Maj. Gen. Richard Webber, commander of Air Force Network Operations, issued the Dec. 3 “Cyber Control Order” — obtained by Danger Room — which directs airmen to “immediately cease use of removable media on all systems, servers, and stand alone machines residing on SIPRNET,” the Defense Department’s secret network. Similar directives have gone out to the military’s other branches.
“Unauthorized data transfers routinely occur on classified networks using removable media and are a method the insider threat uses to exploit classified information. To mitigate the activity, all Air Force organizations must immediately suspend all SIPRNET data transfer activities on removable media,” the order adds.
It’s one of a number of moves the Defense Department is making to prevent further disclosures of secret information in the wake of the WikiLeaks document dumps. Pfc. Bradley Manning says he downloaded hundreds of thousands of files from SIPRNET to a CD marked “Lady Gaga” before giving the files to WikiLeaks.
This raises a few questions. Let me preface this by saying I have no direct experience with military IT policies and procedures. There may be very good reasons for why things were set up the way they were. I'd like to think the military considered these questions at some point prior to this.
Why weren't these devices already heavily restricted or permitted only with additional approvals in advance? For years, it's been possible to configure a corporate PC in such a way that these devices won't work.
It seems like a the main suspect in the leak was a relatively low-ranking service member. Should he have had access to such a large volume of disparate information? I can see someone having a job requiring them to have access to classified information, but the breadth of it is rather astonishing.
Finally, it seem that this exposure is the result of someone intentionally downloading information to removable media, in a way not relevant to his job. It seems like that would already be at the very least a policy violation. He then likely committed an illegal act in turning the data over to another organization. Would the threat of Court Martial for using removable media really have made any difference?
It's not like someone copied the data to an insecure thumb drive to work on it and then lost that drive accidentally. This appears to be a deliberate and intentional act. Would these policy changes have made any difference in this case? It seems doubtful.