recommended reading

Pentagon Spent Millions to Counter Insider Threats After WikiLeaks Fiasco

Pfc. Bradley Manning allegedly downloaded classified files from military networks and leaked them to the anti-secrecy website WikiLeaks.

Pfc. Bradley Manning allegedly downloaded classified files from military networks and leaked them to the anti-secrecy website WikiLeaks. // Patrick Semansky/AP

Since 2010, when Pfc. Bradley Manning allegedly downloaded classified files from military networks and leaked them to the anti-secrecy website WikiLeaks, the Pentagon has paid millions of dollars for technology designed to protect networks against insiders intent on leaking sensitive data -- the kind of activities former National Security Agency contractor Edward Snowden claims to have done in releasing classified files on the agency's spying operations.

NSA, which is part of the Defense Department, doesn't appear to have enabled those protections, despite earlier Pentagon assertions the technology was rolled out departmentwide.

The Host-Based Security System, launched in 2010, prevents the use of removable storage devices such as CDs and thumb drives on Defense Department networks. An NSA information technology official, who left the agency in the summer of 2012, said that at that time, HBSS was not installed

Between 2010 and early 2013, the military had spent at least $12 million on core implementation contracts, according to budget analysts. Going forward, the Defense Information Systems Agency, which provides IT support throughout the department, is expected to pay about $1.3 million annually for software licenses, said Ray Bjorklund, founder of BirchGrove Consulting.

Snowden, an NSA system administrator working for Booz Allen Hamilton until he was fired last month, allegedly transferred to a thumb drive classified information about how the agency tracks domestic call data and foreigners' Internet activities. 

"There's usually a collaboration between DISA and NSA on net security technologies," Bjorklund said, but "NSA may have been responsible for funding its own implementation under the DoD directive."

In fall 2010, Defense officials directed military components to ban downloading information onto removable devices from the military's secret network, using technologies such as HBSS. 

The move came after Manning, who as a low-level intelligence analyst based in Iraq in early 2010, allegedly downloaded to a CD classified files about the wars in Iraq and Afghanistan to release publicly on the anti-secrets website WikiLeaks.

A December 2010 memorandum from the Committee on National Security Systems, an interagency group that sets national policy, advised Defense organizations to “begin using physical configuration, software settings, a capability such as a Host-Based Security System (HBSS) (a DoD capability designed to address exploit traffic on network hosts)" or any combination of those approaches "to disable all 'write' privileges," meaning downloads, "for all forms of removable media devices" on national security systems. 

By early spring 2012, most Defense organizations had activated the technology.

Federal spending databases indicate a slew of contractors, including General Dynamics, Northrop Grumman, and now BAE Systems were hired to deploy the McAfee-developed HBSS. Booz Allen does not appear to be on military's payroll for this particular project. 

HP, NCI Information Systems and SAIC are among the vendors that individual military departments have commissioned for HBSS services, according to the databases.

NSA declined to say whether the agency had installed or activated HBSS. 

Threatwatch Alert

Network intrusion / Spear-phishing

Researchers: Bank-Targeting Malware Sales Rise in Dark Web Markets

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

    Download
  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

    Download
  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

    Download
  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security

    Download

When you download a report, your information may be shared with the underwriters of that document.