The Lessons of PFC Manning

Make no mistake: PFC Manning made some very bad decisions and he should pay a very heavy price. Taking a step back, however, one can see that in his betrayal he has done something of a public service for both the security and operational communities in both the military, government, and commercial world.

Lesson number one is that your current computer security regime is probably a waste of time and effort. Even in what should have been an extremely secure environment, computer security was something approaching a joke. If Manning’s M.O. is confirmed, there was a complete security breakdown. Military necessity has always trumped certain non-combat-related protocols during wartime, but being able to run roughshod through Top Secret networks and rip classified material to cracked music CDs beggars belief. No amount of briefings, posters, forms and extra-duties will remedy this problem.

Next: you can’t ensure the confidentiality or integrity of anything on SIPRnet or JWICS (private sector entities who find themselves with a similar insider threat issue, insert your own network here). There are intelligence community agencies that don’t like to use SIPRnet, the military’s secret-level network, because they think it isn’t nearly as secure as it should be. PFC Manning has demonstrated that neither is the military’s top secret-level network. The intelligence posted to JWICS by any DOD-intelligence activity (which is most of the intelligence community) has been at risk for who knows how long. If one misguided, low-level troop can do what he is alleged to have done, I don’t even want to think about what a determined adversary – or an agent-in-place – could have been doing all this time.

Finally, more certifications and billions of dollars worth of grand strategies will not improve security. Ten CNCIs would not have stopped this, only a fundamental change in culture – both operational and security – would have worked. To the best of my knowledge, money doesn’t fund the widespread dissemination of good security ideas; it just buys more of the same boxes, software and bodies to reinforce the same dysfunctional security models.

If we are truly serious about improving computer security, if we don’t want $17 Billion in CNCI money to go completely to waste, if we are finally tired of shooting our own feet while trekking towards security nirvana, we need to pay attention to reality, design our security solutions accordingly.

If your approach to security impedes a unit’s (company, agency, etc.) ability to operate effectively, you’re doing it wrong. Security that presumes a condition or series of conditions that do not exist in the real world – much less combat environments – will fail. The people who need to get things done will intentionally cause it to fail . . . in order to get things done. This is not an original thought, but it one that needs to be revised in both military, government, and business circles. Good security is not perfect, it is good enough for what you need to do, what environment you are operating in, and for the duration of your decision-making cycle.

Presume your adversaries know everything you do at this point: react accordingly. Things are fairly speculative at this point, but when the damage assessment is done I’m fairly sure most sane people involved will probably walk away thinking there is no way to verify the confidentiality or integrity of any piece of information on SIPRnet or JWICS. I think that makes this a perfect time to implement some living intelligence solution. Maintaining the static production model gives our adversaries the advantage, because what was a mystery is now history and their Pentagon-ology skills have just gotten a huge boost. An environment of living intelligence also makes spy/leak hunting a lot easier by allowing a more granular view of who accessed what, when.

Clinging to outmoded security models and approaches is only going to end up endangering soldiers and national security because no one will adhere to them when they are needed most. Stop focusing on moats and walls because the enemy is already inside the wire (literally and figuratively). Most arguments against change – radical or incremental – don’t carry a lot of weight because they presume that what was done to date made us secure. What was done to date made us more insecure than ever; doing more of the same won’t bring improvement.

My greatest concern is that when he is in prison and the final chapter on the story of his actions is written, our “solution” will be more strongly-worded policy, more stringent procedures, more paperwork . . . all of which will promptly be ignored the next time the operational need demands it. We’ll carry on – business as usual – thinking that now we’re safe and secure in our own digital cloister, when in fact we’re simply doing more of the same things that got us in trouble in the first place. The tragedy here is not that we were undone by a shit-bird GI who didn’t have his head screwed on straight, it’s that we will ignore what he is teaching us.

How Many Holes in a Gohor Stick?

I’ve never used Palantir. I’ve never used DCGS-A. When I started as an Analyst you (no-shit) used pencil and paper (and a thing called a guhor stick…but that’s a lewd joke for another day). The kerfuffle over Palatir vs. DCGS-A reminds me of the days when computers started making in-roads in analysis shops, and I hope everyone involved can remember some of those lessons learned.

Now my working world in those early days wasn’t entirely computer-free, but back then computers were where you stored data and recorded activity and typed up reports, you didn’t “link” things together and you certainly didn’t draw, graph or do anything anyone coming up in the business today would recognize as computer-oriented.

If there was a quantum leap in the utility computers gave to analysis it was this application called Analyst Notebook. Analyst Notebook would take in the data you had already entered into some other system (assuming you could get it out of said system), and kick out diagrams and pictures that let you make quick sense of who was talking to whom, what happened when, and identify connections or anomalies you may have missed staring into a green screen at row after row, column after column of letters and numbers.

That’s the key here: Analyst Notebook, Palantir, etc. are Analyst’s tools, they are not analysis tools. Is that a distinction without a difference? I’m not aware of any software application that will think on your behalf. I’m not aware of anyone in the military or IC who would trust answers produced entirely by an algorithm and without human interpretation or enhancement. If you could computerize analysis you wouldn’t have a headcount problem in the IC. Analyst Notebook, Palantir, DCGS-A . . . they’re all tools, and if you’ve been working with hand tools all your life and suddenly someone hands you a Skil saw, of course you’re going to think the Skil saw was sent from heaven.

