46 PM) Bradley Manning: no-one suspected a thing
(01:55:48 PM) Bradley Manning: =L kind of sad
(01:56:04 PM) Adrian Lamo: and odds are, they never will
(01:56:07 PM) Bradley Manning: i didnt even have to hide anything
(02:15:03 PM) Bradley Manning: pretty simple, and unglamorous
(02:17:56 PM) Bradley Manning: weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis... a perfect storm

(02:44:47 PM) Bradley Manning: the network was upgraded, and patched up so many times... and systems would go down, logs would be lost... and when moved or upgraded... hard drives were zeroed
(02:45:12 PM) Bradley Manning: its impossible to trace much on these field networks...
(02:46:10 PM) Bradley Manning: and who would honestly expect so much information to be exfiltrated from a field network?
(02:46:25 PM) Adrian Lamo: I'd be one paranoid boy in your shoes.

Lamo eventually decided, he says, to turn on his late-night correspondent. "I turned him in to protect lives and to protect information that's essential for the U.S. to be able to effectively carry out foreign policy abroad," Lamo said at the time.

For its part, the Obama administration is responding by tightening computer security. A one-page memo (PDF) from the White House's Office of Management and Budget this week orders federal agencies to "ensure that users do not have broader access than is necessary to do their jobs effectively."

In addition, OMB said, there must be limits on "removable media" such as USB sticks and CD-ROMs when used on "classified government computer networks."

An executive order that President Obama signed in 2009 says that the secret classification level is reserved for material that, if disclosed publicly, "reasonably could be expected to cause serious damage to the national security." Top Secret is reserved for material that could cause "exceptionally grave damage to the national security."

A Defense Department official told the Associated Press that he was unaware of any firings or other discipline over the security conditions at Manning's post in Iraq. The Israeli military is also reportedly adopting new security measures to prevent WikiLeaks-style disclosures.

Rep. Peter King (R-N.Y.), the incoming chairman of the House Homeland Security committee who has called for WikiLeaks to be listed as a terrorist organization, has pledged to probe what went wrong inside the U.S. military.

"Oh, we will, definitely," King said yesterday. "I intend to have full hearings on this. But the answer is going to have to come from the people who were in charge. And that is the head of the intelligence--the heads of the intelligence community. This cannot be allowed to go on."



Read more: http://news.cnet.com/8301-13578_3-20024080-38.html#ixzz1AW4e4dDo
