Security at State: Hamburgers and Mud
Security and the State Department go together like hamburgers and mud. Over the years, State has leaked like an old boot. One of its most hilarious security breaches took place when an unknown person walked into the Secretary of State's outer office and grabbed a pile of classified documents. From the vast trove of missing classified laptops to bugging devices found in its secure conference rooms, from high ranking officials trading secrets in Vienna to top diplomats dallying with spies in Taiwan, even the publicly available list is long and ugly.
Of course, nothing compares to what history will no doubt record as the most significant outpouring of classified material ever, the dump of hundreds of thousands of cables that are now on display on WikiLeaks and its mushroom-like mirror sites. The Bureau of Diplomatic Security (an oxymoron if there ever was one) is supposed to protect our American diplomats by securing State's secrets, and over time they just haven't done very well at that.
The State Department and its Bureau of Diplomatic Security never took responsibility for their part in the loss of all those cables, never acknowledged their own mistakes or porous security measures. No one will ever be fired at State because of WikiLeaks -- except, at some point, possibly me. Instead, State joined in the Federal mugging of Army Private Bradley Manning, the person alleged to have copied the cables onto a Lady Gaga CD while sitting in the Iraqi desert.
That all those cables were available electronically to everyone from the Secretary of State to a lowly Army private was the result of a clumsy post-9/11 decision at the highest levels of the State Department to quickly make up for information-sharing shortcomings. Trying to please an angry Bush White House, State went from sharing almost nothing to sharing almost everything overnight. They flung their whole library onto the government's classified intranet, SIPRnet, making it available to hundreds of thousands of Federal employees worldwide. It is usually not a good idea to make classified information that broadly available when you cannot control who gets access to it outside your own organization. The intelligence agencies and the military certainly did no such thing on SIPRnet, before or after 9/11.
State did not restrict access. If you were in, you could see it all. There was no safeguard to ask why someone in the Army in Iraq in 2010 needed to see reporting from 1980s Iceland. Even inside their own organization, State requires its employees to "subscribe" to classified cables by topic, creating a record of what you see and limiting access by justifiable need. A guy who works on trade issues for Morocco might need to explain why he asked for political-military reports from Chile.
Most for-pay porn sites limit the amount of data that can be downloaded. Not State. Once those cables were available on SIPRnet, no alarms or restrictions were implemented so that low-level users couldn't just download terabytes of classified data. If any activity logs were kept, it does not look like anyone checked them.
A few classified State Department cables will include sourcing, details on from whom or how information was collected. This source data allows an informed reader to judge the veracity of the information; was the source on a country's nuclear plans a street vendor or a high military officer? Despite the sometimes life-or-death nature of protecting sources (though some argue this is overstated), State simply dumped its hundreds of thousands of cables online unredacted, leaving source names there, all pink and naked in the sun.
Then again, history shows that technical security is just not State's game, which means the Wikileaks uproar is less of a surprise in context. For example,in 2006, news reports indicated that State's computer systems were massively hacked by Chinese computer geeks. In 2008, State data disclosures led to an identity theft scheme only uncovered through a fluke arrest by the Washington D.C. cops. Before it was closed down in 2009, snooping on private passport records was a popular intramural activity at the State Department, widely known and casually accepted. In 2011, contractors using fake identities appear to have downloaded 250,000 internal medical records of State Department employees, including mine.
Wishing Isn't a Strategy, Hope Isn't a Plan
Despite their own shortcomings, State and its Bureau of Diplomatic Security take this position: if we shut our eyes tightly enough, there is no Wikileaks. (The morning news summary at State includes this message: "Due to the security classification of many documents, the Daily Addendum will not include news clips that are generated by leaked cables by the website WikiLeaks.")
The corollary to such a position evidently goes something like this: since we won't punish our own technical security people or the big shots who approved the whole flawed scheme in the first place, and the damned First Amendment doesn't allow us to punish the New York Times, let's just punish one of our own employees for looking at, creating links to, and discussing stuff on the web -- and while he was at it, writing an accurate, first-hand, and critical account of the disastrous, if often farcical, American project in Iraq.
That's what frustrated bullies do -- they pick on the ones they think they can get away with beating up. The advantage of all this? It gets rid of a "troublemaker," and the Bureau of Diplomatic Security people can claim that they are "doing something" about the WikiLeaks drip that continues even while they fiddle. Of course, it also chills free speech, sending a message to other employees about the price of speaking plainly.
Now does that make sense? Only inside the world of Diplomatic Security, and historically it always has.
For example, Diplomatic Security famously took into custody the color slides reproduced in the Foreign Service Journal showing an open copy of one of the Government's most sensitive intelligence documents, albeit only after the photos were published and distributed in the thousands. Similarly DS made it a crime to take photos of the giant U.S. Embassy compound in Baghdad, but only after the architecture firm building it posted sketches of the Embassy online; a Google search will still reveal many of those images; others who served in Iraq have posted them on their unsecured Facebook pages.
Imagine this: State's employees are still blocked by a firewall from looking at websites that carry or simply write about and refer to WikiLeaks documents, including TomDispatch.com, which is publishing this piece. (That, in turn, means my colleagues at State won't be able to read this -- except on the sly.)