Bill mandating WikiLeaks safeguards for Pentagon networks set to advance to House floor

A House committee is poised to advance legislation to protect classified information -- and avoid gross losses, such as those suffered during the WikiLeaks breach -- by requiring the installation of a centralized instrument for detecting unauthorized behavior on all military networks.

The deadline for activating the system of software and machinery is 2013, under the measure expected to pass Wednesday night, but computer security experts caution that even if enacted, such mandates would not stop malevolent insiders.

Lawmakers envision equipment to monitor the use of external ports, ensure restrictions are in place for reading and writing on files, audit unusual user activities, permit access based on job functions and mediate traffic between networks to prevent the exchange of restricted data. The apparatus also would track software bug fixes and security updates.

The measure, part of the Armed Services Committee's annual defense authorization bill (H.R. 1540), was prompted by disclosures of sensitive diplomatic cables and war materials on the whistleblower website WikiLeaks, after a soldier allegedly downloaded the digital files to a music CD.

"The committee is concerned with the acute damage to national security of recent unauthorized releases of classified information from the Department of Defense and other government information systems," bill sponsor Rep. Howard P. "Buck" McKeon, R-Calif., chairman of the Armed Services Committee, wrote in a summary of the legislation. "The impact of these releases will continue for many years, to the detriment of existing operations in the Islamic Republic of Afghanistan, as well as the reputation and credibility of the United States in international affairs now and in the future."

The bill acknowledges that the Pentagon is "responding seriously" to the incident by deploying some safeguards aimed at preventing future breaches, but reflects lawmakers' concerns that officials are overlooking other human dimensions of the problem. The language targets the "insider threat" posed by trusted individuals within the organization who would intentionally compromise the security of the network.

Security specialists described the legislation's controls as good practices that already are in place on certain military networks.

But there is one related provision that could prove more difficult: instituting rules stipulating that international and interagency partners should comply with the same controls.

"Cybersecurity, as we know, is a critically challenging issue, because it is always such a moving target and the threats facing our country online cannot be met alone in a vacuum," Rep. James R. Langevin, D-R.I., a committee member and chairman of the Congressional Cybersecurity Caucus, noted on Wednesday. He said the language "would increase both bilateral international and private sector cyber cooperation efforts."

Given that every country and every department has its own information sharing protocols, such efforts may run into resistance, several analysts said. "Most IT environments today are complex, but this would certainly be one of the most complex, especially when different country regulations and approaches are taken into account," said Ray Wagner, managing vice president at Gartner who researches security and risk.

His colleague, Paul Proctor, a Gartner vice president specializing in risk management, added, "Raising awareness and addressing the handling and treatment of sensitive data is a good thing, even if it is not 100 percent effective."

Pentagon officials on Wednesday said a number of activities are under way to improve the military's ability to track insider behavior but could not comment on specific requirements. One instrument, a so-called host-based security system, will be attached to all department servers, desktops and laptops to flag and counteract threats. Individual network administrators will configure the machinery's intrusion prevention systems and firewalls to spot exploits.

In addition, the U.S. Strategic Command is identifying gaps and weaknesses across the department's information technology portfolio.

"The results of this analysis, due late this fiscal year, will be considered in future tool or process improvements," Pentagon spokeswoman April Cunningham said. "As requirements are developed we will assess the potential for commercial as well as government-developed tools to provide insider threat detection and indications of anomalous behavior. . . these tools are intended to give network operators indicators of questionable behavior using existing operating system audit capabilities."

Defense, along with civilian agencies, also is in the midst of automating the monitoring of security settings so that IT managers can have near real-time visibility into compliance, she said.