While attending the court-martial of Pfc. Bradley Manning in Fort Meade yesterday, I was reminded once again that the biggest security breach in US history was as challenging and intricate as instant coffee. Witness after witness from the subcontracted world of “information assurance” took the stand to declaim the military’s ironclad information security (“InfoSec”) protocols and to also mumble about how these rules were never enforced. Installing the instant-message chat program mIRC may have been “not authorized,” but that didn’t keep the military itself from issuing bulletins on how to install it. Reporters from The Guardian long ago sketched the scene in the “SCIF”—“senstitive compartmented information facility”—at FOB Hammer where Manning worked in Army Intelligence as a scene of freshman-dorm indiscipline, with passwords posted on sticky-notes and everyone watching movies and playing online games, against the regs, on their computers. Manning famously exfiltrated the files on CD-ROMs in Lady Gaga drag, got them onto a memory stick which he later uploaded in his secret hideout, a busy Barnes & Noble in suburban Maryland, over an open WiFi signal. There really was no infosec to speak of at Pfc. Manning’s deployment, and the selectivity of punishing him for unauthorized behavior that was pandemic—if not as bold and meaningful as his—will surely come into play when it’s sentencing time.
A bigger question: Why are so many massive national security breaches ridiculously easy?
Consider the crack commando unit that busted into the Y-12 National Security Complex (famous for its uranium processing) in Oak Ridge,Tennessee, last July. By “crack commando unit”: I mean an 82-year-old nun, a housepainter and a man who listed his occupation as “drifter.” And yet these three members of the Transform Now Ploughshares Catholic peace community made it through three layers of security, James Bond–style (hardware-store bolt-cutters through chainlink fence) before eventually being happened upon by security guard Kirk Garland. (Garland was the only one at Oak Ridge fired for the breach; his very creditable lapse was not pulling his gun on the activists.) Sister Megan Rice, Michael Walli and Greg Boertje-Obed, I salute your courage, your message of peace and your mockery of the security at our nuclear facilities.
Airport security, it grows ever more intrusive with porno-scanners, pat downs and ten-plus years of gratuitous shoe removal in what few experts consider to be more than gestural security theater. Have our airports been secured? Ask Daniel Castillo, who accidentally beached his malfunctioning jetski on the embanked border of JFK Airport in New York last summer, climbed over an eight-foot fence and walked across two runways in a fluorescent yellow vest before anyone noticed him. Or the drunk driver who crashed his SUV through a fence and onto a runway at Philadelphia International Airport in March last year. And these two guys weren’t even trying!
But it’s infosec that’s the biggest joke of all. Our government sporadically bestirs itself to prosecute an Aaron Swartz or a Bradley Manning in a vain attempt to look serious. But the way the feds and the military handle information is as sloshy as a tray at the height of Oktoberfest. US military hard drives full of classified material, for sale at the Kabul bazaar! Documents about US war crimes in Iraq turning up at the town dump! Leon Panetta spewing, Tourettes-style, operational intelligence to Hollywood people and a top-secret Navy SEAL identity before an audience of a thousand people! Dana Priest and William Arkin in their fine recent study of grotesque secrecy bloat, Top Secret America, note that all sorts of classified material works its way onto the web, often because the senior intelligence officials don’t understand the file-sharing software that their kids install on their laptops.
“Don’t they vet these people?” has been a common indignant snort in response to the disclosures from contractor Edward Snowden. The truth is, there are 1.4 million people with top-secret security clearance, and you simply cannot vet 1.4 million people in any thorough way. Ben Franklin once said that three can keep a secret, if two are dead. Who are we kidding? Any piece of information that 1.4 million people are authorized to get at is really not a secret.
I write this not to bemoan the sluicing porosity of our national security apparatus—that’s exactly how we find out so much essential information that we need to keep our government in line. Keep the leaks flowing! In the meantime, the self-impressed panjandrums of our national security state might quit pretending that their half-assed security measures are anything other than a public nuisance, whether at the airport or in the world of intel. It’s almost axiomatic: authoritarian states that try too hard at controlling everything end up providing little security—remember when an 18-year-old West German kid flew his single-engine airplane to Moscow and landed next to Red Square? (Matthias Rust signed autographs and shook hands for two hours before anyone arrested him.)
We do not want to become more like Sovietized Eastern Europe, we want to be less like those unhappy nations. We could start by releasing about 99 percent of what’s currently classified, and put genuine security measures around the tiny amount of state secrets that are legitimate. It will only make us safer.
(Further reading: Anything security-related by John Mueller, that rare national security expert who is not an preening piece of fraudulence; Mueller’s a political scientist at Ohio State who has been writing about this stuff with great élan since long before 9/11/01.)
UPDATE: Slate’s Fred Kaplan asks on Twitter, given that national security breaches are so easy, why are they so rare?