Sep 20 2010

Pentagon’s INFOCON status doesn’t match “Buckshot Yankee” timeline

It's set wrong on purpose because they don't know how else to enforce COMPUSEC

I connected my USB “archives drive” to my laptop when I started writing this column. Specifically, I retrieved the Pentagon’s INFOCON status going back to 2005.

Know this: I’ve assembled data for years on the U.S. Department of Defense daily INFOCON status, along with threat-status data from computer security vendors who maintain their own color-coded “threat levels.” Quoting myself from a long-forgotten newsletter:

In January 2005, I posed a question to the folks who fix the daily popular alert status values. I made a simple request for a history log of each firm’s alert status. Of all the firms I contacted, ONLY Kaspersky Labs offered to provide a history log for their daily alert status. Some firms (e.g. SANS) didn’t even bother to respond. Others (e.g. ISS) claimed they could only provide a history log to people who subscribe to their intelligence products. The U.S. Air Intelligence Agency refused to provide a history log for reasons of national security. So, I assembled my own history log of the daily alert status for various firms…

“Why don’t you publish the INFOCON data you collected, Rob?” Because I’ll occupy a cell next to Pvt. “Wikileaks” Manning if I dare release my historical compilation of DoD’s INFOCON status. You see, multiple FOIA request denials from the Air Intelligence Agency clearly describe it as a classified product — this, despite the fact I compiled all of my data from public military sources:

“[The] INFOCON status for Robins [AFB] is posted on base gate marquees…”

  • Eielson AFB and Randolph AFB and Travis AFB posted the daily INFOCON status for all to see on their public websites;
  • The U.S. Navy announced the INFOCON status in press releases and in appropriations documents;
  • Incirlik AB published it for all to see in a weekly newspaper;
  • Robins AFB & Offutt AFB displayed the daily INFOCON for all to see on the marquee signs at their entry gates;
  • AAFES stores and Burger King restaurants at U.S. military installations all over the globe posted INFOCON signs at every entrance;
  • USAF’s 2001 public affairs contest included an amazing submission that revealed the exact moments when the Pentagon ratcheted up to INFOCON Alpha (10:20am) and INFOCON Bravo (4:25pm) following the 9/11/01 terror attack…

“You’re writing in the past tense, Rob. Give us something fresh.” Hey, not a problem! Right now, the Army’s HQ European Command website (archived here), and the Army’s USAG Baumholder website (archived here), and a chat room for the Navy’s C2CEN DET Suffolk, all show we’re at INFOCON 3. Ron Broersma, SPAWAR’s network security manager, briefed a bunch of salesmen this summer (archived here) on “new requirements” that came from the Pentagon’s decision to hold at INFOCON 3 for the long term…

Indeed, the Pentagon will even publish why they changed their INFOCON status. Let’s do some review, shall we?

  • This official message on the Marine Corps website (archived here) reveals the Pentagon ratcheted up to INFOCON 3 on 22 November 2008; and
  • This “FOUO” Army lecture (archived here) reveals the Pentagon threw a fit over USB thumb drives at that same time.

COMPUSEC surety must be breaking down in ways similar to the recent breakdown of NUCSEC surety.

So, “yes,” the Pentagon’s INFOCON history for 2008 matches what U.S. Deputy Secretary of Defense William J. Lynn III “declassified” for the world to see & fear

—yet as you can see on this status page at the Army’s HQ European Command website (archived here), the Pentagon hasn’t changed its justification for INFOCON 3 since Operation Buckshot Yankee wrapped up.

Buckshot Yankee must be long over, as the Pentagon won’t declassify an ongoing cyber-intelligence operation. The “ENDOP” occurred around January 2010, as Lynn tells us it took 14 months to clean up agent.btz.

This forces us to ask a philosophical question:

If Buckshot Yankee ended so long ago, then why didn’t the reason for INFOCON 3 change with it?

It doesn’t take nine months to update a near-real-time status indicator, folks.

As I said in a previous column, Lynn revealed (without meaning to do so) that callous military personnel turned USB devices into a rogue cross-domain solution. This makes sense: a thumb drive lets them quickly move data between the “enclaves” (i.e. airgap networks) known as NIPRNET and SIPRNET and JWICS. It’s called an “enclave barrier violation” if you fail to follow extremely rigid procedures.

This is exactly what Pvt. “Wikileaks” Manning is accused of: he allegedly violated an enclave barrier.

Regardless if you do it on purpose or just by accident, an enclave barrier violation “causes {{exceptionally} grave} damage to the national security of the United States of America.” It’s supposed to be a really big huge giant colossal enormous career-ending no-no—

—except the savvy Beltway reader will notice we don’t hear about a court-martial or an Article 15 for any military person who circumvented enclave barriers by accident or in a misguided effort to “get the job done.” Rather, we hear only about “agent.btz” and “Buckshot Yankee” and one soldier with malice aforethought.

People are only human; they make mistakes. Back during the Cold War (aka the “typewriter era”), the U.S. military anticipated one accidental enclave barrier violation per year for every 1,000 troops. Let’s use this old rule of thumb to decipher what we’re not being told.

The Air Force, for example, deploys 26,000 airmen to USCENTCOM on any given day. So, using the old rule of thumb, the flyboys alone should expect one accidental violation every other week.

Now let’s use a simple round-total of 104,000 deployed troops. Under the old rule of thumb, USCENTCOM would anticipate at least two accidental enclave barrier violations per week. Let’s double that number, seeing as how Lynn revealed (without meaning to do so) that callous military personnel turned USB devices into a rogue cross-domain solution.

Nine years of war multiplied by four enclave barrier violations per week equals 1,872 events in USCENTCOM. “Wow.”

