Expert: Pentagon cybersecurity changes 'very basic, very late'

By Ashley Fantz, CNN
The Pentagon says that 60 percent of its computers have software that might prevent another intelligence leak.
STORY HIGHLIGHTS
  • Pentagon e-mail: 60% of Defense Department's computers equipped with needed software
  • Cyber security expert: 'Only 60 percent? That's ridiculous'
  • Pentagon is trying to improve cybersecurity after classified intel was leaked to WikiLeaks.org

(CNN) -- When WikiLeaks first caused an international uproar this summer by publishing reams of classified U.S. intelligence, possibly stolen by a 23-year-old soldier using a CD and a memory stick, the Pentagon pledged to fix loopholes in its computer systems.

So how is that going?

Sixty percent of the Defense Department's computer system is now equipped with software capable of "monitoring unusual data access or usage."

That's according to an e-mail Pentagon spokesman Bryan Whitman sent to reporters on Sunday, a few hours before WikiLeaks published diplomatic cables that revealed a spiderweb of secrets covering nearly every crisis, controversy and diplomatic headache involving the U.S.

"Only 60 percent? That's ridiculous. You would never hear a corporation saying they have anything less than 90 percent cyber security," said Hemu Nigam, who has worked for two decades in computer security.

He has collaborated with the U.S. Secret Service, Interpol and the FBI to implement a hacker identification program for Microsoft. Nigam was also one of the first Justice Department Internet predator prosecutors. He left that job, he said, because the Motion Picture Association of America recruited him to help launch its anti-piracy department.

He now runs SSP Blue, an advisory firm that tells major corporations how to protect against hackers and insiders looking to leak.

Nigam's take on the measures the Pentagon says it's taken: "It's all very basic, and very late."

CNN also asked Pentagon chief spokesman Col. David Lapan to elaborate on the e-mail detailed in this story.

CNN asked Lapan whether there are other measures the government has taken that were not referenced in the e-mail. Lapan said he has talked to the Department of Defense officials working on improving the computing system, and was assured that changes are underway, but there are no firm dates on when those changes would be made. He did not go into detail.

Since August, Defense Secretary Robert Gates has "commissioned two reviews to determine what policy, procedural and/or technological shortfalls contributed to the unauthorized disclosure to the Wikileaks website," Whitman wrote in the e-mail.

Yet on Wednesday, the State Department's Press Secretary P.J. Crowley told CNN that it's still unclear what documents were taken from the military's computer system. "We've done forensics across the Defense Department, the State Department, they [WikiLeaks] do have more documents. We're not entirely sure what they are," he said.

Regardless, the reviews Gates ordered led to "a number of findings and recommendations [which] are in the process of being reviewed and implemented," according to Whitman's email.

According to the email, that includes "disabling all write capability to removable media on DoD classified computers, as a temporary technical solution to mitigate the future risks of personnel moving classified data to unclassified systems."

That language means a person would technically be unable to copy and paste a classified document into an unclassified file, said Nigam.

"This is an easy fix to make -- I don't know any businesses that don't have this kind of wall up to protect sensitive internal information."

Nigam said the first thing he would advise a company to do is an assessment of how someone penetrated the system, from where, what was taken and who else is still possibly inside doing damage.

Whitman's e-mail states that certain measures have already been taken including limiting the number of systems authorized to move data from classified to unclassified systems.

Nigam likens that security concept to only being able to get money out of a single ATM at a mall.

"Having a centralized place to get classified information is, again, basic," Nigam says.

Another measure Whitman cites is "two-person handling rules" for "moving data from classified to unclassified systems to ensure proper oversight and reduce chances of unauthorized release of classified material."

"Wouldn't you want at least two people involved to make sure that secure information remains in the right hands?" said Nigam.

The suspected WikiLeaks source is former intelligence analyst Bradley Manning, an Army private. In May, he allegedly began bragging in Web chats with a California-based hacker about how easy it was, from his base outside Baghdad, to download hundreds of thousands of classified documents.

Manning was said to have told Adrian Lamo, a legendary figure among hackers, that he copied classified information onto a CD while he pretended to his fellow soldiers to be listening to Lady Gaga's song "Telephone."

"No one suspected a thing," Manning allegedly told Lamo in an instant message. "Weak servers, weak logging, weak physical security, weak counterintelligence, inattentive signal analysis. A perfect storm."

The chats were published in Wired magazine. CNN is unable to authenticate them.

These days, Lamo considers himself a "white hat" hacker, someone who hacks for good, not mischief. He told CNN.com that he was alarmed by Manning's alleged confessions and notified the FBI.

Earlier this year, as WikiLeaks published secret documents about the Afghanistan war, Manning was sent to Quantico, the Marine Corps base prison in Virginia. He remains there, in a cell by himself, charged with eight violations of the U.S. Criminal Code for transferring classified data, according to his lawyer David Coombs. Coombs declined further comment about the case.

Nigam stressed that the military would be wise to hire more white-hat hackers, if it is having difficulty securing computer networks, or reach out to the private sector. There have been numerous reports that the government is already doing this. PC World, among other sources, interviewed a military official who has tried to recruit at major hacking conventions.

"It was embarrassing. I was embarrassed for our country," Rep. Pete Hoekstra told CNN after he was briefed about the level of security within the military's computer system.

He is the ranking Republican on the House Intelligence Committee. "I'm worried about how many other databases that we have out there with sensitive information that may be compromised each and every day," he said.

Hoekstra continued: "I didn't see the urgency that I would have expected from the people that were briefing us to get this situation under control."

The Pentagon has known for years that WikiLeaks could mean trouble when it came to publishing classified or secret information.

In 2008, the U.S. Army Counterintelligence Center and the Department of Defense wrote a 26-page threat assessment report about WikiLeaks, predicting "articles involving sensitive or classified DoD will most likely be posted to the WikiLeaks.org Web site in the future."

That report, too, was classified.

But WikiLeaks got ahold of it and published it in the spring of this year.

CNN's Charley Keyes contributed to this report.