Now, is the government notorious for producing bloated, expensive, minimally functional software that everyone hates to use (when it works at all)? We don’t have time to go into all the examples, but the answer is ‘yes.’ If I offer you tool A OR tool B when you’ve been using tool C, which are you going to choose? Does that make your other choice crap? Of course not.

It sounds to me like if there is a 800 lb gorilla in the room it’s usability, and if there is one thing that commercial apps excel at its the user experience. Think about the Google interface, and then think about a data retrieval system fielded in the 70s, and you tell me what your average analyst would rather use…

If the ultimate requirement is capability, then the answer is simple: hold a shoot-out and may the best app win. Pretty-but-sub-capable isn’t going to cut it; functional-but-frustrating isn’t either. If DCGS-A is all that, they should be big enough to learn from what Palantir does well; If Palantir is really about saving lives and national defense, they ought to be big enough to implement what GIs need most. Competition raises everyone’s game, but this isn’t about .com vs .gov, it’s about lives.

Mission First, People Always

Not going to repeat the now well-worn story of Walter Reed-related issues, merely wanted to take a minute to point out a trend and offer up a lesson.

There was a time when, while serving on active duty, the Army just decided to stop paying me. Never did figure out what happened, the checks just stopped coming. I worked through the chain. I trusted it. I accepted the fact that things move slowly in the Army. I waited. I followed up. I waited some more. I exhausted every internal option available to me as I watched my savings dwindle (the chow hall was great, but I still had other bills to pay).  When loan defaults loomed I wrote my Senator who at the time was Army veteran Daniel Inouye.

Roughly 72 hours later I had a check for all my back pay and a line outside my barracks room door of members of my chain of command from battalion-level on down asking if everything was OK, and would I please work through the chain of command to resolve future problems ’cause we really get the heebie jeebies when Senator’s offices call.

The pay problems of one buck sergeant don’t compare to the woes of outpatients at Walter Reed, but this story – and many others any GI will be happy to relate to you – are indicative of the general mindset of those at the top. Nothing is their problem (“If you sloppy GI’s wouldn’t keep food in your rooms there wouldn’t be a rat problem”)  until someone makes it their problem, and that “someone” is never going to be someone they outrank. The operative phrase is “mission first, people always” until people do what people do and then it becomes “people whenever.”

Under different circumstances I’m sure everyone highest levels of Army medicine and the Department of the Army are great folks, but that they responded in typical Army fashion to this situation is beyond shameful. I hope this serves as a lesson for a wider variety of defense and national security leadership: fat lot of good your big initiatives are going to be if you are undone by the little things.

On accountability

That’s what I’m talkin’ about!

Maj. Gen. George W. Weightman, commanding general of the North
Atlantic Regional Medical Command and Walter Reed Army Medical Center,
was relieved of command at 10 a.m. Thursday by Secretary of the Army
Dr. Francis Harvey, according to an Army press release. […]

Weightman
was informed this morning that the senior Army leadership had lost
trust and confidence in the commander’s leadership abilities to address
needed solutions for soldier-outpatient care at Walter Reed Army
Medical Center.

It has been a long time since a senior Army officer has taken been forced to accept responsibility for his actions or inactions. General Colonel Karpinski is the only one in recent memory. The Navy, by contrast, regularly sends commanders packing for running aground, bumping into fishing boats, etc.

The MFIC sits on a three-legged stool (authority, responsibility, perks) that all too often is missing a leg (responsibility). We saw this in the immediate aftermath of 9/11 and the subsequent recycling of national security seniors from discrete agencies into DNI positions. Almost none of those people should still be on the payroll, not because any given one of them is personally responsible for intelligence failures, but because that’s the price you are supposed to pay for being granted certain authorities. If you have nothing at risk, you are disinclined to do what is necessary to achieve real gains.

Unrealistic? In an age when everyone is special and no one makes judgment calls it may very well be. Cruel? It is not like someone with a Masters in International Relations (not to mention a security clearance) doesn’t have options outside the General Schedule.

Reality Check

The United States Military Academy at West Point yesterday confirmed that Brigadier General Patrick Finnegan recently travelled to California to meet producers of the show, broadcast on the Fox channel. He told them that promoting illegal behaviour in the series – apparently hugely popular among the US military – was having a damaging effect on young troops.

Are you kidding me? ITS A TV SHOW! At the risk of painting with too broad a brush, if this is the state of military training today, we need to be worried.

I reject the idea that even the rawest recruit cannot separate the fantasy world of 24 and reality. This might be the Playstation generation, but I would bet any amount of money that every troop regardless of Service or MOS gets a block of instruction or twelve on the laws of war and the Geneva Conventions, with particular attention paid to this disgrace called Abu Garhib and what is and is not acceptable behavior towards prisoners or detainees.

And if that is not the case then I am aghast that an institution with as long and historic a reputation for forging honorable warriors out of myriad malcontents considers itself so ineffectual that it has to ask the producers of a TV show to dial down the gore because they cannot exert the kind of control and demonstrate the kind of leadership necessary to prevent imaginations from getting carried away.

Somewhere my drill instructors are weeping.