A Government Accountability Office (GAO) audit report released this weekdisclosed the Defense Department (DOD) has a mixed record of instituting numerous reforms that were ordered by President Obama after Pfc. Chelsea Manning, formerly known as Bradley Manning, leaked one of the largest caches of classified documents in US history, according to Ashden Fein, who prosecuted Manning, who is now serving 35 years in prison.
The prosecution of Manning for the unlawful disclosure of classified information to WikiLeaks was the largest national security and cybercrime investigation and prosecution in the history of the US Army.
“During the trial,” Fein told Homeland Security Today, “many senior government officials testified under oath about their personally observed damage, and they provided concrete examples of the impact directly resulting from Private Manning’s crimes.”
“Such damage included degraded trust and credibility with foreign interlocutors which caused a chilling effect in our diplomatic relations,” Fein said, noting that, “In regards to whether we can recover from Private Manning’s damaging actions, I believe there were never before seen resources expended to mitigate the impact of the disclosures which assisted with our recovery, but the recovery is ongoing today and subsequent disclosures from other leakers compound the problems that the United States government must continue to face.”
“The effects of Private Manning’s disclosures were felt at the operational and strategic levels militarily — especially considering the United States was in two theaters of war at the times of the disclosures — and diplomatically by impacting strategic bilateral military relationships and diplomatic relationships,” said Fein, who now is an associate in the Covington & Burling law firm’s privacy and data security, litigation, white collar defense and investigations and international trade practice groups.
Fein served 13 years in the United States Army as a military intelligence officer and later as a Major in the Judge Advocate General’s Corps. While on active duty, he specialized as a military prosecutor, gaining significant experience in complex litigation. In addition, he served as the Chief of the Criminal Division for a command of 17,000 soldiers and as a legal advisor for an Army Aviation organization deployed in Iraq. Fein currently serves as a Judge Advocate in the US Army Reserve.
Since 2010, GAO report, the United States has suffered grave damage to national security and an increased risk to the lives of US personnel due to unauthorized disclosures of classified information by individuals with authorized access to defense information systems. Congress and the President have issued requirements for structural reforms and a new program to address insider threats.
A 2014 House Committee on Armed Services report included a provision that GAO assess DOD’s efforts to protect its information and systems. The report “evaluates the extent to which DOD has implemented an insider-threat program that incorporates minimum standards and key elements; DOD and others have assessed DOD’s insider-threat program; and DOD has identified any technical and policy changes needed to protect against future insider threats. GAO reviewed studies, guidance and other documents; and interviewed officials regarding actions that DOD and a nonprobability sample of six DOD components have taken to address insider threats.”
GAO recommended DOD issue guidance to incorporate key elements into insider-threat programs, evaluate the extent to which programs address capability gaps, issue risk-assessment guidance and identify a program office to manage and oversee insider-threat programs.
DOD agreed — or partially agreed — with all of GAO’s recommendations, and described actions it plans to take. “However, DOD’s actions may not fully address the issues as discussed in the report,” GAO’s audit report stated.
GAO said “DOD components [it] selected for review have begun implementing insider-threat programs that incorporate the six minimum standards called for in Executive Order 13587 to protect classified information and systems. For example, the components have begun to provide insider-threat awareness training to all personnel with security clearances. In addition, the components have incorporated some of the actions associated with a framework of key elements that GAO developed from a White House report, an executive order, DOD guidance and reports, national security systems guidance and leading practices recommended by the National Insider Threat Task Force.”
“However,” GAO said, “the components have not consistently incorporated all recommended key elements. For example, three of the six components have developed a baseline of normal activity—a key element that could mitigate insider threats. DOD components have not consistently incorporated these key elements because DOD has not issued guidance that identifies recommended actions beyond the minimum standards that components should take to enhance their insider-threat programs.”
“Such guidance,” GAO said, “would assist DOD and its components in developing and strengthening insider-threat programs and better position the department to safeguard classified information and systems.”
Continuing, GAO’s audit determined that “DOD and others, such as the National Insider Threat Task Force, have assessed the department’s insider-threat program, but DOD has not analyzed gaps or incorporated risk assessments into the program. DOD officials believe that current assessments meet the intent of the statute that requires DOD to implement a continuing gap analysis. However, DOD has not evaluated and documented the extent to which the current assessments describe existing insider-threat program capabilities, as is required by the law.”
And, “Without such a documented evaluation, the department will not know whether its capabilities to address insider threats are adequate and address statutory requirements,” GAO said. “Further, national-level security guidance states that agencies, including DOD, should assess risk posture as part of insider-threat programs. GAO found that DOD components had not incorporated risk assessments because DOD had not provided guidance on how to incorporate risk assessments into components’ programs.”
But, “Until DOD issues guidance on incorporating risk assessments, DOD components may not conduct such assessments and thus not be able to determine whether security measures are adequate.”
Lastly, GAO reported that, “DOD components have identified technical and policy changes to help protect classified information and systems from insider threats in the future, but DOD is not consistently collecting this information to support management and oversight responsibilities. According to Office of the Under Secretary of Defense for Intelligence officials, they do not consistently collect this information because DOD has not identified a program office that is focused on overseeing the insider-threat program.”
“Without an identified program office dedicated to oversight of insider-threat programs,” GAO said, “DOD may not be able to ensure the collection of all needed information and could face challenges in establishing goals and in recommending resources and improvements to address insider threats.”
“Understanding what is publicly known about Private Manning’s background, it is promising to see [DOD] is continuing to develop programs that could better detect potential insider threats from the time of assessment and throughout an individual’s career, as such programs would likely have identify Private Manning earlier in his career,” Fein said.
The issue of insider threats — specifically leakers — is not just an issue for [DOD] and Intelligence Community,” he said, “but also, companies of all sizes are concerned about employees who might leak valuable information and they are developing similar insider threat prevention programs.”
Fein said, “It appears from the GAO report that individual DOD components are continuing to work on collecting the required indicators and identifying the technical controls to protect classified information and systems, and GAO identified that [DOD] does not appear to have a consolidated department-level effort focused on combatting these threats. This seems like the right progression because the DOD components are closer to the employees and the information, and have the ability to institute the appropriate controls to identify, assess, deter, prevent, detect and take action against insider threats.”
