This is part of a larger Federal Times 50-year anniversary project, showcasing the historic events from the last five decades that most shaped how government operates. Go to federaltimes.com/50 to see more of our coverage as it rolls out in December and the first part of 2016.
Discussions on tackling the cybersecurity threat are happening at every federal agency today. However, all too often those discussions bypass the most prevalent and potentially destructive vulnerability in any organization: the employees.
At no time was this threat more front-and-center than with the leaks propagated in 2010 by Chelsea Manning, known as U.S. Army soldier Bradley Manning at the time, and in 2013 by government contractor Edward Snowden. Both had dramatic impact on the way federal managers view employees and contractors, and resulted in revelations about intelligence gathering that led to significant changes in the way the government operates. That in itself proved the power of these actions, right or wrong.
Disgruntled employees and those motivated by a crisis of conscience released classified or sensitive information in the past, however the breadth of these leaks and their ramifications make them notable.
“What happened with those situations, to me, really demonstrate the quintessential insider threat, about what happens within a department and an agency,” said Karen Evans, national director of the U.S. Cyber Challenge and former administrator of OMB’s Office of E-Gov under President George W. Bush. “Everybody kind of lumps them together but they’re actually two different approaches that show how an agency really needs to think about their security and what they should be doing.”
When Army Pfc. Manning gave classified military information to WikiLeaks in 2010, it wasn’t a single document, as with the infamous Pentagon Papers in 1971. Manning released hundreds of thousands of documents about U.S. military actions in Iraq and Afghanistan, including diplomatic messages and video recordings of airstrikes.
Not only was the breadth of the leak staggering for the time, it also highlighted a security flaw that cropped up in the response to the terrorist attacks of Sept. 11, 2001.
After the attacks, government agencies moved to open the silos to share more information about potential threats in the hopes of preventing the next attack. Agencies began uploading information to a classified network, giving broad access to federal employees from the State Department to the intelligence community, as well as the Army.
“We didn’t want to be the agency that didn’t have the information out there that was key to catching the next terrorist. So that [meant] maximizing information sharing,” Evans said. “The question should have been asked, why was an Army private accessing State Department data – was there really a need?”
The Manning situation illustrates the importance of role-based access in cybersecurity. A secure system should go beyond authenticating a user with a password and PIV card to restricting where they go on a network and what files they can see.
Many federal agencies got that message and began implementing such controls. Others still lag behind, though insider threat programs and tools from initiatives like the Continuous Diagnostics and Mitigation (CDM) program are beginning to take hold.
The case with Manning “was the pendulum swinging totally in the opposite direction to maximized information sharing,” Evans said. “It maximized it all right: he got into an information holding that he shouldn’t of and that’s how it ended up on WikiLeaks.”
Some view Manning as a hero, crediting the leaks with sparking revolutionary movements such as the Arab Spring later that year. Others, including a military court, considered the disclosures criminal. Manning was convicted on several charges of espionage and theft in 2013 and later sentenced to 35 years in prison.
Similarly, in 2013, then-CIA contractor Snowden removed thousands of documents from a classified National Security Agency network and released them to journalists, exposing the government’s massive digital surveillance programs.
The revelations of mass data collection, surveillance, espionage and more sparked a backlash the federal government – in particularly the Intelligence Community and law enforcement agencies – is still dealing with today.
“The effect [was to damage] the public’s trust in the government when both of these situations occurred,” Evans said.
She cited the Snowden leaks in particular, which continue to raise questions from the public. “What is the appropriate role for the government? What kind of information holdings should the government have?”
The leak spurred a debate around surveillance measures and a number of provisions in the USA PATRIOT Act, a bill that granted intelligence agencies wide new powers in the wake of the Sept. 11 attacks.
That debate came to a head this summer with the passage of the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring – or the USA FREEDOM Act – which, as the name implies, rolled back a number of the more contentious sections of the PATRIOT Act.
These two massive leaks showed the power whistleblowers have to affect change. However, the method by which the information was released can be questioned.
“There are ways that you can raise these issues to levels of management within the government so that you can bring resolution or you can highlight them,” Evans said, pointing to existing oversight and whistleblower statutes. “We should have those discussions. But the way that it should be brought out should be in a more positive way.”
Right or wrong in their methods, Manning and Snowden both forced the country to have difficult discussions. At the same time, they forced federal managers to rethink access management and the trust they put in their employees.