Security Controls At Their Worst?

The Pentagon has launched a "very robust investigation" into the source of the leak of more than 90,000 classified documents on the war in Afghanistan, <a href="http://www.cbsnews.com/stories/2010/07/27/earlyshow/main6716974.shtml">Geoff Morrell told CBS' The Early Show</a> Tuesday, but what few are discussing is how the source got away with it.

We can pretty much figure that the leak happened via military networks (it would be a long shot that 90,000 documents were hand delivered as hard copies, though even then the source would have had to access them from classified computer applications). But beyond that, questions remain: Did the source download the documents to an attached storage device and then send them via a personal email, or was he bolder still -- sending them directly from a federal account? In either case, why on earth were security controls not in place to prevent the download and/or transfer of classified documents? Furthermore, did the source actually need access to 90,000 documents or was this an (epic) failure to implement access controls?

And perhaps most significant: Shouldn't the Pentagon be able to identify the source of the leaks by checking the network logs to see who accessed the documents? Maybe that's exactly what's involved with the "very robust investigation" that Morrell mentioned, though one would think -- if an option -- it could have been done already.

Marc Ambinder, the politics editor at The Atlantic, Nextgov.com's sister publication, wrote in June that Army Specialist Bradley Manning had been outed by an informant as the source behind Wikileaks' best scoops, including its "Collateral Murder" video that shows a killing of journalists by U.S. soldiers. Manning supposedly bragged to the reformed hacker that "weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis" created a perfect storm for him to exfiltrate "possibly the largest data spillage in American history."

Apparently, that perfect storm rages on.
