Tuesday, March 04, 2008

How did those classified emails get out?

The Register is reporting that the owner of mildenhall.com, a site for the town of Mildenhall, England, has been getting thousands of emails intended for people at Mildenhall Air Force Base, including many that are classified and include sensitive information such as the path of Air Force One.

What I can't figure out is how the emails got there. The US military runs several separate networks - NIPRNet for unclassified stuff, SIPRNet for Secret, and then various other networks that are more highly classified. If the information is classified (and from the descriptions, it probably should be), it should have been on SIPRNet. There are "guards" (automated or semi-automated transfer devices that do content-based filtering) that allow limited flow of information between network classifications.

So one of a few things happened:
  • The information wasn't classified, but probably should have been. Unlikely, given that the current administration is much more likely to over-classify than under-classify information.
  • The information was classified, but for some reason was on the NIPRNet, instead of SIPRNet (or higher). Maybe someone felt they absolutely had to get the information to Mildenhall AFB, and couldn't wait for the normal channels, so they took a shortcut.
  • The guards weren't in place.
  • The messages are bypassing the guards.
  • The automated part of the guards that is supposed to be filtering the data isn't working correctly, approving release of information that shouldn't be released.
  • The "semi" part of the semi-automated guards made bad decisions (i.e., the person reviewing the data for release approved things that shouldn't have been). Given the tens of thousands of messages involved, this seems unlikely.

Without knowing what actually happened (and I doubt we ever will - the Department of Defense is nothing if not tight-lipped), it's impossible to come up with lessons learned. But clearly something went quite wrong. And whether it was a personnel security failure or a computer system failure, it shouldn't take years to accomplish.

And it's worth pointing out that the problem isn't actually solved! All that happened is that the owner of mildenhall.com gave up on his site - the messages are still flowing across the Internet unencrypted, and to whoever the new owner of mildenhall.com is. The suggestions from the Department of Defense that mildenhall.com block messages coming from DoD sites are ridiculous - they shouldn't be sending out the classified information in the first place!

