Category Archives: WikiLeaks

The much-anticipated hearing for accused leaker Bradley Manning starts today. This is not a trial for establishing guilt or innocence, but rather the military equivalent of a grand jury hearing — giving prosecutors and defense the opportunity to present information, intended to convince a judge that there is enough to proceed to a trial.

There’s been a tremendous amount of media coverage and protest around this, related to both Manning’s actions, as well as the government’s treatment of the accused.  Staying away from the political aspects of these,  we’ll be monitoring the Information Security aspects of the hearing.  Portions of the hearing will be open to journalists, while some will be closed to the public, due to security considerations.

The Guardian has a good overview, here , and their journalist @Edpilkington  is live tweeting the trial.

Next week’s military assignment of accused leaker Bradley Manning promises to be interesting at many different levels, with defense and prosecution sparring in the press over witnesses and legal strategies. Putting aside the political and legal aspects, we will be watching this closely to see how much of a role access management plays, and to find some answers to questions that are relevant to us as practitioners in this space.  Specifically, did the Army know what classified information Private Manning had access to? Would they have been able to effectively restrict his access to it, had they chosen to do so? Did they try, and fail to prevent this? Was there a sufficiently well-thought out and well-executed data security strategy in place, for this sensitive information?

According to publicly released defense documents[1], the Army was not doing an at-all adequate job in securing the data resources on shared, secure systems  – one of the witnesses “will testify that the information assurance procedures were not being followed by the brigade” and that “the brigade did not have an Approval to Operate (ATO) or an Interim Approval to Operate (IATO) for their network. Additionally, the brigade did not receive a formal IA [Information Assurance] certification and accreditation inspection during its tour, contrary to the guidance in MNF-I Directives”[2].

Like many of the enterprises I speak with, this organization had both internal and external information security guidelines, and was not doing a good-enough job meeting them. Could an effective Access Governance solution have prevented these leaks from occurring?  This certainly appears to be the case, and we look forward to learning more next week, as the hearing begins.

[1] DEFENSE REQUEST FOR ARTICLE 32 WITNESSES http://www.wired.com/images_blogs/threatlevel/2011/12/Defense-Article-32-Witness-List.pdf
[2] ibid, page 9

Private Bradley Manning, who has been charged with 22 counts associated with the leaks of classified information to WikiLeaks, will be facing a pre-trial hearing starting December 16, during which his defense attorneys plan to call 50 witnesses to testify. Most of this will be open to the public, and will likely be covered in-depth by the media.

From an information security perspective, I’m particularly interested in seeing how much of a role access management plays in both the prosecution and defense arguments. According to a Wired Magazine article, expert testimony “might include assessments of forensic evidence from classified networks and databases that contained the sensitive documents Manning is charged with downloading and leaking.”

We’ll be using this blog to discuss the information security aspects of the trial, and explore any implications to the larger identity management industry.