Hundreds of thousands of combatants with high security clearances … serving in the world’s most networked military … fighting a war non-stop around the globe and on two fronts for nearly a decade … yet we hear nothing at all about accidental enclave barrier violations involving a computer peripheral. We hear nothing at all about a court-martial or an Article 15 or even just an officer relieved of command.

The silence is deafening, folks.

This total is so large, we can speculate there must no longer be a formal punishment for COMPUSEC violations. We can say this because no one compares & contrasts Pvt. “Wikileaks” Manning to the estimated 1,872 troops who violated enclave barriers by accident.

This utter lack of punishment is a vital piece of the puzzle. It gives Pvt. Manning’s legal team some ammunition. It lets us speculate two things with high certainty:

  1. A systemic breakdown of COMPUSEC surety has crept into the Pentagon’s cyber operations like a noxious weed. Its roots must go all the way up & down the chains of command. It might be global in scope by now.
  2. Shallow thinkers inside the Pentagon purposely left the INFOCON set for an invalid reason — perhaps even set for an invalid level! — because they don’t know how else to enforce COMPUSEC among military computer users.

You’ll notice Lynn focused on USCENTCOM in his “declassified” hype. Nine years of troops deployed to war zones convinces me COMPUSEC surety must be breaking down at a much faster rate in Iraq & Afghanistan, and in ways similar to the recent breakdown of NUCSEC surety at nuclear bomber wings.

Can you say “fraud, waste, and abuse”? The people who control the INFOCON status are lying to the rest of the Pentagon, and we know INFOCON 3 costs a lot of excess money.

We can go on to speculate this breakdown of COMPUSEC surety has re-manifested itself in the form of a waiver for senior officers:

  • By now, general officers certainly must enjoy a blanket waiver to use USB thumb drives. You can only annoy the “flag corps” for a very short while.
  • The generals’ personal staffs, too, almost certainly fall under the same waivers as their bosses.
  • Colonels at the wing / brigade levels by now almost certainly enjoy waivers to use USB thumb drives. So, too, would their executive officers.
  • The intelligence directorates always need the very latest technology to do their jobs, so they’ve probably got the most waivers of all.
  • We can expect the top communications officer at every base enjoys a waiver to use USB thumb drives…

All these waivers destroy the rationale for maintaining an invalid INFOCON status / level. “How come, Rob?” Because the Pentagon banned USBs for being too convenient; each waiver returns that convenience.

Did you ever set your alarm clock five minutes ahead because you couldn’t get out of bed on time? You were lying to yourself about what time it was when the buzzer went off. It worked a few times, but then you realized “oh yeah, I’ve got five more minutes…” And wasn’t that exactly the same problem you tried to solve by lying to yourself?

Every waiver that lets military personnel use USB thumb drives leads to the very same problem Lynn & his crew tried to solve when they first banned—

Memo to the Pentagon: you can’t fix poor self-discipline by lying to yourself.

—uh-oh! We can speculate enclave barrier violations are rising again. “Ouch.”

Ah, but here’s the kicker. We can only believe these waivers fall under the notion of RHIP (“rank has its privileges”). This means we can assume enclave barrier violations now take place on average at a much higher rank level. I’m so confident about this, I’ll bet Deputy Secretary Lynn a waivered general has violated an enclave barrier with a USB thumb drive.

Want another kicker? Let’s ask another philosophical question:

If 1,872 troops didn’t even get an Article 15 for violating enclave barriers … then what is the punishment for these offenses?

“Good question, Rob. What do you think it might be?” It can only be something along the lines of a boxer’s warning or a yellow flag or a Form 341:

“Lieutenant Holland, I know you mean well, but you can’t use a thumb drive to copy files from SIPRNET to NIPRNET. If you keep this up, I’ll be compelled to report you to the captain. I can’t keep looking the other way every time you get in a hurry! Did you even check this thumb drive for viruses before putting it on SIPRNET?”

A Google search for “COMPUSEC surety” produced zero hits. Tsk, tsk. “But Rob,” you interject. “There’s a bunch of hits for ‘cyber surety.’ What’s the difference?”

Let’s consider the difference between “nuclear surety” and “NUCSEC surety.” Back in 2007 the Air Force could put nuclear bombs on target but they couldn’t properly guard the weapons. Defense Secretary Robert Gates fired his top Air Force general and the Secretary of the Air Force over it.

Thanks to Lynn’s “declassified” hype, we can speculate USCENTCOM moves classified data at light speed but they can’t properly guard the data. If “cyber” is as important as Lynn claims, then his boss needs to fire somebody over this breakdown of COMPUSEC surety.

But wait! What if this COMPUSEC surety problem goes beyond the general officers? What if, say, a waivered Deputy Secretary or a member of his staff violated an enclave barrier with a USB thumb drive? Consider the following circumstantial evidence:

I subscribe to the RSS feeds for Air Force press releases & photos. On August 25, every photo caption for Air Force Secretary Michael Donley accidentally revealed a directive that Donley must personally approve all photos of himself before release.

I won’t take bets on it, but my hunch tells me another classified photo-op went awry a few weeks ago. Maybe someone in Donley’s posse plugged a USB thumb drive into a SIPRNET computer to snag a cool-looking photo? Who knows…

I repeat today’s headline when I say the Pentagon’s INFOCON status doesn’t match their “Buckshot Yankee” timeline. Personally, I don’t think Deputy Secretary Lynn lied to us — I think he got duped by the shallow groupthink.

But regardless if Lynn lied or not, we do know the #2 man at the Pentagon can’t see the institutionalized failure of CRM; he can’t see the forest for the trees. Lynn is part of the problem, not part of the solution.

Remember this when one of Lynn’s successors declassifies a second cyber-instigated fratricide event.