A small section of the 2012 defense bill, under consideration Wednesday by the House Armed Services Committee, requires the Defense Department to put in place an “insider-detection” system to ferret out the suspicious acquisition of sensitive information. Call it the “No More Bradley Mannings” provision. It could be a great boon to an effort already under way by the Pentagon’s blue-sky researchers.
There aren’t many specifics listed in the provision, just technical requirements the program has to meet. It needs to “allow for centralized monitoring and detection of unauthorized activities,” including the use of external ports. It needs to implement a “roles-based certification” system, meaning if you work on missiles and want to read about tanks over the Pentagon’s secure internet, it’ll record your attempt. And it needs “cross-domain guards for transfers of information between different networks.”
Darpa’s already got a head start. Last summer, it launched a program run by star hacker Peiter “Mudge” Zatko called Cyber Insider Threat, or CINDER, to find “tells” in military online usage that might tip the Defense Department to the next WikiLeaker. The project is still in its infancy: a proposal period ended March 31.
But the House panel isn’t in a hurry, despite its concern about the danger from WikiLeaks. The mandated “insider detection” program won’t have to be operational until October 2012. (That’s the same timetable that the House intel committee mandated for the spy community’s insider-detection effort, by the way.)
In the meantime, the military has taken a number of ad hoc measures to protect against another huge document leak. It banned removable media. The Air Force briefly threatened to prosecute airmen who allowed their families to read WikiLeaks – before promptly reversing itself when the threat became public – and temporarily banned websites that published the purloined docs. Currently, it requires employees who come across the WikiLeaks documents on their work computers to summon their “information assurance manager” to delete the illicit material.
Intriguingly, the insider threat provision suggests that those early anti-WikiLeaks measures have an unintended consequence. “[T]he committee is concerned that the technological and procedural responses [to WikiLeaks] may be having a negative impact on the productivity and effectiveness of forces supporting ongoing operations in areas of hostility,” the panel notes. That’s not something we’ve heard. Are you in a war zone and have trouble getting the data you need to do your job because of the post-WikiLeaks lockdown? Let us know.